Maintenance whitelist not working

When I navigate to our OnDemand site from a whitelisted IP, I get a 500 error. Maintenance mode is working: when I view the page from a non-whitelisted IP I see the maintenance message.

After changing the ood_portal.yml, I’ve run update_ood_portal, restarted httpd, ondemand-dex, and removed and recreated the maintenance.enable file.

relevant bits of ood_portal.yml (MY_IP_ADDRESS is replaced with my actual IP):

use_rewrites: true
use_maintenance: true
maintenance_ip_whitelist:
     - 'MY_IP_ADDRESS'

The error I see in error_ssl.log:

oidc_util_decode_json_object: JSON parsing returned an error: '[' or '{' expected near '<' (<!DOCTYPE html>\n<html lang="en">\n  <head>\n    <title>Borah OnDemand Maintenance</title>\n  </head>\n\n  <body>\n    <h1>Borah OnDemand is currently offline for maintenance</h1>\n    Access will be restored by the end of today (Monday July, 15th)\n  </body>\n</html>\n)
oidc_metadata_provider_retrieve: JSON parsing of retrieved Discovery document failed

I’ve also tried changing maintenance.html to remove all non-alphanumeric characters; same issue.

TIA!

Hi and welcome!

It appears to be having trouble with your OIDC provider. What’s the oidc_provider_metadata_url setting you have and is it valid json?

For example - CILogon’s oidc_provider_metadata_url is below. Hitting this, you can see that it’s JSON.

https://cilogon.org/.well-known/openid-configuration

Thank you for the quick response!

Sorry if I misunderstand, but we don’t have that set in ood_portal.yml as we’re using ondemand-dex:

# Default: null (value auto-generated if using Dex)
#oidc_provider_metadata_url: null

The url (I think autogenerated by dex) in the error is: https://borah-ondemand.boisestate.edu/dex/.well-known/openid-configuration

OK - I’ll try to replicate. There could be a bug on our side - this is the URL it’s trying to access and can’t.

I think as a workaround you can use dex_uri: false in ood_portal.yml. This way we don’t route through apache (which is giving you the issues) for OIDC calls.

Just for reference, this is a bug on our side.

Awesome, thank you!

We get a new error, which might be due to our firewall:
oidc_util_http_call: curl_easy_perform() failed on: https://borah-ondemand.boisestate.edu:5554/.well-known/openid-configuration (Failed to connect to borah-ondemand.boisestate.edu port 5554: Connection refused)

Does port 5554 need to be open to the connecting clients? We’ve added the port in firewalld.

It does. The issue is that either we proxy behind Apache (port 443), but there’s currently a bug in that, as you’re finding, or we don’t proxy, in which case we send requests directly to port 5554.

OK, thank you; good to know. We’ll need to work with our network team to get this set up.
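A small health check for the failure diagnosed in this thread: it reads the Dex discovery document that mod_auth_openidc fetches and tells the maintenance HTML page apart from a valid (or malformed) JSON document. This is an added example, not Open OnDemand's own code; the sample discovery URLs and the `check_discovery`/`fetch_and_check` names are hypothetical.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample: the HTML body mod_auth_openidc logged in the thread.
MAINTENANCE_HTML = """<!DOCTYPE html>
<html lang="en">
  <head><title>Borah OnDemand Maintenance</title></head>
  <body><h1>Borah OnDemand is currently offline for maintenance</h1></body>
</html>
"""

# Constructed sample of a healthy Dex discovery document (hypothetical URLs).
GOOD_DISCOVERY = json.dumps({
    "issuer": "https://ood.example.edu/dex",
    "authorization_endpoint": "https://ood.example.edu/dex/auth",
    "token_endpoint": "https://ood.example.edu/dex/token",
    "jwks_uri": "https://ood.example.edu/dex/keys",
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(body, expected_issuer):
    """Return (ok, reason): tells the maintenance-HTML failure apart from bad/good JSON."""
    if body.lstrip().startswith("<"):
        # The "'[' or '{' expected near '<'" case: the rewrite rule served maintenance.html.
        return False, "HTML returned instead of JSON (maintenance rule catching /dex?)"
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"body is not JSON: {exc}"
    if not isinstance(doc, dict):
        return False, "JSON body is not an object"
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        return False, "discovery document missing: " + ", ".join(missing)
    if doc["issuer"] != expected_issuer:
        return False, f"issuer {doc['issuer']!r} != expected {expected_issuer!r}"
    host = urlparse(expected_issuer).netloc  # endpoints must stay on the issuer host over TLS
    for key in REQUIRED_KEYS[1:]:
        url = urlparse(doc[key])
        if url.scheme != "https" or url.netloc != host:
            return False, f"{key} is not https on {host}: {doc[key]}"
    return True, "ok"

def fetch_and_check(url, expected_issuer, timeout=5):
    """Fetch the live discovery URL (e.g. .../dex/.well-known/openid-configuration) and check it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return check_discovery(resp.read().decode("utf-8", "replace"), expected_issuer)
```

Running `fetch_and_check` from the OnDemand host right after touching `maintenance.enable` shows whether the maintenance rule is also swallowing the `/dex/.well-known` path that Apache needs for OIDC.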