support for configurable redirect host (#3515)

Add support for configurable redirect host, defaulting to %{HTTP_HOST}.

ood-portal-generator/lib/ood_portal_generator/view.rb

@@ -39,6 +39,7 @@ def initialize(opts = {})
       @errorlog         = log_filename(error_log,"error")
       @logformat        = opts.fetch(:logformat, nil)
       @use_rewrites     = opts.fetch(:use_rewrites, true)
+      @http_redirect_host = opts.fetch(:http_redirect_host, '%{HTTP_HOST}')
       @lua_root         = opts.fetch(:lua_root, "/opt/ood/mod_ood_proxy/lib")
       @lua_log_level    = opts.fetch(:lua_log_level, "info")
       @user_map_cmd     = opts.fetch(:user_map_cmd, nil)

ood-portal-generator/share/ood_portal_example.yml

@@ -80,6 +80,12 @@
 # Default: true
 #use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+#     http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+#http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 #   use_maintenance: false

ood-portal-generator/spec/application_spec.rb

@@ -132,6 +132,10 @@ def test_generate(input, output)
       test_generate('input/custom_directives.yml', 'output/custom_directives.conf')
     end
 
+    it 'http_redirect_host can be set' do
+      test_generate('input/http_redirect_host.yml', 'output/http_redirect_host.conf')
+    end
+
     it 'generates full OIDC config' do
       config = {
         servername: 'ondemand.example.com',

ood-portal-generator/spec/fixtures/input/http_redirect_host.yml

@@ -0,0 +1,14 @@
+---
+auth:
+ - 'AuthType openid-connect'
+ - 'Require valid-user'
+
+servername: ondemand.example.com
+proxy_server: ondemand.proxy.example.com
+http_redirect_host: ondemand.redirect-proxy.example.com
+
+port: 443
+ssl:
+  - 'SSLCertificateFile /etc/pki/tls/certs/ondemand.example.com.crt'
+  - 'SSLCertificateKeyFile /etc/pki/tls/private/ondemand.example.com.key'
+  - 'SSLCertificateChainFile /etc/pki/tls/certs/ondemand.example.com-interm.crt'

