Maintenance ip allowlist doesn't work

Hello,

I’m trying to configure maintenance mode. Now, it’s working as I expected except for allowing the IP addresses in the list.

Here is a part of my `ood_portal.yml` for the maintenance mode. I referred to the document here: maintenance mode.

use_rewrites: true
use_maintenance: true
maintenance_ip_allowlist:
  - '10.20.30..*'
  - '10.20.40.3'

However, I encountered the public/maintenance/index.html page even when I accessed OOD from an IP address that is in the `maintenance_ip_allowlist`.

What am I missing for this?

Best,

Can you confirm that the configuration in your YML file made it to the apache .conf file?

Hi Jeff,

This is my ood-portal.conf in /etc/httpd/conf.d.

  # Maintenance location
  #
  #     https://ood.example.org:443/public/maintenance
  #     #=> Displays /var/www/ood/public/maintenance/index.html
  #
  <Directory "/var/www/ood/public/maintenance">
    RewriteCond /etc/ood/maintenance.enable !-f
    ReWriteRule ^.*$ /

    RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
    RewriteRule ^.*$ /public/maintenance/index.html [R=503,L]
    ErrorDocument 503 /public/maintenance/index.html
  </Directory>

There is no maintenance_ip_allowlist in .conf file.

PARK

OK - you need to bounce httpd with systemctl restart httpd for the configs in the YML to propagate to the httpd conf. If there are any errors they should be in journalctl or systemctl status httpd.

Unfortunately, it does not work even if I restart httpd.

Are there errors when you bounce httpd?

There is no error during restarting.

$ sudo systemctl restart httpd
$ systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
Drop-In: /etc/systemd/system/httpd.service.d
└─ood-portal.conf, ood.conf
Active: active (running) since Wed 2026-03-25 17:16:38 CET; 7s ago
Docs: man:httpd.service(8)
Process: 3743963 ExecStartPre=/opt/ood/ood-portal-generator/sbin/update_ood_portal --rpm (code=exited, status=0/SUCCESS)
Main PID: 3743974 (httpd)
Status: "Started, listening on: port 443, port 81, port 80"
Tasks: 177 (limit: 23115)
Memory: 42.1M
CPU: 366ms
CGroup: /system.slice/httpd.service
├─3743974 /usr/sbin/httpd -DFOREGROUND
├─3743976 /usr/sbin/httpd -DFOREGROUND
├─3743977 /usr/sbin/httpd -DFOREGROUND
├─3744007 /usr/sbin/httpd -DFOREGROUND
└─3744023 /usr/sbin/httpd -DFOREGROUND

Best,

What OnDemand version are you on? That config changed from maintenance_ip_whitelist to maintenance_ip_allowlist at some point. You’re looking at the latest documentation, but you may need to look at your version’s documentation specifically.

I’m using OOD 4.0.6

Best,

OK there’s something obvious that we’re missing here. Have you modified the distribution at all? Or did you modify the resulting .conf file by hand at any time?

Also I’d check journalctl to see if there really is any output from update_ood_portal at any time.

No, I haven’t.

I installed OOD via RPM and created the .conf file with sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal.

The output of journalctl -xe is displayed below.

$ sudo journalctl -xe
 Defined-By: systemd
 Support: https://wiki.rockylinux.org/rocky/support

 A stop job for unit httpd.service has finished.

 The job identifier is 862567 and the job result is done.
Mar 25 18:41:58 ood.example.org systemd[1]: httpd.service: Consumed 2.395s CPU time.
 Subject: Resources consumed by unit runtime
 Defined-By: systemd
 Support: https://wiki.rockylinux.org/rocky/support

 The unit httpd.service completed and consumed the indicated resources.
Mar 25 18:41:58 ood.example.org systemd[1]: One-time temporary TLS key generation for httpd.service was skipped because no trigger condition checks were met.
 Subject: A start job for unit httpd-init.service has finished successfully
 Defined-By: systemd
 Support: https://wiki.rockylinux.org/rocky/support

 A start job for unit httpd-init.service has finished successfully.

 The job identifier is 862712.
Mar 25 18:41:58 ood.example.org systemd[1]: Starting The Apache HTTP Server...
 Subject: A start job for unit httpd.service has begun execution
 Defined-By: systemd
 Support: https://wiki.rockylinux.org/rocky/support

 A start job for unit httpd.service has begun execution.

 The job identifier is 862567.
Mar 25 18:41:58 ood.example.org update_ood_portal[3744981]: cp -p /etc/pki/tls/certs/bundle.pem /etc/ood/dex/bundle.pem
Mar 25 18:41:58 ood.example.org update_ood_portal[3744981]: chown ondemand-dex:ondemand-dex /etc/ood/dex/bundle.pem
Mar 25 18:41:58 ood.example.org update_ood_portal[3744981]: cp -p /etc/pki/tls/private/wildcard.key /etc/ood/dex/wildcard.key
Mar 25 18:41:58 ood.example.org update_ood_portal[3744981]: chown ondemand-dex:ondemand-dex /etc/ood/dex/wildcard.key
Mar 25 18:41:59 ood.example.org update_ood_portal[3744981]: No change in Apache config.
Mar 25 18:41:59 ood.example.org update_ood_portal[3744981]: No change in the Dex config.
Mar 25 18:41:59 ood.example.org httpd[3744992]: [Wed Mar 25 18:41:59.079220 2026] [so:warn] [pid 3744992:tid 3744992] AH01574: module status_module is already loaded, skipping
Mar 25 18:41:59 ood.example.org httpd[3744992]: Server configured, listening on: port 443, port 81, port 80
Mar 25 18:41:59 ood.example.org systemd[1]: Started The Apache HTTP Server.
 Subject: A start job for unit httpd.service has finished successfully
 Defined-By: systemd
 Support: https://wiki.rockylinux.org/rocky/support

 A start job for unit httpd.service has finished successfully.

 The job identifier is 862567.
Mar 25 18:41:59 ood.example.org sudo[3744978]: pam_unix(sudo:session): session closed for user root
Mar 25 18:42:00 ood.example.org sudo[3745173]: s.park : TTY=pts/0 ; PWD=/var/www/ood/apps/dev/s.park ; USER=root ; COMMAND=/bin/journalctl -xe
Mar 25 18:42:00 ood.example.org sudo[3745173]: pam_unix(sudo:session): session opened for user root(uid=0) by s.park(uid=37447)

Best,

OK there’s something simple and obvious that we’re missing. I checked the spelling; what you have listed is correct.

How about the ood_portal.yml? I see in your initial comment that it’s well formatted. Is the actual YML file well formatted too?

Hello Jeff,

I think it is.
Here’s my /etc/ood/config/ood_portal.yml.

$ sudo cat ood_portal.yml
servername: ood.example.org

use_rewrites: true
use_maintenance: true
maintenance_ip_allowlist:
  - '10.20.30..*'
  - '10.20.40.3'

use_ssl: true
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/bundle.pem"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/wildcard.key"'

redirect_to_https: true

auth:
  - 'AuthType openid-connect'
  - 'Require valid-user'

oidc_uri: "/oidc"
oidc_session_inactivity_timeout: 1800

host_regex: '(cpu|gpu|bio|visu)\d+'
node_uri: '/node'
rnode_uri: '/rnode'

# Dex runs standalone (no reverse proxy)
dex_uri: false

dex:
  client_secret: ***************************
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: LDAP.EXAMPLE.ORG
        insecureSkipVerify: true
        bindDN: CN=svc_bind_linux,OU=users-generiques,DC=example,DC=org
        bindPW: **************************************
        userSearch:
          baseDN: DC=example,DC=org
          filter: "(objectClass=user)"
          username: sAMAccountName
          idAttr: sAMAccountName
          emailAttr: mail
          nameAttr: displayName
          preferredUsernameAttr: sAMAccountName
        groupSearch:
          baseDN: DC=example,DC=org
          filter: "(objectClass=group)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
  frontend:
    theme: "ood"
    extra:
      navLogo: "/theme/logo.png"
      loginLogo: "/theme/logo.png"
      loginTitle: "Log in with your account"
      loginButtonText: "Login"

Best,

OK again, there’s something obvious here that we’re just missing.

You’ve linked the Directory portion of your .conf file, but this is not where the RewriteCond directives for the maintenance IPs exist.

Are you quite sure that something like this doesn’t exist in the .conf file anywhere?

 RewriteCond %{REMOTE_ADDR} !^10\.20\.40\.3

Yes, it exists in .conf file as below.

 # Support maintenance page during outages of OnDemand
  RewriteEngine On
  RewriteCond /var/www/ood/public/maintenance/index.html -f
  RewriteCond /etc/ood/maintenance.enable -f
  RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
  RewriteCond %{REMOTE_ADDR} !^10\.20\.30\..*
  RewriteCond %{REMOTE_ADDR} !^10\.20\.40\.3
  RewriteRule ^.*$ /public/maintenance/index.html [R=302,L]

And I found the reason.

The first is the browser cache. After I cleaned the cache, it’s working. The second one (I tried) is the format of the IP address. I thought an IP address in the form 10.20.40.0/24 would be okay, but it’s not. I misunderstood the sentence in the doc.

In this example we allow access to anyone from 192.168.1..* which is the 192.168.1.0/24 CIDR and the single IP '10.0.0.1'.

Thank you Jeff.

PARK
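One way to see why the allowlist entries behave as they do, as an added example that is not part of this thread or of OnDemand's own code: the script below parses the RewriteCond lines quoted above (embedded as constructed input), evaluates them the way mod_rewrite does (every condition must hold for the RewriteRule to fire; a `!` condition holds when its regex does not match; the regex is searched, not anchored at the end), and adds a small helper that turns an octet-aligned CIDR into the `10.20.40..*` entry style the docs describe. It assumes the file-existence conditions are satisfied (maintenance enabled) and that the generator preserves an entry's `..*`, as the quoted .conf shows; the `10.20.40.0/24` pattern is a constructed illustration of a CIDR entry, not captured generator output. Two things it makes visible: an entry written as a CIDR never matches any address, because no dotted-quad REMOTE_ADDR contains a slash; and the generated `!^10\.20\.40\.3` has no end anchor, so addresses such as `10.20.40.30` are allowed through as well. When an entry is meant to be a single host, check the generated RewriteCond line for an end anchor.

```python
"""Simulate the maintenance RewriteCond chain from the thread's ood-portal.conf.

Added example, not OnDemand's code. Only the %{REQUEST_URI} and %{REMOTE_ADDR}
conditions are modelled; file-existence conditions (-f) are treated as true,
i.e. maintenance mode is enabled.
"""
import ipaddress
import re

# Constructed input: the RewriteCond/RewriteRule lines quoted in the thread.
CONF_EXCERPT = r"""
  RewriteEngine On
  RewriteCond /var/www/ood/public/maintenance/index.html -f
  RewriteCond /etc/ood/maintenance.enable -f
  RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
  RewriteCond %{REMOTE_ADDR} !^10\.20\.30\..*
  RewriteCond %{REMOTE_ADDR} !^10\.20\.40\.3
  RewriteRule ^.*$ /public/maintenance/index.html [R=302,L]
"""

# Constructed (assumed) result of writing the entry as a CIDR, '10.20.40.0/24':
# whatever escaping the generator applies, the literal '/24' survives, and a
# dotted-quad address never contains a slash, so this condition cannot match.
CIDR_MISTAKE_CONF = r"""
  RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
  RewriteCond %{REMOTE_ADDR} !^10\.20\.40\.0/24
  RewriteRule ^.*$ /public/maintenance/index.html [R=302,L]
"""

# RewriteCond <%{VARIABLE}> <optional !><regex>; file-test conditions do not match.
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(!?)(\S+)\s*$")


def parse_conditions(conf: str):
    """Return (variable, negated, compiled_regex) for each variable-based RewriteCond."""
    conds = []
    for line in conf.splitlines():
        m = COND_RE.match(line)
        if m:
            var, neg, pattern = m.groups()
            conds.append((var, neg == "!", re.compile(pattern)))
    return conds


def redirected_to_maintenance(conf: str, remote_addr: str,
                              request_uri: str = "/pun/sys/dashboard") -> bool:
    """True when mod_rewrite would send this request to the maintenance page."""
    env = {"REMOTE_ADDR": remote_addr, "REQUEST_URI": request_uri}
    for var, negated, regex in parse_conditions(conf):
        # mod_rewrite searches the value; without a trailing '$' a prefix match counts.
        matched = regex.search(env.get(var, "")) is not None
        if matched == negated:  # a '!' condition fails on match, a plain one on no match
            return False        # any failed RewriteCond stops the RewriteRule
    return True


def cidr_to_allowlist_entry(cidr: str) -> str:
    """Translate an octet-aligned IPv4 CIDR into the docs' entry style
    (192.168.1.0/24 -> '192.168.1..*'). Non-aligned prefixes have no such entry."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError(f"{cidr}: only /8, /16, /24 and /32 map onto a single regex entry")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(kept) + ("..*" if net.prefixlen < 32 else "")


if __name__ == "__main__":
    for addr in ("10.20.30.77", "10.20.40.3", "10.20.40.30", "10.20.40.4"):
        verdict = "maintenance page" if redirected_to_maintenance(CONF_EXCERPT, addr) else "allowed through"
        print(f"{addr:<12} -> {verdict}")
    print("10.20.40.4 with a CIDR-style entry ->",
          "maintenance page" if redirected_to_maintenance(CIDR_MISTAKE_CONF, "10.20.40.4") else "allowed through")
    print("10.20.40.0/24 as an allowlist entry ->", cidr_to_allowlist_entry("10.20.40.0/24"))
```

Running it shows 10.20.30.77 and 10.20.40.3 allowed through, 10.20.40.4 redirected, and 10.20.40.30 allowed through only because the single-host condition lacks an end anchor; the CIDR-style entry redirects everyone.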