I want to access engine by http, after engine-setup success, I fix /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=443 but I access http://ip:8080/ovirt-engine , still browser is redirect to https, I should how to disable redirect? Regards Hongyu Du
What are you trying to achieve? SSL is good :) I suspect you have to disable ssl in the apache server /etc/httpd/conf.d/ssl.conf but I'm not really sure. And, if you do, I suspect some things that use certificates won't work, either (console, disk upload, etc.) Ravi might know more. Greg On Wed, Feb 13, 2019 at 3:39 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
I want to access engine by http, after engine-setup success, I fix /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf
ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=443
but I access http://ip:8080/ovirt-engine , still browser is redirect to https, I should how to disable redirect?
------------------------------
Regards
Hongyu Du _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5K4Z2Y5ORRCA4Q...
-- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA <https://www.redhat.com/> gshereme@redhat.com IRC: gshereme <https://red.ht/sig>
hi Greg, Ravi thanks, https is ok,when I try to visit http://ip:8080/ovirt-engine but still rediect https://192.168.122.176:8443/tchyp-engine/, I want to know How to redirect to 8843? Besides I try to disable ssl by comment /etc/httpd/conf/httpd.conf #IncludeOptional conf.d/*.conf, But http is still redirect to https, I should how disable redirect? I find this file /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in, I try to delete follow line. but ovirt-engine server is not boot <socket-binding name="redirect" port="{{ HTTPS_PORT }}"/> /var/log/ovirt-engine/boot.log has some error? 13:12:43,144 INFO [org.jboss.as] WFLYSRV0049: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) starting 13:12:44,644 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=native-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,646 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'enabled-protocols' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found restapi.war in deployment directory. To trigger deployment create a file called restapi.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found engine.ear in deployment directory. To trigger deployment create a file called engine.ear.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found ovirt-web-ui.war in deployment directory. To trigger deployment create a file called ovirt-web-ui.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found apidoc.war in deployment directory. To trigger deployment create a file called apidoc.war.dodeploy 13:12:44,895 ERROR [org.jboss.as.controller] WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=http' are not available: org.wildfly.network.socket-binding.redirect; Possible registration points for this capability: /socket-binding-group=*/socket-binding=* 13:12:44,900 FATAL [org.jboss.as.server] WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. 13:12:44,920 INFO [org.jboss.as] WFLYSRV0050: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) stopped in 13ms Regards Hongyu Du From: Greg Sheremeta Date: 2019-02-14 04:08 To: du_hongyu@yeah.net; Ravi Nori CC: users Subject: Re: [ovirt-users] access engine by http What are you trying to achieve? SSL is good :) I suspect you have to disable ssl in the apache server /etc/httpd/conf.d/ssl.conf but I'm not really sure. And, if you do, I suspect some things that use certificates won't work, either (console, disk upload, etc.) Ravi might know more. Greg On Wed, Feb 13, 2019 at 3:39 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: I want to access engine by http, after engine-setup success, I fix /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=443 but I access http://ip:8080/ovirt-engine , still browser is redirect to https, I should how to disable redirect? Regards Hongyu Du _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5K4Z2Y5ORRCA4Q... -- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA gshereme@redhat.com IRC: gshereme
Sorry, I'm still not understanding what you are trying to achieve. Nothing is on 8843 - ? If you install ovirt-engine from source in a developer setup, it's 8080 http by default and no apache in front. Maybe try that. Greg On Thu, Feb 14, 2019 at 12:14 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
hi Greg, Ravi thanks, https is ok,when I try to visit http://ip:8080/ovirt-engine but still rediect https://192.168.122.176:8443/tchyp-engine/, I want to know How to redirect to 8843? Besides I try to disable ssl by comment /etc/httpd/conf/httpd.conf #IncludeOptional conf.d/*.conf, But http is still redirect to https, I should how disable redirect? I find this file /usr/share/ovirt-engine/services/ovirt-engine/ ovirt-engine.xml.in, I try to delete follow line. but ovirt-engine server is not boot <socket-binding name="redirect" port="{{ HTTPS_PORT }}"/> /var/log/ovirt-engine/boot.log has some error? 13:12:43,144 INFO [org.jboss.as] WFLYSRV0049: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) starting 13:12:44,644 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=native-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,646 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'enabled-protocols' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found restapi.war in deployment directory. To trigger deployment create a file called restapi.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found engine.ear in deployment directory. To trigger deployment create a file called engine.ear.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found ovirt-web-ui.war in deployment directory. To trigger deployment create a file called ovirt-web-ui.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found apidoc.war in deployment directory. To trigger deployment create a file called apidoc.war.dodeploy 13:12:44,895 ERROR [org.jboss.as.controller] WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=http' are not available: org.wildfly.network.socket-binding.redirect; Possible registration points for this capability: /socket-binding-group=*/socket-binding=* 13:12:44,900 FATAL [org.jboss.as.server] WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. 13:12:44,920 INFO [org.jboss.as] WFLYSRV0050: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) stopped in 13ms
------------------------------
Regards
Hongyu Du
*From:* Greg Sheremeta <gshereme@redhat.com> *Date:* 2019-02-14 04:08 *To:* du_hongyu@yeah.net; Ravi Nori <rnori@redhat.com> *CC:* users <users@ovirt.org> *Subject:* Re: [ovirt-users] access engine by http What are you trying to achieve? SSL is good :)
I suspect you have to disable ssl in the apache server /etc/httpd/conf.d/ssl.conf but I'm not really sure.
