Bug 1354538
| Summary: | CloudForm 4.1: WebUI switch CloudForms to run on port 80 (from 443) break the portal | | |
|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | John Prause <jprause> |
| Component: | UI - OPS | Assignee: | Martin Povolny <mpovolny> |
| Status: | CLOSED NOTABUG | QA Contact: | Dmitry Misharov <dmisharo> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 5.6.0 | CC: | cpelland, fahmed, hkataria, jhardy, jkrocil, mfalesni, mpovolny, obarenbo |
| Target Milestone: | GA | Keywords: | ZStream |
| Target Release: | 5.6.2 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | ui:appliance | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1351417 | Environment: | |
| Last Closed: | 2016-09-06 15:33:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1351417 | | |
| Bug Blocks: | | | |
Confirming that the API and HTML 5 consoles work with the above solution. Pasted the wrong file in the previous comment.
Here's my /etc/httpd/conf.d/manageiq-http.conf:
## ManageIQ HTTP Virtual Host Context
# Timeout: The number of seconds before receives and sends time out.
Timeout 120
# HTTP Start-up error log
ErrorLog /var/www/miq/vmdb/log/apache/miq_apache.log
# Disable this section if using HTTP only
RewriteEngine On
Options SymLinksIfOwnerMatch
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
# Enable this section if using HTTP only
<VirtualHost *:80>
KeepAlive on
DocumentRoot /var/www/miq/vmdb/public
Include conf.d/manageiq-redirects-ui
Include conf.d/manageiq-redirects-ws
Include conf.d/manageiq-redirects-websocket
ProxyPreserveHost on
LogLevel warn
<Location /assets/>
Header unset ETag
FileETag None
ExpiresActive On
ExpiresDefault "access plus 1 year"
</Location>
</VirtualHost>
~
Here is feedback after the config test:
Customer setup - Customer is getting the Apache test page!
My setup - I am getting the login page, but after user/password it is not responding. The page is standing still.
- HTTPS is still working with the same username and password
Created attachment 1183531
Fresh Log from Customer appliance
The comment "Disable this section if using HTTP only" above the lines below is nonsense. It's a leftover. I'll fix that in the next release of the appliance.
# Disable this section if using HTTP only
RewriteEngine On
Options SymLinksIfOwnerMatch
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
The two lines
RewriteEngine On
Options SymLinksIfOwnerMatch
need to be left untouched or, if you disable the rewrite engine, no rewrite rules will work and the UI will not be accessible.
The other 2 lines:
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
have no effect in our case so you might comment that out. It's useful if you want a setup where port 80 would be opened just to redirect requests to port 443.
For the line:
ErrorLog /var/www/miq/vmdb/log/apache/miq_apache.log
you could add another
TransferLog /var/www/miq/vmdb/log/apache/access.log
depending on how/if you plan to process the logs. We should check how the log is rotated on the appliance and make sure that the logs do not grow forever.
So that is (I hope ;-)) an explanation of what you have experienced.
As of the last change:
# Listen 443
Yes, if you comment out that line, you disable Apache on port 443 so that it will be listening only on port 80.
If that is the goal, then OK, it's right to do it.
I believe that the information requested was provided so I am closing this BZ. I am ready to help review a new DOC article if my help is needed. We can probably elaborate a bit on the various cases (HTTP only / HTTPS+HTTP / HTTPS only / HTTP redirecting to HTTPS).
Hi. I have it working. The UI runs, have check the API and most likely fix HTML5 consoles. My content of /etc/httpd/conf.d/manageiq-https-application.conf
<VirtualHost *:443>
KeepAlive on
DocumentRoot /var/www/miq/vmdb/public
# The following redirects files must be included to
# handle most specific to least specific URLs.
Include conf.d/manageiq-redirects-ws
Include conf.d/manageiq-redirects-ui
Include conf.d/manageiq-redirects-websocket
ProxyPreserveHost on
RequestHeader set X_FORWARDED_PROTO 'https'
ErrorLog /var/www/miq/vmdb/log/apache/ssl_error.log
TransferLog /var/www/miq/vmdb/log/apache/ssl_access.log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW
SSLCertificateFile /var/www/miq/vmdb/certs/server.cer
SSLCertificateKeyFile /var/www/miq/vmdb/certs/server.cer.key
<Location /assets/>
Header unset ETag
FileETag None
ExpiresActive On
ExpiresDefault "access plus 1 year"
</Location>
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
<Location /proxy_pages/>
ErrorDocument 403 /error/noindex.html
ErrorDocument 404 /error/noindex.html
</Location>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/www/miq/vmdb/log/apache/ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Then in /var/www/miq/vmdb/config/initializers/session_store.rb you need to comment out the line 13:
# session_options[:secure] = true
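An added example, not part of the bug comments or the appliance's own code: a small checker that reads merged httpd configuration text and reports which of the four cases named above (HTTP only / HTTPS+HTTP / HTTPS only / HTTP redirecting to HTTPS) it implements. The function name, the sample configs and the rule that only a `RewriteRule` inside the port-80 virtual host counts as a redirect are assumptions of this example.

```python
import re

# Constructed sample: HTTP only, with the 443 listener commented out.
SAMPLE_HTTP_ONLY = """\
Listen 80
# Listen 443
<VirtualHost *:80>
DocumentRoot /var/www/miq/vmdb/public
</VirtualHost>
"""

# Constructed sample: port 80 open only to redirect requests to port 443.
SAMPLE_REDIRECT = """\
Listen 80
Listen 443
<VirtualHost *:80>
RewriteEngine On
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
</VirtualHost>
"""

def classify(conf):
    """Classify merged httpd config text by how ports 80 and 443 are served."""
    listen, vhosts, current = set(), {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out directives are inactive
            continue
        m_listen = re.match(r"(?i)Listen\s+(?:\S+:)?(\d+)\b", line)
        m_vhost = re.match(r"(?i)<VirtualHost\s+\S*:(\d+)", line)
        if m_listen:
            listen.add(int(m_listen.group(1)))
        elif m_vhost:
            current = int(m_vhost.group(1))
            vhosts.setdefault(current, [])
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None:
            vhosts[current].append(line)
    served = listen & set(vhosts)  # a vhost without a matching Listen is unreachable
    # Assumption of this example: only rules inside the port-80 vhost count.
    redirect80 = any(re.match(r"(?i)RewriteRule\s+\S+\s+https://", d)
                     for d in vhosts.get(80, []))
    if served >= {80, 443}:
        return "http-redirects-to-https" if redirect80 else "https+http"
    return {(80,): "http-only", (443,): "https-only"}.get(tuple(served), "unknown")
```

Only the `https-only` and `http-redirects-to-https` results leave `session_options[:secure] = true` usable, because browsers do not send cookies marked Secure over plain HTTP. In the other two modes the session cookie travels unencrypted on port 80.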