I’m planning to place multiple OOD servers behind a load balancer (BIG-IP) and would like your advice on the configuration. My environment is as follows:
With this setup, when I access parent.net from a web browser, I can reach the OOD service running on child1.net, and web browser’s address bar shows parent.net, as expected. However, when I access child1.net directly from the browser, I can still reach the OOD service on child1.net, but the browser’s address bar shows parent.net.
This makes me think that once I add more OOD servers, accessing child1.net directly might sign me into a different backend node. For maintenance purposes, I would like requests to go directly to child1.net when accessing child1.net, bypassing the load balancer, and I would like the browser to remain on child1.net.
Could you advise how to achieve this configuration?
The result was the same, and the browser still showed parent.net when accessing child1.net directly.
If there are best practices or recommended settings in OOD, OpenIDC, or BIG-IP to support both normal access via parent.net and direct maintenance access to child1.net, I would greatly appreciate your guidance.
If I try the same thing on our host by using the internal DNS name instead of the external DNS name I get a 301 Moved Permanently response from the internal host back to the external host. So that’s why it’s changing the DNS name (you can see the same in your network tab of your browser).
I think it’s coming from this section of the .conf file.
You can try to set use_rewrites: false in ood_portal.yml, but I’m not entirely sure what the behavior will be given you have a proxy server. That seems to be the only thing you can toggle here.
With this setup, I can access the OOD dashboard at https://parent.net/, but accessing https://child1.net returns Internal Server Error. The error log (/var/log/httpd/child1.net_error_ssl.log) shows:
oidc_authenticate_user: the URL hostname (parent.net) of the configured
OIDCRedirectURI does not match the URL hostname of the URL being accessed
(child1.net): the "state" and "session" cookies will not be shared between the two!
To address this, I updated ood_portal.yml with a server_aliases entry:
server_aliases:
  - 'parent.net'
However, the same error occurs.
Next, I tried changing the OIDCRedirectURI to use child1.net in auth_openidc.conf:
OIDCRedirectURI https://child1.net/oidc
This resulted in the reverse error:
oidc_authenticate_user: the URL hostname (child1.net) of the configured
OIDCRedirectURI does not match the URL hostname of the URL being accessed
(parent.net): the "state" and "session" cookies will not be shared between the two!
Do I need to edit /opt/ood/ood-portal-generator/templates/ood-portal.conf.erb directly?
I’m not 100% sure how to do this. Maybe @tdockendorf knows? @mnakao wants to access the servers behind the proxy directly (to test, verify and so on) while still being able to use the proxy itself.
If the error is around the RedirectURI, maybe if OIDCRedirectURI https://child1.net/oidc were OIDCRedirectURI /oidc (the relative URI) it would work? You can try to edit the .conf file manually.
Your timing may be good because we just now have a pull request to be able to configure this to the relative URI.
OK, this will be patched in 4.1. There’s a pull request moving through now (below).
Instead of editing the .conf file which will cause issues when/if you try to do other updates, I’d instead advise that you edit the ruby files that generate the .conf file. In this way it’ll continue to work generating .conf files while still being able to provide the relative URL.
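As an added example (not code from this thread, Open OnDemand or mod_auth_openidc), here is a small Python preflight that models the hostname check behind the "state" and "session" cookie error above for every name the portal can be reached on, and shows why a relative OIDCRedirectURI avoids it. The hostnames and the request path are constructed, and the way a relative redirect URI is resolved against the request host is an assumption about mod_auth_openidc's behaviour.

```python
"""Preflight for the OIDCRedirectURI hostname rule (constructed example)."""
from urllib.parse import urlsplit, urlunsplit


def effective_redirect_uri(configured: str, request_url: str) -> str:
    """Resolve the configured OIDCRedirectURI against the URL being accessed.

    An absolute value is returned unchanged; a path-only value (e.g. /oidc)
    takes the scheme and host of the request. Assumption: this mirrors how
    mod_auth_openidc treats a relative redirect URI.
    """
    cfg = urlsplit(configured)
    if cfg.scheme and cfg.netloc:
        return configured
    req = urlsplit(request_url)
    return urlunsplit((req.scheme, req.netloc, cfg.path or "/", "", ""))


def hostname_mismatch(configured: str, request_url: str):
    """Return None when the cookie check passes, else (redirect_host, request_host).

    This is the condition that produces the log line
    'the URL hostname (...) of the configured OIDCRedirectURI does not match
     the URL hostname of the URL being accessed (...)'.
    """
    cfg_host = urlsplit(effective_redirect_uri(configured, request_url)).hostname
    req_host = urlsplit(request_url).hostname
    return None if cfg_host == req_host else (cfg_host, req_host)


def check_hosts(configured: str, hosts):
    """Map each served hostname to the mismatch it would trigger (None = ok)."""
    # Constructed request path; any path on the portal behaves the same.
    return {h: hostname_mismatch(configured, f"https://{h}/pun/sys/dashboard")
            for h in hosts}


if __name__ == "__main__":
    # Constructed: the load-balancer name and one backend node from the thread.
    HOSTS = ["parent.net", "child1.net"]
    for cfg in ("https://parent.net/oidc", "https://child1.net/oidc", "/oidc"):
        for host, result in check_hosts(cfg, HOSTS).items():
            status = "ok" if result is None else f"MISMATCH {result[0]} vs {result[1]}"
            print(f"OIDCRedirectURI {cfg:<25} via {host:<11} -> {status}")
```

Only the relative form passes for both names; each absolute form fails for exactly the host it does not name, which is the pair of errors reported earlier in the thread.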