And, if you do, I suspect some things that use certificates won't work, either (console, disk upload, etc.)
Ravi might know more.
Greg
On Wed, Feb 13, 2019 at 3:39 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
I want to access engine by http, after engine-setup success, I fix /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf
ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=443
but I access http://ip:8080/ovirt-engine , still browser is redirect to https, I should how to disable redirect?
------------------------------
Regards
Hongyu Du _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5K4Z2Y5ORRCA4Q...
--
GREG SHEREMETA
SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX
Red Hat NA
gshereme@redhat.com IRC: gshereme <https://red.ht/sig>
-- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA <https://www.redhat.com/> gshereme@redhat.com IRC: gshereme <https://red.ht/sig>
sorry I describe errror, my /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=8443 I know install ovirt-engine from source in a developer setup, this can visit engine by http. and not apache in the frontend. but I want to visit engine that is installed rpm by http? Besides I realize apache not redirect http to https ovirt jboss redirect http to https? Regards Hongyu Du From: Greg Sheremeta Date: 2019-02-14 19:24 To: du_hongyu@yeah.net CC: Ravi Nori; users Subject: Re: Re: [ovirt-users] access engine by http Sorry, I'm still not understanding what you are trying to achieve. Nothing is on 8843 - ? If you install ovirt-engine from source in a developer setup, it's 8080 http by default and no apache in front. Maybe try that. Greg On Thu, Feb 14, 2019 at 12:14 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: hi Greg, Ravi thanks, https is ok,when I try to visit http://ip:8080/ovirt-engine but still rediect https://192.168.122.176:8443/tchyp-engine/, I want to know How to redirect to 8843? Besides I try to disable ssl by comment /etc/httpd/conf/httpd.conf #IncludeOptional conf.d/*.conf, But http is still redirect to https, I should how disable redirect? I find this file /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in, I try to delete follow line. but ovirt-engine server is not boot <socket-binding name="redirect" port="{{ HTTPS_PORT }}"/> /var/log/ovirt-engine/boot.log has some error? 13:12:43,144 INFO [org.jboss.as] WFLYSRV0049: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) starting 13:12:44,644 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=native-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,646 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'enabled-protocols' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found restapi.war in deployment directory. To trigger deployment create a file called restapi.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found engine.ear in deployment directory. To trigger deployment create a file called engine.ear.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found ovirt-web-ui.war in deployment directory. To trigger deployment create a file called ovirt-web-ui.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found apidoc.war in deployment directory. To trigger deployment create a file called apidoc.war.dodeploy 13:12:44,895 ERROR [org.jboss.as.controller] WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=http' are not available: org.wildfly.network.socket-binding.redirect; Possible registration points for this capability: /socket-binding-group=*/socket-binding=* 13:12:44,900 FATAL [org.jboss.as.server] WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. 13:12:44,920 INFO [org.jboss.as] WFLYSRV0050: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) stopped in 13ms Regards Hongyu Du From: Greg Sheremeta Date: 2019-02-14 04:08 To: du_hongyu@yeah.net; Ravi Nori CC: users Subject: Re: [ovirt-users] access engine by http What are you trying to achieve? SSL is good :) I suspect you have to disable ssl in the apache server /etc/httpd/conf.d/ssl.conf but I'm not really sure. And, if you do, I suspect some things that use certificates won't work, either (console, disk upload, etc.) Ravi might know more. Greg On Wed, Feb 13, 2019 at 3:39 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: I want to access engine by http, after engine-setup success, I fix /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=443 but I access http://ip:8080/ovirt-engine , still browser is redirect to https, I should how to disable redirect? Regards Hongyu Du _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5K4Z2Y5ORRCA4Q... -- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA gshereme@redhat.com IRC: gshereme -- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA gshereme@redhat.com IRC: gshereme
Apache uses ajp to communicate with engine on port 8702. You can redirect from Apache with a simple RewriteCond to jboss port 8543 but certificate verification is not going to work which will cause issues with all oVirt tools. More over oVirt SSO is not going to let you access UI on port other than 443 when installed through rpms. You will need to fiddle with the database to update the redirect uris in the sso_clients table. The best you can do is change the proxy port in /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf and keep the AJP in place. Why are you trying to by pass Apache? On Thu, Feb 14, 2019 at 9:25 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
sorry I describe errror, my /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf
ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=8443
I know install ovirt-engine from source in a developer setup, this can visit engine by http. and not apache in the frontend. but I want to visit engine that is installed rpm by http?
Besides I realize apache not redirect http to https ovirt jboss redirect http to https?
------------------------------
Regards
Hongyu Du
*From:* Greg Sheremeta <gshereme@redhat.com> *Date:* 2019-02-14 19:24 *To:* du_hongyu@yeah.net *CC:* Ravi Nori <rnori@redhat.com>; users <users@ovirt.org> *Subject:* Re: Re: [ovirt-users] access engine by http Sorry, I'm still not understanding what you are trying to achieve. Nothing is on 8843 - ?
If you install ovirt-engine from source in a developer setup, it's 8080 http by default and no apache in front. Maybe try that.
