Using behind a SSL terminating reverse proxy in a different context root #101
Comments
Hi @rmetcalf9 I front (and terminate SSL) my Rundeck instances with HAProxy, so your setup should be able to work as well. I don't change the context though as I route requests based on FQDN.
If that doesn't work, can you describe what is occurring? Are you able to get to the login page, but after trying to login it redirects to the wrong URL for example? Also, is there anything in the rundeck logs that might help? Thanks 😄 |
Hi, To answer your points:
With the setup:
When my browser goes to: The address bar changes to: which fails. I removed the SERVER_URL line and stopped and restarted the stack. Next I have retried with the following setup:
I removed and restarted the stack: I did another test using and I saw the following in the results:
I think I am getting through to rundeck but I am getting redirected to http://rundeck:4440/user/login which is the wrong URL. I need to understand why I am not getting redirected to After this I re-verified rundeck-config.properties was correct:
(password changed in above) I did a final experiment. I restarted a clean stack
I then went with my browser to https://cat-sdts.metcarob-home.com:4443/rundeck/ I re-checked the log directory and not a single file size had changed. So I have determined that no log entry has occurred. I have also used the docker logs command to get the log of the rundeck container and no log entries are made. I am not sure how to proceed with investigating this issue. |
Hi @rmetcalf9 Thanks for all of the attempts and details. This is a really weird problem. The symptoms are all the same, you're able to connect to the Rundeck server through the proxy but Rundeck is redirecting to the wrong URL. The URL is constructed using the grails server URL and yours seems to be set correctly. Do you mind including the rundeck.log and service.log from the last attempt? |
Hi,
service.log
Robert |
Thanks, @rmetcalf9 The logs look like everything is OK. Is Kong set up to pass the correct forwarding headers like X-Forwarded-For? |
Hi, Now when I visit I am redirected to So the behaviour has changed but it is still not working. There are two things that are wrong with this redirection:
Robert |
I have reconfirmed and the logs are unchanged from before |
Hi @rmetcalf9 We're getting there! 😛 Did you add the context parameter back to RDECK_JVM?
Finally, is Kong setting the X-Forwarded-Proto header? |
Hi, I have done another test, in my compose file I have: When running I log into a command shell inside the container, install tcpdump and run it with the command again I visit and I can see from the output:
So I have worked out, Kong is setting the X-Forwarded-Proto header, but adding the server.web.context seemed to have no effect. I am wondering if the RDECK_JVM options are being correctly set. |
Hi @rmetcalf9 Do you see -Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true in the output of
If so, that confirms that they are being set correctly. Let's try one more addition. Can you try setting the SERVER_URL environment variable one more time?
Thanks for your patience and all the debugging information provided 😄 |
I have updated the compose file as follows
I redid the test and I get the same result (redirected to http://cat-sdts.metcarob-home.com:4443/user/login) Inside the container I have:
It seems I have two processes running under the rundeck user. I think the interesting one is the /usr/bin/java one PID=485. I have checked its command line:
I can't see webcontext in the above output, suggesting that it is not being set. I thought I would do one more test. I removed RDECK_JVM completely from the docker compose file and removed and restarted the stack. I repeated the test and I got exactly the same behavior. |
Thanks @rmetcalf9 I think I found the issue thanks to all of your detective work! 😄 There was a big update to /etc/rundeck/profile a few releases ago. It looks like RDECK_JVM_SETTINGS is the preferred variable to use now. I'll update the documentation now. |
Unfortunately this didn't resolve the issue for me but it has changed the situation slightly. I now have the following docker compose file:
Now when I visit: my browser is forwarded to: so it's changed a bit. It's getting the https bit right. Firstly I checked the Java environment in the container:
so it looks like all the settings are being set successfully.
So the problem is still the fact that the first forward is wrong. |
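As an added example (not part of the thread and not code from the image or from Rundeck), the redirects reported above can be compared part by part with the external URL the proxy is reached on, which shows whether the scheme, host, port or context root is being lost. The function name `diagnose_redirect` and the `THREAD_SETTINGS` hints are assumptions made for illustration; the third sample URL is constructed.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Settings this thread examined for each part of the URL (a reading aid,
# not an authoritative mapping from the Rundeck documentation).
THREAD_SETTINGS = {
    "scheme": "X-Forwarded-Proto from the proxy, -Drundeck.jetty.connector.forwarded=true",
    "host": "SERVER_URL / grails server URL",
    "port": "SERVER_URL / grails server URL",
    "context": "-Dserver.web.context=/rundeck",
}


def _port(parts):
    """Explicit port, or the scheme default when the URL omits it."""
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def diagnose_redirect(external_base, location):
    """Return the parts of a Location header that do not match the URL
    users reach the proxy on. A relative Location is resolved against
    the external base first, as a browser would."""
    want = urlsplit(external_base)
    got = urlsplit(urljoin(external_base, location))
    wrong = []
    if got.scheme != want.scheme:
        wrong.append("scheme")   # browser would request the login page over plain HTTP
    if got.hostname != want.hostname:
        wrong.append("host")     # internal service name exposed to the browser
    if _port(got) != _port(want):
        wrong.append("port")
    ctx = want.path.rstrip("/")
    if ctx and got.path != ctx and not got.path.startswith(ctx + "/"):
        wrong.append("context")  # proxy will not route this path to Rundeck
    return wrong


if __name__ == "__main__":
    base = "https://cat-sdts.metcarob-home.com:4443/rundeck/"
    samples = [
        "http://rundeck:4440/user/login",                     # from the thread
        "http://cat-sdts.metcarob-home.com:4443/user/login",  # from the thread
        "https://cat-sdts.metcarob-home.com:4443/rundeck/user/login",  # constructed
    ]
    for loc in samples:
        wrong = diagnose_redirect(base, loc)
        print(loc, "->", wrong or "ok")
        for part in wrong:
            print("   ", part, ":", THREAD_SETTINGS[part])
```

The `Location` value to feed in is the one the browser's network tab or a header-only request shows for the first response from the proxy.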
Hi @rmetcalf9 I'm fresh out of ideas 😞 I've gone through http://rundeck.org/docs/administration/configuring-ssl.html#using-an-ssl-terminated-proxy and the open/closed issues for the Rundeck repo itself ( https://github.com/rundeck/rundeck ) and can't find anything that might help. It's probably something small we're missing out on. Do you mind opening an issue with the main Rundeck repo to see if they might be able to help? Make sure to link to this one so we can keep track of things. Really appreciate it and I hope to get you sorted soon 😄 |
Thanks |
good it running behind
maybe this info helps. |
Thanks for the info. It seems like you are running it from the base path rather than from a context. |
@rmetcalf9 @jjethwa I was trying to run the container behind a reverse proxy with context (
My nginx config: (no proxy header needed)
|
That's awesome, @laubstein Thanks so much! 😃 |
I am trying to deploy this Rundeck container as part of a docker stack deployment. I am using Kong as a front-end reverse proxy for all the various parts of the stack. Kong has my certificates installed so is terminating all my SSL traffic and making non-SSL calls to APIs inside the docker network. The entire system has a single host and port so Kong will direct traffic depending on the start of the path.
So all Rundeck calls will have the following url:
But Kong needs to forward the traffic to the docker service, which I have configured according to defaults:
I am not using SSL on rundeck.
I would like to use the docker image out of the box and pass it parameters to achieve this rather than build my own derived version.
I have not been able to get this working. I have been trying to look through the source of the docker. The relevant part of my docker compose file is:
This setup isn't working and I am struggling to debug it. What I need is a clear statement of the requirements for running Rundeck in this configuration - if it is possible.
It might be a good idea to add a documentation page in this docker repository's GitHub which describes different configuration scenarios that the container will run in and give the matching docker run commands.