Maintenance page configuration and Shibboleth

Description

I am using OOD with Shibboleth Auth. When I enable maintenance mode by touching the file /etc/ood/maintenance.enable, the maintenance feature does not work as expected.

If I am already authenticated, the maintenance page is displayed; otherwise, the authentication page keeps reloading until it fails due to excessive queries and ends with the message:

Bad Request - Header Field Too Long


HTTP Error 400. A request header field is too long.

Workaround

To resolve this issue, I had to manually edit the OOD-Portal HTTP configuration file and add the following block:

+<Location "/public/maintenance">
+        Satisfy any 
+        Allow from all
+        AuthType None
+        Require all granted  
+</Location>
  <Directory "/var/www/ood/public/maintenance">
    RewriteCond /etc/ood/maintenance.enable !-f
    ReWriteRule ^.*$ /
    
    RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
    RewriteRule ^.*$ /public/maintenance/index.html [R=503,L]
    ErrorDocument 503 /public/maintenance/index.html
  </Directory
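
Review bot: The added `<Location "/public/maintenance">` block mixes the Apache 2.2 access directives (`Satisfy any`, `Allow from all`) with the 2.4 form (`Require all granted`); on Apache 2.4 the first two are only provided by mod_access_compat, and mixing the two styles in one section is discouraged, so consider keeping just `AuthType None` and `Require all granted`. As written, the exemption is unconditional: it applies whether or not /etc/ood/maintenance.enable exists, so anything placed under /public/maintenance is served without a Shibboleth session, and that directory should hold only the static maintenance page. The final context line `</Directory` is missing its closing `>`, which is a syntax error if the block is copied as shown.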

Once maintenance is completed (file removed), this page is no longer accessible and is redirected to the PUN dashboard.

The problem is that manually modifying the file prevents the OOD portal update script from being used.

Questions

I suspect I may be doing something incorrectly. Do you have any recommendations for addressing this issue?

What is it that did not work?

It may have worked as expected given the following from the docs:

“While in maintenance mode, Apache returns the HTML file and a 503 response code to all users whose IP does not match one of the configured allowlist regular expressions. The allowlist is to allow staff, localhost or a subset of your users access while restricting others.”

From: Customizations — Open OnDemand 3.0.3 documentation

Is this the behavior you saw?

There’s an example there that might give you the piece you need of maintenance_ip_allowlist in the /etc/ood/config/ood_portal.yml.

Hi Travert

Edit

Sorry, I think I created the post in the wrong window and the description is not descriptive enough. It is missing the most important part :sweat_smile::

If I am already authenticated, the maintenance page is displayed; otherwise, the authentication page keeps reloading until it fails due to excessive queries.

I updated the original post.


My understanding is: this option allows you to get access to the Open OnDemand dashboard during the maintenance. I tested it and it’s working.

But what I want is that, when maintenance is enabled, the user gets access to the maintenance page. Currently they cannot, because Shibboleth asks for authentication to get access, and maybe due to the 503 error the authentication mechanism failed.

I need to do some digging on Shibboleth, there could be a bug here. I get what you’re trying to do and it should just work.

If you embed those directives in the Directory, does that work as well?
I.e.,

  <Directory "/var/www/ood/public/maintenance">
    Satisfy any 
    Allow from all
    AuthType None
    Require all granted

    RewriteCond /etc/ood/maintenance.enable !-f
    ReWriteRule ^.*$ /
    
    RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
    RewriteRule ^.*$ /public/maintenance/index.html [R=503,L]
    ErrorDocument 503 /public/maintenance/index.html
  </Directory>

Or do you indeed need the other Location segment?

Hi @jeff.ohrstrom

For now, to avoid any conflict with ood-portal generation, I added the HTTP conf block in another file, ood_maint_workarround.conf, and it’s working fine.

I will test it tomorrow directly in the Directory block and give you feedback.

Thank you for checking :pray:

Thanks, I also made this ticket upstream. Hopefully we can figure it out and patch it in the next release.