Greg
On Thu, Feb 14, 2019 at 12:14 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
hi Greg, Ravi thanks, https is ok,when I try to visit http://ip:8080/ovirt-engine but still rediect https://192.168.122.176:8443/tchyp-engine/, I want to know How to redirect to 8843? Besides I try to disable ssl by comment /etc/httpd/conf/httpd.conf #IncludeOptional conf.d/*.conf, But http is still redirect to https, I should how disable redirect? I find this file /usr/share/ovirt-engine/services/ovirt-engine/ ovirt-engine.xml.in, I try to delete follow line. but ovirt-engine server is not boot <socket-binding name="redirect" port="{{ HTTPS_PORT }}"/> /var/log/ovirt-engine/boot.log has some error? 13:12:43,144 INFO [org.jboss.as] WFLYSRV0049: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) starting 13:12:44,644 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=native-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,646 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'enabled-protocols' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found restapi.war in deployment directory. To trigger deployment create a file called restapi.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found engine.ear in deployment directory. To trigger deployment create a file called engine.ear.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found ovirt-web-ui.war in deployment directory. To trigger deployment create a file called ovirt-web-ui.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found apidoc.war in deployment directory. To trigger deployment create a file called apidoc.war.dodeploy 13:12:44,895 ERROR [org.jboss.as.controller] WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=http' are not available: org.wildfly.network.socket-binding.redirect; Possible registration points for this capability: /socket-binding-group=*/socket-binding=* 13:12:44,900 FATAL [org.jboss.as.server] WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. 13:12:44,920 INFO [org.jboss.as] WFLYSRV0050: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) stopped in 13ms
------------------------------
Regards
Hongyu Du
*From:* Greg Sheremeta <gshereme@redhat.com> *Date:* 2019-02-14 04:08 *To:* du_hongyu@yeah.net; Ravi Nori <rnori@redhat.com> *CC:* users <users@ovirt.org> *Subject:* Re: [ovirt-users] access engine by http What are you trying to achieve? SSL is good :)
I suspect you have to disable ssl in the apache server /etc/httpd/conf.d/ssl.conf but I'm not really sure.
And, if you do, I suspect some things that use certificates won't work, either (console, disk upload, etc.)
Ravi might know more.
Greg
On Wed, Feb 13, 2019 at 3:39 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
I want to access engine by http, after engine-setup success, I fix /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf
ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=443
but I access http://ip:8080/ovirt-engine , still browser is redirect to https, I should how to disable redirect?
------------------------------
Regards
Hongyu Du _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5K4Z2Y5ORRCA4Q...
--
GREG SHEREMETA
SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX
Red Hat NA
gshereme@redhat.com IRC: gshereme <https://red.ht/sig>
--
GREG SHEREMETA
SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX
Red Hat NA
gshereme@redhat.com IRC: gshereme <https://red.ht/sig>
thanks Ravi, because my engine certification is signed by myself, when I visit my ovirt-engine by browser, browser need add security exception, so I want to engine by http. I realise /etc/httpd/conf.d/z-ovirt-engine-proxy.conf redirect /ovirt-engine to 127.0.0.1:8702 , but I do not know how to redirect https , I do not find some redirect https info. I fix "ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5" to "ProxyPassMatch ajp://127.0.0.1:8543 timeout=3600 retry=5"? Regards Hongyu Du From: Ravi Shankar Nori Date: 2019-02-14 23:16 To: du_hongyu@yeah.net CC: Greg Sheremeta; users Subject: Re: Re: [ovirt-users] access engine by http Apache uses ajp to communicate with engine on port 8702. You can redirect from Apache with a simple RewriteCond to jboss port 8543 but certificate verification is not going to work which will cause issues with all oVirt tools. More over oVirt SSO is not going to let you access UI on port other than 443 when installed through rpms. You will need to fiddle with the database to update the redirect uris in the sso_clients table. The best you can do is change the proxy port in /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf and keep the AJP in place. Why are you trying to by pass Apache? On Thu, Feb 14, 2019 at 9:25 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: sorry I describe errror, my /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=8443 I know install ovirt-engine from source in a developer setup, this can visit engine by http. and not apache in the frontend. but I want to visit engine that is installed rpm by http? Besides I realize apache not redirect http to https ovirt jboss redirect http to https? Regards Hongyu Du From: Greg Sheremeta Date: 2019-02-14 19:24 To: du_hongyu@yeah.net CC: Ravi Nori; users Subject: Re: Re: [ovirt-users] access engine by http Sorry, I'm still not understanding what you are trying to achieve. Nothing is on 8843 - ? If you install ovirt-engine from source in a developer setup, it's 8080 http by default and no apache in front. Maybe try that. Greg On Thu, Feb 14, 2019 at 12:14 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: hi Greg, Ravi thanks, https is ok,when I try to visit http://ip:8080/ovirt-engine but still rediect https://192.168.122.176:8443/tchyp-engine/, I want to know How to redirect to 8843? Besides I try to disable ssl by comment /etc/httpd/conf/httpd.conf #IncludeOptional conf.d/*.conf, But http is still redirect to https, I should how disable redirect? I find this file /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in, I try to delete follow line. but ovirt-engine server is not boot <socket-binding name="redirect" port="{{ HTTPS_PORT }}"/> /var/log/ovirt-engine/boot.log has some error? 