| ID |
Date |
Icon |
Author |
Author Email |
Category |
OS |
ELOG Version |
Subject |
|
69550
|
Tue Jul 19 12:57:37 2022 |
 | Tamas Gal | tgal@km3net.de | Question | Linux | 3.1.3 | Re: Too many redirects when running behind load balancer? | Yes, I used the empty `passwd` file from example. When I then click on one of the logbooks, I get to the page where I can register a user (see attached screenshot). After clickin on "Save" for the user registration, I again get the redirect error. Once there is a registered user (i.e. a non-empty password file) the redirect issue is persistent. Any idea where the problem might be? I just emptied the password file again, so you can have a one-shot, if you like.
Btw. I have SSL termination in the load balancer, so ELOG does not need to do any SSL related things (the swarm is in a locally isolated network, so all internal communication between the load balancer and the swarm machines are safe). Maybe that's the issue? On the other hand, the main page loads fine and uses SSL termination too, so I don't know, maybe there is logic behind the authentication which collides with the SSL termination.
| Stefan Ritt wrote: |
|
Yes I see the redirects. You say with the example logbook it works, right? Is it the password protection which triggers the problem or anything else? Does it work if you take out the password protection? The key is to identify which setting in your config file triggers the problem, so you can bracket the problem down between the example logbook and your logbook definition.
|
|
| Attachment 1: Screenshot_2022-07-19_at_13.02.19.png
|
|
|
Draft
|
Fri Jan 20 14:08:25 2023 |
 | Tamas Gal | he i | Question | Linux | 3.1.3 | Re: Too many redirects when running behind load balancer? | The issue is still present and now it's quite urgent to move this last service into the Swarm. Does anyone maybe have an idea what's wrong? To sum up: if there is a non-empty password file, the login page chokes in an infinite loop of redirects. I am using the same HAProxy load balancer configuration as for all the other services (running Apache, NGINX, GitLab, XWiki, etc.):
backend be_elog.km3net.de
mode http
option forwardfor except 127.0.0.1
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server-template km3net-elog- 1 km3net-elog_elog:8080 check resolvers docker init-addr libc,none
| Tamas Gal wrote: |
|
Yes, I used the empty `passwd` file from example. When I then click on one of the logbooks, I get to the page where I can register a user (see attached screenshot). After clickin on "Save" for the user registration, I again get the redirect error. Once there is a registered user (i.e. a non-empty password file) the redirect issue is persistent. Any idea where the problem might be? I just emptied the password file again, so you can have a one-shot, if you like.
Btw. I have SSL termination in the load balancer, so ELOG does not need to do any SSL related things (the swarm is in a locally isolated network, so all internal communication between the load balancer and the swarm machines are safe). Maybe that's the issue? On the other hand, the main page loads fine and uses SSL termination too, so I don't know, maybe there is logic behind the authentication which collides with the SSL termination.
| Stefan Ritt wrote: |
|
Yes I see the redirects. You say with the example logbook it works, right? Is it the password protection which triggers the problem or anything else? Does it work if you take out the password protection? The key is to identify which setting in your config file triggers the problem, so you can bracket the problem down between the example logbook and your logbook definition.
|
|
|
|
69623
|
Fri Jan 20 14:11:52 2023 |
| Tamas Gal | tgal@km3net.de | Question | Linux | 3.1.3 | Re: Too many redirects when running behind load balancer? | The issue is still present and now it's quite urgent to move this last service into the Swarm. Does anyone maybe have an idea what's wrong? To sum up: if there is a non-empty password file, the login page chokes in an infinite loop of redirects. I am using the same HAProxy load balancer configuration as for all the other services (running Apache, NGINX, GitLab, XWiki, etc.):
backend be_elog.km3net.de
mode http
option forwardfor except 127.0.0.1
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server-template km3net-elog- 1 km3net-elog_elog:8080 check resolvers docker init-addr libc,none
| Tamas Gal wrote: |
|
Yes, I used the empty `passwd` file from example. When I then click on one of the logbooks, I get to the page where I can register a user (see attached screenshot). After clickin on "Save" for the user registration, I again get the redirect error. Once there is a registered user (i.e. a non-empty password file) the redirect issue is persistent. Any idea where the problem might be? I just emptied the password file again, so you can have a one-shot, if you like.
