Authentication errors for requests through Apache HTTPS proxy


#1

Hi,

I’m trying to proxy the connection to chef-server with Apache and
mod_proxy. The proxy seems to work, I get the Chef server API front
page displayed correctly and for example “knife client list” works.
Uploading new data or updating existing data however doesn’t work and
I’m getting 403 errors. Example:

$ knife role from file roles/base.rb
ERROR: You authenticated successfully to https://my.chef.server.com as
liuhtonen but you are not authorized for this action
Response:

403 Forbidden

Forbidden

You don't have permission to access /roles/base on this server.

or with verbose output:

$ knife role from file roles/base.rb -VV
DEBUG: Using configuration from /home/liuhtonen/.chef/knife.rb
DEBUG: Signing the request as liuhtonen
DEBUG: Sending HTTP Request via PUT to my.chef.server.com:443/roles/base
/usr/lib/ruby/1.8/net/http.rb:2105:in `error!': 403 "Forbidden" (Net::HTTPServerException)
	from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/rest.rb:245:in `api_request'
	from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/rest.rb:296:in `retriable_rest_request'
	from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/rest.rb:226:in `api_request'
	from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/rest.rb:130:in `put_rest'
	from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/role.rb:282:in `save'
	from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/knife/role_from_file.rb:41:in `run'
	from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/knife/role_from_file.rb:38:in `each'
	from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/knife/role_from_file.rb:38:in `run'
	from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/knife.rb:391:in `run_with_pretty_exceptions'
	from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/knife.rb:166:in `run'
	from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/application/knife.rb:128:in `run'
	from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/bin/knife:25
	from /usr/bin/knife:19:in `load'
	from /usr/bin/knife:19

Apache configuration:

<VirtualHost *:443>
    ServerName my.chef.server.com

    DocumentRoot /usr/lib64/ruby/gems/1.8/gems/chef-server-api-0.10.8/public

    SSLEngine on
    SSLCertificateFile /etc/certs/chef/chef-server.crt
    SSLCertificateKeyFile /etc/certs/chef/chef-server.key
    # Tell the backend the client connection was HTTPS
    RequestHeader set X_FORWARDED_PROTO 'https'

    AllowEncodedSlashes on

    # Serve static files from DocumentRoot, proxy everything else to chef-server-api
    RewriteEngine on
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteRule ^/(.*)$ http://127.0.0.1:4000/$1 [P]

    ErrorLog logs/chef_error_log
    TransferLog logs/chef_access_log
    LogLevel info
</VirtualHost>

Using chef server with port 4000 directly works without any problems.

Any clues what might cause this?


#2

I see a slightly different rewrite rule in my configuration; maybe this is the cause?

RewriteRule ^/(.*)$ http://127.0.0.1:4000%{REQUEST_URI} [P,QSA,L]

On May 15, 2012, at 11:52 AM, Janne Liuhtonen wrote:



Vladimir Girnet
Infrastructure Engineer
Tacit Knowledge
http://www.tacitknowledge.com


#3

Hi,

We have a slightly different setup. This may or may not help. We
actually proxy both the web and the API servers through the same
apache instance.

HTH


ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

RewriteEngine On

# Are we making an API request?
RewriteCond %{HTTP:X-Ops-Timestamp} .
RewriteRule ^/(.*) http://localhost:4000/$1 [P,L]

# No, it's a WebUI request
RewriteRule ^/(.*) http://localhost:4040/$1 [P,L]

On Tue, May 15, 2012 at 6:52 PM, Janne Liuhtonen
janne.liuhtonen@gmail.com wrote:



Cheers,

Peter Donald
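Added example (not code from the thread, from knife or from chef-server): a self-contained Ruby model of the request signing that the "Signing the request as liuhtonen" debug line in #1 refers to, plus the routing decision that the RewriteCond on X-Ops-Timestamp in #3 makes. The canonical string (Method, Hashed Path, X-Ops-Content-Hash, X-Ops-Timestamp, X-Ops-UserId), the path canonicalisation, the RSA private-key encryption of that string and the 60-character X-Ops-Authorization-N chunks follow Chef's version 1.0 signing protocol as I understand it from mixlib-authentication; treat the details as my assumption rather than as the project's code. The key, the role body and the user name are constructed inline. It shows two things a practitioner proxying this API cares about: the signature covers the method and the path, so a proxy that changes the path the backend sees (beyond collapsing slashes) makes verification fail, and X-Ops-Timestamp is a client-supplied header, so routing on it only selects a backend; the API backend still has to verify the signature itself.

```ruby
require 'openssl'
require 'digest/sha1'
require 'base64'
require 'time'

# Path canonicalisation before hashing: collapse repeated slashes and drop a
# trailing slash, so "/roles//base/" and "/roles/base" hash identically.
def canonical_path(path)
  p = path.gsub(%r{/+}, '/')
  p.length > 1 ? p.chomp('/') : p
end

# Base64 of the SHA-1 digest, used for both the path hash and the body hash.
def hashed(str)
  Base64.strict_encode64(Digest::SHA1.digest(str))
end

# Canonical request string for Chef's signing protocol, version 1.0 (sha1),
# as assumed in this example.
def canonical_request(method, path, body, timestamp, user)
  [
    "Method:#{method.upcase}",
    "Hashed Path:#{hashed(canonical_path(path))}",
    "X-Ops-Content-Hash:#{hashed(body)}",
    "X-Ops-Timestamp:#{timestamp}",
    "X-Ops-UserId:#{user}"
  ].join("\n")
end

# Client side: the canonical string is RSA-encrypted with the user's private
# key, base64-encoded and split into 60-character chunks carried in the
# X-Ops-Authorization-1..N headers, alongside the other X-Ops-* headers.
def sign_request(method, path, body, user, private_key, timestamp = Time.now.utc.iso8601)
  canonical = canonical_request(method, path, body, timestamp, user)
  sig = Base64.strict_encode64(private_key.private_encrypt(canonical))
  headers = {
    'X-Ops-Sign'         => 'algorithm=sha1;version=1.0;',
    'X-Ops-Userid'       => user,
    'X-Ops-Timestamp'    => timestamp,
    'X-Ops-Content-Hash' => hashed(body)
  }
  sig.scan(/.{1,60}/).each_with_index { |chunk, i| headers["X-Ops-Authorization-#{i + 1}"] = chunk }
  headers
end

# Server side: reassemble the chunks in order, recover the signed string with
# the user's public key and compare it with the canonical string rebuilt from
# the method, path and body the backend actually received.
def verify_request(method, path, body, headers, public_key)
  chunks = headers.keys.grep(/\AX-Ops-Authorization-\d+\z/)
                 .sort_by { |k| k[/\d+\z/].to_i }
                 .map { |k| headers[k] }
  return false if chunks.empty?
  expected  = canonical_request(method, path, body, headers['X-Ops-Timestamp'], headers['X-Ops-Userid'])
  recovered = public_key.public_decrypt(Base64.decode64(chunks.join))
  recovered == expected
rescue OpenSSL::PKey::RSAError
  false
end

# The routing decision from the RewriteCond in #3: a request carrying
# X-Ops-Timestamp goes to the API (port 4000), anything else to the WebUI
# (port 4040). The header comes from the client, so this only picks a backend.
def backend_for(headers)
  headers.key?('X-Ops-Timestamp') ? 'http://localhost:4000' : 'http://localhost:4040'
end

if __FILE__ == $0
  key  = OpenSSL::PKey::RSA.new(2048)       # throwaway key generated for the demo
  body = '{"name":"base","run_list":[]}'    # constructed role body
  hdrs = sign_request('PUT', '/roles/base', body, 'liuhtonen', key)
  puts "route:                #{backend_for(hdrs)}"
  puts "verify as sent:       #{verify_request('PUT', '/roles/base', body, hdrs, key.public_key)}"
  puts "verify /roles//base/: #{verify_request('PUT', '/roles//base/', body, hdrs, key.public_key)}"
  puts "verify /roles/other:  #{verify_request('PUT', '/roles/other', body, hdrs, key.public_key)}"
end
```

Run it as a script to see the signed headers accepted for the original path and for the slash-collapsed variant, and rejected once the path or method differs. Note that a signature failure is reported by the Chef API itself, whereas the 403 page quoted in #1 ("You don't have permission to access /roles/base on this server.") is Apache's own error page, which is the first thing to tell apart when debugging a proxied setup.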