Steve Linabery
2009-Mar-19 01:35 UTC
[Ovirt-devel] [PATCH server] Proxy Guest network VirtualHost to Admin network VirtualHost
This change allows mod_auth_kerb to always have the FQDN for authentication.
---
conf/ovirt-server.conf | 30 ++++++++++++++++++++-------
installer/modules/ovirt/manifests/ovirt.pp | 7 ++++++
2 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/conf/ovirt-server.conf b/conf/ovirt-server.conf
index e414f07..bab6f1a 100644
--- a/conf/ovirt-server.conf
+++ b/conf/ovirt-server.conf
@@ -1,5 +1,5 @@
-NameVirtualHost *:80
-<VirtualHost *:80>
+NameVirtualHost GuestNetIpAddress:80
+<VirtualHost GuestNetIpAddress:80>
<Location /ovirt>
RewriteEngine on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
@@ -7,20 +7,34 @@ NameVirtualHost *:80
</VirtualHost>
NameVirtualHost GuestNetIpAddress:443
-NameVirtualHost AdminNetIpAddress:443
-<VirtualHost GuestNetIpAddress:443 AdminNetIpAddress:443>
+NameVirtualHost AdminNetIpAddress:80
- RequestHeader set X_FORWARDED_PROTO 'https'
+<VirtualHost GuestNetIpAddress:443>
- ErrorLog /etc/httpd/logs/error_log
- TransferLog /etc/httpd/logs/access_log
- LogLevel warn
NSSEngine on
NSSCipherSuite
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
+ ErrorLog /etc/httpd/logs/error_log
+ TransferLog /etc/httpd/logs/access_log
+ LogLevel warn
+
+ ProxyPass /ovirt http://AdminNodeFQDN/ovirt
+ ProxyPassReverse /ovirt http://AdminNodeFQDN/ovirt
+
+</VirtualHost>
+
+<VirtualHost AdminNetIpAddress:80>
+
+ ServerAlias AdminNodeFQDN
+ ServerName AdminNodeFQDN:80
+
+ ErrorLog /etc/httpd/logs/error_log
+ TransferLog /etc/httpd/logs/access_log
+ LogLevel warn
+
ProxyRequests Off
<ProxyMatch ^.*/ovirt/login.*$>
diff --git a/installer/modules/ovirt/manifests/ovirt.pp
b/installer/modules/ovirt/manifests/ovirt.pp
index 723d758..09b1925 100644
--- a/installer/modules/ovirt/manifests/ovirt.pp
+++ b/installer/modules/ovirt/manifests/ovirt.pp
@@ -34,6 +34,13 @@ class ovirt::setup {
require => Package[ovirt-server]
}
+ file_replacement{"ovirt_httpd_config_change_server_fqdn":
+ file => "/etc/httpd/conf.d/ovirt-server.conf",
+ pattern => "AdminNodeFQDN",
+ replacement => "$ovirt_host",
+ require => Package[ovirt-server]
+ }
+
package {"ovirt-server":
ensure => installed,
require => Single_exec[set_pw_expiration]
--
1.6.0.6
Jason Guiditta
2009-Mar-19 02:33 UTC
[Ovirt-devel] [PATCH server] Proxy Guest network VirtualHost to Admin network VirtualHost
On Wed, 2009-03-18 at 20:35 -0500, Steve Linabery wrote:> This change allows mod_auth_kerb to always have the FQDN for authentication. > --- > conf/ovirt-server.conf | 30 ++++++++++++++++++++------- > installer/modules/ovirt/manifests/ovirt.pp | 7 ++++++ > 2 files changed, 29 insertions(+), 8 deletions(-) > > diff --git a/conf/ovirt-server.conf b/conf/ovirt-server.conf > index e414f07..bab6f1a 100644 > --- a/conf/ovirt-server.conf > +++ b/conf/ovirt-server.conf > @@ -1,5 +1,5 @@ > -NameVirtualHost *:80 > -<VirtualHost *:80> > +NameVirtualHost GuestNetIpAddress:80 > +<VirtualHost GuestNetIpAddress:80> > <Location /ovirt> > RewriteEngine on > RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L] > @@ -7,20 +7,34 @@ NameVirtualHost *:80 > </VirtualHost> > > NameVirtualHost GuestNetIpAddress:443 > -NameVirtualHost AdminNetIpAddress:443 > -<VirtualHost GuestNetIpAddress:443 AdminNetIpAddress:443> > +NameVirtualHost AdminNetIpAddress:80 > > - RequestHeader set X_FORWARDED_PROTO 'https' > +<VirtualHost GuestNetIpAddress:443> > > - ErrorLog /etc/httpd/logs/error_log > - TransferLog /etc/httpd/logs/access_log > - LogLevel warn > NSSEngine on > NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha > NSSProtocol SSLv3,TLSv1 > NSSNickname Server-Cert > NSSCertificateDatabase /etc/httpd/alias > > + ErrorLog /etc/httpd/logs/error_log > + TransferLog /etc/httpd/logs/access_log > + LogLevel warn > + > + ProxyPass /ovirt http://AdminNodeFQDN/ovirt > + ProxyPassReverse /ovirt http://AdminNodeFQDN/ovirt > + > +</VirtualHost> > + > +<VirtualHost AdminNetIpAddress:80> > + > + ServerAlias AdminNodeFQDN > + ServerName AdminNodeFQDN:80 > + > + ErrorLog /etc/httpd/logs/error_log > + TransferLog /etc/httpd/logs/access_log > + LogLevel warn > + > ProxyRequests Off > > <ProxyMatch ^.*/ovirt/login.*$> > diff --git a/installer/modules/ovirt/manifests/ovirt.pp b/installer/modules/ovirt/manifests/ovirt.pp > index 723d758..09b1925 100644 > --- a/installer/modules/ovirt/manifests/ovirt.pp > +++ b/installer/modules/ovirt/manifests/ovirt.pp > @@ -34,6 +34,13 @@ class ovirt::setup { > require => Package[ovirt-server] > } > > + file_replacement{"ovirt_httpd_config_change_server_fqdn": > + file => "/etc/httpd/conf.d/ovirt-server.conf", > + pattern => "AdminNodeFQDN", > + replacement => "$ovirt_host", > + require => Package[ovirt-server] > + } > + > package {"ovirt-server": > ensure => installed, > require => Single_exec[set_pw_expiration]Well, as I have already manually done this and know that works, ACK. I will do a fresh build in the morning anyway to make sure on the ovirt.pp bit, but I am sure that is fine as well.