I have a working OnDemand instance in production with version 2.0.31.
I recently tried to update it to 3.0.1.
All I see is the Apache test page; I’m unsure what’s missing here.
All I did to update was follow this guide.
I noticed the generated httpd pages also reflect what I’m seeing.
/etc/httpd/conf.d/ood-portal.conf in 2.0.31:
#
# Open OnDemand Portal
#
# Generated using ood-portal-generator version 0.8.0
#
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# !! !!
# !! DO NOT EDIT THIS FILE !!
# !! !!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# This file is auto-generated by ood-portal-generator and will be over-written
# in future updates.
#
# 1. To modify this file, first update the global configuration file:
#
# /etc/ood/config/ood_portal.yml
#
# You can find more information about the ood-portal-generator configuration
# at:
#
# https://osc.github.io/ood-documentation/latest/reference/commands/ood-portal-generator.html
#
# 2. Then build/install the updated Apache config with:
#
# sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal
#
# 3. Finally, restart Apache to have the changes take effect:
#
# # For CentOS 6
# sudo service httpd24-httpd condrestart
# sudo service httpd24-htcacheclean condrestart
#
# # For CentOS 7
# sudo systemctl try-restart httpd24-httpd.service httpd24-htcacheclean.service
#
# # For CentOS 8
# sudo systemctl try-restart httpd.service htcacheclean.service
#
# Redirect all http traffic to the https Open OnDemand portal URI
# http://*:443
# #=> https://ondemand-domain.com:443
#
<VirtualHost *:80>
RewriteEngine On
RewriteRule ^(.*) https://ondemand-domain.com:443$1 [R=301,NE,L]
</VirtualHost>
# The Open OnDemand portal VirtualHost
#
<VirtualHost *:443>
ServerName ondemand-domain.com
ErrorLog "logs/ondemand-domain.com_error_ssl.log"
CustomLog "logs/ondemand-domain.com_access_ssl.log" combined
RewriteEngine On
RewriteCond %{HTTP_HOST} !^(ondemand-domain.com(:443)?)?$ [NC]
RewriteRule ^(.*) https://ondemand-domain.com:443$1 [R=301,NE,L]
Header Unset ETag
Header always set Expires "Thu, 1 Jan 1970 00:00:00 GMT"
Header always set Cache-Control "max-age=0, no-store, no-cache, must-revalidate"
# Support maintenance page during outages of OnDemand
RewriteEngine On
RewriteCond /var/www/ood/public/maintenance/index.html -f
RewriteCond /etc/ood/maintenance.enable -f
RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
RewriteRule ^.*$ /public/maintenance/index.html [R=302,L]
Header always set Content-Security-Policy "frame-ancestors https://ondemand-domain.com;"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
SSLEngine On
SSLCertificateFile "/etc/ssl/certs/apache-selfsigned.crt"
SSLCertificateKeyFile "/etc/ssl/private/apache-selfsigned.key"
# OIDC configuration
#
OIDCProviderMetadataURL https://ondemand-domain.com:5554/.well-known/openid-configuration
OIDCClientID <id>
OIDCClientSecret <secret>
OIDCRedirectURI https://ondemand-domain.com/oidc
OIDCRemoteUserClaim email
OIDCScope "openid profile email groups"
OIDCCryptoPassphrase
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800
OIDCStateMaxNumberOfCookies 7 true
OIDCCookieSameSite Off
OIDCClientID <id>
OIDCClientSecret <secret>
OIDCDefaultURL https://ondemand-domain.com/
OIDCPassClaimsAs environment
OIDCPassIDTokenAs serialized
OIDCPassRefreshToken On
OIDCProviderMetadataURL https://name.okta.com/.well-known/openid-configuration
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1
# Lua configuration
#
LuaRoot "/opt/ood/mod_ood_proxy/lib"
LogLevel lua_module:info
# Log authenticated user requests (requires min log level: info)
LuaHookLog logger.lua logger
# Authenticated-user to system-user mapping configuration
#
SetEnv OOD_USER_MAP_MATCH "^([^@]+)@.*$"
# Per-user Nginx (PUN) configuration
# NB: Apache will need sudo privs to control the PUNs
#
SetEnv OOD_PUN_STAGE_CMD "sudo /opt/ood/nginx_stage/sbin/nginx_stage"
#
# Below is used for sub-uri's this Open OnDemand portal supports
#
# Serve up publicly available assets from local file system:
#
# https://ondemand-domain.com:443/public/favicon.ico
# #=> /var/www/ood/public/favicon.ico
#
Alias "/public" "/var/www/ood/public"
<Directory "/var/www/ood/public">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# Reverse proxy traffic to backend webserver through IP sockets:
#
# https://ondemand-domain.com:443/node/HOST/PORT/index.html
# #=> http://HOST:PORT/node/HOST/PORT/index.html
#
<LocationMatch "^/node/(?<host>[^/]+)/(?<port>\d+)">
AuthType openid-connect
Require valid-user
# ProxyPassReverse implementation
Header edit Location "^[^/]+//[^/]+" ""
# ProxyPassReverseCookieDomain implemenation
Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
# ProxyPassReverseCookiePath implementation
Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
Header edit Set-Cookie "^([^;]+)" "$1; Path=/node/%{MATCH_HOST}e/%{MATCH_PORT}e"
LuaHookFixups node_proxy.lua node_proxy_handler
</LocationMatch>
# Reverse "relative" proxy traffic to backend webserver through IP sockets:
#
# https://ondemand-domain.com:443/rnode/HOST/PORT/index.html
# #=> http://HOST:PORT/index.html
#
<LocationMatch "^/rnode/(?<host>[^/]+)/(?<port>\d+)(?<uri>/.*|)">
AuthType openid-connect
Require valid-user
# ProxyPassReverse implementation
Header edit Location "^([^/]+//[^/]+)|(?=/)|^([\./]{1,}(?<!/))" "/rnode/%{MATCH_HOST}e/%{MATCH_PORT}e"
# ProxyPassReverseCookieDomain implemenation
Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
# ProxyPassReverseCookiePath implementation
Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
Header edit Set-Cookie "^([^;]+)" "$1; Path=/rnode/%{MATCH_HOST}e/%{MATCH_PORT}e"
LuaHookFixups node_proxy.lua node_proxy_handler
</LocationMatch>
# Reverse proxy traffic to backend PUNs through Unix domain sockets:
#
# https://ondemand-domain.com:443/pun/dev/app/simulations/1
# #=> unix:/path/to/socket|http://localhost/pun/dev/app/simulations/1
#
SetEnv OOD_PUN_URI "/pun"
<Location "/pun">
AuthType openid-connect
Require valid-user
ProxyPassReverse "http://localhost/pun"
# ProxyPassReverseCookieDomain implementation (strip domain)
Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
# ProxyPassReverseCookiePath implementation (less restrictive)
Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun"
SetEnv OOD_PUN_SOCKET_ROOT "/var/run/ondemand-nginx"
SetEnv OOD_PUN_MAX_RETRIES "5"
LuaHookFixups pun_proxy.lua pun_proxy_handler
</Location>
# Control backend PUN for authenticated user:
# NB: See mod_ood_proxy for more details.
#
# https://ondemand-domain.com:443/nginx/stop
# #=> stops the authenticated user's PUN
#
SetEnv OOD_NGINX_URI "/nginx"
<Location "/nginx">
AuthType openid-connect
Require valid-user
LuaHookFixups nginx.lua nginx_handler
</Location>
# Redirect root URI to specified URI
#
# https://ondemand-domain.com:443/
# #=> https://ondemand-domain.com:443/pun/sys/dashboard
#
RedirectMatch ^/$ "/pun/sys/dashboard"
# Redirect logout URI to specified redirect URI
#
# https://ondemand-domain.com:443/logout
# #=> https://ondemand-domain.com:443/oidc?logout=https%3A%2F%2Fondemand-domain.com
#
Redirect "/logout" "/oidc?logout=https%3A%2F%2Fondemand-domain.com"
# OpenID Connect redirect URI:
#
# https://ondemand-domain.com:443/oidc
# #=> handled by mod_auth_openidc
#
<Location "/oidc">
AuthType openid-connect
Require valid-user
</Location>
# Maintenance location
#
# https://ondemand-domain.com:443/public/maintenance
# #=> Displays /var/www/ood/public/maintenance/index.html
#
<Directory "/var/www/ood/public/maintenance">
RewriteCond /etc/ood/maintenance.enable !-f
ReWriteRule ^.*$ /
RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
RewriteRule ^.*$ /public/maintenance/index.html [R=503,L]
ErrorDocument 503 /public/maintenance/index.html
</Directory>
</VirtualHost>
/etc/httpd/conf.d/ood-portal.conf in 3.0.1:
<VirtualHost *:*>
ServerName ondemand-domain.com
RewriteEngine On
RewriteCond %{REQUEST_URI} !/public/need_auth.html
RewriteRule ^.*$ /public/need_auth.html [R=301,L]
# Only public assets enabled in this mode.
# If you're reading this message you need to setup authentication: https://osc.github.io/ood-documentation/latest/authentication.html
Alias "/public" "/var/www/ood/public"
<Directory "/var/www/ood/public">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Any idea why 3.0 doesn’t even say it’s autogenerated by ood-portal-generator?
I’m also unsure why it complains about the authentication.
And I saw some differences in the template between 2.0 and 3.0: /opt/ood/ood-portal-generator/templates/ood-portal.conf.erb
So I tried pasting 2.0’s template and generating the httpd config via the command /opt/ood/ood-portal-generator/sbin/update_ood_portal
It did not make any changes to the httpd config.
Here is the /etc/ood/config/ood_portal.yml that’s used as well:
servername: ondemand-domain.com
logout_redirect: /oidc?logout=https://ondemand-domain.com
node_uri: /node
rnode_uri: /rnode
dex_uri: false
oidc_uri: /oidc
oidc_provider_metadata_url: https://company.okta.com/.well-known/openid-configuration
oidc_client_id: <id>
oidc_client_secret: <secret>
oidc_remote_user_claim: preferred_username
oidc_scope: openid profile email groups
oidc_state_max_number_of_cookies: 7 true
oidc_settings:
  OIDCProviderMetadataURL: https://company.okta.com/.well-known/openid-configuration
  OIDCClientID: <id>
  OIDCClientSecret: <secret>
  OIDCPassIDTokenAs: serialized
  OIDCPassClaimsAs: environment
  OIDCStripCookies: mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1
  OIDCDefaultURL: https://ondemand-domain.com/
  OIDCPassRefreshToken: "On"
ssl:
  - 'SSLCertificateFile "/etc/ssl/certs/apache-selfsigned.crt"'
  - 'SSLCertificateKeyFile "/etc/ssl/private/apache-selfsigned.key"'
Tried without dex_uri, that doesn’t work either.
Any help would be appreciated here. Thanks
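An added example, not part of the original post: a small check that tells the two kinds of generated `ood-portal.conf` shown above apart and reports whether every `Location`/`LocationMatch` block carries `AuthType` plus `Require valid-user`. The function name `classify` and both sample strings are constructed for illustration, the samples being abbreviated from the quoted files.

```python
import re

# Constructed samples, abbreviated from the two generated files quoted in the post.
FULL_PORTAL = r'''
<VirtualHost *:443>
  ServerName ondemand-domain.com
  <Location "/pun">
    AuthType openid-connect
    Require valid-user
  </Location>
  <LocationMatch "^/node/(?<host>[^/]+)/(?<port>\d+)">
    AuthType openid-connect
    Require valid-user
  </LocationMatch>
</VirtualHost>
'''
FALLBACK = r'''
<VirtualHost *:*>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} !/public/need_auth.html
  RewriteRule ^.*$ /public/need_auth.html [R=301,L]
  Alias "/public" "/var/www/ood/public"
</VirtualHost>
'''

BLOCK = re.compile(r'<(Location(?:Match)?)\s+"([^"]+)">(.*?)</\1>', re.S)

def classify(conf):
    """Return (mode, {location: auth_ok}) for a generated ood-portal.conf."""
    # Drop comment lines so commented-out directives are not counted.
    lines = [l for l in conf.splitlines() if not l.lstrip().startswith("#")]
    body = "\n".join(lines)
    locations = {}
    for _, path, inner in BLOCK.findall(body):
        has_type = re.search(r'^\s*AuthType\s+\S+', inner, re.M | re.I)
        has_req = re.search(r'^\s*Require\s+valid-user\b', inner, re.M | re.I)
        locations[path] = bool(has_type and has_req)
    # The fallback file redirects every request to the static need_auth page.
    if re.search(r'^\s*RewriteRule\s+\S+\s+/public/need_auth\.html', body, re.M | re.I):
        mode = "need_auth-fallback"
    elif locations and all(locations.values()):
        mode = "authenticated-portal"
    else:
        mode = "incomplete"
    return mode, locations

if __name__ == "__main__":
    for name, conf in (("2.0.31-style", FULL_PORTAL), ("3.0.1-style", FALLBACK)):
        print(name, classify(conf))
```

Running it against the real `/etc/httpd/conf.d/ood-portal.conf` after each `update_ood_portal` shows whether the generator actually emitted the authenticated portal or only the public-assets fallback.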