I am not sure we can do what you are asking for. A lot of stuff is not going to work. AFAIK you will need a dedicated machine to run ovirt engine on the default ports.

On Thu, Feb 14, 2019 at 10:29 PM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
hi Ravi
 sorry, I do not understand when I visit http:192.168.122.176:80/ovirt-engine still redirect to https:192.168.122.176:443/ovirt-engine, I already fix sso_clients table;
who redirect http to https??
 thanks

engine=# select * from sso_clients
engine-# ;
 id |     client_id      |                                                                                                                                  client_secret                     
                                                                                                              |             callback_prefix             |          certificate_location       
   |                    notification_callback                    |    description     | email |                                                                                               
                                                         scope                                                                                                                                
                        | trusted | notification_callback_protocol | notification_callback_verify_host | notification_callback_verify_chain 
----+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------+-----------------------------------------+-------------------------------------
---+-------------------------------------------------------------+--------------------+-------+-----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------+---------+--------------------------------+-----------------------------------+------------------------------------
  1 | ovirt-engine-core  | eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6ImRSc3Y1bnNCR2F0b3M1WTNNOHhiQktGaDlSbEd4SnpjWWxmdzY3NmNUaFk9Iiwic2VjcmV0IjoicE5RM2E0TXQ2aU40MU5YVVY3R0ZMZjcvVnZBMWlWWnN
oOE1ERXozQkIwZz0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0= | http://192.168.122.176:80/ovirt-engine/ | /etc/pki/ovirt-engine/certs/engine.c
er | http:/192.168.122.176:80/ovirt-engine/services/sso-callback | oVirt Engine       |       | openid ovirt-app-portal ovirt-app-admin ovirt-app-api ovirt-ext=auth:identity ovirt-ext=token:
password-access ovirt-ext=auth:sequence-priority ovirt-ext=token:login-on-behalf ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovir
t-ext=revoke:revoke-all | t       | TLS                            | f                                 | t
  2 | ovirt-provider-ovn | eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6Ikh0Zlp5eFJEUXB2RmVaOTJCeU83NUxISXR3Uk9Nd05YUWYzd2wyS2lvSkE9Iiwic2VjcmV0IjoiOVlMZldRSHRiZDdBbVVQdnRNcTgwdndzWG8xMzN6a1V
5WXN2dEJxVEttWT0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0= | http://192.168.122.176:80/ovirt-engine/ | /etc/pki/ovirt-engine/certs/engine.c
er | http:/192.168.122.176:80/ovirt-engine/services/sso-callback | ovirt-provider-ovn |       | ovirt-app-api ovirt-ext=token-info:validate ovirt-ext=token-info:public-authz-search          
                                                                                                                                                                                              
                        | t       | TLS                            | f                                 | t
(2 rows)

Regards

Hongyu Du

 
Date: 2019-02-14 23:32
CC: users
Subject: [ovirt-users] Re: access engine by http
thanks Ravi, because  my engine certification is signed by myself, when I visit my ovirt-engine by browser,  browser need add security exception, so I want to engine by http.

I realise /etc/httpd/conf.d/z-ovirt-engine-proxy.conf redirect /ovirt-engine to 127.0.0.1:8702  , but I do not know how to  redirect https , I do not find some redirect https info.

I fix "ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5"   to "ProxyPassMatch ajp://127.0.0.1:8543 timeout=3600 retry=5"?

Regards

Hongyu Du

 
Date: 2019-02-14 23:16
Subject: Re: Re: [ovirt-users] access engine by http
Apache uses ajp to communicate with engine on port 8702. You can redirect from Apache with a simple RewriteCond 
to jboss port 8543 but certificate verification is not going to work which will cause issues with all oVirt tools.

More over oVirt SSO is not going to let you access UI on port other than 443 when installed through rpms. 
You will need to fiddle with the database to update the redirect uris in the sso_clients table.

The best you can do is change the proxy port in /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf and keep the AJP in place.

Why are you trying to by pass Apache?

