Rundeck Token is not working with apache reverse proxy


Hari.Java

Mar 31, 2021, 2:43:17 PM
to rundeck-discuss
Hi Team,

When I use Apache as a reverse proxy just to forward the request to Rundeck in pre-authenticated mode, I get the error below.

Method 1
============

Request Flow: 
Curl -> Apache2 (reverse proxy)-> Rundeck. (Not working)
Curl Command: curl -v -kL  -X "GET" -H "Content-Type: application/json" -H "X-Rundeck-Auth-Token: nlyLLo0goSHvR2vdKNPj6Lqw6FUFMb1b" https://<apache2IP>/rundeck/api/23/project/CDH-CICD/sources?authtoken=nlyLLo0goSHvR2vdKNPj6Lqw6FUFMb1b

Apache2 Conf:

<Location /api >
  AuthType None
  Require all granted
  Satisfy Any
  ProxyPreserveHost on
  ProxyPass http://rundeck:4440/api
  ProxyPassReverse http://rundeck:4440/api
</Location>


Rundeck Logs:
[2021-03-31 08:23:45,453] INFO  web.requests "GET /api/35/project/CDH-CICD/sources" 160.34.126.192 https (null) form 6 ? [application/json;charset=utf-8] (curl/7.64.1)
[2021-03-31 08:23:45,453] INFO  api.requests "GET /api/35/project/CDH-CICD/sources" 160.34.126.192 https (null) form 6 CDH-CICD (curl/7.64.1)
Method 2: If I add the following apache2 conf to the above, it works fine
============
RequestHeader add X-Forwarded-Uuid "admin"
RequestHeader add X-Forwarded-Roles "admin"

Method 3: If I access rundeck directly without apache, it is working fine
============
Request Flow: Curl --> Rundeck. (Not working)
Curl Command: curl -v -kL  -X "GET" -H "Content-Type: application/json" -H "X-Rundeck-Auth-Token: nlyLLo0goSHvR2vdKNPj6Lqw6FUFMb1b" https://<Rundeck>:4440/api/23/project/CDH-CICD/sources?authtoken=nlyLLo0goSHvR2vdKNPj6Lqw6FUFMb1b
Rundeck Logs:

[2021-03-31 08:25:17,385] INFO  web.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 127.0.0.1 http stegriff token 19 ? [application/json;charset=utf-8] (curl/7.47.0)

[2021-03-31 08:25:17,385] INFO  api.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 127.0.0.1 http stegriff token 19 CDH-CICD (curl/7.47.0)

[2021-03-31 08:26:19,467] INFO  web.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 127.0.0.1 http stegriff token 13 ? [application/json;charset=utf-8] (curl/7.47.0)

[2021-03-31 08:26:19,467] INFO  api.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 127.0.0.1 http stegriff token 14 CDH-CICD (curl/7.47.0)


What is the problem with Method 1?

P.S. The logs for direct Rundeck access show "token", whereas the logs for access through Apache show "form".

rac...@rundeck.com

Apr 2, 2021, 2:19:17 PM
to rundeck-discuss
Hi Hari,

That was requested before here, and here you can see a good approach to implement it (based on advanced frontend proxy configuration; in any case, it seems to be the only way right now).

Regards!

Hari.Java

Apr 5, 2021, 4:52:10 AM
to rundeck-discuss
I am able to route the request properly, but authentication does not work when I access the URL (Apache) with the authtoken query param using curl.
In the same way, if I access the direct Rundeck URL (without Apache) with the authtoken, it works fine.

What could be the reason for not authenticating the request which is through apache? 

Rundeck Version: 3.2.8

Failed Request, calling apache on 7777 port, what is the reason for failing?
-------------------------------------------------------------------------------------

# curl -v -kL  -X "GET" -H "Content-Type: application/json;charset=utf-8" http://localhost:7777/rundeck/api/23/project/CDH-CICD/sources?authtoken=nlyLLo0goSHvR2vdKNPj6Lqw6FUFMb1b

* About to connect() to localhost port 7777 (#0)

*   Trying 127.0.0.1...

* Connected to localhost (127.0.0.1) port 7777 (#0)

> GET /rundeck/api/23/project/CDH-CICD/sources?authtoken=nlyLLo0goSHvR2vdKNPj6Lqw6FUFMb1b HTTP/1.1

> User-Agent: curl/7.29.0

> Host: localhost:7777

> Accept: */*

> Content-Type: application/json;charset=utf-8

< HTTP/1.1 403 Forbidden

< Date: Mon, 05 Apr 2021 08:40:04 GMT

< Server: Apache/2.4.46 (Unix)

< Expires: Thu, 01 Jan 1970 00:00:00 GMT

< X-Frame-Options: deny

< X-XSS-Protection: 1

< X-Content-Type-Options: nosniff

< Content-Security-Policy: default-src 'none' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' ; img-src * ; font-src 'self' data: ; connect-src 'self' https://api.rundeck.com ; form-action 'self' ;

< Content-Type: text/xml;charset=utf-8

< X-Rundeck-API-Version: 35

< Set-Cookie: JSESSIONID=node0ga49jz1zq73e5vfe6fmilxiw2.node0; Path=/rundeck; HttpOnly

< Transfer-Encoding: chunked

<result error='true' apiversion='35'>

  <error code='api.error.item.unauthorized'>

    <message>Not authorized for action "[configure, Project, CDH-CICD]" for {1} {2}</message>

  </error>

* Connection #0 to host localhost left intact

Failed Rundeck Logs:
------------------------------------

[2021-04-05 08:21:34,527] WARN  authorization.LoggingAuthorization LoggingAuthorization - Evaluating Decision for: res<name:CDH-CICD, type:project> subject<Username:(null) Group:(null)> action<configure> env<rundeck:auth:env:application:rundeck>: authorized: false: No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (1ms)

[2021-04-05 08:21:34,528] WARN  authorization.LoggingAuthorization LoggingAuthorization - Evaluating Decision for: res<name:CDH-CICD, type:project> subject<Username:(null) Group:(null)> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false: No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)

[2021-04-05 08:21:34,581] INFO  web.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 172.18.0.1 http (null) form 696 ? [text/xml;charset=utf-8] (curl/7.29.0)

[2021-04-05 08:21:34,586] INFO  api.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 172.18.0.1 http (null) form 672 CDH-CICD (curl/7.29.0)


Passed Request, calling Rundeck direct on 4440 port
--------------------------------------------------------------

# curl -v -kL  -X "GET" -H "Content-Type: application/json;charset=utf-8" http://localhost:4440/rundeck/api/23/project/CDH-CICD/sources?authtoken=nlyLLo0goSHvR2vdKNPj6Lqw6FUFMb1b

* About to connect() to localhost port 4440 (#0)

*   Trying 127.0.0.1...

* Connected to localhost (127.0.0.1) port 4440 (#0)

> GET /rundeck/api/23/project/CDH-CICD/sources?authtoken=nlyLLo0goSHvR2vdKNPj6Lqw6FUFMb1b HTTP/1.1

> User-Agent: curl/7.29.0

> Host: localhost:4440

> Accept: */*

> Content-Type: application/json;charset=utf-8

< HTTP/1.1 200 OK

< Date: Mon, 05 Apr 2021 08:44:05 GMT

< X-Frame-Options: deny

< X-XSS-Protection: 1

< X-Content-Type-Options: nosniff

< Content-Security-Policy: default-src 'none' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' ; img-src * ; font-src 'self' data: ; connect-src 'self' https://api.rundeck.com ; form-action 'self' ;

< Set-Cookie: JSESSIONID=node01g976sllhfs1915jxymcpwwrat3.node0; Path=/rundeck; HttpOnly

< Expires: Thu, 01 Jan 1970 00:00:00 GMT

< Content-Type: application/json;charset=utf-8

< Transfer-Encoding: chunked

* Connection #0 to host localhost left intact

[{"index":1,"type":"local","resources":{"href":"https://192.29.99.81/rundeck/api/35/project/CDH-CICD/source/1/resources","writeable":false}}]



Passed Rundeck Logs:
------------------------------------

[2021-04-05 08:22:37,226] INFO  web.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 172.18.0.1 http stegriff token 689 ? [application/json;charset=utf-8] (curl/7.29.0)

[2021-04-05 08:22:37,229] INFO  api.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 172.18.0.1 http stegriff token 692 CDH-CICD (curl/7.29.0)

Hari.Java

Apr 5, 2021, 11:00:26 AM
to rundeck-discuss
Another observation from the logs:
=============================

Rundeck log if it is direct Rundeck(without apache reverse proxy) - Working good
[2021-04-05T14:51:58,561] INFO  web.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 127.0.0.1 http yietha token 91 ? [application/json;charset=utf-8] (curl/7.29.0)

Rundeck log if it is through apache reverse proxy - Not working
[2021-04-05T14:50:20,546] INFO  web.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 172.18.0.3 http (null) form 8 ? [text/xml;charset=utf-8] (curl/7.29.0)


Is there a different flow in Rundeck with Apache and without Apache? If yes, what is the flag that drives the flow?

Thanks,
Yell
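
The symptom reported in this thread (`(null) form` through Apache versus `<user> token` on direct access) can be checked mechanically in the Rundeck request log. The following is an added example, not part of the original posts and not Rundeck's own code; the field names in the regex are assumptions inferred from the log lines quoted above, and the sample lines are copied from those posts.

```python
import re

# Field names (remote, scheme, user, auth, ms, project) are assumptions
# inferred from the web.requests/api.requests lines quoted in this thread.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+INFO\s+(?P<logger>web|api)\.requests\s+'
    r'"(?P<method>[A-Z]+) (?P<uri>[^"]*)"\s+(?P<remote>\S+)\s+(?P<scheme>\S+)\s+'
    r'(?P<user>\S+)\s+(?P<auth>\S+)\s+(?P<ms>\d+)\s+(?P<project>\S+)'
)

# Sample lines taken from the posts above (both timestamp styles).
SAMPLE = """
[2021-04-05 08:21:34,581] INFO  web.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 172.18.0.1 http (null) form 696 ? [text/xml;charset=utf-8] (curl/7.29.0)
[2021-04-05 08:21:34,586] INFO  api.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 172.18.0.1 http (null) form 672 CDH-CICD (curl/7.29.0)
[2021-04-05 08:22:37,226] INFO  web.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 172.18.0.1 http stegriff token 689 ? [application/json;charset=utf-8] (curl/7.29.0)
[2021-04-05T14:51:58,561] INFO  web.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 127.0.0.1 http yietha token 91 ? [application/json;charset=utf-8] (curl/7.29.0)
[2021-04-05T14:50:20,546] INFO  web.requests "GET /rundeck/api/23/project/CDH-CICD/sources" 172.18.0.3 http (null) form 8 ? [text/xml;charset=utf-8] (curl/7.29.0)
"""


def parse(line):
    """Return the named fields of one request-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def unauthenticated_api_calls(lines):
    """List API requests that reached Rundeck with no user or without token auth."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["logger"] != "web":
            continue  # skip unparsable lines and the duplicate api.requests entry
        if "/api/" not in rec["uri"]:
            continue  # only API calls are expected to carry a token
        if rec["user"] == "(null)" or rec["auth"] != "token":
            hits.append((rec["ts"], rec["remote"], rec["uri"], rec["user"], rec["auth"]))
    return hits


if __name__ == "__main__":
    for ts, remote, uri, user, auth in unauthenticated_api_calls(SAMPLE.splitlines()):
        print(f"{ts} {remote} {uri} user={user} auth={auth}")
```

Run against a live log, the same check also shows whether a proxy change restored per-token identities or simply attached one fixed user to every request, as the static `X-Forwarded-Uuid` and `X-Forwarded-Roles` headers in Method 2 do.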
