Bug 1353093 - [RFE] oVirt/RHV 4 should be accessible from reverse proxy server
Summary: [RFE] oVirt/RHV 4 should be accessible from reverse proxy server
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: RFEs
Version: 4.0.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ovirt-4.0.4
Target Release: 4.0.4
Assignee: Martin Perina
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On: 1325746 1362196 1376329 1376330
Blocks:
Reported: 2016-07-06 04:45 UTC by Marcus West
Modified: 2016-10-10 11:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Settings needed to configure oVirt/RHV 4 with reverse proxy server are described in doc texts in dependent bugs: BZ1325746 BZ1362196.
Clone Of:
Environment:
Last Closed: 2016-10-10 11:52:18 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:
jbelka: testing_plan_complete-



Description Marcus West 2016-07-06 04:45:50 UTC
oVirt/RHEV 4 should be accessible from reverse proxy server

Comment 2 Derrick Ornelas 2016-07-28 21:14:13 UTC
Marcus, can you confirm if you've tried the reverse proxy directions written by Martin here:  http://lists.ovirt.org/pipermail/users/2016-July/040877.html

Comment 6 Martin Perina 2016-08-04 13:13:16 UTC
Please take a look at BZ1325746 and BZ1362196; those are targeted to 4.0.4 and they should solve all currently known issues around accessing the engine with multiple different FQDNs and allow using dynamic ports (so the engine can run inside a container).

Comment 7 Martin Perina 2016-08-04 13:14:09 UTC
Restoring needinfo

Comment 8 Jiri Belka 2016-09-08 11:53:31 UTC
ok, ovirt-engine-4.0.4.1-0.1.el7ev.noarch

tested via apache httpd 2.x as reverse proxy. (Tested with self-signed certs on httpd host, playing with custom certificates can be an exercise for interested users. Also engine's certs verification was not done. SPICE console opening was successful as well.)

~~~

== /etc/httpd/conf.d/proxy.conf
<VirtualHost _default_:80>

  ServerAdmin root@localhost
  ServerName 10-34-61-191.exmaple.com:80

  ProxyPreserveHost On
  ProxyPass / http://jb-rhevm40.exmaple.com/ retry=0
  ProxyPassReverse / http://jb-rhevm40.exmaple.com/

  ErrorLog logs/proxy_error_log
  TransferLog logs/proxy_access_log
  LogLevel warn

</VirtualHost>


== /etc/httpd/conf.d/ssl.conf
Listen 10.34.61.191:443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

<VirtualHost _default_:443>

  ServerName 10-34-61-191.exmaple.com:443

  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn

  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
  #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

  # do not verify the engine's certificate (test setup only)
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # proxy to engine
  ProxyPreserveHost On
  ProxyPass / https://jb-rhevm40.exmaple.com/ retry=0
  ProxyPassReverse / https://jb-rhevm40.exmaple.com/

  BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

  CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost> 
~~~

~~~
# cat /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf
SSO_ALTERNATE_ENGINE_FQDNS="10-34-61-191.example.com jb-rhevm40.example.com"
~~~
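
The proxy setup above only works for SSO when every name a user types into the browser (the proxy's ServerName) is listed in SSO_ALTERNATE_ENGINE_FQDNS, and the https vhost as posted deliberately skips verifying the engine's certificate. The following checker is an added example, not part of this bug or of oVirt; it parses constructed copies of the two files (modelled on the ones above, keeping the "exmaple.com" spelling in the httpd side) and reports name mismatches and an unverified backend.

```python
import re

# Constructed sample inputs modelled on the two files posted in this comment (not the originals).
HTTPD_CONF = """
<VirtualHost _default_:443>
  ServerName 10-34-61-191.exmaple.com:443
  SSLEngine on
  SSLProxyEngine On
  SSLProxyVerify None
  ProxyPreserveHost On
  ProxyPass / https://jb-rhevm40.exmaple.com/ retry=0
</VirtualHost>
"""
SSO_CONF = 'SSO_ALTERNATE_ENGINE_FQDNS="10-34-61-191.example.com jb-rhevm40.example.com"\n'

DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")  # "Name value"; comment lines never match


def parse_vhosts(text):
    """Return one {directive: value} dict per <VirtualHost> block (last value wins)."""
    vhosts, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("<VirtualHost"):
            current = {}
        elif stripped.startswith("</VirtualHost"):
            vhosts.append(current)
            current = None
        elif current is not None:
            m = DIRECTIVE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return vhosts


def parse_sso_fqdns(text):
    """Extract the space-separated FQDN list from the engine's SSO override file."""
    m = re.search(r'^SSO_ALTERNATE_ENGINE_FQDNS="([^"]*)"', text, re.M)
    return set(m.group(1).split()) if m else set()


def check(httpd_text, sso_text):
    """Return human-readable findings; an empty list means the two files agree."""
    findings, allowed = [], parse_sso_fqdns(sso_text)
    for vh in parse_vhosts(httpd_text):
        host = vh.get("ServerName", "").split(":")[0]  # drop the :port suffix
        if host and host not in allowed:
            findings.append(f"ServerName {host} missing from SSO_ALTERNATE_ENGINE_FQDNS")
        if vh.get("ProxyPreserveHost", "Off").lower() != "on":
            findings.append(f"{host}: ProxyPreserveHost is not On, engine will see the wrong Host")
        if vh.get("SSLProxyEngine", "Off").lower() == "on" and vh.get("SSLProxyVerify", "none").lower() != "require":
            findings.append(f"{host}: engine certificate not verified (set SSLProxyVerify require)")
    return findings
```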

Comment 9 Jiri Belka 2016-09-08 15:06:42 UTC
I managed to get working kerberos SSO via reverse proxy, here are some details:

- add reverse proxy fqdn into IPA
~~~
ipa host-add 10-34-61-191.example.com
ipa service-add HTTP/10-34-61-191.example.com
ipa-getkeytab -p HTTP/10-34-61-191.example.com -k /tmp/temporary.keytab
~~~
- get already existing http.keytab
- merging keytabs (on IPA host)
~~~
ktutil
: rkt /tmp/temporary.keytab
: rkt http.keytab
: list
: wkt /tmp/new.keytab
~~~
- copy new keytab to engine host as http.keytab

After opening User Portal via reverse proxy URL (10-34-61-191.example.com), I get automatically logged in and klist shows:

~~~
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: vdcadmin.COM

  Issued                Expires               Principal
Sep  8 16:18:43 2016  Sep  9 02:18:42 2016  krbtgt/BRQ-IPA.EXAMPLE.COM.COM
Sep  8 16:30:21 2016  Sep  9 02:18:42 2016  HTTP/jb-rhevm40.example.com.COM
Sep  8 16:57:44 2016  Sep  9 02:18:42 2016  HTTP/10-34-61-191.example.com.COM
~~~