On Thu, Feb 14, 2019 at 9:25 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
sorry I describe errror,
 my /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf 

ENGINE_FQDN=localhost.localdomain
ENGINE_PROXY_ENABLED=false
ENGINE_PROXY_HTTP_PORT=None
ENGINE_PROXY_HTTPS_PORT=None
ENGINE_AJP_ENABLED=false
ENGINE_AJP_PORT=None
ENGINE_HTTP_ENABLED=true
ENGINE_HTTPS_ENABLED=false
ENGINE_HTTP_PORT=8080
ENGINE_HTTPS_PORT=8443

I know install ovirt-engine from source in a developer setup, this can visit engine by http.  and  not apache  in the frontend.  but I want to visit engine that is installed rpm by http?

Besides I realize apache not redirect http to https  ovirt  jboss redirect http to https? 

Regards

Hongyu Du

 
Date: 2019-02-14 19:24
Subject: Re: Re: [ovirt-users] access engine by http
Sorry, I'm still not understanding what you are trying to achieve. Nothing is on 8843 - ?

If you install ovirt-engine from source in a developer setup, it's 8080 http by default and no apache in front. Maybe try that.

Greg

On Thu, Feb 14, 2019 at 12:14 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
hi Greg, Ravi
thanks, https is ok,when I try to visit http://ip:8080/ovirt-engine but still rediect https://192.168.122.176:8443/tchyp-engine/,  I want to know How to redirect to 8843? 
Besides I try to disable ssl by comment /etc/httpd/conf/httpd.conf   
#IncludeOptional conf.d/*.conf,
But http is still redirect to https,  I should how disable redirect?
I find  this file  /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in, I try to delete follow line. but ovirt-engine server is not boot
    <socket-binding
        name="redirect"
        port="{{ HTTPS_PORT }}"/>
/var/log/ovirt-engine/boot.log has some error?
13:12:43,144 INFO  [org.jboss.as] WFLYSRV0049: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) starting
13:12:44,644 INFO  [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=native-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
13:12:44,646 INFO  [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
13:12:44,677 INFO  [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
13:12:44,677 INFO  [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'enabled-protocols' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
13:12:44,840 INFO  [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found restapi.war in deployment directory. To trigger deployment create a file called restapi.war.dodeploy
13:12:44,840 INFO  [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found engine.ear in deployment directory. To trigger deployment create a file called engine.ear.dodeploy
13:12:44,840 INFO  [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found ovirt-web-ui.war in deployment directory. To trigger deployment create a file called ovirt-web-ui.war.dodeploy
13:12:44,840 INFO  [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found apidoc.war in deployment directory. To trigger deployment create a file called apidoc.war.dodeploy
13:12:44,895 ERROR [org.jboss.as.controller] WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=http' are not available:
    org.wildfly.network.socket-binding.redirect; Possible registration points for this capability:
                /socket-binding-group=*/socket-binding=*
13:12:44,900 FATAL [org.jboss.as.server] WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
13:12:44,920 INFO  [org.jboss.as] WFLYSRV0050: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) stopped in 13ms


Regards

Hongyu Du

 
Date: 2019-02-14 04:08
CC: users
Subject: Re: [ovirt-users] access engine by http
What are you trying to achieve? SSL is good :)

I suspect you have to disable ssl in the apache server
/etc/httpd/conf.d/ssl.conf
but I'm not really sure.

And, if you do, I suspect some things that use certificates won't work, either (console, disk upload, etc.)

Ravi might know more.

Greg

On Wed, Feb 13, 2019 at 3:39 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
I want to access engine by http, after engine-setup success, I fix /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf

ENGINE_FQDN=localhost.localdomain
ENGINE_PROXY_ENABLED=false
ENGINE_PROXY_HTTP_PORT=None
ENGINE_PROXY_HTTPS_PORT=None
ENGINE_AJP_ENABLED=false
ENGINE_AJP_PORT=None
ENGINE_HTTP_ENABLED=true
ENGINE_HTTPS_ENABLED=false
ENGINE_HTTP_PORT=8080
ENGINE_HTTPS_PORT=443

but I access http://ip:8080/ovirt-engine ,  still browser is redirect to https,  I should how to disable redirect?



Regards

Hongyu Du

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5K4Z2Y5ORRCA4QLQLA5BPPJNSEP6JKNN/


--

GREG SHEREMETA

SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX

Red Hat NA

gshereme@redhat.com    IRC: gshereme



--

GREG SHEREMETA

SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX

Red Hat NA

gshereme@redhat.com    IRC: gshereme