
support for multiple server names in ood-portal.conf.j2 #191

Closed
ltalirz opened this issue Jun 7, 2023 · 4 comments

Comments

@ltalirz
Contributor

ltalirz commented Jun 7, 2023

This is a minor feature request for a scenario that comes up when deploying HPC clusters in cloud environments for corporations.

  • Users of the cluster may access it through the virtual private network of the corporation, where connection to the OnDemand login node is provided via a private endpoint.
  • IT admins of the cluster may deploy/manage it from a different private network, where the private IP address / the domain name of the same Open OnDemand login node may differ.

For this to work, as of today the domain name (or the private IP address) on both sides needs to match, since the templating of the Apache configuration file only supports one server name.

It would probably not be too difficult to extend the role to support a list of server names.
I copy below a comment that may have been for a previous version of this role (and perhaps somewhat specific to use in AZ-HOP); but the basic idea still applies.

=====

For the HTTP=>HTTPS redirect rule in /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf, the generic solution is simple:

<VirtualHost *:80>
  # Send every plain-HTTP request to HTTPS on whichever host name the client used
  RewriteEngine On
  RewriteRule ^(.*) https://%{HTTP_HOST}$1 [R=301,NE,L]
</VirtualHost>

For the SSL hosts it is a little more involved since the FQDN appears in many places.
Also, the fact that different FQDNs will have different certificates means there is no similarly generic solution (some work will need to be done per domain in order to create the certificates).

The easiest way to handle this in the config file is probably using mod_macro, something like (untested):

<Macro VHost $domain>
<VirtualHost *:443>
  ServerName $domain
  ServerAlias www.$domain

  # mod_macro substitutes $domain textually, so it also works inside file names
  ErrorLog  "/var/log/httpd24/$domain_error_ssl.log"
  CustomLog "/var/log/httpd24/$domain_access_ssl.log" combined

  # Requests that reached this vhost under the www alias are redirected to the bare name
  RewriteEngine On
  RewriteCond %{HTTP_HOST} !^$domain(:443)?$ [NC]
  RewriteRule ^(.*) https://$domain$1 [R=301,NE,L]

  # Support maintenance page during outages of OnDemand
  RewriteEngine On
  RewriteCond /var/www/ood/public/maintenance/index.html -f
  RewriteCond /etc/ood/maintenance.enable -f
  RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
  RewriteRule ^.*$ /public/maintenance/index.html [R=302,L]

  # Security headers and certificate are per domain
  Header always set Content-Security-Policy "frame-ancestors https://$domain;"
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

  SSLEngine On
  SSLCertificateFile "/etc/ssl/$domain/$domain.crt"
  SSLCertificateKeyFile "/etc/ssl/$domain/$domain.key"
</VirtualHost>
</Macro>

You can then simply have one line per FQDN in the config file:

Use VHost example.com
Use VHost 10.92.4.3
@johrstrom
Collaborator

We deprecated the use of ood-portal.conf.j2. It's just too much to maintain both that and ood_portal.yml.j2, which the proper OnDemand libraries use to make the actual conf file. So, we should be using values in ood_portal.yml and let OnDemand generate the Apache config file.

#128

That said - 3.0 did ship with server_aliases (which I'm now seeing we didn't document). Would this solve your issue?

https://github.com/OSC/ondemand/blob/133b879d381a037f01bcc7a4373c71608c980dc1/ood-portal-generator/share/ood_portal_example.yml#L18-L22

If it doesn't, let me know, as I would like to enable this upstream in OnDemand itself and forgo ood_portal.conf.j2 templating.

@johrstrom
Collaborator

We have support for server_aliases here, but there appears to be a bug in it (it's using maintenance_ip_allowlist instead).

# The server aliases used for the name-based Virtual Host
# Example:
# server_aliases:
# - foo.example.com
{% if server_aliases is defined and server_aliases|length > 0 %}
server_aliases:
{% for item in maintenance_ip_allowlist %}
- '{{ item }}'
{% endfor %}
{% else %}
#server_aliases: []
{% endif %}
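
As an added example (not code from this role or from OnDemand), the following Python script renders the fragment quoted above with the jinja2 library, once as posted (looping over maintenance_ip_allowlist) and once with the loop variable corrected to server_aliases, against constructed inventory variables. It shows why the mix-up is easy to miss: with Jinja's permissive default Undefined, the loop over the undefined variable yields nothing and `server_aliases:` is emitted with no entries, and if a maintenance allowlist happens to be defined as well (for instance as a role default; the page does not show whether this role sets one), the allowlist hosts are emitted under the alias key without any error. Only strict undefined handling turns the first case into an error. The variable names, host names and the 192.0.2.10 address are constructed for the example.

```python
"""Show what the server_aliases fragment renders to, buggy vs. fixed.

Added example, not code from the ansible-role-ood or OnDemand projects. It drives
the jinja2 library directly on constructed inventory variables.
"""
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import UndefinedError

# The fragment as quoted in the issue, with the loop variable left as a
# placeholder so the same text can be rendered in its buggy and fixed forms.
FRAGMENT = """\
{% if server_aliases is defined and server_aliases|length > 0 %}
server_aliases:
{% for item in LOOP_VAR %}
- '{{ item }}'
{% endfor %}
{% else %}
#server_aliases: []
{% endif %}
"""
BUGGY = FRAGMENT.replace("LOOP_VAR", "maintenance_ip_allowlist")  # as posted
FIXED = FRAGMENT.replace("LOOP_VAR", "server_aliases")  # loop over the list the if-test checked

# Constructed variables: the operator set server_aliases only.
OPERATOR_VARS = {"server_aliases": ["ood.corp.example", "10.92.4.3"]}
# Constructed variables: the same, plus a maintenance allowlist (e.g. a role default).
OPERATOR_VARS_WITH_ALLOWLIST = {**OPERATOR_VARS, "maintenance_ip_allowlist": ["192.0.2.10"]}


def render(template: str, variables: dict, strict: bool = False) -> str:
    """Render with Jinja's permissive default Undefined, or with StrictUndefined."""
    env = Environment(undefined=StrictUndefined) if strict else Environment()
    return env.from_string(template).render(**variables)


def aliases_in(rendered: str) -> list:
    """Pull the quoted list items back out of the rendered YAML fragment."""
    return [line[3:-1] for line in rendered.splitlines() if line.startswith("- '")]


def compare() -> dict:
    """Render all variants and return what each one emits for server_aliases."""
    out = {
        "fixed": aliases_in(render(FIXED, OPERATOR_VARS)),
        # Permissive Undefined iterates as empty: 'server_aliases:' with no items.
        "buggy_permissive": aliases_in(render(BUGGY, OPERATOR_VARS)),
        # With an allowlist defined, the wrong hosts are emitted and nothing fails.
        "buggy_with_allowlist": aliases_in(render(BUGGY, OPERATOR_VARS_WITH_ALLOWLIST)),
    }
    try:
        render(BUGGY, OPERATOR_VARS, strict=True)
        out["buggy_strict"] = "rendered"
    except UndefinedError:
        out["buggy_strict"] = "UndefinedError"
    return out


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:22s} {value}")
```

Running the script prints the four variants side by side; the useful check for a role maintainer is the `buggy_with_allowlist` case, where the rendered ood_portal.yml is syntactically valid but lists hosts the operator never asked for.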

@ltalirz
Contributor Author

ltalirz commented Jun 7, 2023

Hi @johrstrom, thank you very much for the quick reply!

That said - 3.0 did ship with server_aliases (which I'm now seeing we didn't document). Would this solve your issue?

https://github.com/OSC/ondemand/blob/133b879d381a037f01bcc7a4373c71608c980dc1/ood-portal-generator/share/ood_portal_example.yml#L18-L22

That is great news, thank you! Indeed, that will solve the issue once we upgrade.

@xpillons @matt-chan

@ltalirz ltalirz closed this as completed Jun 7, 2023
@johrstrom
Collaborator

Thanks! I'll fix the bug in this role's support for server_aliases today.
