feat: Add apache config to accept connections only from proxy

94662ff1 · Eesaan Atluri · 6ad59da4 · 94662ff1 · 94662ff1 · 94662ff1
Commit 94662ff1 authored 2 months ago by Eesaan Atluri
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -92,3 +92,7 @@

 # CentOS Repo
  centos_base_url: "http://vault.centos.org"
+
+# ood_config
+  ood_internal_ip: OOD_INTERNAL_IP
+  ood_hostname: ood-gpfs5
--- a/ansible/roles/ood_config/tasks/main.yml
+++ b/ansible/roles/ood_config/tasks/main.yml
+---
+- name: Add apache config to accept connections only from proxy
+  ansible.builtin.template:
+    src: ood_proxy.conf.j2
+    dest: /opt/rh/httpd24/root/etc/httpd/conf.d/ood-proxy.conf
+
--- a/ansible/roles/ood_config/templates/ood_proxy.conf.j2
+++ b/ansible/roles/ood_config/templates/ood_proxy.conf.j2
+#
+# Open OnDemand Portal
+#
+# Generated using ood-portal-generator version 0.8.0
+#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# !!                                    !!
+# !!     DO NOT EDIT THIS FILE          !!
+# !!                                    !!
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+#
+# This file is auto-generated by ood-portal-generator and will be over-written
+# in future updates.
+#
+# 1. To modify this file, first update the global configuration file:
+#
+#      /etc/ood/config/ood_portal.yml
+#
+#    You can find more information about the ood-portal-generator configuration
+#    at:
+#
+#      https://osc.github.io/ood-documentation/master/infrastructure/ood-portal-generator.html
+#
+# 2. Then build/install the updated Apache config with:
+#
+#      sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal
+#
+# 3. Finally, restart Apache to have the changes take effect:
+#
+#      # For CentOS 6
+#      sudo service httpd24-httpd condrestart
+#      sudo service httpd24-htcacheclean condrestart
+#
+#      # For CentOS 7
+#      sudo systemctl try-restart httpd24-httpd.service httpd24-htcacheclean.service
+#
+
+
+
+# The Open OnDemand portal VirtualHost
+#
+<VirtualHost {{ ood_internal_ip }}:80>
+  ServerName {{ ood_hostname }}
+
+  ErrorLog  "logs/SERVER_HOSTNAME_error.log"
+  CustomLog "logs/SERVER_HOSTNAME_access.log" combined
+
+  RewriteEngine On
+  RewriteCond %{HTTP_HOST} !^(rc.uab.edu(:80)?)?$ [NC]
+  RewriteRule ^(.*) http://rc.uab.edu:80$1 [R=301,NE,L]
+
+
+  # Lua configuration
+  #
+  LuaRoot "/opt/ood/mod_ood_proxy/lib"
+  LogLevel lua_module:info
+
+  # Log authenticated user requests (requires min log level: info)
+  LuaHookLog logger.lua logger
+
+  # Authenticated-user to system-user mapping configuration
+  #
+  SetEnv OOD_USER_MAP_CMD "/opt/ood/ood_auth_map/bin/user_auth.py"
+  SetEnv OOD_USER_ENV "REMOTE_USER"
+  SetEnv OOD_MAP_FAIL_URI "/account"
+
+  # Per-user Nginx (PUN) configuration
+  # NB: Apache will need sudo privs to control the PUNs
+  #
+  SetEnv OOD_PUN_STAGE_CMD "sudo /opt/ood/nginx_stage/sbin/nginx_stage"
+
+  #
+  # Below is used for sub-uri's this Open OnDemand portal supports
+  #
+
+  # Serve up publicly available assets from local file system:
+  #
+  #     http://SERVER_HOSTNAME:80/public/favicon.ico
+  #     #=> /var/www/ood/public/favicon.ico
+  #
+  Alias "/public" "/var/www/ood/public"
+  <Directory "/var/www/ood/public">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+  </Directory>
+
+  # Reverse proxy traffic to backend webserver through IP sockets:
+  #
+  #     http://SERVER_HOSTNAME:80/node/HOST/PORT/index.html
+  #     #=> http://HOST:PORT/node/HOST/PORT/index.html
+  #
+  <LocationMatch "^/node/(?<host>c\d+)/(?<port>\d+)">
+    RewriteCond %{IS_SUBREQ} ^false$
+    RewriteCond %{HTTP:Proxy-user} "([^!]+?)(@uab.edu)?$"
