Bug 1353093

Summary: [RFE] oVirt/RHV 4 should be accessible from reverse proxy server
Product: Red Hat Enterprise Virtualization Manager
Reporter: Marcus West <mwest>
Component: RFEs
Assignee: Martin Perina <mperina>
Status: CLOSED CURRENTRELEASE
QA Contact: Jiri Belka <jbelka>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.0.0
CC: amarchuk, dornelas, eedri, gklein, lsurette, lsvaty, mgoldboi, mkalinin, mperina, mwest, omachace, pstehlik, rbalakri, srevivo, tjelinek, ykaul
Target Milestone: ovirt-4.0.4
Keywords: FutureFeature, ZStream
Target Release: 4.0.4
Flags: jbelka: testing_plan_complete-
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Settings needed to configure oVirt/RHV 4 with a reverse proxy server are described in the doc texts of the dependent bugs BZ1325746 and BZ1362196.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-10 11:52:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1325746, 1362196, 1376329, 1376330
Bug Blocks:

Description Marcus West 2016-07-06 04:45:50 UTC
oVirt/RHEV 4 should be accessible from reverse proxy server

Comment 2 Derrick Ornelas 2016-07-28 21:14:13 UTC
Marcus, can you confirm if you've tried the reverse proxy directions written by Martin here:  http://lists.ovirt.org/pipermail/users/2016-July/040877.html

Comment 6 Martin Perina 2016-08-04 13:13:16 UTC
Please take a look at BZ1325746 and BZ1362196, those are targeted to 4.0.4 and they should solve all currently known issues around accessing the engine with multiple different FQDNs and allow using dynamic ports (so the engine can run inside a container).

Comment 7 Martin Perina 2016-08-04 13:14:09 UTC
Restoring needinfo

Comment 8 Jiri Belka 2016-09-08 11:53:31 UTC
ok, ovirt-engine-4.0.4.1-0.1.el7ev.noarch

tested via apache httpd 2.x as reverse proxy. (Tested with self-signed certs on the httpd host, playing with custom certificates can be an exercise for interested users. Also the engine's cert verification was not done. SPICE console opening was successful as well.)

~~~

== /etc/httpd/conf.d/proxy.conf
<VirtualHost _default_:80>

  ServerAdmin root@localhost
  ServerName 10-34-61-191.example.com:80

  # pass the browser's Host header through, so the engine sees the proxy FQDN
  # (that FQDN must then be listed in SSO_ALTERNATE_ENGINE_FQDNS, see below)
  ProxyPreserveHost On
  ProxyPass / http://jb-rhevm40.example.com/ retry=0
  ProxyPassReverse / http://jb-rhevm40.example.com/

  ErrorLog logs/proxy_error_log
  TransferLog logs/proxy_access_log
  LogLevel warn

</VirtualHost>


== /etc/httpd/conf.d/ssl.conf
Listen 10.34.61.191:443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

<VirtualHost _default_:443>

  ServerName 10-34-61-191.example.com:443

  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn

  SSLEngine on
  # "all -SSLv2" still leaves SSLv3 and TLS 1.0 enabled where the OpenSSL build supports them
  SSLProtocol all -SSLv2
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
  #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

  # do not verify the engine's certificate on the proxy->engine hop (test setup only, see note above)
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # proxy to engine; ProxyPreserveHost keeps the proxy FQDN in the Host header
  ProxyPreserveHost On
  ProxyPass / https://jb-rhevm40.example.com/ retry=0
  ProxyPassReverse / https://jb-rhevm40.example.com/

  BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

  CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
~~~

~~~
# cat /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf
SSO_ALTERNATE_ENGINE_FQDNS="10-34-61-191.example.com jb-rhevm40.example.com"
~~~
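
The test setup above deliberately skips two things a production deployment should not: the proxy never verifies the engine's certificate (SSLProxyVerify None, SSLProxyCheckPeerName Off), and SSLProtocol only excludes SSLv2. The proxy FQDN also has to appear in SSO_ALTERNATE_ENGINE_FQDNS and ProxyPreserveHost has to be On, or SSO redirects go to the wrong name. The following script is an added example (not code from this bug, from oVirt/RHV or from httpd) that lints a vhost file together with the engine.conf.d override for exactly those points. The two sample vhosts inside it are constructed in the shape of the config posted in comment 8; the hardened variant's CA file path /etc/pki/tls/certs/engine-ca.pem is an assumption.

```python
"""Offline lint for an httpd reverse-proxy vhost in front of oVirt/RHV 4.

Added example, not oVirt/RHV or httpd code.  It parses <VirtualHost> blocks
and an engine.conf.d KEY="value" override, and reports:
  - the proxy FQDN missing from SSO_ALTERNATE_ENGINE_FQDNS
  - ProxyPreserveHost not On in a proxying vhost
  - an https backend reached without certificate verification
  - an SSLProtocol line that does not explicitly disable SSLv3/TLS 1.0/1.1
"""
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample: the settings tested in comment 8 (proxy->engine hop unverified).
WEAK_VHOST = """\
<VirtualHost _default_:443>
  ServerName 10-34-61-191.example.com:443
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off
  ProxyPreserveHost On
  ProxyPass / https://jb-rhevm40.example.com/ retry=0
  ProxyPassReverse / https://jb-rhevm40.example.com/
  BrowserMatch "MSIE [2-5]" \\
         nokeepalive ssl-unclean-shutdown
</VirtualHost>
"""

# Constructed hardened variant; the CA file path is an assumption (it should hold the
# engine CA, i.e. /etc/pki/ovirt-engine/ca.pem copied from the engine host).
HARDENED_VHOST = """\
<VirtualHost _default_:443>
  ServerName 10-34-61-191.example.com:443
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLProxyEngine On
  SSLProxyVerify require
  SSLProxyCheckPeerName On
  SSLProxyCACertificateFile /etc/pki/tls/certs/engine-ca.pem
  ProxyPreserveHost On
  ProxyPass / https://jb-rhevm40.example.com/ retry=0
  ProxyPassReverse / https://jb-rhevm40.example.com/
</VirtualHost>
"""

# Same content as the 99-custom-sso-setup.conf shown in comment 8.
ENGINE_CONF = 'SSO_ALTERNATE_ENGINE_FQDNS="10-34-61-191.example.com jb-rhevm40.example.com"\n'


def _logical_lines(text):
    """Join httpd backslash-continued lines, drop blank and comment lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line and not line.startswith("#"):
            yield line


def parse_vhosts(text):
    """Return one dict per <VirtualHost>: lowercased directive -> list of argument lists."""
    vhosts, current = [], None
    for line in _logical_lines(text):
        if re.match(r"<virtualhost\b", line, re.I):
            current = {}
        elif re.match(r"</virtualhost>", line, re.I):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None:
            parts = shlex.split(line)
            if parts:
                current.setdefault(parts[0].lower(), []).append(parts[1:])
    return vhosts


def parse_engine_conf(text):
    """Parse the KEY="value" lines used in /etc/ovirt-engine/engine.conf.d/*.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = " ".join(shlex.split(value))
    return conf


def _first(vh, directive, default):
    args = vh.get(directive)
    return args[0][0] if args and args[0] else default


def lint(vhost_text, engine_text):
    """Return a list of findings; empty when the proxy setup looks right."""
    findings = []
    alt_fqdns = set(parse_engine_conf(engine_text).get("SSO_ALTERNATE_ENGINE_FQDNS", "").split())
    for vh in parse_vhosts(vhost_text):
        if "proxypass" not in vh:
            continue  # not a reverse-proxy vhost
        name = _first(vh, "servername", "?").split(":")[0]
        if name not in alt_fqdns:
            findings.append(f"{name}: not in SSO_ALTERNATE_ENGINE_FQDNS, which the engine needs to accept SSO logins via this name")
        if _first(vh, "proxypreservehost", "off").lower() != "on":
            findings.append(f"{name}: ProxyPreserveHost is not On, so the engine sees the backend name and redirects the browser there")
        backends = [args[1] for args in vh["proxypass"] if len(args) > 1]
        if any(urlsplit(b).scheme == "https" for b in backends):
            if _first(vh, "sslproxyverify", "none").lower() != "require":
                findings.append(f"{name}: SSLProxyVerify is not 'require'; the engine certificate is not verified on the proxy->engine hop")
            if "sslproxycacertificatefile" not in vh:
                findings.append(f"{name}: no SSLProxyCACertificateFile; the engine CA is not pinned for the proxy->engine hop")
            if _first(vh, "sslproxycheckpeername", "on").lower() == "off":
                findings.append(f"{name}: SSLProxyCheckPeerName Off disables hostname matching against the engine certificate")
        tokens = {t.lower() for t in (vh.get("sslprotocol") or [[]])[0]}
        if "all" in tokens:
            weak = [p for p in ("sslv3", "tlsv1", "tlsv1.1") if "-" + p not in tokens]
            if weak:
                findings.append(f"{name}: SSLProtocol does not explicitly disable {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(f"[{label}]", *(lint(text, ENGINE_CONF) or ["no findings"]), sep="\n  ")
```

Run against the weak sample it reports four findings (unverified engine cert, no CA file, peer name check off, SSLv3/TLS 1.0/1.1 not disabled); the hardened sample is clean as long as the proxy FQDN is in SSO_ALTERNATE_ENGINE_FQDNS. To actually pin the engine CA, copy /etc/pki/ovirt-engine/ca.pem from the engine host (or fetch it from https://<engine-fqdn>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X-PEM-CA) to the path given in SSLProxyCACertificateFile.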

Comment 9 Jiri Belka 2016-09-08 15:06:42 UTC
I managed to get working kerberos SSO via reverse proxy, here are some details:

- add the reverse proxy FQDN into IPA
~~~
ipa host-add 10-34-61-191.example.com
ipa service-add HTTP/10-34-61-191.example.com
ipa-getkeytab -p HTTP/10-34-61-191.example.com -k /tmp/temporary.keytab
~~~
- get the already existing http.keytab
- merge the keytabs (on the IPA host)
~~~
ktutil
: rkt /tmp/temporary.keytab
: rkt http.keytab
: list
: wkt /tmp/new.keytab
~~~
- copy the new keytab to the engine host as http.keytab

After opening User Portal via reverse proxy URL (10-34-61-191.example.com), I get automatically logged in and klist shows:

~~~
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: vdcadmin@BRQ-IPA.EXAMPLE.COM

  Issued                Expires               Principal
Sep  8 16:18:43 2016  Sep  9 02:18:42 2016  krbtgt/BRQ-IPA.EXAMPLE.COM@BRQ-IPA.EXAMPLE.COM
Sep  8 16:30:21 2016  Sep  9 02:18:42 2016  HTTP/jb-rhevm40.example.com@BRQ-IPA.EXAMPLE.COM
Sep  8 16:57:44 2016  Sep  9 02:18:42 2016  HTTP/10-34-61-191.example.com@BRQ-IPA.EXAMPLE.COM
~~~