Use HTTPS on Reverse Proxys (/node & /rnode)

I’m able to to use the OOD builtin Reverse Proxy to hit an upstream host via HTTP with no issues.
For example, a simple NGINX server is running on node04.
https://head.cluster/rnode/node04.cluster/80 → works
https://head.cluster/rnode/node04.cluster/443 → Fails with expected ‘The plain HTTP request was sent to HTTPS port’

I’m having trouble figuring out where to set a forced HTTPS protocol within the HTTPD & LUA configs that I believe are relevant to what OOD is doing. I see the /rnode Location block within ood-portal.conf and more in node_proxy.lua, but I’m not sure on where to make the proper change. I also don’t want to make all upstream connections use HTTPS, just a few that require it.

I’ve set up my own NGINX instance with Reverse Proxy as a sanity test that works. I really want to leverage the built in OID auth and host/port mapping that comes with OOD Reverse Proxy though. Any tips would be greatly appreciated.

Hello and welcome!

I think the main document you will want to be using for this is the ood_portaly.yml file here:

This can help you set things up for OIDC auth.

For the question around using HTTPS vs HTTP you’ll have to hack the code that is currently used for the reverse proxy here:

So that you force http based on the port and similar for https instead of using the either or.

Thanks for verifying the location within LUA → /opt/ood/mod_ood_proxy/lib/ood/proxy.lua

For posterity, I changed the following:
local protocol = (r.headers_in['Upgrade'] and "ws://" or "http://")

  -- find protocol used by parsing the request headers
  -- Check if an upstream port was set for reverse proxies.
  local upstreamPort = nil
  local isUpstreamPortSet = (r.subprocess_env['MATCH_PORT'] and 'true' or 'false')
  if isUpstreamPortSet == 'true' then
    upstreamPort = r.subprocess_env['MATCH_PORT']

  -- Default to ws:// or http:// protocols to upstream hosts
  local protocol = (r.headers_in['Upgrade'] and "ws://" or "http://")
  if upstreamPort then
    -- If specified port was used, then use secure protocols
    if upstreamPort == '8443' then
      protocol = (r.headers_in['Upgrade'] and "wss://" or "https://")

You also have to edit /etc/httpd/conf.d/ood-portal.conf and add ‘SSLProxyEngine on’ within the VirtualHost block.

  SSLEngine On
  SSLProxyEngine on

That was the first LUA I’ve ever been forced to touch, so someone else could do better. It appears to work though (10 mins of testing), and only changes to secure protocols when a specific port is set (8443 in this example).
Other, previously added apps still seem to work (NoVNC desktops, etc…)

Thanks again!

Thanks for posting your solution! Let us know if you have anymore questions.