[ovirt-users] Re: Port 9090 Redirect Nginx Proxy

Tuesday, 18 December 2018

I think haproxy is probably more appropriate for your use case. Use TCP
mode, and you should be good to go.

Donny Davis

"Ease is a greater threat to progress  than hardship"

On Mon, Dec 17, 2018, 1:29 PM <dcsteve24(a)gmail.com wrote:

...
 I've run into a small issue I'm looking to resolve. I
currently have 5
 hosts I'm working to configure as oVirt Hosts and a single oVirt Manager to
 manage them all. The oVirt Manager can talk to the hosts, the hosts show
 up, they can be managed, etc.

 Our client PCs reside on a different network (and this can't be changed).
 We used to just add the interfaces to communicate on the new network but
 because of IP spaces and DFARS/NIST requirements, we are moving away from
 this. I've set up a reverse proxy so only a single machine serves as the
 gateway between the networks. This works for everything except one small
 issue. If you click "Host Console" from the ovirt manager, it opens up a
 new page with port 9090 to the cockpit page of the host.

 I have this working except I am getting a blank page for cockpit after
 logging in. What's even more odd, I can use the reverse proxy settings to
 browse to the 443 port and redirect to 9090 and i can load everything fine,
 but 9090 to 9090 does not work. I've looked at other threads and posts,
 including the GitLab thing, which got me here, but can't get this last
 missing piece. Is anybody able to provide any assistance? Based off
 research it looks like something I could edit in the cockpit.conf file,
 except ovirt apparently doesn't make the cockpit.conf file... and trying to
 force it through the GUI by adding /settings to the URL says page not found.

 Alternatively I could edit the oVirt Mgr to point to client to the 443
 port and that'd work, if I knew where to edit those hyperlinks upon click.

 P.S. this is a test/develop internal network env which is why i have
 proxy_ssl_verify off.

 Nginx Reverse Proxy config:
 map $http_upgrade $connection_upgrade {
         default upgrade;
         '' close;
 }

 upstream websocket {
         server host11.<domain>:9090;
 }

 server {
        listen         80;
        server_name    host11.<domain>;
        return         301 https://$server_name$request_uri;
 }

 #Allows user to go directly to server (I work!)
 server {
         listen 443;
         server_name host11.<domain>;

         ssl on;
         ssl_certificate <path to certificate.pem>;
         ssl_certificate_key <path to key.pem>;
         proxy_ssl_verify off;

         location / {
                 proxy_pass https://websocket;
                 proxy_http_version 1.1;
                 proxy_buffering off;
                 proxy_set_header X-Real-IP  $remote_addr;
                 proxy_set_header Host $host;
                 proxy_set_header X-Forwarded-For $remote_addr;

                 # needed for websocket
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection $connection_upgrade;

                 # change scheme of "Origin" to https
                 proxy_set_header Origin https://$host;

                 gzip off;
         }

 }

 #allows ovirtmgr host console redirect (I don't work)
 server {
         listen 9090;
         server_name host11.<domain>;

         ssl on;
         ssl_certificate <path to certificate.pem>;
         ssl_certificate_key <path to key.pem>;
         proxy_ssl_verify off;

         location / {
                 proxy_pass https://websocket;
                 proxy_http_version 1.1;
                 proxy_buffering off;
                 proxy_set_header X-Real-IP  $remote_addr;
                 proxy_set_header Host $host;
                 proxy_set_header X-Forwarded-For $remote_addr;

                 # needed for websocket
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection $connection_upgrade;

                 # change scheme of "Origin" to https
                 proxy_set_header Origin https://$host;

                 gzip off;
         }

 }

 Host Error Log:
 #Log in Page
 Dec 17 11:22:15 ovirt11 systemd: Cannot add dependency job for unit
 lvm2-lvmetad.socket, ignoring: Unit is masked.
 Dec 17 11:22:15 ovirt11 systemd: Starting Cockpit Web Service...
 Dec 17 11:22:15 ovirt11 systemd: Started Cockpit Web Service.
 Dec 17 11:22:16 ovirt11 cockpit-ws: Using certificate:
 /etc/cockpit/ws-certs.d/0-self-signed.cert
 Dec 17 11:22:16 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18185 DF PROTO=TCP
 SPT=34518 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:42 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54797 DF PROTO=TCP
 SPT=34520 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0

 #after successfully logging in
 Dec 17 11:22:42 ovirt11 cockpit-session: pam_ssh_add: Failed adding some
 keys
 Dec 17 11:22:42 ovirt11 systemd-logind: New session 856 of user locadmin.
 Dec 17 11:22:42 ovirt11 systemd: Started Session 856 of user locadmin.
 Dec 17 11:22:43 ovirt11 cockpit-ws: logged in user session
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=28754 DF PROTO=TCP
 SPT=34522 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24281 DF PROTO=TCP
 SPT=34524 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32811 DF PROTO=TCP
 SPT=34526 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24156 DF PROTO=TCP
 SPT=34528 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60945 DF PROTO=TCP
 SPT=34530 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31779 DF PROTO=TCP
 SPT=34532 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45849 DF PROTO=TCP
 SPT=34534 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7433 DF PROTO=TCP
 SPT=34536 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13932 DF PROTO=TCP
 SPT=34538 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48921 DF PROTO=TCP
 SPT=34540 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23475 DF PROTO=TCP
 SPT=34542 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21419 DF PROTO=TCP
 SPT=34544 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54052 DF PROTO=TCP
 SPT=34546 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:43 ovirt11 kernel: HTTPS SYN: IN=ovirtmgmt OUT=
 MAC=b8:2a:72:de:a3:76:00:50:56:8b:01:ca:08:00 SRC=192.168.100.251
 DST=192.168.100.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34558 DF PROTO=TCP
 SPT=34548 DPT=9090 WINDOW=29200 RES=0x00 SYN URGP=0
 Dec 17 11:22:58 ovirt11 cockpit-ws: session timed out
 Dec 17 11:22:58 ovirt11 systemd-logind: Removed session 856.
 _______________________________________________
 Users mailing list -- users(a)ovirt.org
 To unsubscribe send an email to users-leave(a)ovirt.org
 Privacy Statement: https://www.ovirt.org/site/privacy-policy/
 oVirt Code of Conduct:
 https://www.ovirt.org/community/about/community-guidelines/
 List Archives:

https://lists.ovirt.org/archives/list/users@ovirt.org/message/JMK45XBR2DT...

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

[ovirt-users] Re: Port 9090 Redirect Nginx Proxy