Regarding Reverse Proxy settings in Open Ondemand

General Discussion
1

Hello,

This is Hariharan.I am working for Goeteh UNiversity as Linux System Administartor. Currently, I am setting up the open ondemand for my project and I am currently facing an issue with enabling reverse proxy. Before jumping into the issue, short overview of my open ondemand setup. I have installed and configured open ondemand in proxmox container with non-ssl (http) and we use nginx reverse proxy in another machine which terminates the HTTPS connection and forwards it as http to port 80 of the open ondemand server. The idea is, user hits the hhtps and nginx terminates it and forward it to port 80 of open ondemand server. So the ssl certificates are configured in nginx reverse proxy.

Here’s the actual issue which I need your help;
I have followed the exact procedure from the document under the section: Setup Interative Apps
While following 3.2 Steps to Enable in Apache, I am facing an issue afte doing the configuration in ood_portal.yml.

Below is the configuration which I have configured on ood_portal.yml file:
*# /etc/ood/config/ood_portal.yml

host_regex: ‘[\w.-]+\.compute01.csc.uni-frankfurt\.de’
node_uri: ‘/node’
rnode_uri: ‘/rnode’*

But somehow its not working as the error says that “Failed to conenct to the compute01.csc.uni-frankfurt.de. I have installed the following supporting softwares on compute node (compute01 node in my case).

Would it posisble to help me with your suggestion? Cause I tried my best but no luck. Your help is indeed;

Another question: At this point, do I have to configure batch connect in /etc/ood/config/clusters.d/cluster1.yml file?

Thanks in advance!

2

Looking at the regex and the supplied example of “compute01.csc.uni-frankfurt.de” there’s an issue jumping out.

Using [\w.-]+\.compute01.csc.uni-frankfurt\.de against “compute01.csc.uni-frankfurt.de” I don’t get a match. as you are expecting some prefix to the “compute01” in that regex. I wonder if you meant something more like [\w.-]+.csc.uni-frankfurt\.de for the regex? That matches for me when I use it against that domain.

Let’s start with the regex and iterate from there.

Also, it is best to sequentially work through the docs during your install and not jump around too much or you may get confused. I’d also point out we do provide Ansible roles as well.

So work through the install of the software and integrating the authn/z: Installation — Open OnDemand 4.1.0 documentation
Then you can setup the cluster files: Cluster Configuration — Open OnDemand 4.1.0 documentation
And if you are interested in Ansible to help:
GitHub - OSC/ood-ansible: An ansible role for Open Ondemand

3

Hello,

Many thanks for your kind resposne! You are right. Sorry! I was a typo mistake in my above message. Below is my exact configuration in ood_portal.yml:

host_regex: ‘[\w.-]+\.csc.uni-frankfurt\.de’
node_uri: ‘/node’
rnode_uri: ‘/rnode’*

As I said earlier, it wasn’t working. But now I get a different error in web browser as “Failed to connect to compute01.csc.uni-frankfurt.de:4455.

Below is the eror log message;
[Thu Feb 19 22:53:35.604762 2026] [auth_openidc:warn] [pid 14598:tid 129932382414528] [client 10.141.204.103:57866] oidc_check_x_forwarded_hdr: header X-Forwarded-Proto received but OIDCXForwardedHeaders not configured for it
[Thu Feb 19 22:53:35.605023 2026] [proxy:error] [pid 14598:tid 129932382414528] (111)Connection refused: AH00957: http: attempt to connect to 10.141.204.201:4455 (*:80) failed

[Thu Feb 19 22:53:35.605037 2026] [proxy_http:error] [pid 14598:tid 129932382414528] [client 10.141.204.103:57866] AH01114: HTTP: failed to make connection to backend: compute01.lan.csc.uni-frankfurt.de

[Thu Feb 19 22:53:35.605272 2026] [lua:info] [pid 14598:tid 129932382414528] [client 10.141.204.103:57866] res_content_encoding=“” req_is_websocket=“false” req_accept_charset=“” req_port=“80” req_is_https=“false” req_accept_language=“en-us,en;q=0.5” req_accept=“text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8” req_content_type="log_id=“evGzLM0J63o” req_uri=“/node/node01.lan.csc.uni-frankfurt.de/4455” log_time=“2026-02-19T22:53:35.605219.0Z” req_user_ip=“10.141.204.103” log_hook=“ood” local_user=“jsethuraman” req_cache_control=“” req_method=“GET” res_content_disp=“” time_user_map=“0.002” req_referer=“” req_server_name=“ood.csc.uni-frankfurt.de” remote_user=“jsethraman” req_filename=“proxy:http://compute01.lan.csc.uni-frankfurt.de:4455/node/compute01.lan.csc.uni-frankfurt.de/4455” res_content_length=“57” req_hostname=“ood.csc.uni-frankfurt.de” res_content_language=“” res_location=“” time_proxy=“0.539” res_content_type=“text/html; charset=iso-8859-1” req_protocol=“HTTP/1.1” res_content_location=“” req_sstatus=“503” allowed_hosts=“ood.csc.uni-frankfurt.de” req_accept_encoding=“gzip, deflate, br, zstd” req_handler=“proxy:http://compute01.lan.csc.uni-frankfurt.de:4455” req_origin=“” req_user_agent=“Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0”

