From 77c5fec51eba42ed48ee3ffdb654042a99714e9d Mon Sep 17 00:00:00 2001
From: Jeff Ohrstrom
Date: Wed, 17 Apr 2024 13:07:40 -0400
Subject: [PATCH 1/3] support for configurable redirect host

---
 .../lib/ood_portal_generator/view.rb | 1 +
 .../share/ood_portal_example.yml | 6 +
 ood-portal-generator/spec/application_spec.rb | 4 +
 .../spec/fixtures/input/redirect_host.yml | 14 ++
 .../spec/fixtures/output/redirect_host.conf | 192 ++++++++++++++++++
 .../templates/ood-portal.conf.erb | 2 +-
 6 files changed, 218 insertions(+), 1 deletion(-)
 create mode 100644 ood-portal-generator/spec/fixtures/input/redirect_host.yml
 create mode 100644 ood-portal-generator/spec/fixtures/output/redirect_host.conf

diff --git a/ood-portal-generator/lib/ood_portal_generator/view.rb b/ood-portal-generator/lib/ood_portal_generator/view.rb
index 6b03276a10..6caeb5334c 100644
--- a/ood-portal-generator/lib/ood_portal_generator/view.rb
+++ b/ood-portal-generator/lib/ood_portal_generator/view.rb
@@ -39,6 +39,7 @@ def initialize(opts = {})
 @errorlog = log_filename(error_log,"error")
 @logformat = opts.fetch(:logformat, nil)
 @use_rewrites = opts.fetch(:use_rewrites, true)
+ @redirect_host = opts.fetch(:redirect_host, '%{HTTP_HOST}')
 @lua_root = opts.fetch(:lua_root, "/opt/ood/mod_ood_proxy/lib")
 @lua_log_level = opts.fetch(:lua_log_level, "info")
 @user_map_cmd = opts.fetch(:user_map_cmd, nil)
diff --git a/ood-portal-generator/share/ood_portal_example.yml b/ood-portal-generator/share/ood_portal_example.yml
index 2ab0c3ec36..228722583d 100644
--- a/ood-portal-generator/share/ood_portal_example.yml
+++ b/ood-portal-generator/share/ood_portal_example.yml
@@ -80,6 +80,12 @@
 # Default: true
 #use_rewrites: true
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+# redirect_host: my.proxy.host
+# Default: %{HTTP_HOST}
+#redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 # use_maintenance: false
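Review bot: The new `redirect_host` value is taken from `opts.fetch` as-is and, in the template hunk at the end of this patch, is placed verbatim into the port-80 `RewriteRule` target where the template itself appends `:<%= @port %>`, so a value that already carries a scheme, a port or whitespace yields a malformed or doubled redirect and nothing here states that only a bare hostname is valid. The default `%{HTTP_HOST}` is the Host header of the incoming request, meaning that until an administrator sets this key the redirect target is still taken from the client's request; the ood_portal_example.yml hunk on this same line should say so, e.g. `# Default: %{HTTP_HOST} (the Host header of the incoming request; set a fixed hostname when a proxy fronts the portal)`. A comment on the new view.rb line, `# bare hostname only: the template adds the scheme and :@port itself`, would pin that contract for the next option added here. `initialize` continues outside the hunk.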
diff --git a/ood-portal-generator/spec/application_spec.rb b/ood-portal-generator/spec/application_spec.rb
index bcf24323fb..4bebf52f72 100644
--- a/ood-portal-generator/spec/application_spec.rb
+++ b/ood-portal-generator/spec/application_spec.rb
@@ -132,6 +132,10 @@ def test_generate(input, output)
 test_generate('input/custom_directives.yml', 'output/custom_directives.conf')
 end
+ it 'redirect_host can be set' do
+ test_generate('input/redirect_host.yml', 'output/redirect_host.conf')
+ end
+
 it 'generates full OIDC config' do
 config = {
 servername: 'ondemand.example.com',
diff --git a/ood-portal-generator/spec/fixtures/input/redirect_host.yml b/ood-portal-generator/spec/fixtures/input/redirect_host.yml
new file mode 100644
index 0000000000..57042f4a8f
--- /dev/null
+++ b/ood-portal-generator/spec/fixtures/input/redirect_host.yml
@@ -0,0 +1,14 @@
+---
+auth:
+ - 'AuthType openid-connect'
+ - 'Require valid-user'
+
+servername: ondemand.example.com
+proxy_server: ondemand.proxy.example.com
+redirect_host: ondemand.redirect-proxy.example.com
+
+port: 443
+ssl:
+ - 'SSLCertificateFile /etc/pki/tls/certs/ondemand.example.com.crt'
+ - 'SSLCertificateKeyFile /etc/pki/tls/private/ondemand.example.com.key'
+ - 'SSLCertificateChainFile /etc/pki/tls/certs/ondemand.example.com-interm.crt'
\ No newline at end of file
diff --git a/ood-portal-generator/spec/fixtures/output/redirect_host.conf b/ood-portal-generator/spec/fixtures/output/redirect_host.conf
new file mode 100644
index 0000000000..7bf70f667d
--- /dev/null
+++ b/ood-portal-generator/spec/fixtures/output/redirect_host.conf
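Review bot: The new example pins only the `https` form of the rewritten rule, because the fixture it loads sets `ssl` and `port: 443`; the `@ssl ? "https" : "http"` branch of the template is never exercised with a custom host, so if the redirect block is also emitted for a non-SSL portal, a second fixture without `ssl` (or an inline `config` hash like the OIDC example below it) would be worth adding. The new fixture `redirect_host.yml` also ends without a trailing newline (`\ No newline at end of file`), which is cheap to fix now before the follow-up patch renames the file.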
@@ -0,0 +1,192 @@ +# +# Open OnDemand Portal +# +# Generated using ood-portal-generator version 0.8.0 +# +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# !! !! +# !! DO NOT EDIT THIS FILE !! +# !! !! +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# +# This file is auto-generated by ood-portal-generator and will be over-written +# in future updates. +# +# 1. To modify this file, first update the global configuration file: +# +# /etc/ood/config/ood_portal.yml +# +# You can find more information about the ood-portal-generator configuration +# at: +# +# https://osc.github.io/ood-documentation/latest/reference/commands/ood-portal-generator.html +# +# 2. Then build/install the updated Apache config with: +# +# sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal +# +# 3. Finally, restart Apache to have the changes take effect: +# +# # For CentOS 6 +# sudo service httpd24-httpd condrestart +# sudo service httpd24-htcacheclean condrestart +# +# # For CentOS 7 +# sudo systemctl try-restart httpd24-httpd.service httpd24-htcacheclean.service +# +# # For CentOS 8 +# sudo systemctl try-restart httpd.service htcacheclean.service +# + + +# Redirect all http traffic to the https Open OnDemand portal URI +# http://*:443 +# #=> https://ondemand.proxy.example.com:443 +# + + ServerName ondemand.example.com + + RewriteEngine On + RewriteRule ^(.*) https://ondemand.redirect-proxy.example.com:443$1 [R=301,NE,L] + + +# The Open OnDemand portal VirtualHost +# + + ServerName ondemand.example.com + + ErrorLog "logs/ondemand.example.com_error_ssl.log" + CustomLog "logs/ondemand.example.com_access_ssl.log" combined + + RewriteEngine On + RewriteCond %{HTTP_HOST} !^(ondemand.proxy.example.com(:443)?)?$ [NC] + RewriteRule ^(.*) https://ondemand.proxy.example.com:443$1 [R=301,NE,L] + + # Support maintenance page during outages of OnDemand + RewriteEngine On + RewriteCond /var/www/ood/public/maintenance/index.html -f + RewriteCond /etc/ood/maintenance.enable -f + RewriteCond %{REQUEST_URI} 
!/public/maintenance/.*$ + RewriteRule ^.*$ /public/maintenance/index.html [R=302,L] + + TraceEnable off + + Header always set Content-Security-Policy "frame-ancestors https://ondemand.proxy.example.com;" + Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" + + SSLEngine On + SSLCertificateFile /etc/pki/tls/certs/ondemand.example.com.crt + SSLCertificateKeyFile /etc/pki/tls/private/ondemand.example.com.key + SSLCertificateChainFile /etc/pki/tls/certs/ondemand.example.com-interm.crt + + # Lua configuration + # + LuaRoot "/opt/ood/mod_ood_proxy/lib" + LogLevel lua_module:info + + # Log authenticated user requests (requires min log level: info) + LuaHookLog logger.lua logger + + # Authenticated-user to system-user mapping configuration + # + SetEnv OOD_USER_MAP_MATCH ".*" + + # Per-user Nginx (PUN) configuration + # NB: Apache will need sudo privs to control the PUNs + # + SetEnv OOD_PUN_STAGE_CMD "sudo /opt/ood/nginx_stage/sbin/nginx_stage" + + SetEnv OOD_ALLOWED_HOSTS "ondemand.example.com,ondemand.proxy.example.com" + + + # + # Below is used for sub-uri's this Open OnDemand portal supports + # + + # Serve up publicly available assets from local file system: + # + # https://ondemand.example.com:443/public/favicon.ico + # #=> /var/www/ood/public/favicon.ico + # + Alias "/public" "/var/www/ood/public" + + Options FollowSymLinks + AllowOverride None + Require all granted + + + + + # Reverse proxy traffic to backend PUNs through Unix domain sockets: + # + # https://ondemand.example.com:443/pun/dev/app/simulations/1 + # #=> unix:/path/to/socket|http://localhost/pun/dev/app/simulations/1 + # + SetEnv OOD_PUN_URI "/pun" + + AuthType openid-connect + Require valid-user + + + ProxyPreserveHost On + ProxyAddHeaders On + ProxyPassReverse "http://localhost/pun" + + # ProxyPassReverseCookieDomain implementation (strip domain) + Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" "" + + # ProxyPassReverseCookiePath implementation (less 
restrictive) + Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun" + + SetEnv OOD_PUN_SOCKET_ROOT "/var/run/ondemand-nginx" + SetEnv OOD_PUN_MAX_RETRIES "5" + LuaHookFixups pun_proxy.lua pun_proxy_handler + + + + # Control backend PUN for authenticated user: + # NB: See mod_ood_proxy for more details. + # + # https://ondemand.example.com:443/nginx/stop + # #=> stops the authenticated user's PUN + # + SetEnv OOD_NGINX_URI "/nginx" + + AuthType openid-connect + Require valid-user + + + LuaHookFixups nginx.lua nginx_handler + + + # Redirect root URI to specified URI + # + # https://ondemand.example.com:443/ + # #=> https://ondemand.example.com:443/pun/sys/dashboard + # + RedirectMatch ^/$ "/pun/sys/dashboard" + + # Redirect logout URI to specified redirect URI + # + # https://ondemand.example.com:443/logout + # #=> https://ondemand.example.com:443/pun/sys/dashboard/logout + # + Redirect "/logout" "/pun/sys/dashboard/logout" + + + # Maintenance location + # + # https://ondemand.example.com:443/public/maintenance + # #=> Displays /var/www/ood/public/maintenance/index.html + # + + RewriteCond /etc/ood/maintenance.enable !-f + ReWriteRule ^.*$ / + + RewriteCond %{REQUEST_URI} !/public/maintenance/.*$ + RewriteRule ^.*$ /public/maintenance/index.html [R=503,L] + ErrorDocument 503 /public/maintenance/index.html + + + + diff --git a/ood-portal-generator/templates/ood-portal.conf.erb b/ood-portal-generator/templates/ood-portal.conf.erb index f4b325b711..3e03b8a5b3 100644 --- a/ood-portal-generator/templates/ood-portal.conf.erb +++ b/ood-portal-generator/templates/ood-portal.conf.erb @@ -63,7 +63,7 @@ Listen <%= addr_port %> <%- end -%> RewriteEngine On - RewriteRule ^(.*) <%= @ssl ? "https" : "http" %>://%{HTTP_HOST}:<%= @port %>$1 [R=301,NE,L] + RewriteRule ^(.*) <%= @ssl ? "https" : "http" %>://<%= @redirect_host %>:<%= @port %>$1 [R=301,NE,L] <% end -%> From 3d0247f759894569bf6d29c669a5e332eeeb1e80 Mon Sep 17 00:00:00 2001 
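Review bot: The generated fixture `redirect_host.conf` in this same patch shows the port-80 vhost sending clients to `https://ondemand.redirect-proxy.example.com:443`, while the https vhost still rewrites every Host other than the proxy server back to it (`RewriteCond %{HTTP_HOST} !^(ondemand.proxy.example.com(:443)?)?$`) and `OOD_ALLOWED_HOSTS` lists only `ondemand.example.com,ondemand.proxy.example.com`. If the redirect host terminates on this same Apache the likely outcome is a second 301 rather than a served page, and the redirect host is not in the allowed-hosts list; if it is meant to be an upstream proxy that rewrites the Host header before forwarding, the option's description should say that is the supported topology. A sentence in the ood_portal_example.yml comment, `# Intended for a proxy in front of the portal; this host is not added to OOD_ALLOWED_HOSTS`, would make the expectation explicit. The surrounding template block starts and ends outside the hunk.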
From: Jeff Ohrstrom
Date: Thu, 18 Apr 2024 11:00:27 -0400
Subject: [PATCH 2/3] rename this config to be more specific

---
 ood-portal-generator/lib/ood_portal_generator/view.rb | 2 +-
 ood-portal-generator/share/ood_portal_example.yml | 6 +++---
 ood-portal-generator/spec/fixtures/input/redirect_host.yml | 2 +-
 ood-portal-generator/templates/ood-portal.conf.erb | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/ood-portal-generator/lib/ood_portal_generator/view.rb b/ood-portal-generator/lib/ood_portal_generator/view.rb
index 6caeb5334c..23addfeab1 100644
--- a/ood-portal-generator/lib/ood_portal_generator/view.rb
+++ b/ood-portal-generator/lib/ood_portal_generator/view.rb
@@ -39,7 +39,7 @@ def initialize(opts = {})
 @errorlog = log_filename(error_log,"error")
 @logformat = opts.fetch(:logformat, nil)
 @use_rewrites = opts.fetch(:use_rewrites, true)
- @redirect_host = opts.fetch(:redirect_host, '%{HTTP_HOST}')
+ @http_redirect_host = opts.fetch(:http_redirect_host, '%{HTTP_HOST}')
 @lua_root = opts.fetch(:lua_root, "/opt/ood/mod_ood_proxy/lib")
 @lua_log_level = opts.fetch(:lua_log_level, "info")
 @user_map_cmd = opts.fetch(:user_map_cmd, nil)
diff --git a/ood-portal-generator/share/ood_portal_example.yml b/ood-portal-generator/share/ood_portal_example.yml
index 228722583d..3b733d3af8 100644
--- a/ood-portal-generator/share/ood_portal_example.yml
+++ b/ood-portal-generator/share/ood_portal_example.yml
@@ -82,9 +82,9 @@
 # Specify the host to redirect to when redirecting from port 80
 # Example:
-# redirect_host: my.proxy.host
-# Default: %{HTTP_HOST}
-#redirect_host: '%{HTTP_HOST}'
+# http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+#http_redirect_host: '%{HTTP_HOST}'
 # Should Maintenance Rewrite rules be added
 # Example:
diff --git a/ood-portal-generator/spec/fixtures/input/redirect_host.yml b/ood-portal-generator/spec/fixtures/input/redirect_host.yml
index 57042f4a8f..34ba5b80c7 100644
--- a/ood-portal-generator/spec/fixtures/input/redirect_host.yml
+++ b/ood-portal-generator/spec/fixtures/input/redirect_host.yml
@@ -5,7 +5,7 @@ auth:
 servername: ondemand.example.com
 proxy_server: ondemand.proxy.example.com
-redirect_host: ondemand.redirect-proxy.example.com
+http_redirect_host: ondemand.redirect-proxy.example.com
 port: 443
 ssl:
diff --git a/ood-portal-generator/templates/ood-portal.conf.erb b/ood-portal-generator/templates/ood-portal.conf.erb
index 3e03b8a5b3..ff4898374b 100644
--- a/ood-portal-generator/templates/ood-portal.conf.erb
+++ b/ood-portal-generator/templates/ood-portal.conf.erb
@@ -63,7 +63,7 @@ Listen <%= addr_port %>
 <%- end -%>
 RewriteEngine On
- RewriteRule ^(.*) <%= @ssl ? "https" : "http" %>://<%= @redirect_host %>:<%= @port %>$1 [R=301,NE,L]
+ RewriteRule ^(.*) <%= @ssl ? "https" : "http" %>://<%= @http_redirect_host %>:<%= @port %>$1 [R=301,NE,L]
 <% end -%>

From 2244a6c78a0ea327af075cbaf5d8d274a27fb4c9 Mon Sep 17 00:00:00 2001
From: Jeff Ohrstrom
Date: Thu, 18 Apr 2024 11:01:51 -0400
Subject: [PATCH 3/3] rename this files as appropriate

---
 ood-portal-generator/spec/application_spec.rb | 4 ++--
 .../input/{redirect_host.yml => http_redirect_host.yml} | 0
 .../output/{redirect_host.conf => http_redirect_host.conf} | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename ood-portal-generator/spec/fixtures/input/{redirect_host.yml => http_redirect_host.yml} (100%)
 rename ood-portal-generator/spec/fixtures/output/{redirect_host.conf => http_redirect_host.conf} (100%)

diff --git a/ood-portal-generator/spec/application_spec.rb b/ood-portal-generator/spec/application_spec.rb
index 4bebf52f72..c20cde94c8 100644
--- a/ood-portal-generator/spec/application_spec.rb
+++ b/ood-portal-generator/spec/application_spec.rb
@@ -132,8 +132,8 @@ def test_generate(input, output)
 test_generate('input/custom_directives.yml', 'output/custom_directives.conf')
 end
- it 'redirect_host can be set' do
- test_generate('input/redirect_host.yml', 'output/redirect_host.conf')
+ it 'http_redirect_host can be set' do
+ test_generate('input/http_redirect_host.yml', 'output/http_redirect_host.conf')
 end
 it 'generates full OIDC config' do
diff --git a/ood-portal-generator/spec/fixtures/input/redirect_host.yml b/ood-portal-generator/spec/fixtures/input/http_redirect_host.yml
similarity index 100%
rename from ood-portal-generator/spec/fixtures/input/redirect_host.yml
rename to ood-portal-generator/spec/fixtures/input/http_redirect_host.yml
diff --git a/ood-portal-generator/spec/fixtures/output/redirect_host.conf b/ood-portal-generator/spec/fixtures/output/http_redirect_host.conf
similarity index 100%
rename from ood-portal-generator/spec/fixtures/output/redirect_host.conf
rename to ood-portal-generator/spec/fixtures/output/http_redirect_host.conf