13:12:43,144 INFO [org.jboss.as] WFLYSRV0049: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) starting 13:12:44,644 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=native-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,646 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'enabled-protocols' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found restapi.war in deployment directory. To trigger deployment create a file called restapi.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found engine.ear in deployment directory. To trigger deployment create a file called engine.ear.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found ovirt-web-ui.war in deployment directory. To trigger deployment create a file called ovirt-web-ui.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found apidoc.war in deployment directory. To trigger deployment create a file called apidoc.war.dodeploy 13:12:44,895 ERROR [org.jboss.as.controller] WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=http' are not available: org.wildfly.network.socket-binding.redirect; Possible registration points for this capability: /socket-binding-group=*/socket-binding=* 13:12:44,900 FATAL [org.jboss.as.server] WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. 13:12:44,920 INFO [org.jboss.as] WFLYSRV0050: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) stopped in 13ms Regards Hongyu Du From: Greg Sheremeta Date: 2019-02-14 04:08 To: du_hongyu@yeah.net; Ravi Nori CC: users Subject: Re: [ovirt-users] access engine by http What are you trying to achieve? SSL is good :) I suspect you have to disable ssl in the apache server /etc/httpd/conf.d/ssl.conf but I'm not really sure. And, if you do, I suspect some things that use certificates won't work, either (console, disk upload, etc.) Ravi might know more. Greg On Wed, Feb 13, 2019 at 3:39 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: I want to access engine by http, after engine-setup success, I fix /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=443 but I access http://ip:8080/ovirt-engine , still browser is redirect to https, I should how to disable redirect? Regards Hongyu Du _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5K4Z2Y5ORRCA4Q... -- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA gshereme@redhat.com IRC: gshereme -- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA gshereme@redhat.com IRC: gshereme
hi Ravi sorry, I do not understand when I visit http:192.168.122.176:80/ovirt-engine still redirect to https:192.168.122.176:443/ovirt-engine, I already fix sso_clients table; who redirect http to https?? thanks engine=# select * from sso_clients engine-# ; id | client_id | client_secret | callback_prefix | certificate_location | notification_callback | description | email | scope | trusted | notification_callback_protocol | notification_callback_verify_host | notification_callback_verify_chain ----+--------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------------------------+-----------------------------------------+------------------------------------- ---+-------------------------------------------------------------+--------------------+-------+----------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------+---------+--------------------------------+-----------------------------------+------------------------------------ 1 | ovirt-engine-core | eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6ImRSc3Y1bnNCR2F0b3M1WTNNOHhiQktGaDlSbEd4SnpjWWxmdzY3NmNUaFk9Iiwic2VjcmV0IjoicE5RM2E0TXQ2aU40MU5YVVY3R0ZMZjcvVnZBMWlWWnN oOE1ERXozQkIwZz0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0= | http://192.168.122.176:80/ovirt-engine/ | /etc/pki/ovirt-engine/certs/engine.c er | http:/192.168.122.176:80/ovirt-engine/services/sso-callback | oVirt Engine | | openid ovirt-app-portal ovirt-app-admin ovirt-app-api ovirt-ext=auth:identity ovirt-ext=token: password-access ovirt-ext=auth:sequence-priority ovirt-ext=token:login-on-behalf ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovir t-ext=revoke:revoke-all | t | TLS | f | t 2 | ovirt-provider-ovn | eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6Ikh0Zlp5eFJEUXB2RmVaOTJCeU83NUxISXR3Uk9Nd05YUWYzd2wyS2lvSkE9Iiwic2VjcmV0IjoiOVlMZldRSHRiZDdBbVVQdnRNcTgwdndzWG8xMzN6a1V 5WXN2dEJxVEttWT0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0= | http://192.168.122.176:80/ovirt-engine/ | /etc/pki/ovirt-engine/certs/engine.c er | http:/192.168.122.176:80/ovirt-engine/services/sso-callback | ovirt-provider-ovn | | ovirt-app-api ovirt-ext=token-info:validate ovirt-ext=token-info:public-authz-search | t | TLS | f | t (2 rows) Regards Hongyu Du From: du_hongyu@yeah.net Date: 2019-02-14 23:32 To: Ravi Nori CC: users Subject: [ovirt-users] Re: access engine by http thanks Ravi, because my engine certification is signed by myself, when I visit my ovirt-engine by browser, browser need add security exception, so I want to engine by http. I realise /etc/httpd/conf.d/z-ovirt-engine-proxy.conf redirect /ovirt-engine to 127.0.0.1:8702 , but I do not know how to redirect https , I do not find some redirect https info. I fix "ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5" to "ProxyPassMatch ajp://127.0.0.1:8543 timeout=3600 retry=5"? Regards Hongyu Du From: Ravi Shankar Nori Date: 2019-02-14 23:16 To: du_hongyu@yeah.net CC: Greg Sheremeta; users Subject: Re: Re: [ovirt-users] access engine by http Apache uses ajp to communicate with engine on port 8702. You can redirect from Apache with a simple RewriteCond to jboss port 8543 but certificate verification is not going to work which will cause issues with all oVirt tools. More over oVirt SSO is not going to let you access UI on port other than 443 when installed through rpms. You will need to fiddle with the database to update the redirect uris in the sso_clients table. The best you can do is change the proxy port in /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf and keep the AJP in place. Why are you trying to by pass Apache? On Thu, Feb 14, 2019 at 9:25 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: sorry I describe errror, my /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=8443 I know install ovirt-engine from source in a developer setup, this can visit engine by http. and not apache in the frontend. but I want to visit engine that is installed rpm by http? Besides I realize apache not redirect http to https ovirt jboss redirect http to https? Regards