I’m in the process of updating our infrastructure from OOD 3 to OOD 4.0.3, and I’m finding that I’m getting a lot of warnings in our Apache logs like this:
```
oidc_check_x_forwarded_hdr: header X-Forwarded-Proto received but OIDCXForwardedHeaders not configured for it
oidc_check_x_forwarded_hdr: header X-Forwarded-Port received but OIDCXForwardedHeaders not configured for it
```
I’ve tried adding a configuration line to ood_portal.yml to configure for those headers, like so:
```yaml
oidc_settings:
  OIDCXForwardedHeaders: X-Forwarded-Proto X-Forwarded-Port
```
But when I do that, I start getting "Bad request" errors when logging in to the OOD dashboard. A difference between requests that I've noticed is that our OIDC redirect URI started including the port after changing the `oidc_settings`, so instead of `https://dev.ood.huit.harvard.edu/oidc` it's `https://dev.ood.huit.harvard.edu:443/oidc`.
The ood_portal.yml file looks like this (partially redacted):
```yaml
servername: dev.ood.huit.harvard.edu
ssl:
  - 'SSLCertificateFile "/etc/ssl/private/cert.crt"'
  - 'SSLCertificateKeyFile "/etc/ssl/private/private_key.key"'
#oidc_settings:
#  OIDCXForwardedHeaders: X-Forwarded-Proto X-Forwarded-Port
dex_uri: /dex
dex:
  connectors:
    - type: oidc
      id: harvardkey
      name: HarvardKey
      config:
        issuer: 'https://stage.pin1.harvard.edu/cas/oidc'
        clientID: 'redacted'
        clientSecret: 'redacted'
        redirectURI: 'https://dev.ood.huit.harvard.edu/dex/callback'
        scopes:
          - openid
          - email
          - profile
        getUserInfo: true
        insecureSkipEmailVerified: true
        userIDKey: sub
        userNameKey: sub
# turn on proxy for interactive desktop apps
host_regex: '[^/]+'
node_uri: '/node'
rnode_uri: '/rnode'
user_map_cmd: '/etc/ood/add_user.sh'
```
We’ve also changed over from an Ubuntu operating system to Amazon Linux 3 in this switch, so that could be more of the issue than the version update.
Any insights would be much appreciated.