[Thu Feb 19 22:57:09.814116 2026] [proxy_http:error] [pid 14599:tid 129932248196800] (70007)The timeout specified has expired: [client 10.141.204.103:42904] AH01102: error reading status line from remote server compute01.csc.uni-frankfurt.de:4455

[Thu Feb 19 22:57:09.814219 2026] [proxy:error] [pid 14599:tid 129932248196800] [client 10.141.204.103:42904] AH00898: Error reading from remote server returned by /node/compute01.csc.uni-frankfurt.de/4455

[Thu Feb 19 22:57:09.814618 2026] [lua:info] [pid 14599:tid 129932248196800] [client 10.141.204.103:42904] req_status=“502” req_is_websocket=“false” res_content_disp=“” allowed_hosts=“ood.csc.uni-frankfurt.de” req_accept=“text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8” req_handler="proxy:http://compute01.lan.csc.uni-frankfurt.de:4455” req_referer=“” req_uri=“/node/compute01.lan.csc.uni-frankfurt.de/4455” res_location=“” time_proxy=“300003.192” req_protocol=“HTTP/1.1” res_content_encoding=“” res_content_location=“” req_filename=“proxy:http://compute01.lan.csc.uni-frankfurt.de:4455/node/compute01.lan.csc.uni-frankfurt.de/4455” log_time=“2026-02-19T22:57:09.814567.0Z” req_user_agent=“Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0” req_user_ip=“10.141.204.103” local_user=“jsethuraman” res_content_type=“text/html; charset=iso-8859-1” remote_user=“jsethuraman” req_server_name=“ood.csc.uni-frankfurt.de” res_content_length=“431” time_user_map=“0.002” req_method=“GET” res_content_language=“”req_accept_language=“en-us,en;q=0.5” req_port=“80” req_content_type=“” req_accept_encoding=“gzip, deflate, br, zstd” req_is_https=“false” req_hostname="ood.csc.uni-frankfurt.de” log_hook=“ood” req_accept_charset=“” log_id=“vdaWJ80K63o” req_origin=“” req_cache_control=“”

I will also look at ansible roles as well. Let me know if you can suggest me a recoomendation from the above error web page.

Many thanks again!!!

Best Regards,
Hariharan

4

Can you ssh to the compute node (the card will have a button to click to do this to make it easy by the “Host” line) and see if the app is in fact running using something like telnet to ensure the port you see in the logs is actually being used? Here’s an example I just ran:

$ netstat -tlnp | grep 5911
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:5911            0.0.0.0:*               LISTEN      2038909/Xvnc

And that was after I checked the output.log to see which port was in use. If you don’t see something returned here, then the app didn’t even start on the compute node and we can go from there.

Now this is where I’m out of my league and you are doing a non-standard thing where I’m just winging it. Have you tested connectivity between this container and the compute? That’s outside my realm of knowledge, but you will need to test this as well if the first check above passes.

Lastly it looks like you need to set the OIDCXForwardedHeaders in the ood_portal.yml as well here. This is a bit unknown to me but I see other posts of users going through this here:

Which says you will need something like:

oidc_settings:
  OIDCXForwardedHeaders: X-Forwarded-Proto X-Forwarded-Port
dex_uri: /dex
dex:
  client_redirect_uris:
    - 'https://your.redirect.edu:443/oidc'
....

Though they were using dex in that example. I’m definitely not an expert in this area but that’s the best i can see to get this unique setup running possibly. Hope some of this helps!

5

Hallo,
Thanks again for your quick and kind repsonse! Based on your suggestion, I use dex authentication which is a default one and I can also ssh to compute node but I can see that the port 4455 which I use it for connecting to compute node is not listening when I check with netstat -tlnp | grep 4455. I have also addeed below parameters in ood_portal.yml file:
oidc_settings:
OIDCXForwardedHeaders: X-Forwarded-Proto X-Forwarded-Port

but still no luck. I have no clue where is the problem is.

Happy to have your suggestion if there’s any;

Thanks again!

Best Regards,
Hariharan