Hongyu Du From: Greg Sheremeta Date: 2019-02-14 19:24 To: du_hongyu@yeah.net CC: Ravi Nori; users Subject: Re: Re: [ovirt-users] access engine by http Sorry, I'm still not understanding what you are trying to achieve. Nothing is on 8843 - ? If you install ovirt-engine from source in a developer setup, it's 8080 http by default and no apache in front. Maybe try that. Greg On Thu, Feb 14, 2019 at 12:14 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: hi Greg, Ravi thanks, https is ok,when I try to visit http://ip:8080/ovirt-engine but still rediect https://192.168.122.176:8443/tchyp-engine/, I want to know How to redirect to 8843? Besides I try to disable ssl by comment /etc/httpd/conf/httpd.conf #IncludeOptional conf.d/*.conf, But http is still redirect to https, I should how disable redirect? I find this file /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in, I try to delete follow line. but ovirt-engine server is not boot <socket-binding name="redirect" port="{{ HTTPS_PORT }}"/> /var/log/ovirt-engine/boot.log has some error? 13:12:43,144 INFO [org.jboss.as] WFLYSRV0049: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) starting 13:12:44,644 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=native-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,646 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'enabled-protocols' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found restapi.war in deployment directory. To trigger deployment create a file called restapi.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found engine.ear in deployment directory. To trigger deployment create a file called engine.ear.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found ovirt-web-ui.war in deployment directory. To trigger deployment create a file called ovirt-web-ui.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found apidoc.war in deployment directory. To trigger deployment create a file called apidoc.war.dodeploy 13:12:44,895 ERROR [org.jboss.as.controller] WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=http' are not available: org.wildfly.network.socket-binding.redirect; Possible registration points for this capability: /socket-binding-group=*/socket-binding=* 13:12:44,900 FATAL [org.jboss.as.server] WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. 13:12:44,920 INFO [org.jboss.as] WFLYSRV0050: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) stopped in 13ms Regards Hongyu Du From: Greg Sheremeta Date: 2019-02-14 04:08 To: du_hongyu@yeah.net; Ravi Nori CC: users Subject: Re: [ovirt-users] access engine by http What are you trying to achieve? SSL is good :) I suspect you have to disable ssl in the apache server /etc/httpd/conf.d/ssl.conf but I'm not really sure. And, if you do, I suspect some things that use certificates won't work, either (console, disk upload, etc.) Ravi might know more. Greg On Wed, Feb 13, 2019 at 3:39 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: I want to access engine by http, after engine-setup success, I fix /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=443 but I access http://ip:8080/ovirt-engine , still browser is redirect to https, I should how to disable redirect? Regards Hongyu Du _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5K4Z2Y5ORRCA4Q... -- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA gshereme@redhat.com IRC: gshereme -- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA gshereme@redhat.com IRC: gshereme
I am not sure we can do what you are asking for. A lot of stuff is not going to work. AFAIK you will need a dedicated machine to run ovirt engine on the default ports. On Thu, Feb 14, 2019 at 10:29 PM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
hi Ravi sorry, I do not understand when I visit http: 192.168.122.176:80/ovirt-engine still redirect to https: 192.168.122.176:443/ovirt-engine, I already fix sso_clients table; who redirect http to https?? thanks
engine=# select * from sso_clients engine-# ; id | client_id |
client_secret
| callback_prefix | certificate_location | notification_callback | description | email |
scope
| trusted | notification_callback_protocol | notification_callback_verify_host | notification_callback_verify_chain
----+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------+-----------------------------------------+-------------------------------------
---+-------------------------------------------------------------+--------------------+-------+-----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------+---------+--------------------------------+-----------------------------------+------------------------------------ 1 | ovirt-engine-core | eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6ImRSc3Y1bnNCR2F0b3M1WTNNOHhiQktGaDlSbEd4SnpjWWxmdzY3NmNUaFk9Iiwic2VjcmV0IjoicE5RM2E0TXQ2aU40MU5YVVY3R0ZMZjcvVnZBMWlWWnN oOE1ERXozQkIwZz0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0= | http://192.168.122.176:80/ovirt-engine/ | /etc/pki/ovirt-engine/certs/engine.c er | http:/192.168.122.176:80/ovirt-engine/services/sso-callback | oVirt Engine | | openid ovirt-app-portal ovirt-app-admin ovirt-app-api ovirt-ext=auth:identity ovirt-ext=token: password-access ovirt-ext=auth:sequence-priority ovirt-ext=token:login-on-behalf ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovir t-ext=revoke:revoke-all | t | TLS | f | t 2 | ovirt-provider-ovn | eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6Ikh0Zlp5eFJEUXB2RmVaOTJCeU83NUxISXR3Uk9Nd05YUWYzd2wyS2lvSkE9Iiwic2VjcmV0IjoiOVlMZldRSHRiZDdBbVVQdnRNcTgwdndzWG8xMzN6a1V 5WXN2dEJxVEttWT0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0= | http://192.168.122.176:80/ovirt-engine/ | /etc/pki/ovirt-engine/certs/engine.c er | http:/192.168.122.176:80/ovirt-engine/services/sso-callback | ovirt-provider-ovn | | ovirt-app-api ovirt-ext=token-info:validate ovirt-ext=token-info:public-authz-search
| t | TLS | f | t (2 rows)
------------------------------
Regards
Hongyu Du
*From:* du_hongyu@yeah.net *Date:* 2019-02-14 23:32 *To:* Ravi Nori <rnori@redhat.com> *CC:* users <users@ovirt.org> *Subject:* [ovirt-users] Re: access engine by http thanks Ravi, because my engine certification is signed by myself, when I visit my ovirt-engine by browser, browser need add security exception, so I want to engine by http.
