Modifications to the view.rb file to allow multiple OOD servers to have a ServerAlias

When multiple servers are behind an HAProxy load balancer it is useful to have the dns point to the haproxy server. This causes a couple of problems:

  1. There is not a way to get the ServerAlias added to the ood.conf file as generated by the portal generator script.
  2. When the view.rb script for the portal generator goes out to get the oidc_crypto_passphrase, it goes out to the HAProxy server instead of the OOD server’s own yml config file (servername), as listed below.
    @oidc_crypto_passphrase = Digest::SHA1.hexdigest(servername)

This last one is a problem because then the crypto_passphrase is for the haproxy server and not the OOD server the user is on and the decryption of the auth cookie fails.

I would like a modification that allows sites to have a serveralias and oidc-crypto-passphrase option in the ood yml config file. The passphrase can be setup to use the variable in the yml file and if not found go out to the servername. If the serveralias variable is not found then nothing would be added to the OOD.conf file for the web server.
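An added illustration of the behaviour requested above, written for this thread and not taken from ood-portal-generator’s view.rb: the passphrase comes from the YAML key `oidc_crypto_passphrase` when present and otherwise falls back to the `Digest::SHA1.hexdigest(servername)` the thread quotes, and a `ServerAlias` line is emitted only when aliases are configured. The key name `server_aliases`, the function names and the two sample configs are assumptions made for the example.

```ruby
require 'digest'
require 'yaml'

# Constructed sample configs (not from the thread): the first leaves the
# passphrase unset and has no alias, the second pins it and adds an alias.
DEFAULT_YAML = <<~YAML
  servername: ood.example.org
YAML

PINNED_YAML = <<~YAML
  servername: ood.example.org
  server_aliases:
    - ood-node1.example.org
  oidc_crypto_passphrase: "Zm9vYmFyYmF6cXV4"
YAML

def load_config(yaml_text)
  YAML.safe_load(yaml_text) || {}
end

# Passphrase: an explicit YAML value wins; otherwise fall back to the
# deterministic SHA1 of ServerName quoted from view.rb in the thread.
# (Key name oidc_crypto_passphrase assumed for this example.)
def oidc_crypto_passphrase(cfg)
  explicit = cfg['oidc_crypto_passphrase']
  return explicit.to_s unless explicit.nil? || explicit.to_s.empty?
  Digest::SHA1.hexdigest(cfg.fetch('servername'))
end

# Render the Apache directives; ServerAlias is written only when the
# (assumed) server_aliases key holds at least one name.
def render_vhost(cfg)
  lines = ["ServerName #{cfg.fetch('servername')}"]
  aliases = Array(cfg['server_aliases'])
  lines << "ServerAlias #{aliases.join(' ')}" unless aliases.empty?
  lines << "OIDCCryptoPassphrase #{oidc_crypto_passphrase(cfg)}"
  lines.join("\n") + "\n"
end

# Check discussed later in the thread: with the same ServerName on every
# backend the fallback gives every backend the same passphrase, whereas
# explicitly set per-host values can differ.
def passphrases_identical?(cfgs)
  cfgs.map { |c| oidc_crypto_passphrase(c) }.uniq.size == 1
end

if __FILE__ == $PROGRAM_NAME
  puts render_vhost(load_config(DEFAULT_YAML))
  puts render_vhost(load_config(PINNED_YAML))
end
```

Running the file prints the two rendered fragments; the first carries no ServerAlias line and the SHA1-derived passphrase, the second carries the alias and the pinned value.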

3.0 supports server aliases, looks like we just forgot to document it.

I don’t think I follow number 2, but I see that we do force the value instead of overwriting it. @tdockendorf do you know more about why this may be an issue for HAProxy environments?

I’m not sure I follow what the issue is with the crypto passphrase. It can be anything. You can do something like echo "foo" | sha1sum and copy that value into mod_auth_openidc and it will work. It doesn’t have to be anything specific to any server name, the value doesn’t matter really. The fact we set it to the servername is just to make the value not change constantly, ie if we instead chose a random SHA1 checksum.

When I use the code as given the auth sent back from CiLogon fails. When I create the passphrase on the server and put that into the yml config file and modify the view.rb file to read it from the yml file the auth from CiLogon works. Our dns for our OOD servers is set to the HAProxy server which makes the server names on all of the OOD servers the same. This was done so that users cannot save the url in a bookmark and bypass the HAProxy server. So ServerName is the HAProxy server but the ServerAlias is the actual OOD server dns name. Our Certificates are MultiDomain Certs with the HAProxy server dns name as the Alternate Name in the Certificate.

Sorry, I’m still not following. The only thing that cares about the crypto passphrase is mod_auth_openidc, and the value can be randomly assigned to any value. Are you somehow configuring HAProxy with the crypto passphrase, or are you getting that crypto passphrase from some other source where they have to match and can’t be the value ood-portal-generator assigns?

Based on the docs, mod_auth_openidc/auth_openidc.conf at master · OpenIDC/mod_auth_openidc · GitHub - if you wanted to have multiple servers handle the encrypted cache, they just have to have same passphrase, so why can’t HAProxy be assigned the passphrase generated by ood-portal-generator?

The HAProxy server is not the endpoint. There isn’t any authentication done at that server it just passes the packets to the OOD servers where the authentication is started and ended. The connection to the OOD servers is kept persistent by a cookie set by the HAProxy server. So when a user connects to one of the backend OOD servers they keep getting that single server not all of them.

Does that cookie set for persistent connections have to do anything with the mod_auth_openidc cookies set for authentication or are they totally separate? Since the authentication is happening entirely on the backend server and not the frontend HAProxy then I’m not sure why crypto passphrase would be an issue since it’s only used by mod_auth_openidc to encrypt the session data that it’s responsible for.

We don’t run HAProxy so I’m just taking stabs, but this mentions some headers, like X-Forwarded-Port and X-Forwarded-Host and X-Forwarded-Proto. Not sure if setting those would help or if those headers are already set by HAProxy.

All the persistence cookie does is set a name in a cookie on the users browser. If the cookie is set then the HAProxy server will always use a connection to the backend server that cookie belongs to. It does nothing more.

This all worked fine when the view.rb script was getting the passphrase from the yml file then it stopped working at some point. If there is nothing that can be done to get this read from the yml file in the distributed code then I’ll just have to keep my modification there by using sed to modify it every time we reboot the server (These are stateless servers that get rebuilt at each reboot).

I guess the difference between what I do:

    openssl rand -base64 24

and what you do:

    Digest::SHA1.hexdigest(servername)

is what works and doesn’t work. The one you do is the same over all 4 servers and mine is different over all 4 servers.

I’m still confused why that change is required but since it works for you I created Allow oidc_crypto_passphrase to be set for ood-portal-generator by treydock · Pull Request #2807 · OSC/ondemand · GitHub to make it so you can set the crypto passphrase via YAML.

Thanks that will be one less thing I have to check on each update of the software.