Hi,
I’m trying to proxy the connection to chef-server with Apache and
mod_proxy. The proxy seems to work, I get the Chef server API front
page displayed correctly and for example “knife client list” works.
Uploading new data or updating existing data however doesn’t work and
I’m getting 403 errors. Example:
$ knife role from file roles/base.rb
ERROR: You authenticated successfully to https://my.chef.server.com as
liuhtonen but you are not authorized for this action
Response:
403 Forbidden
Forbidden
You don't have permission to access /roles/base
on this server.
or with verbose output:
$ knife role from file roles/base.rb -VV
DEBUG: Using configuration from /home/liuhtonen/.chef/knife.rb
DEBUG: Signing the request as liuhtonen
DEBUG: Sending HTTP Request via PUT to my.chef.server.com:443/roles/base
/usr/lib/ruby/1.8/net/http.rb:2105:in `error!': 403 "Forbidden" (Net::HTTPServerException)
from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/rest.rb:245:in `api_request'
from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/rest.rb:296:in `retriable_rest_request'
from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/rest.rb:226:in `api_request'
from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/rest.rb:130:in `put_rest'
from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/role.rb:282:in `save'
from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/knife/role_from_file.rb:41:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/knife/role_from_file.rb:38:in `each'
from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/knife/role_from_file.rb:38:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/knife.rb:391:in `run_with_pretty_exceptions'
from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/knife.rb:166:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/lib/chef/application/knife.rb:128:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.10.8/bin/knife:25
from /usr/bin/knife:19:in `load'
from /usr/bin/knife:19
Apache configuration:
<VirtualHost *:443>
  ServerName my.chef.server.com
  DocumentRoot /usr/lib64/ruby/gems/1.8/gems/chef-server-api-0.10.8/public
  SSLEngine on
  SSLCertificateFile /etc/certs/chef/chef-server.crt
  SSLCertificateKeyFile /etc/certs/chef/chef-server.key
  RequestHeader set X_FORWARDED_PROTO 'https'
  AllowEncodedSlashes on
  RewriteEngine on
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule ^/(.*)$ http://127.0.0.1:4000/$1 [P]
  ErrorLog logs/chef_error_log
  TransferLog logs/chef_access_log
  LogLevel info
</VirtualHost>
Using chef server with port 4000 directly works without any problems.
Any clues what might cause this?
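The response body quoted in the message above ("You don't have permission to access /roles/base on this server.") has the wording of Apache httpd's stock 403 error document, so a first triage step is to tell a 403 generated by the front end from one relayed from the backend on port 4000. The following Ruby sketch is an added example, not part of the original thread; the sample bodies are constructed, and it assumes the backend reports API errors as JSON and that ProxyErrorOverride is not enabled.

```ruby
require 'json'

# Wording of Apache httpd's stock 403 error document, as quoted in the post.
HTTPD_403 = /You don't have permission to access\s+(\S+)\s+on this server/

# Which layer produced the response? Returns :proxy, :backend, :unknown
# or :not_403. Assumption: the backend reports API errors as JSON.
def origin_of_403(status, content_type, body)
  return :not_403 unless status.to_i == 403
  return :proxy if body =~ HTTPD_403
  return :unknown unless content_type.to_s.include?('json')
  JSON.parse(body)
  :backend
rescue JSON::ParserError
  :unknown
end

# Path named in an httpd-generated 403, for matching against the ErrorLog.
def denied_path(body)
  m = HTTPD_403.match(body)
  m && m[1]
end

# Constructed sample mirroring the response body quoted in the post.
SAMPLE_HTTPD = <<~'HTML'
  <html><head><title>403 Forbidden</title></head><body>
  <h1>Forbidden</h1>
  <p>You don't have permission to access /roles/base
  on this server.</p>
  </body></html>
HTML

# Constructed stand-in for a JSON error relayed from the backend.
SAMPLE_BACKEND = '{"error":["constructed backend error"]}'

if __FILE__ == $PROGRAM_NAME
  [[403, 'text/html', SAMPLE_HTTPD],
   [403, 'application/json', SAMPLE_BACKEND]].each do |status, ctype, body|
    puts "#{origin_of_403(status, ctype, body)} path=#{denied_path(body).inspect}"
  end
end
```

A `:proxy` result means the denial was issued by httpd itself, so the place to look next is the virtual host's ErrorLog (logs/chef_error_log in the configuration above) rather than the Chef server's own log.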
I see a slightly different rewrite rule in my configuration; maybe this is the cause?
RewriteRule ^/(.*)$ http://127.0.0.1:4000%{REQUEST_URI} [P,QSA,L]
On May 15, 2012, at 11:52 AM, Janne Liuhtonen wrote:
--
Vladimir Girnet
Infrastructure Engineer
Tacit Knowledge
Hi,
We have a slightly different setup. This may or may not help. We
actually proxy both the web and the API servers through the same
apache instance.
HTH
ProxyRequests Off
<Proxy *>
  Order deny,allow
  Allow from all
</Proxy>
RewriteEngine On
# Are we making an API request?
RewriteCond %{HTTP:X-Ops-Timestamp} .
RewriteRule ^/(.*) http://localhost:4000/$1 [P,L]
# No, it's a WebUI request
On Tue, May 15, 2012 at 6:52 PM, Janne Liuhtonen
janne.liuhtonen@gmail.com wrote:
--
Cheers,
Peter Donald