Bug 1266989

Summary: Redirect issues due to changing to 172.16.x.x network
Product: OpenShift Online
Reporter: Ryan Howe <rhowe>
Component: Image
Assignee: Timothy Williams <tiwillia>
Status: CLOSED WONTFIX
QA Contact: DeShuai Ma <dma>
Severity: low
Priority: unspecified
Version: 2.x
CC: agrimm, aos-bugs, jokerman, mmccomas, rthrashe, tiwillia
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-12-18 20:08:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Ryan Howe 2015-09-28 18:26:41 UTC
Description of problem:

This issue is related to our VPC migration in early August.  This migration moved us from a 10.x.x.x network to a 172.16.x.x network.  According to the RemoteIPValve documentation for the internalProxies at https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html :

"By default, 10/8, 192.168/16, 169.254/16 and 127/8 are allowed ; 172.16/12 has not been enabled by default because it is complex to describe with regular expressions"

The solution is to define the Valve in context.xml slightly differently from what the knowledgebase article describes.  The following should work:

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           protocolHeader="x-forwarded-proto"
           internalProxies="169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.16\.\d{1,2}\.\d{1,3}" />



Version-Release number of selected component (if applicable):
2.2.6

How reproducible:
100%

Steps to Reproduce:

# rhc app create jbossews-2.0 -a work -s
# rhc cartridge scale jbossews-2.0 --min 2 --max 2 -a work

Follow the previous instructions:
https://forums.openshift.com/how-to-redirect-all-http-traffic-to-https-on-tomcat-7-jboss-ews-20-in-war

- git add, commit, push
- Test in a private window: the results are weird because everything works, but then if you try again with a private window it doesn't

- curl to local gear passes



Actual results:

- Redirect error 

Expected results:

- Work like it did in the past. 

Additional info:

Since we have moved from a 10.x.x.x network to a 172.16.x.x network, should we update the online docs or provide an announcement?

Comment 2 Timothy Williams 2015-12-18 20:08:08 UTC
We do not plan on changing the cartridge. This is due to the change allowing all 172.16.0.0 addresses rather than just the 172.16.0.0/12 addresses. Instead, we've made the article that describes the workaround public to all users. This should allow users who may still be hitting this issue to find a workaround:

  https://access.redhat.com/site/solutions/749733

Closing this.
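
The trust-list matching discussed in this bug, as an added example that is not part of the original report or of the cartridge: it checks which remote addresses each `internalProxies` pattern would treat as a trusted proxy and compares the 172.x patterns against the real 172.16.0.0/12 block. The default pattern is written out from the ranges the quoted documentation lists, and `RFC1918_172`, the helper names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Tomcat 7 default trust list, written out from the ranges the quoted
# documentation names (10/8, 192.168/16, 169.254/16, 127/8).
TOMCAT7_DEFAULT = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
)
# internalProxies value proposed in the bug description (dots escaped).
REPORTED = (
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.16\.\d{1,2}\.\d{1,3}"
)
# Assumption, not from the page: a pattern for exactly 172.16.0.0/12,
# i.e. second octet 16 through 31.
RFC1918_172 = r"172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"


def is_internal_proxy(pattern, remote_addr):
    """The valve matches the whole remote address, hence fullmatch."""
    return re.fullmatch(pattern, remote_addr) is not None


def cidr_mismatches(pattern, cidr):
    """172.x.y.1 addresses where the regex and the CIDR block disagree."""
    net = ipaddress.ip_network(cidr)
    bad = []
    for second in range(256):
        for third in range(256):
            addr = f"172.{second}.{third}.1"
            in_net = ipaddress.ip_address(addr) in net
            if is_internal_proxy(pattern, addr) != in_net:
                bad.append(addr)
    return bad


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the bug report.
    for addr in ("10.1.2.3", "172.16.4.20", "172.16.100.5", "172.31.9.9", "172.32.0.1"):
        verdicts = [is_internal_proxy(p, addr)
                    for p in (TOMCAT7_DEFAULT, REPORTED, RFC1918_172)]
        print(f"{addr:14} default/reported/slash12 = {verdicts}")
    print("reported vs /12:", len(cidr_mismatches(REPORTED, "172.16.0.0/12")))
    print("slash12  vs /12:", len(cidr_mismatches(RFC1918_172, "172.16.0.0/12")))
```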