Bug 995559
Summary: | Cannot create a resteasy 3 oauth2 server app because of redirect loop
---|---
Product: | OpenShift Online
Reporter: | German <mitking>
Component: | Containers
Assignee: | Dan Mace <dmace>
Status: | CLOSED NOTABUG
QA Contact: | libra bugs <libra-bugs>
Severity: | high
Priority: | medium
Version: | 1.x
CC: | erich, jdetiber, mitking, nduong
Hardware: | x86_64
OS: | Linux
Doc Type: | Bug Fix
Last Closed: | 2013-08-21 14:45:39 UTC
Type: | Bug

Description
German
2013-08-09 17:39:19 UTC
The user needs SSL access to the gear and we terminate SSL at the frontend apache on the node. OpenShift doesn't pass https down to the gears, it's terminated at the front-end Apache server proxied to the gears using https. On an SSL connection to the frontend, the gear receives the following headers in addition to normal parsed headers:

    X-Forwarded-Proto = "https"
    X-Forwarded-SSL-Client-Cert contains the client cert if there was one.
    X-Client-IP = the IP address which contacted the front-end.

The original request headers and cookies should pass through the proxy.

I wasn't able to get your application running to inspect it further (it gives 404 errors on my test setup, even when accessing snoop.jsp). One of our Java people may be able to dig into it and find out what's missing. Were the headers above enough to get your app working with the proxied http connection?

I think that headers are not enough because this working test extracted from rest easy 3 provided examples is not interpreting them or is not what it needs to understand ssl. I'm not an expert on this.

The zip provided works nicely on an openshift jboss7 scalable application, it needs the app-root/repo folder in order to locate realm.jks and client-truststore.ts. Those two files are not packed inside the final deployable war, if you want to run this test app outside the described environment you must copy those two files to a known location and change the corresponding property in pom.xml before building the war file.

In profiles definition in pom.xml you will find this properties definition:

    <properties>
      <keyspath>${env.OPENSHIFT_REPO_DIR}</keyspath>
    </properties>

You must change this openshift env var to a full path where the app could find those two files. For example: /Users/Rob/testfiles

I don't know if this is the problem you are having but worth a try. I think it would be interesting to run this test to see the exact problem of the redirecting loop. Looking forward to getting this solved. Thank you!

Passing to one of our developers who is more familiar with JBoss to see what can be done for the app to deal with SSL termination at the front-end Apache (OpenShift does not pass SSL through to the gear).

I think that definition of severity low does not fit with the impact this has on my development, so raised it to high. I cannot continue my development with this redirecting loop thing, and after talking with openshift people they agree that this could be a bug. I need some advice or actions to be taken. Thank you!

JBoss has explicit support for HTTPS connectors running behind a front-end proxy. In your JBoss standalone.xml configuration, do something like this to configure the HTTP connector for proxy support:

    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" proxy-name="${OPENSHIFT_GEAR_DNS}" proxy-port="443" secure="true"/>

This resolves the redirect loop. Please refer to the following documentation for further options (such as redirecting HTTP requests to HTTPS, something I didn't account for here):

https://docs.jboss.org/jbossweb/7.0.x/config/http.html

Closing the issue, as there's no bug (just a difference in local/deployed environment configuration in that in the deployed environment there's a haproxy instance which must be accounted for).

The following community posts provide more information on how to detect https/http from the JBoss container and redirecting http -> https:

https://www.openshift.com/kb/kb-e1044-how-to-redirect-traffic-to-https
https://www.openshift.com/forums/openshift/redirect-to-https-fails-port-8443

Thank you all. I can confirm that Dan Mace's suggestion is preventing the redirect loop thing. And my test case scenario is working. Now I need to test my production environment. Again, thank you.
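
The redirect loop discussed in this report, as an added example that is not code from the reporter's application, OpenShift or JBoss: a small Python model of a front end that terminates SSL and forwards plain HTTP to an application that insists on HTTPS. The host name, the trusted proxy address and all function names are assumptions made for the illustration.

```python
# Constructed model of SSL termination at a front-end proxy.
TRUSTED_PROXIES = {"127.0.0.1"}  # assumption: address of the SSL-terminating front end
LOGIN_URL = "https://app.example.test/oauth/login"  # placeholder host

def effective_scheme(peer_ip, headers, honor_forwarded):
    """Scheme the application should believe the client used."""
    if honor_forwarded and peer_ip in TRUSTED_PROXIES:
        # Only the trusted front end may assert the original scheme;
        # the same header from any other peer is ignored.
        proto = headers.get("X-Forwarded-Proto", "").strip().lower()
        if proto in ("http", "https"):
            return proto
    return "http"  # the gear-side socket itself only ever carries plain HTTP

def app_response(peer_ip, headers, honor_forwarded):
    """Gear-side application that requires HTTPS, as an OAuth2 endpoint does."""
    if effective_scheme(peer_ip, headers, honor_forwarded) != "https":
        return 302, LOGIN_URL
    return 200, None

def proxy_request(client_scheme, honor_forwarded, client_headers=None):
    """Front end: terminates SSL, overwrites X-Forwarded-Proto, forwards over HTTP."""
    headers = dict(client_headers or {})
    headers["X-Forwarded-Proto"] = client_scheme  # overwrite whatever the client sent
    return app_response("127.0.0.1", headers, honor_forwarded)

def follow(honor_forwarded, max_hops=5):
    """Browser starting on HTTPS and following redirects; returns (status, hops)."""
    scheme = "https"
    for hop in range(max_hops):
        status, location = proxy_request(scheme, honor_forwarded)
        if status != 302:
            return status, hop
        scheme = location.split(":", 1)[0]
    return "loop", max_hops

if __name__ == "__main__":
    print("app ignores the proxy header:", follow(False))
    print("app honors the proxy header: ", follow(True))
```

The model treats the forwarded scheme as trustworthy only when the connection comes from the front end and the front end overwrites the header, so a client cannot claim HTTPS by sending the header itself.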