Btw. I have SSL termination in the load balancer, so ELOG does not need to do any SSL related things (the swarm is in a locally isolated network, so all internal communication between the load balancer and the swarm machines are safe). Maybe that's the issue? On the other hand, the main page loads fine and uses SSL termination too, so I don't know, maybe there is logic behind the authentication which collides with the SSL termination.
| Stefan Ritt wrote: |
|
Yes I see the redirects. You say with the example logbook it works, right? Is it the password protection which triggers the problem or anything else? Does it work if you take out the password protection? The key is to identify which setting in your config file triggers the problem, so you can bracket the problem down between the example logbook and your logbook definition.
|
|
|
|
69628
|
Wed Jan 25 17:41:30 2023 |
| Giuseppe Cucinotta | giuseppe.cucinotta@unifi.it | Question | Linux | 3.1.3 | ssl certificate | We obtained a certificate from let's encrypt in order to replace the self signed certificate provided with elog. We copied the new certificates replacing the older server.crt
The problem is that when restarted elog raises an error related to the fact it is looking for server.crt and it doesn't find it anymore.
I searched in elog config file in order to find a way to indicate the new certificate but I didn't find how to manage this issue.
Any suggestion? |
|
69631
|
Wed Jan 25 21:44:51 2023 |
| Laurent Jean-Rigaud | lollspam@free.fr | Question | Linux | 3.1.3 | Re: ssl certificate | Hi Giuseppe,
The new certificate files should be copy under ssl folder (/usr/local/elog/ssl or /usr/share/elog/ssl by example, closed to templates and script directories) in place of the embedded (autosigned) certificate files enclosed with ELOG source.
It seems that there is no parameter to set a custom path.
SSL = <0 | 1>
Turn on Secure Socket Layer transport. If SSL is on, one can connect via https://... to the elogd daemon. If the URL = directive is used, make sure to use https://... instead of http://... there. The ELOG distribution contains a simple self-signed certificate in the ssl subdirectory. One can replace this certificate and key with a real ceritficate to avoid browser pop-up windows warning about the self-signed certificate. The default for this option is 0.
| Giuseppe Cucinotta wrote: |
|
We obtained a certificate from let's encrypt in order to replace the self signed certificate provided with elog. We copied the new certificates replacing the older server.crt
The problem is that when restarted elog raises an error related to the fact it is looking for server.crt and it doesn't find it anymore.
I searched in elog config file in order to find a way to indicate the new certificate but I didn't find how to manage this issue.
Any suggestion?
|
|
|
69632
|
Wed Jan 25 22:22:07 2023 |
| Giuseppe Cucinotta | giuseppe.cucinotta@unifi.it | Question | Linux | 3.1.3 | Re: ssl certificate | Hi Laurent,
thanks very much! Probably I've copied the certificate in the wrong directory. I'll try ASAP
| Laurent Jean-Rigaud wrote: |
|
Hi Giuseppe,
The new certificate files should be copy under ssl folder (/usr/local/elog/ssl or /usr/share/elog/ssl by example, closed to templates and script directories) in place of the embedded (autosigned) certificate files enclosed with ELOG source.
It seems that there is no parameter to set a custom path.
