Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1354538 - CloudForm 4.1: WebUI switch CloudForms to run on port 80 (from 443) break the portal
Summary: CloudForm 4.1: WebUI switch CloudForms to run on port 80 (from 443) break the...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.6.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: GA
: 5.6.2
Assignee: Martin Povolny
QA Contact: Dmitry Misharov
URL:
Whiteboard: ui:appliance
Depends On: 1351417
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-07-11 13:58 UTC by John Prause
Modified: 2016-09-07 13:54 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1351417
Environment:
Last Closed: 2016-09-06 15:33:57 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1381853 None None None 2016-07-11 13:58:22 UTC

Comment 2 Martin Povolny 2016-07-21 07:51:08 UTC
Hi. I have it working. The UI runs, have check the API and most likely fix HTML5 consoles.

My content of /etc/httpd/conf.d/manageiq-https-application.conf


<VirtualHost *:443>
KeepAlive on

DocumentRoot /var/www/miq/vmdb/public

# The following redirects files must be included to
# handle most specific to least specific URLs.
Include conf.d/manageiq-redirects-ws
Include conf.d/manageiq-redirects-ui
Include conf.d/manageiq-redirects-websocket
ProxyPreserveHost on
RequestHeader set X_FORWARDED_PROTO 'https'

ErrorLog /var/www/miq/vmdb/log/apache/ssl_error.log
TransferLog /var/www/miq/vmdb/log/apache/ssl_access.log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW
SSLCertificateFile /var/www/miq/vmdb/certs/server.cer
SSLCertificateKeyFile /var/www/miq/vmdb/certs/server.cer.key

<Location /assets/>
  Header unset ETag
  FileETag None
  ExpiresActive On
  ExpiresDefault "access plus 1 year"
</Location>

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
  SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
  SSLOptions +StdEnvVars 
</Directory>

<Location /proxy_pages/>
  ErrorDocument 403 /error/noindex.html
  ErrorDocument 404 /error/noindex.html
</Location>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \ 
         downgrade-1.0 force-response-1.0
    
CustomLog /var/www/miq/vmdb/log/apache/ssl_request.log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
</VirtualHost> 


Then in /var/www/miq/vmdb/config/initializers/session_store.rb you need to comment out the line 13: 

# session_options[:secure]   = true

Comment 3 Martin Povolny 2016-07-21 09:23:34 UTC
Confirming that the API and HTML 5 consoles work with the above solution.

Comment 4 Martin Povolny 2016-07-21 09:29:49 UTC
pasted wrong file in the previous comment.

Here's my /etc/httpd/conf.d/manageiq-http.conf:


## ManageIQ HTTP Virtual Host Context

# Timeout: The number of seconds before receives and sends time out.
Timeout 120

# HTTP Start-up error log
ErrorLog /var/www/miq/vmdb/log/apache/miq_apache.log

# Disable this section if using HTTP only
RewriteEngine On
Options SymLinksIfOwnerMatch
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

# Enable this section if using HTTP only
<VirtualHost *:80>
KeepAlive on

DocumentRoot /var/www/miq/vmdb/public

Include conf.d/manageiq-redirects-ui
Include conf.d/manageiq-redirects-ws
Include conf.d/manageiq-redirects-websocket
ProxyPreserveHost on

LogLevel warn

<Location /assets/>
  Header unset ETag
  FileETag None
  ExpiresActive On
  ExpiresDefault "access plus 1 year"
</Location>

</VirtualHost>
~

Comment 5 Faiaz Ahmed 2016-07-25 01:47:53 UTC
Here are feedback after the config test

Customer Setup
- Customer is getting Apache testpage!

My setup
- I am getting login page but after user/password it not responding. The page is standing still.
- HTTPS is still working with same username and password

Comment 6 Faiaz Ahmed 2016-07-25 02:25:22 UTC
Created attachment 1183531 [details]
Fresh Log from Customer appliance

Comment 12 Martin Povolny 2016-08-05 08:00:46 UTC
The comment 'Disable this section if using HTTP only" above the lines below is a nonsense. It's a left-over. I'll fix that in the next release of the appliance.

# Disable this section if using HTTP only
RewriteEngine On
Options SymLinksIfOwnerMatch
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]


The two lines 

RewriteEngine On
Options SymLinksIfOwnerMatch

need to be left untouched or, if you disable the rewrite engine, no rewrite rules will work and the UI will not be accessible.

the other 2 lines:

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

have no effect in our case so you might comment that out. It's useful if you want a setup where port 80 would be opened just to redirect requests to port 443.

For the line:
ErrorLog /var/www/miq/vmdb/log/apache/miq_apache.log

you could add another 

TransferLog /var/www/miq/vmdb/log/apache/access.log

depending how/if you plan to process the logs. We should check how the log is rotated on the appliance and make sure that that the logs do not grow for ever.

So that is (I hope ;-)) an explanation of what you have experienced.


As of the last change:

# Listen 443

Yes, if you comment out that line, you disable Apache on port 443 so that it will be listening only on port 80.

If that is the goal, then OK, it's right to do it.

Comment 13 Martin Povolny 2016-09-06 15:33:57 UTC
I believe that the information requested was provided so I am closing this BZ.

I am ready to help review a new DOC article if my help is needed. We can probably elaborate a bit on the various cases (HTTP only / HTTPS+HTTP / HTTPS only / HTTP redirecting to HTTPS).


Note You need to log in before you can comment on or make changes to this bug.