I realise /etc/httpd/conf.d/z-ovirt-engine-proxy.conf redirect /ovirt-engine to 127.0.0.1:8702 , but I do not know how to redirect https , I do not find some redirect https info.
I fix "ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5" to "ProxyPassMatch ajp://127.0.0.1:8543 timeout=3600 retry=5"?
------------------------------
Regards
Hongyu Du
*From:* Ravi Shankar Nori <rnori@redhat.com> *Date:* 2019-02-14 23:16 *To:* du_hongyu@yeah.net *CC:* Greg Sheremeta <gshereme@redhat.com>; users <users@ovirt.org> *Subject:* Re: Re: [ovirt-users] access engine by http Apache uses ajp to communicate with engine on port 8702. You can redirect from Apache with a simple RewriteCond to jboss port 8543 but certificate verification is not going to work which will cause issues with all oVirt tools.
More over oVirt SSO is not going to let you access UI on port other than 443 when installed through rpms. You will need to fiddle with the database to update the redirect uris in the sso_clients table.
The best you can do is change the proxy port in /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf and keep the AJP in place.
Why are you trying to by pass Apache?
On Thu, Feb 14, 2019 at 9:25 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
sorry I describe errror, my /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf
ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=8443
I know install ovirt-engine from source in a developer setup, this can visit engine by http. and not apache in the frontend. but I want to visit engine that is installed rpm by http?
Besides I realize apache not redirect http to https ovirt jboss redirect http to https?
------------------------------
Regards
Hongyu Du
*From:* Greg Sheremeta <gshereme@redhat.com> *Date:* 2019-02-14 19:24 *To:* du_hongyu@yeah.net *CC:* Ravi Nori <rnori@redhat.com>; users <users@ovirt.org> *Subject:* Re: Re: [ovirt-users] access engine by http Sorry, I'm still not understanding what you are trying to achieve. Nothing is on 8843 - ?
If you install ovirt-engine from source in a developer setup, it's 8080 http by default and no apache in front. Maybe try that.
Greg
On Thu, Feb 14, 2019 at 12:14 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
hi Greg, Ravi thanks, https is ok,when I try to visit http://ip:8080/ovirt-engine but still rediect https://192.168.122.176:8443/tchyp-engine/, I want to know How to redirect to 8843? Besides I try to disable ssl by comment /etc/httpd/conf/httpd.conf #IncludeOptional conf.d/*.conf, But http is still redirect to https, I should how disable redirect? I find this file /usr/share/ovirt-engine/services/ovirt-engine/ ovirt-engine.xml.in, I try to delete follow line. but ovirt-engine server is not boot <socket-binding name="redirect" port="{{ HTTPS_PORT }}"/> /var/log/ovirt-engine/boot.log has some error? 13:12:43,144 INFO [org.jboss.as] WFLYSRV0049: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) starting 13:12:44,644 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=native-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,646 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'enabled-protocols' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found restapi.war in deployment directory. To trigger deployment create a file called restapi.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found engine.ear in deployment directory. To trigger deployment create a file called engine.ear.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found ovirt-web-ui.war in deployment directory. To trigger deployment create a file called ovirt-web-ui.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found apidoc.war in deployment directory. To trigger deployment create a file called apidoc.war.dodeploy 13:12:44,895 ERROR [org.jboss.as.controller] WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=http' are not available: org.wildfly.network.socket-binding.redirect; Possible registration points for this capability: /socket-binding-group=*/socket-binding=* 13:12:44,900 FATAL [org.jboss.as.server] WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. 13:12:44,920 INFO [org.jboss.as] WFLYSRV0050: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) stopped in 13ms
------------------------------
Regards
Hongyu Du
*From:* Greg Sheremeta <gshereme@redhat.com> *Date:* 2019-02-14 04:08 *To:* du_hongyu@yeah.net; Ravi Nori <rnori@redhat.com> *CC:* users <users@ovirt.org> *Subject:* Re: [ovirt-users] access engine by http What are you trying to achieve? SSL is good :)
I suspect you have to disable ssl in the apache server /etc/httpd/conf.d/ssl.conf but I'm not really sure.
And, if you do, I suspect some things that use certificates won't work, either (console, disk upload, etc.)
Ravi might know more.
