Problems with Apache reverse proxy and Ajax calls in Rundeck
438 views
Skip to first unread message
Ignacio Galván Vitas
Oct 5, 2022, 3:24:50 PM10/5/22
to rundeck-discuss
Hello,
I'm trying to make it work a Rundeck instance behind a Apache 2.4 reverse proxy that uses an Apereo CAS to authenticate users. I'm been able to make it work with the SSO but I'm fighting with a problem in the reverse proxy configuration. Almost everything seems to works except the Ajax calls. I'm seeing this in the Network Inspector of Firefox.
I've attached the Apache and Rundeck config files for better understanding of the deployed architecture. I would really apreciate any kind of help with this.
Best regards,
Ignacio.
rac...@rundeck.com
Oct 5, 2022, 3:53:21 PM10/5/22
to rundeck-discuss
Hi Ignacio,
I have an example (to deploy Rundeck behind Apache 2 reverse proxy on docker).
Take a look at the following httpd.conf file, check the “reverse proxy” section at the end:
ServerRoot "/usr/local/apache2"
Listen 80
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
<IfModule unixd_module>
User www-data
Group www-data
</IfModule>
ServerAdmin y...@example.com
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/usr/local/apache2/htdocs"
<Directory "/usr/local/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog /proc/self/fd/2
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog /proc/self/fd/1 common
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/usr/local/apache2/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# reverse proxy config
ProxyPass / http://localhost:4440/
ProxyPassReverse / http://localhost:4440/
ProxyRequests Off
# Local reverse proxy authorization override
<Proxy http://localhost:4440>
Order deny,allow
Allow from all </Proxy>
With this, just make sure to set grails.serverURL parameter (on the rundeck-config.properties file) with the proxy rundeck url address (just “localhost” in my Docker deployment).
Hope it helps!
Ignacio Galván Vitas
Oct 6, 2022, 12:58:15 PM10/6/22
to rundeck-discuss
Hello,
thanks for your help. I'd it pointing to localhost but I was getting this same error. After that I changed to the FQDN of the host, what is the same host of Apache, and I got exactly the same error. Just in case, I've changed it again to localhost with the same result. I reviewed your config and I not able to see any relevant difference. If I wouldn't need the CAS module I would use nginx as reverse proxy, but it's not an option because there is not an equivalent module. Maybe it's because of the CAS module I have this problem, I don't know.
Best regards,
Ignacio
Ignacio Galván Vitas
Oct 6, 2022, 1:14:43 PM10/6/22
to rundeck-discuss
Hello,
As an attempt o simplify the config I've disabled the CAS auth and I tried the reverse proxy with this config and I get the same error.
<Directory />
AllowOverride none
Require all denied
</Directory>
AllowOverride none
Require all denied
</Directory>
<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>
RequestHeader unset Proxy early
</IfModule>
# reverse proxy config
ProxyPass / http://localhost:4440/
ProxyPassReverse / http://localhost:4440/
ProxyRequests Off
# Local reverse proxy authorization override
<Proxy http://localhost:4440>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:4440/
ProxyPassReverse / http://localhost:4440/
ProxyRequests Off
# Local reverse proxy authorization override
<Proxy http://localhost:4440>
Order deny,allow
Allow from all
</Proxy>
Best regards,
Ignacio.
rac...@rundeck.com
Oct 7, 2022, 8:32:05 AM10/7/22
to rundeck-discuss
Hi Ignacio,
To discard a misconfiguration, Could you test without the reverse proxy? (accessing directly to the Rundeck instance). Also, which Rundeck version are you using? Could you test with the latest one at this moment?
Regards.
Ignacio Galván Vitas
Oct 7, 2022, 1:39:16 PM10/7/22
to rundeck-discuss
Hello,
I did it and works as a charm. I'm using Rundeck 4.6.1 over CentOS 7.
Best regards,
Ignacio.
rac...@rundeck.com
Oct 7, 2022, 2:10:37 PM10/7/22
to rundeck-discuss
Also, try launching Rundeck with this parameter.
Ignacio Galván Vitas
Oct 8, 2022, 3:01:23 PM10/8/22
to rundeck-discuss
Hello,
I'm using Firefox but I've also tested with Chromium with the same result. Also I had the forwarder parameter from the beggining but I'm using it in the rundeck-config.properties file as "server.userForwardHeaders=true". I also enabled the remoteip module but no luck. This is the config I used:
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 192.168.122.13
RemoteIPInternalProxy 192.168.122.13
In the browser I see this. I don't get why some requests are proxied and others no.
And this in the console tab:
Ignacio Galván Vitas
Oct 10, 2022, 2:08:39 PM10/10/22
to rundeck-discuss
Hello,
Finally I made it work. It was easier than we were thinking. I've set the grails.serverURL to https://rundecklab.olimpo.lab and server.userForwardHeaders to true
And in the Apache server I created a rundeck.conf file with this content:
<Directory />
AllowOverride none
Require all denied
</Directory>
<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>
# reverse proxy config
ProxyPass / http://localhost:4440/
ProxyPassReverse / http://localhost:4440/
ProxyRequests Off
AllowOverride none
Require all denied
</Directory>
<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>
# reverse proxy config
ProxyPass / http://localhost:4440/
ProxyPassReverse / http://localhost:4440/
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
# Local reverse proxy authorization override
<Proxy http://localhost:4440>
Order deny,allow
Allow from all
</Proxy>
After testing I copied this to my CAS authenticated config and everything works. The last detail is to exclude the api from CAS, but that's not a topic for this forum.
Thank you everybody for your help and time.
Best regards,
Ignacio.
rac...@rundeck.com
Oct 11, 2022, 8:45:47 AM10/11/22
to rundeck-discuss
Great news then!
Cheers!
Reply all
Reply to author
Forward
0 new messages