Rundeck redirections behind a Load Balancer

Xavier Humbert

Oct 18, 2022, 2:54:05 AM
to rundeck...@googlegroups.com
Hi,
I have a very common setup with Rundeck behind a Load Balancer, which redirects
port 443 to 4440:

|---------------------------|
| https://rundeck.tld (VIP) |
|---------------------------|
|    Load Balancer HTTPS    |
|---------------------------|
           |
           |
           v
|-------------------------|
| http://server:4440      |
|-------------------------|

When I cURL to the LB, I have to set the -L flag to follow redirections.
But it redirects me to the VIP itself, which leads me to the login page:

*************************************************************************
[xhumbert@qp-ord-rundeck01 ~]$ export auth='********'
[xhumbert@qp-ord-rundeck01 ~]$ curl -L -v -H "Accept: application/json"
-H "X-Rundeck-Auth-Token: $auth"
"http://qp-ord-rundeck01.ste.hp.in.phm.education.gouv.fr:4440/api/41/job/5b0264a2-c902-49ef-bc60-7b6cb5222c01/schedule/disable"
* About to connect() to qp-ord-rundeck01.ste.hp.in.phm.education.gouv.fr
port 4440 (#0)
*   Trying 172.29.50.41...
* Connected to qp-ord-rundeck01.ste.hp.in.phm.education.gouv.fr
(172.29.50.41) port 4440 (#0)
> GET /api/41/job/5b0264a2-c902-49ef-bc60-7b6cb5222c01/schedule/disable
HTTP/1.1
> User-Agent: curl/7.29.0
> Host: qp-ord-rundeck01.ste.hp.in.phm.education.gouv.fr:4440
> Accept: application/json
> X-Rundeck-Auth-Token:  **************
>
< HTTP/1.1 302 Found
< Date: Tue, 18 Oct 2022 06:43:35 GMT
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< X-Frame-Options: deny
< X-XSS-Protection: 0
< X-Content-Type-Options: nosniff
< Content-Security-Policy: default-src 'none' ; script-src 'self'
https://content.analytics.rundeck.com 'unsafe-inline' 'unsafe-eval' ;
style-src 'self' 'unsafe-inline' ; img-src * data: ; font-src 'self'
data: ; connect-src 'self' https://api.rundeck.com
https://data.analytics.rundeck.com ; form-action 'self' ;
< Set-Cookie: JSESSIONID=node0u64w33uozpkb18btk56r30n0t12744.node0;
Path=/; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location:
https://qp-ordo.hp.in.phm.education.gouv.fr//project?id=5b0264a2-c902-49ef-bc60-7b6cb5222c01&api_version=41&status=false
< Content-Length: 0
<
* Connection #0 to host qp-ord-rundeck01.ste.hp.in.phm.education.gouv.fr
left intact
* Issue another request to this URL:
'https://qp-ordo.hp.in.phm.education.gouv.fr//project?id=5b0264a2-c902-49ef-bc60-7b6cb5222c01&api_version=41&status=false'
* About to connect() to proxy proxy.******* port 3128 (#1)
*   Trying 172.29.44.237...
* Connected to proxy.******** port 3128 (#1)
* Establish HTTP proxy tunnel to qp-ordo.hp.in.phm.education.gouv.fr:443
> CONNECT qp-ordo.hp.in.phm.education.gouv.fr:443 HTTP/1.1
> Host: qp-ordo.hp.in.phm.education.gouv.fr:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
> Accept: application/json
> X-Rundeck-Auth-Token:  ****************
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=qp-ordo.hp.in.phm.education.gouv.fr,O=Ministère de
l'Education Nationale et de la Jeunesse des sports,ST=Île-de-France,C=FR
*       start date: Jun 07 00:00:00 2022 GMT
*       expire date: Jun 07 23:59:59 2023 GMT
*       common name: qp-ordo.hp.in.phm.education.gouv.fr
*       issuer: CN=Sectigo RSA Organization Validation Secure Server
CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
> GET
//project?id=5b0264a2-c902-49ef-bc60-7b6cb5222c01&api_version=41&status=false
HTTP/1.1
> User-Agent: curl/7.29.0
> Host: qp-ordo.hp.in.phm.education.gouv.fr
> Accept: application/json
> X-Rundeck-Auth-Token:  ****************
>
< HTTP/1.1 302 Found
< Date: Tue, 18 Oct 2022 06:43:35 GMT
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Set-Cookie: JSESSIONID=node01afsqx0p8iayy11mejvbywejb712745.node0;
Path=/; Secure; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: https://qp-ordo.hp.in.phm.education.gouv.fr/user/login
< Content-Length: 0
< Strict-Transport-Security: max-age=16070400; includeSubDomains
<
* Connection #1 to host proxy.tec.in.phm.education.gouv.fr left intact
* Issue another request to this URL:
'https://qp-ordo.hp.in.phm.education.gouv.fr/user/login'
* Found bundle for host qp-ordo.hp.in.phm.education.gouv.fr: 0x1ab07e0
* Re-using existing connection! (#1) with host
proxy.tec.in.phm.education.gouv.fr
* Connected to proxy.tec.in.phm.education.gouv.fr (172.29.44.237) port
3128 (#1)
> GET /user/login HTTP/1.1
> User-Agent: curl/7.29.0
> Host: qp-ordo.hp.in.phm.education.gouv.fr
> Accept: application/json
> X-Rundeck-Auth-Token:  ********************
>
< HTTP/1.1 200 OK
< Date: Tue, 18 Oct 2022 06:43:35 GMT
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< X-Frame-Options: deny
< X-XSS-Protection: 0
< X-Content-Type-Options: nosniff
< Content-Security-Policy: default-src 'none' ; script-src 'self'
https://content.analytics.rundeck.com 'unsafe-inline' 'unsafe-eval' ;
style-src 'self' 'unsafe-inline' ; img-src * data: ; font-src 'self'
data: ; connect-src 'self' https://api.rundeck.com
https://data.analytics.rundeck.com ; form-action 'self' ;
< Set-Cookie: JSESSIONID=node0k85zgz5v92qg131faa0ojhh0w12746.node0;
Path=/; Secure; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Language: en-US
< Content-Type: text/html;charset=utf-8
< Transfer-Encoding: chunked
< Strict-Transport-Security: max-age=16070400; includeSubDomains
<

<!DOCTYPE html>
<!--[if lt IE 7 ]> <html class="ie6"> <![endif]-->
<!--[if IE 7 ]>    <html class="ie7"> <![endif]-->
<!--[if IE 8 ]>    <html class="ie8"> <![endif]-->
<!--[if IE 9 ]>    <html class="ie9"> <![endif]-->
<!--[if (gt IE 9)|!(IE)]><!--> <html lang="en"><!--<![endif]-->
<head>
    <title>

    QUALIFICATION - Login</title>
    [etc.]
***********************************************************************

Here is my config:

From framework.properties:

    framework.server.name = qp-ord-rundeck01
    framework.server.hostname = qp-ord-rundeck01.ste.hp.in.phm.education.gouv.fr
    framework.server.port = 4440
    framework.server.url = https://qp-ordo.hp.in.phm.education.gouv.fr/
    framework.rundeck.url = https://qp-ordo.hp.in.phm.education.gouv.fr/

From rundeck-config.properties:

    grails.serverURL=https://qp-ordo.hp.in.phm.education.gouv.fr/

What am I doing wrong again?

Thanks,

Regards,

Xavier

--
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Rectorat de Nancy-Metz
03 83 86 27 39
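
An added example, not part of the original post or of Rundeck: a small Python parser for `curl -v` output that lists each request in a redirect chain and flags where the `X-Rundeck-Auth-Token` header went, as in the trace above where it appears on the proxy `CONNECT` and on every redirected request. The sample trace is constructed and unwrapped, with placeholder hostnames and a masked token; the function names are hypothetical.

```python
import re

# Constructed sample: shortened, unwrapped curl -v trace modelled on the post
# (placeholder hostnames, masked token).
SAMPLE_TRACE = """\
> GET /api/41/job/JOB-ID/schedule/disable HTTP/1.1
> Host: rundeck01.example.test:4440
> X-Rundeck-Auth-Token: ****
< HTTP/1.1 302 Found
< Location: https://rundeck.example.test//project?id=JOB-ID&api_version=41&status=false
> CONNECT rundeck.example.test:443 HTTP/1.1
> Host: rundeck.example.test:443
> X-Rundeck-Auth-Token: ****
< HTTP/1.1 200 Connection established
> GET //project?id=JOB-ID&api_version=41&status=false HTTP/1.1
> Host: rundeck.example.test
> X-Rundeck-Auth-Token: ****
< HTTP/1.1 302 Found
< Location: https://rundeck.example.test/user/login
"""

REQUEST = re.compile(r"> (\w+) (\S+) HTTP/\d")
STATUS = re.compile(r"< HTTP/\S+ (\d{3})")

def parse_hops(trace, header="x-rundeck-auth-token"):
    """One dict per request in the trace: target, Host, token sent, reply."""
    hops = []
    for line in trace.splitlines():
        req, status = REQUEST.match(line), STATUS.match(line)
        if req:  # a request line opens a new hop
            hops.append({"method": req.group(1), "target": req.group(2),
                         "host": "", "token": False, "status": None, "location": None})
        elif hops and status:
            hops[-1]["status"] = int(status.group(1))
        elif hops and line[:2] in ("> ", "< ") and ":" in line:
            name, value = line[2:].split(":", 1)
            key = {"host": "host", "location": "location", header: "token"}.get(name.strip().lower())
            if key:
                hops[-1][key] = True if key == "token" else value.strip()
    return hops

def token_findings(hops):
    """Flag hops where the token left the host the caller addressed."""
    origin, notes = hops[0]["host"], []
    for i, hop in enumerate(hops):
        if hop["token"] and hop["method"] == "CONNECT":
            notes.append((i, "token in CONNECT request to proxy"))
        elif hop["token"] and hop["host"] != origin:
            notes.append((i, "token replayed to " + hop["host"]))
    return notes
```

Running the API call without `-L` and reading the `Location` header first keeps the token from being replayed to hosts the caller did not address.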

rac...@rundeck.com

Oct 18, 2022, 8:34:45 AM
to rundeck-discuss
Hi Xavier,

Do you see the same behavior configuring the framework.properties with the LB URL/Port?

Regards.