Greg
On Wed, Feb 13, 2019 at 3:39 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
I want to access engine by http, after engine-setup success, I fix /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf
ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=443
but I access http://ip:8080/ovirt-engine , still browser is redirect to https, I should how to disable redirect?
------------------------------
Regards
Hongyu Du _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5K4Z2Y5ORRCA4Q...
--
GREG SHEREMETA
SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX
Red Hat NA
gshereme@redhat.com IRC: gshereme <https://red.ht/sig>
--
GREG SHEREMETA
SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX
Red Hat NA
gshereme@redhat.com IRC: gshereme <https://red.ht/sig>
I agree with Ravi. If your use case is that you just don't want to be nagged by the browser about your self-signed certificate, why not just import the CA into your browser? Like this: https://www.ovirt.org/documentation/intro-vm-portal/What_is_the_VM_Portal.ht... On Fri, Feb 15, 2019 at 9:21 AM Ravi Shankar Nori <rnori@redhat.com> wrote:
I am not sure we can do what you are asking for. A lot of stuff is not going to work. AFAIK you will need a dedicated machine to run ovirt engine on the default ports.
On Thu, Feb 14, 2019 at 10:29 PM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote:
hi Ravi sorry, I do not understand when I visit http: 192.168.122.176:80/ovirt-engine still redirect to https: 192.168.122.176:443/ovirt-engine, I already fix sso_clients table; who redirect http to https?? thanks
I do not want custemer to add self-signed certificate. I only want to visit ovirt-engine with http. I try more attempts but not success, I hope you can help me. thanks Regards Hongyu Du From: Greg Sheremeta Date: 2019-02-15 23:28 To: du_hongyu@yeah.net CC: users; Ravi Shankar Nori Subject: Re: [ovirt-users] Re: access engine by http I agree with Ravi. If your use case is that you just don't want to be nagged by the browser about your self-signed certificate, why not just import the CA into your browser? Like this: https://www.ovirt.org/documentation/intro-vm-portal/What_is_the_VM_Portal.ht... On Fri, Feb 15, 2019 at 9:21 AM Ravi Shankar Nori <rnori@redhat.com> wrote: I am not sure we can do what you are asking for. A lot of stuff is not going to work. AFAIK you will need a dedicated machine to run ovirt engine on the default ports. On Thu, Feb 14, 2019 at 10:29 PM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: hi Ravi sorry, I do not understand when I visit http:192.168.122.176:80/ovirt-engine still redirect to https:192.168.122.176:443/ovirt-engine, I already fix sso_clients table; who redirect http to https?? thanks
thanks Ravi, can I visit engine that is installed by RPM with http? I strongly want to visit ovirt engine with http. and ovirt-engine is installed RPM. is this solution available? Regards Hongyu Du From: Ravi Shankar Nori Date: 2019-02-15 22:15 To: du_hongyu@yeah.net CC: users Subject: Re: [ovirt-users] Re: access engine by http I am not sure we can do what you are asking for. A lot of stuff is not going to work. AFAIK you will need a dedicated machine to run ovirt engine on the default ports. On Thu, Feb 14, 2019 at 10:29 PM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: hi Ravi sorry, I do not understand when I visit http:192.168.122.176:80/ovirt-engine still redirect to https:192.168.122.176:443/ovirt-engine, I already fix sso_clients table; who redirect http to https?? thanks engine=# select * from sso_clients engine-# ; id | client_id | client_secret | callback_prefix | certificate_location | notification_callback | description | email | scope | trusted | notification_callback_protocol | notification_callback_verify_host | notification_callback_verify_chain ----+--------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------------------------+-----------------------------------------+------------------------------------- ---+-------------------------------------------------------------+--------------------+-------+----------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------+---------+--------------------------------+-----------------------------------+------------------------------------ 1 | ovirt-engine-core | eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6ImRSc3Y1bnNCR2F0b3M1WTNNOHhiQktGaDlSbEd4SnpjWWxmdzY3NmNUaFk9Iiwic2VjcmV0IjoicE5RM2E0TXQ2aU40MU5YVVY3R0ZMZjcvVnZBMWlWWnN oOE1ERXozQkIwZz0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0= | http://192.168.122.176:80/ovirt-engine/ | /etc/pki/ovirt-engine/certs/engine.c er | http:/192.168.122.176:80/ovirt-engine/services/sso-callback | oVirt Engine | | openid ovirt-app-portal ovirt-app-admin ovirt-app-api ovirt-ext=auth:identity ovirt-ext=token: password-access ovirt-ext=auth:sequence-priority ovirt-ext=token:login-on-behalf ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovir t-ext=revoke:revoke-all | t | TLS | f | t 2 | ovirt-provider-ovn | eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6Ikh0Zlp5eFJEUXB2RmVaOTJCeU83NUxISXR3Uk9Nd05YUWYzd2wyS2lvSkE9Iiwic2VjcmV0IjoiOVlMZldRSHRiZDdBbVVQdnRNcTgwdndzWG8xMzN6a1V 5WXN2dEJxVEttWT0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0= | http://192.168.122.176:80/ovirt-engine/ | /etc/pki/ovirt-engine/certs/engine.c er | http:/192.168.122.176:80/ovirt-engine/services/sso-callback | ovirt-provider-ovn | | ovirt-app-api ovirt-ext=token-info:validate ovirt-ext=token-info:public-authz-search | t | TLS | f | t (2 rows) Regards Hongyu Du From: du_hongyu@yeah.net Date: 2019-02-14 23:32 To: Ravi Nori CC: users Subject: [ovirt-users] Re: