rundeck F5 SSL termination redirected back to http no matter what I try


Nicholai Brooks

Jun 4, 2015, 4:39:27 PM
to rundeck...@googlegroups.com
I created a new rundeck instance and like any other server, I put it behind our F5 on a new Virtual server with SSL.  The issue is though, no matter what I do, the reply for login always comes back via http.  

installed via rpm.

configured /etc/rundeck/rundeck-config.properties


restarted rundeck service and go to https://rundeck.xxxxxxxx.com yet firebug shows:


302 Found    0 B    xx.xx.xx.xx:443

Content-Length: 0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://rundeck.xxxxxxx.com/user/login
Server: Jetty(7.6.0.v20120127)
Set-Cookie: JSESSIONID=1xrukcu0hovj5z8i3aj72fe27;Path=/


I thought I was onto something when I read:

Using an SSL Terminated Proxy

You can tell Jetty to honor X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Server and X-Forwarded-For headers by adding the following JVM property:

  • rundeck.jetty.connector.forwarded set to "true" to enable proxy forwarded support.

E.g. modify the RDECK_JVM variable in the file /etc/rundeck/profile and add:

-Drundeck.jetty.connector.forwarded=true

This will enable Jetty to respond correctly when a forwarded request is first received.

Note: You will still need to modify the grails.serverURL value in rundeck-config.properties to let Rundeck know how to properly generate absolute URLs.


But I tried it and restarted rundeck and there is no change. The https request is still redirected back to http every time for the login.

Thanks in advance

Mathieu Chateau

Jun 4, 2015, 4:43:02 PM
to rundeck...@googlegroups.com
Hello,

in framework.properties check that framework.rundeck.url is typed with https://...

do you want to do ssl offloading with your F5 ? or SSL to SSL ?

Regards,
Mathieu CHATEAU
http://www.lotp.fr


Nicholai Brooks

Jun 4, 2015, 4:53:16 PM
to rundeck...@googlegroups.com
Thanks.  I want to do ssl offloading on the F5 and have the connection between F5 and rundeck via http.  

I tried the https://rundeck.xxxxxx.com in the framework.properties and https://localhost:4440 and https://localhost:443 and https://rundeck.xxxx.com:443 with a restart after each but nothing helped.  What should be the value here in my case?  

Mathieu Chateau

Jun 4, 2015, 5:00:49 PM
to rundeck...@googlegroups.com
I am also doing ssl offloading.

here is my setup:

in framework.properties

framework.server.name = nameofmyserver
framework.server.hostname = nameofmyserver
framework.server.port = 4440
framework.server.url = http://localhost:4440
framework.rundeck.url = https://my.public.url

in rundeck-config.properties:
grails.serverURL=https://my.public.url

in profile
export RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf \
        -Dloginmodule.name=RDpropertyfilelogin \
        -Drdeck.config=/etc/rundeck \
        -Drdeck.base=/var/lib/rundeck \
        -Drundeck.server.configDir=/etc/rundeck \
        -Dserver.datastore.path=/var/lib/rundeck/data \
        -Drundeck.server.serverDir=/var/lib/rundeck \
        -Drdeck.projects=/var/rundeck/projects \
        -Drdeck.runlogs=/var/lib/rundeck/logs \
        -Drundeck.config.location=/etc/rundeck/rundeck-config.properties \
        -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
        -Drundeck.jetty.connector.forwarded=true"

then your load balancer must add in header X-Forwarded-*


Regards,
Mathieu CHATEAU
http://www.lotp.fr


Nicholai Brooks

Jun 4, 2015, 7:50:09 PM
to rundeck...@googlegroups.com
Thank you for your help.  That helped my understanding a lot and made it pretty obvious and easy and I made all those changes and restarted but sadly, it's still responding over http.  



Greg Schueler

Jun 4, 2015, 8:12:27 PM
to rundeck...@googlegroups.com
On the local host (or ssh tunnel) can you log in and go to the system config page and verify that the grails.serverURL is correct?

-- 
Greg

Nicholai Brooks

Jun 5, 2015, 4:25:10 PM
to rundeck...@googlegroups.com

Server Connection Info

/etc/rundeck/framework.properties:
framework.server.hostname: my_server_hostname
framework.server.name: my_server_hostname
framework.server.password: *****
framework.server.port: 4440
framework.server.url: http://localhost:4440
framework.server.username: admin
/etc/rundeck/rundeck-config.properties:
grails.serverURL: https://rundeck.xxxxx.com     


The weird thing is, we have two environments and two F5's.  In the other environment it just worked out of the box. I only configured the /etc/rundeck/rundeck-config.properties: grails.serverURL and everything worked.  I'm starting to wonder if it's a subtle difference on the F5 that's causing this.


Greg Schueler

Jun 5, 2015, 4:32:46 PM
to rundeck...@googlegroups.com
the setting Drundeck.jetty.connector.forwarded=true requires that the load balancer include X-Forwarded-Proto headers in the request, which should tell Rundeck the correct https protocol.

are you able to wiresniff the HTTP connection from the F5 to rundeck to verify those headers are being sent?

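The header check requested in the post above, as an added example (not code from the thread or from the Rundeck project): `diagnose` reads a request/response pair captured on the proxy-to-backend hop, and `probe` asks the backend directly with the header set by hand, which separates the proxy side from the Rundeck side. The function names and the sample capture are assumptions; localhost and port 4440 come from the thread.

```python
import http.client
from urllib.parse import urlsplit

# Constructed capture of the proxy-to-backend hop (not taken from the thread).
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: rundeck.example.com\r\n"
    "X-Forwarded-Proto: https\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://rundeck.example.com/user/login\r\n"
)


def parse_head(raw):
    """Turn a raw HTTP message head into {lower-cased header name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def diagnose(request_raw, response_raw):
    """Findings for one request/response pair captured at the backend."""
    proto = parse_head(request_raw).get("x-forwarded-proto")
    location = parse_head(response_raw).get("location", "")
    sent_https = proto is not None and proto.lower() == "https"
    findings = []
    if proto is None:
        findings.append("proxy did not send X-Forwarded-Proto")
    elif not sent_https:
        findings.append("X-Forwarded-Proto is %r, not https" % proto)
    if location and urlsplit(location).scheme == "http":
        why = "backend ignored the header" if sent_https else "backend had no https hint"
        findings.append("redirect to %s: %s" % (location, why))
    return findings


def probe(host="localhost", port=4440, path="/"):
    """Ask the backend directly (no proxy) with the header set by hand."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"X-Forwarded-Proto": "https"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()
```

If `probe()` run on the Rundeck host returns an `http://` Location even though the header was sent, the running JVM is not applying the forwarded setting, whatever the proxy does.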

Nicholai Brooks

Jun 5, 2015, 6:35:16 PM
to rundeck...@googlegroups.com
I installed wireshark on the both rundeck servers (good and bad) and as far as I can tell, I see the x forwarded header on both. (see screenshots) I'm at a loss...


env_broken.jpg
env_works2.jpg

Mathieu Chateau

Jun 6, 2015, 3:05:19 AM
to rundeck...@googlegroups.com
Hello,

Can you temporarily invert the good & bad rundeck on the F5 so we can guess on which side the issue is?

Regards,
Mathieu CHATEAU
http://www.lotp.fr


Nicholai Brooks

Jun 8, 2015, 5:33:42 PM
to rundeck...@googlegroups.com
Thanks for your help.  These are two different data centers so unfortunately this is not possible.  At this point I've concluded that the issue is specific to this F5 and rundeck together.  In the meantime, I've configured SSL on rundeck server directly and configured the F5 as a layer 4 pass through. This setup works well but is not ideal.