+    RewriteRule . - [E=REMOTE_USER:%1]
+
+    # ProxyPassReverse implementation
+    Header edit Location "^[^/]+//[^/]+" ""
+
+    # ProxyPassReverseCookieDomain implemenation
+    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
+
+    # ProxyPassReverseCookiePath implementation
+    Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
+    Header edit  Set-Cookie "^([^;]+)" "$1; Path=/node/%{MATCH_HOST}e/%{MATCH_PORT}e"
+
+    LuaHookFixups node_proxy.lua node_proxy_handler
+  </LocationMatch>
+
+  # Reverse "relative" proxy traffic to backend webserver through IP sockets:
+  #
+  #     http://SERVER_HOSTNAME:80/rnode/HOST/PORT/index.html
+  #     #=> http://HOST:PORT/index.html
+  #
+  <LocationMatch "^/rnode/(?<host>c\d+)/(?<port>\d+)(?<uri>/.*|)">
+    RewriteCond %{IS_SUBREQ} ^false$
+    RewriteCond %{HTTP:Proxy-user} "([^!]+?)(@uab.edu)?$"
+    RewriteRule . - [E=REMOTE_USER:%1]
+
+    # ProxyPassReverse implementation
+    Header edit Location "^([^/]+//[^/]+)|(?=/)" "/rnode/%{MATCH_HOST}e/%{MATCH_PORT}e"
+
+    # ProxyPassReverseCookieDomain implemenation
+    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
+
+    # ProxyPassReverseCookiePath implementation
+    Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
+    Header edit  Set-Cookie "^([^;]+)" "$1; Path=/rnode/%{MATCH_HOST}e/%{MATCH_PORT}e"
+
+    LuaHookFixups node_proxy.lua node_proxy_handler
+  </LocationMatch>
+
+  # Reverse proxy traffic to backend PUNs through Unix domain sockets:
+  #
+  #     http://SERVER_HOSTNAME:80/pun/dev/app/simulations/1
+  #     #=> unix:/path/to/socket|http://localhost/pun/dev/app/simulations/1
+  #
+  SetEnv OOD_PUN_URI "/pun"
+  <Location "/pun">
+    RewriteCond %{IS_SUBREQ} ^false$
+    RewriteCond %{HTTP:Proxy-user} "([^!]+?)(@uab.edu)?$"
+    RewriteRule . - [E=REMOTE_USER:%1]
+
+    ProxyPassReverse "http://localhost/pun"
+
+    # ProxyPassReverseCookieDomain implementation (strip domain)
+    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
+
+    # ProxyPassReverseCookiePath implementation (less restrictive)
+    Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun"
+
+    SetEnv OOD_PUN_SOCKET_ROOT "/var/run/ondemand-nginx"
+    SetEnv OOD_PUN_MAX_RETRIES "5"
+    LuaHookFixups pun_proxy.lua pun_proxy_handler
+
+  </Location>
+
+  # Control backend PUN for authenticated user:
+  # NB: See mod_ood_proxy for more details.
+  #
+  #    http://SERVER_HOSTNAME:80/nginx/stop
+  #    #=> stops the authenticated user's PUN
+  #
+  SetEnv OOD_NGINX_URI "/nginx"
+  <Location "/nginx">
+    RewriteCond %{IS_SUBREQ} ^false$
+    RewriteCond %{HTTP:Proxy-user} "([^!]+?)(@uab.edu)?$"
+    RewriteRule . - [E=REMOTE_USER:%1]
+
+    LuaHookFixups nginx.lua nginx_handler
+  </Location>
+
+  # Redirect root URI to specified URI
+  #
+  #     http://SERVER_HOSTNAME:80/
+  #     #=> http://SERVER_HOSTNAME:80/pun/sys/dashboard
+  #
+  RedirectMatch ^/$ "/pun/sys/dashboard"
+
+  # Redirect logout URI to specified redirect URI
+  #
+  #     http://SERVER_HOSTNAME:80/logout
+  #     #=> http://SERVER_HOSTNAME:80/pun/sys/dashboard/logout
+  #
+  Redirect "/logout" "/pun/sys/dashboard/logout"
+
+
+
+
+  # Register and/or unregister the mapping of an authenticated-user to a system-user
+  # NB: This is not needed for regular expression mapping
+  #
+  #     http://SERVER_HOSTNAME:80/account
+  #     #=> /var/www/ood/register/
+  #
+  Alias "/account" "/var/www/ood/register"
+  <Directory "/var/www/ood/register">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+
+    RewriteCond %{IS_SUBREQ} ^false$
+    RewriteCond %{HTTP:Proxy-user} "([^!]+?)(@uab.edu)?$"
+    RewriteRule . - [E=REMOTE_USER:%1]
+  </Directory>
+</VirtualHost>