From: Ravi Shankar Nori
Date: 2019-02-15 22:15
CC: users
Subject: Re: [ovirt-users] Re: access engine by http
I am not sure we can do what you are asking for. A lot of stuff is not going to work. AFAIK you will need a dedicated machine to run ovirt engine on the default ports.
hi Ravisorry, I do not understand when I visit http:192.168.122.176:80/ovirt-engine still redirect to https:192.168.122.176:443/ovirt-engine, I already fix sso_clients table;who redirect http to https??thanksengine=# select * from sso_clientsengine-# ;id | client_id | client_secret| callback_prefix | certificate_location| notification_callback | description | email |scope| trusted | notification_callback_protocol | notification_callback_verify_host | notification_callback_verify_chain----+--------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------+----------------------------------------+-------------------------------------------------------------+--------------------+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+--------------------------------+-----------------------------------+------------------------------------1 | ovirt-engine-core | eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6ImRSc3Y1bnNCR2F0b3M1WTNNOHhiQktGaDlSbEd4SnpjWWxmdzY3NmNUaFk9Iiwic2VjcmV0IjoicE5RM2E0TXQ2aU40MU5YVVY3R0ZMZjcvVnZBMWlWWnNoOE1ERXozQkIwZz0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0= | http://192.168.122.176:80/ovirt-engine/ | /etc/pki/ovirt-engine/certs/engine.cer | http:/192.168.122.176:80/ovirt-engine/services/sso-callback | oVirt Engine | | openid ovirt-app-portal ovirt-app-admin ovirt-app-api ovirt-ext=auth:identity ovirt-ext=token:password-access ovirt-ext=auth:sequence-priority ovirt-ext=token:login-on-behalf ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=revoke:revoke-all | t | TLS | f | t2 | ovirt-provider-ovn | eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6Ikh0Zlp5eFJEUXB2RmVaOTJCeU83NUxISXR3Uk9Nd05YUWYzd2wyS2lvSkE9Iiwic2VjcmV0IjoiOVlMZldRSHRiZDdBbVVQdnRNcTgwdndzWG8xMzN6a1V5WXN2dEJxVEttWT0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0= | http://192.168.122.176:80/ovirt-engine/ | /etc/pki/ovirt-engine/certs/engine.cer | http:/192.168.122.176:80/ovirt-engine/services/sso-callback | ovirt-provider-ovn | | ovirt-app-api ovirt-ext=token-info:validate ovirt-ext=token-info:public-authz-search| t | TLS | f | t(2 rows)
Regards
Hongyu Du
From: du_hongyu@yeah.netDate: 2019-02-14 23:32To: Ravi NoriCC: usersSubject: [ovirt-users] Re: access engine by httpthanks Ravi, because my engine certification is signed by myself, when I visit my ovirt-engine by browser, browser need add security exception, so I want to engine by http.I realise /etc/httpd/conf.d/z-ovirt-engine-proxy.conf redirect /ovirt-engine to 127.0.0.1:8702 , but I do not know how to redirect https , I do not find some redirect https info.I fix "ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5" to "ProxyPassMatch ajp://127.0.0.1:8543 timeout=3600 retry=5"?
Regards
Hongyu Du
From: Ravi Shankar NoriDate: 2019-02-14 23:16CC: Greg Sheremeta; usersSubject: Re: Re: [ovirt-users] access engine by httpApache uses ajp to communicate with engine on port 8702. You can redirect from Apache with a simple RewriteCondto jboss port 8543 but certificate verification is not going to work which will cause issues with all oVirt tools.More over oVirt SSO is not going to let you access UI on port other than 443 when installed through rpms.You will need to fiddle with the database to update the redirect uris in the sso_clients table.The best you can do is change the proxy port in /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf and keep the AJP in place.Why are you trying to by pass Apache?sorry I describe errror,my /etc/ovirt-engine/engine.conf.d/10-setup-protocols.confENGINE_FQDN=localhost.localdomainENGINE_PROXY_ENABLED=falseENGINE_PROXY_HTTP_PORT=NoneENGINE_PROXY_HTTPS_PORT=NoneENGINE_AJP_ENABLED=falseENGINE_AJP_PORT=NoneENGINE_HTTP_ENABLED=trueENGINE_HTTPS_ENABLED=falseENGINE_HTTP_PORT=8080ENGINE_HTTPS_PORT=8443I know install ovirt-engine from source in a developer setup, this can visit engine by http. and not apache in the frontend. but I want to visit engine that is installed rpm by http?Besides I realize apache not redirect http to https ovirt jboss redirect http to https?
Regards
Hongyu Du
Sorry, I'm still not understanding what you are trying to achieve. Nothing is on 8843 - ?If you install ovirt-engine from source in a developer setup, it's 8080 http by default and no apache in front. Maybe try that.Greghi Greg, Ravithanks, https is ok,when I try to visit http://ip:8080/ovirt-engine but still rediect https://192.168.122.176:8443/tchyp-engine/, I want to know How to redirect to 8843?Besides I try to disable ssl by comment /etc/httpd/conf/httpd.conf#IncludeOptional conf.d/*.conf,But http is still redirect to https, I should how disable redirect?I find this file /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in, I try to delete follow line. but ovirt-engine server is not boot<socket-bindingname="redirect"port="{{ HTTPS_PORT }}"/>/var/log/ovirt-engine/boot.log has some error?13:12:43,144 INFO [org.jboss.as] WFLYSRV0049: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) starting13:12:44,644 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=native-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.13:12:44,646 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'enabled-protocols' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found restapi.war in deployment directory. To trigger deployment create a file called restapi.war.dodeploy13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found engine.ear in deployment directory. To trigger deployment create a file called engine.ear.dodeploy13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found ovirt-web-ui.war in deployment directory. To trigger deployment create a file called ovirt-web-ui.war.dodeploy13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found apidoc.war in deployment directory. To trigger deployment create a file called apidoc.war.dodeploy13:12:44,895 ERROR [org.jboss.as.controller] WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=http' are not available:org.wildfly.network.socket-binding.redirect; Possible registration points for this capability:/socket-binding-group=*/socket-binding=*13:12:44,900 FATAL [org.jboss.as.server] WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.13:12:44,920 INFO [org.jboss.as] WFLYSRV0050: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) stopped in 13ms
Regards
Hongyu Du
What are you trying to achieve? SSL is good :)I suspect you have to disable ssl in the apache server/etc/httpd/conf.d/ssl.confbut I'm not really sure.And, if you do, I suspect some things that use certificates won't work, either (console, disk upload, etc.)Ravi might know more.Greg_______________________________________________I want to access engine by http, after engine-setup success, I fix /etc/ovirt-engine/engine.conf.d/10-setup-protocols.confENGINE_FQDN=localhost.localdomainENGINE_PROXY_ENABLED=falseENGINE_PROXY_HTTP_PORT=NoneENGINE_PROXY_HTTPS_PORT=NoneENGINE_AJP_ENABLED=falseENGINE_AJP_PORT=NoneENGINE_HTTP_ENABLED=trueENGINE_HTTPS_ENABLED=falseENGINE_HTTP_PORT=8080ENGINE_HTTPS_PORT=443but I access http://ip:8080/ovirt-engine , still browser is redirect to https, I should how to disable redirect?
Regards
Hongyu Du
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5K4Z2Y5ORRCA4QLQLA5BPPJNSEP6JKNN/
----