ood-portal-generator/spec/fixtures/output/http_redirect_host.conf

@@ -0,0 +1,192 @@
+#
+# Open OnDemand Portal
+#
+# Generated using ood-portal-generator version 0.8.0
+#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# !!                                    !!
+# !!     DO NOT EDIT THIS FILE          !!
+# !!                                    !!
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+#
+# This file is auto-generated by ood-portal-generator and will be over-written
+# in future updates.
+#
+# 1. To modify this file, first update the global configuration file:
+#
+#      /etc/ood/config/ood_portal.yml
+#
+#    You can find more information about the ood-portal-generator configuration
+#    at:
+#
+#      https://osc.github.io/ood-documentation/latest/reference/commands/ood-portal-generator.html
+#
+# 2. Then build/install the updated Apache config with:
+#
+#      sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal
+#
+# 3. Finally, restart Apache to have the changes take effect:
+#
+#      # For CentOS 6
+#      sudo service httpd24-httpd condrestart
+#      sudo service httpd24-htcacheclean condrestart
+#
+#      # For CentOS 7
+#      sudo systemctl try-restart httpd24-httpd.service httpd24-htcacheclean.service
+#
+#      # For CentOS 8
+#      sudo systemctl try-restart httpd.service htcacheclean.service
+#
+
+
+# Redirect all http traffic to the https Open OnDemand portal URI
+#     http://*:443
+#     #=> https://ondemand.proxy.example.com:443
+#
+<VirtualHost *:80>
+  ServerName ondemand.example.com
+
+  RewriteEngine On
+  RewriteRule ^(.*) https://ondemand.redirect-proxy.example.com:443$1 [R=301,NE,L]
+</VirtualHost>
+
+# The Open OnDemand portal VirtualHost
+#
+<VirtualHost *:443>
+  ServerName ondemand.example.com
+
+  ErrorLog  "logs/ondemand.example.com_error_ssl.log"
+  CustomLog "logs/ondemand.example.com_access_ssl.log" combined
+
+  RewriteEngine On
+  RewriteCond %{HTTP_HOST} !^(ondemand.proxy.example.com(:443)?)?$ [NC]
+  RewriteRule ^(.*) https://ondemand.proxy.example.com:443$1 [R=301,NE,L]
+
+  # Support maintenance page during outages of OnDemand
+  RewriteEngine On
+  RewriteCond /var/www/ood/public/maintenance/index.html -f
+  RewriteCond /etc/ood/maintenance.enable -f
+  RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
+  RewriteRule ^.*$ /public/maintenance/index.html [R=302,L]
+
+  TraceEnable off
+
+  Header always set Content-Security-Policy "frame-ancestors https://ondemand.proxy.example.com;"
+  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+
+  SSLEngine On
+  SSLCertificateFile /etc/pki/tls/certs/ondemand.example.com.crt
+  SSLCertificateKeyFile /etc/pki/tls/private/ondemand.example.com.key
+  SSLCertificateChainFile /etc/pki/tls/certs/ondemand.example.com-interm.crt
+
+  # Lua configuration
+  #
+  LuaRoot "/opt/ood/mod_ood_proxy/lib"
+  LogLevel lua_module:info
+
+  # Log authenticated user requests (requires min log level: info)
+  LuaHookLog logger.lua logger
+
+  # Authenticated-user to system-user mapping configuration
+  #
+  SetEnv OOD_USER_MAP_MATCH ".*"
+
+  # Per-user Nginx (PUN) configuration
+  # NB: Apache will need sudo privs to control the PUNs
+  #
+  SetEnv OOD_PUN_STAGE_CMD "sudo /opt/ood/nginx_stage/sbin/nginx_stage"
+
+  SetEnv OOD_ALLOWED_HOSTS "ondemand.example.com,ondemand.proxy.example.com"
+
+
+  #
+  # Below is used for sub-uri's this Open OnDemand portal supports
+  #
+
+  # Serve up publicly available assets from local file system:
+  #
+  #     https://ondemand.example.com:443/public/favicon.ico
+  #     #=> /var/www/ood/public/favicon.ico
+  #
+  Alias "/public" "/var/www/ood/public"
+  <Directory "/var/www/ood/public">
+    Options FollowSymLinks
+    AllowOverride None
+    Require all granted
+  </Directory>
+
+
+
+  # Reverse proxy traffic to backend PUNs through Unix domain sockets:
+  #
+  #     https://ondemand.example.com:443/pun/dev/app/simulations/1
+  #     #=> unix:/path/to/socket|http://localhost/pun/dev/app/simulations/1
+  #
+  SetEnv OOD_PUN_URI "/pun"
+  <Location "/pun">
+    AuthType openid-connect
+    Require valid-user
+
+
+    ProxyPreserveHost On
+    ProxyAddHeaders On
+    ProxyPassReverse "http://localhost/pun"
+
+    # ProxyPassReverseCookieDomain implementation (strip domain)
+    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
+
+    # ProxyPassReverseCookiePath implementation (less restrictive)
+    Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun"
+
+    SetEnv OOD_PUN_SOCKET_ROOT "/var/run/ondemand-nginx"
+    SetEnv OOD_PUN_MAX_RETRIES "5"
+    LuaHookFixups pun_proxy.lua pun_proxy_handler
+
+  </Location>
+
+  # Control backend PUN for authenticated user:
+  # NB: See mod_ood_proxy for more details.
+  #
+  #    https://ondemand.example.com:443/nginx/stop
+  #    #=> stops the authenticated user's PUN
+  #
+  SetEnv OOD_NGINX_URI "/nginx"
+  <Location "/nginx">
+    AuthType openid-connect
+    Require valid-user
+
+
+    LuaHookFixups nginx.lua nginx_handler
+  </Location>
+
+  # Redirect root URI to specified URI
+  #
+  #     https://ondemand.example.com:443/
+  #     #=> https://ondemand.example.com:443/pun/sys/dashboard
+  #
+  RedirectMatch ^/$ "/pun/sys/dashboard"
+
+  # Redirect logout URI to specified redirect URI
+  #
+  #     https://ondemand.example.com:443/logout
+  #     #=> https://ondemand.example.com:443/pun/sys/dashboard/logout
+  #
+  Redirect "/logout" "/pun/sys/dashboard/logout"
+
+
+  # Maintenance location
+  #
+  #     https://ondemand.example.com:443/public/maintenance
+  #     #=> Displays /var/www/ood/public/maintenance/index.html
+  #
+  <Directory "/var/www/ood/public/maintenance">
+    RewriteCond /etc/ood/maintenance.enable !-f
+    ReWriteRule ^.*$ /
+
+    RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
+    RewriteRule ^.*$ /public/maintenance/index.html [R=503,L]
+    ErrorDocument 503 /public/maintenance/index.html
+  </Directory>
+
+
+</VirtualHost>

ood-portal-generator/templates/ood-portal.conf.erb

@@ -63,7 +63,7 @@ Listen <%= addr_port %>
   <%- end -%>
 
   RewriteEngine On
-  RewriteRule ^(.*) <%= @ssl ? "https" : "http" %>://%{HTTP_HOST}:<%= @port %>$1 [R=301,NE,L]
+  RewriteRule ^(.*) <%= @ssl ? "https" : "http" %>://<%= @http_redirect_host %>:<%= @port %>$1 [R=301,NE,L]
 </VirtualHost>
 <% end -%>