Hey folks. I’m trying to set up OOD behind a reverse proxy which does TLS termination, and for irritating internal network reasons I’m hoping to have the reverse proxy ↔ OOD communication done on port 8000 (but expose it to the world on port 443 as usual). Setting listen_addr_port: 8000 and port: 8000 doesn’t seem to work – the redirect to /pun/sys/dashboard sends me to port 8000. (And it uses the http scheme, but that’s not such a big problem.)
I’ve looked through a bunch of posts about this, but I can’t find any suggestions other than “don’t do that”. Has anyone done this successfully?
Unfortunately this isn’t something we support yet, but you might try something with iptables to route things around those defaults. If you want to share more about the specific network limitations you are working with someone might have more concrete suggestions for workarounds.
HAProxy receives the request and sends TLS traffic to the backend server on port 8443
Apache #1 uses mod_auth_cas to require single sign-on authentication. It is listening on port 8443 and is running in a Docker container on the VM that runs OOD.
Apache #2 runs directly on the server and uses mod_auth_gssapi and is listening on port 443. Apache #1 proxies to Apache #2.
Here’s some of the proxy config in Apache #1:
…
# General setup for the virtual host
DocumentRoot "/usr/local/apache2/htdocs"
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyErrorOverride off
ProxyPreserveHost on
ProxyPassMatch ^/rnode/(.*)$ wss://10.0.0.5:443/rnode/$1
ProxyPassMatch ^/node/(.*)$ wss://10.0.0.5:443/node/$1
ProxyPassMatch ^/pun/sys/shell/ssh/(.*)$ wss://10.0.0.5:443/pun/sys/shell/ssh/$1
ProxyPass / https://10.0.0.5:443/
ProxyPassReverse / https://10.0.0.5:443/
ProxyTimeout 300
ServerName ood.dartmouth.edu:443
ServerAdmin research.computing@dartmouth.edu
ErrorLog /proc/self/fd/2
TransferLog /proc/self/fd/1
…
Internal IPs have been changed. You can see more details at
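As an added example (not code from this thread or from the OOD project), the following Python models what Apache's ProxyPassReverse does to a backend Location header and flags the symptom from the first post, where the redirect to /pun/sys/dashboard leaks the internal port and the http scheme. The hostnames, IPs and ports are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed values: the public entry point users type, and the URL prefixes
# the backend may put in a Location header (internal address, or the public
# host with the internal port when ProxyPreserveHost is on).
PUBLIC_BASE = "https://ood.example.org/"
REVERSE_MAP = [
    ("http://10.0.0.5:8000/", PUBLIC_BASE),
    ("http://ood.example.org:8000/", PUBLIC_BASE),
]


def rewrite_location(location: str, reverse_map=REVERSE_MAP) -> str:
    """Model of ProxyPassReverse: the first (backend, public) pair whose
    backend prefix matches the Location header is swapped for the public
    prefix, so the browser comes back through the proxy. Relative or
    unrelated absolute URLs are left untouched, as Apache does."""
    for backend_base, public_base in reverse_map:
        if location.startswith(backend_base):
            return public_base + location[len(backend_base):]
    return location


def leaked_backend_details(location: str, public_base: str = PUBLIC_BASE) -> list:
    """List the ways an absolute Location header sends the browser away
    from the public endpoint (wrong scheme, host or port). Empty means
    the redirect is clean; relative redirects cannot leak anything."""
    loc, pub = urlsplit(location), urlsplit(public_base)
    if not loc.scheme:
        return []
    default = {"https": 443, "http": 80}
    findings = []
    if loc.scheme != pub.scheme:
        findings.append(f"scheme {loc.scheme!r} != {pub.scheme!r}")
    if loc.hostname != pub.hostname:
        findings.append(f"host {loc.hostname!r} != {pub.hostname!r}")
    loc_port = loc.port or default.get(loc.scheme)
    pub_port = pub.port or default.get(pub.scheme)
    if loc_port != pub_port:
        findings.append(f"port {loc_port} != {pub_port}")
    return findings


if __name__ == "__main__":
    raw = "http://ood.example.org:8000/pun/sys/dashboard"  # constructed backend redirect
    print(leaked_backend_details(raw))   # what the browser would see without rewriting
    fixed = rewrite_location(raw)
    print(fixed, leaked_backend_details(fixed))
```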