access engine by http thanks Ravi, because my engine certification is signed by myself, when I visit my ovirt-engine by browser, browser need add security exception, so I want to engine by http. I realise /etc/httpd/conf.d/z-ovirt-engine-proxy.conf redirect /ovirt-engine to 127.0.0.1:8702 , but I do not know how to redirect https , I do not find some redirect https info. I fix "ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5" to "ProxyPassMatch ajp://127.0.0.1:8543 timeout=3600 retry=5"? Regards Hongyu Du From: Ravi Shankar Nori Date: 2019-02-14 23:16 To: du_hongyu@yeah.net CC: Greg Sheremeta; users Subject: Re: Re: [ovirt-users] access engine by http Apache uses ajp to communicate with engine on port 8702. You can redirect from Apache with a simple RewriteCond to jboss port 8543 but certificate verification is not going to work which will cause issues with all oVirt tools. More over oVirt SSO is not going to let you access UI on port other than 443 when installed through rpms. You will need to fiddle with the database to update the redirect uris in the sso_clients table. The best you can do is change the proxy port in /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf and keep the AJP in place. Why are you trying to by pass Apache? On Thu, Feb 14, 2019 at 9:25 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: sorry I describe errror, my /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=8443 I know install ovirt-engine from source in a developer setup, this can visit engine by http. and not apache in the frontend. but I want to visit engine that is installed rpm by http? Besides I realize apache not redirect http to https ovirt jboss redirect http to https? Regards Hongyu Du From: Greg Sheremeta Date: 2019-02-14 19:24 To: du_hongyu@yeah.net CC: Ravi Nori; users Subject: Re: Re: [ovirt-users] access engine by http Sorry, I'm still not understanding what you are trying to achieve. Nothing is on 8843 - ? If you install ovirt-engine from source in a developer setup, it's 8080 http by default and no apache in front. Maybe try that. Greg On Thu, Feb 14, 2019 at 12:14 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: hi Greg, Ravi thanks, https is ok,when I try to visit http://ip:8080/ovirt-engine but still rediect https://192.168.122.176:8443/tchyp-engine/, I want to know How to redirect to 8843? Besides I try to disable ssl by comment /etc/httpd/conf/httpd.conf #IncludeOptional conf.d/*.conf, But http is still redirect to https, I should how disable redirect? I find this file /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in, I try to delete follow line. but ovirt-engine server is not boot <socket-binding name="redirect" port="{{ HTTPS_PORT }}"/> /var/log/ovirt-engine/boot.log has some error? 13:12:43,144 INFO [org.jboss.as] WFLYSRV0049: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) starting 13:12:44,644 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=native-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,646 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,677 INFO [org.jboss.as.controller.management-deprecated] WFLYCTL0028: Attribute 'enabled-protocols' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found restapi.war in deployment directory. To trigger deployment create a file called restapi.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found engine.ear in deployment directory. To trigger deployment create a file called engine.ear.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found ovirt-web-ui.war in deployment directory. To trigger deployment create a file called ovirt-web-ui.war.dodeploy 13:12:44,840 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0004: Found apidoc.war in deployment directory. To trigger deployment create a file called apidoc.war.dodeploy 13:12:44,895 ERROR [org.jboss.as.controller] WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=http' are not available: org.wildfly.network.socket-binding.redirect; Possible registration points for this capability: /socket-binding-group=*/socket-binding=* 13:12:44,900 FATAL [org.jboss.as.server] WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. 13:12:44,920 INFO [org.jboss.as] WFLYSRV0050: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) stopped in 13ms Regards Hongyu Du From: Greg Sheremeta Date: 2019-02-14 04:08 To: du_hongyu@yeah.net; Ravi Nori CC: users Subject: Re: [ovirt-users] access engine by http What are you trying to achieve? SSL is good :) I suspect you have to disable ssl in the apache server /etc/httpd/conf.d/ssl.conf but I'm not really sure. And, if you do, I suspect some things that use certificates won't work, either (console, disk upload, etc.) Ravi might know more. Greg On Wed, Feb 13, 2019 at 3:39 AM du_hongyu@yeah.net <du_hongyu@yeah.net> wrote: I want to access engine by http, after engine-setup success, I fix /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf ENGINE_FQDN=localhost.localdomain ENGINE_PROXY_ENABLED=false ENGINE_PROXY_HTTP_PORT=None ENGINE_PROXY_HTTPS_PORT=None ENGINE_AJP_ENABLED=false ENGINE_AJP_PORT=None ENGINE_HTTP_ENABLED=true ENGINE_HTTPS_ENABLED=false ENGINE_HTTP_PORT=8080 ENGINE_HTTPS_PORT=443 but I access http://ip:8080/ovirt-engine , still browser is redirect to https, I should how to disable redirect? Regards Hongyu Du _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5K4Z2Y5ORRCA4Q... -- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA gshereme@redhat.com IRC: gshereme -- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA gshereme@redhat.com IRC: gshereme
participants (3)
-
du_hongyu@yeah.net -
Greg Sheremeta -
Ravi Shankar Nori