SSL = <0 | 1>
Turn on Secure Socket Layer transport. If SSL is on, one can connect via https://... to the elogd daemon. If the URL = directive is used, make sure to use https://... instead of http://... there. The ELOG distribution contains a simple self-signed certificate in the ssl subdirectory. One can replace this certificate and key with a real ceritficate to avoid browser pop-up windows warning about the self-signed certificate. The default for this option is 0.
| Giuseppe Cucinotta wrote: |
|
We obtained a certificate from let's encrypt in order to replace the self signed certificate provided with elog. We copied the new certificates replacing the older server.crt
The problem is that when restarted elog raises an error related to the fact it is looking for server.crt and it doesn't find it anymore.
I searched in elog config file in order to find a way to indicate the new certificate but I didn't find how to manage this issue.
Any suggestion?
|
|
|
|
69651
|
Fri Feb 17 14:29:54 2023 |
| Giuseppe Cucinotta | giuseppe.cucinotta@unifi.it | Question | Linux | 3.1.3 | Re: ssl certificate | Hi I'm here again,
According to my conf file I run elog under a specified user and group different from root. So I copied the .pem file I obtained from certbot in /etc/ssl as well as /urs/local/elog/ssl and ssl folder in the user directory (I will call it <user-dir>) but when I launch elog I receive the error that cannot initialize SSL because the old self signed certificate server.crt in <user-dir>/ssl is not found.
I wonder where in elog.cfg or elsewhere is written that <user-dir>/ssl/server.crt must be usedand how to fix it
Thanks
| Giuseppe Cucinotta wrote: |
|
Hi Laurent,
thanks very much! Probably I've copied the certificate in the wrong directory. I'll try ASAP
| Laurent Jean-Rigaud wrote: |
|
Hi Giuseppe,
The new certificate files should be copy under ssl folder (/usr/local/elog/ssl or /usr/share/elog/ssl by example, closed to templates and script directories) in place of the embedded (autosigned) certificate files enclosed with ELOG source.
It seems that there is no parameter to set a custom path.
SSL = <0 | 1>
Turn on Secure Socket Layer transport. If SSL is on, one can connect via https://... to the elogd daemon. If the URL = directive is used, make sure to use https://... instead of http://... there. The ELOG distribution contains a simple self-signed certificate in the ssl subdirectory. One can replace this certificate and key with a real ceritficate to avoid browser pop-up windows warning about the self-signed certificate. The default for this option is 0.
| Giuseppe Cucinotta wrote: |
|
We obtained a certificate from let's encrypt in order to replace the self signed certificate provided with elog. We copied the new certificates replacing the older server.crt
The problem is that when restarted elog raises an error related to the fact it is looking for server.crt and it doesn't find it anymore.
I searched in elog config file in order to find a way to indicate the new certificate but I didn't find how to manage this issue.
Any suggestion?
|
|
|
|
|
69658
|
Mon Mar 13 16:16:09 2023 |
| Andreas Luedeke | andreas.luedeke@psi.ch | Question | Linux | 3.1.3 | Re: ssl certificate | I do run elog under:
Usr = elog
Grp = elog
But that does not change the location of my certificates: they are in "/usr/local/elog/ssl".
My guess: you just copied the .pem file to the /ssl directory, but did not rename it to server.crt?
And of course you need to overwrite server.key as well.
Kind Regards
Andreas
| Giuseppe Cucinotta wrote: |
|
Hi I'm here again,
According to my conf file I run elog under a specified user and group different from root. So I copied the .pem file I obtained from certbot in /etc/ssl as well as /urs/local/elog/ssl and ssl folder in the user directory (I will call it <user-dir>) but when I launch elog I receive the error that cannot initialize SSL because the old self signed certificate server.crt in <user-dir>/ssl is not found.
I wonder where in elog.cfg or elsewhere is written that <user-dir>/ssl/server.crt must be usedand how to fix it
Thanks
| Giuseppe Cucinotta wrote: |
|
Hi Laurent,
thanks very much! Probably I've copied the certificate in the wrong directory. I'll try ASAP
| Laurent Jean-Rigaud wrote: |
|
Hi Giuseppe,
The new certificate files should be copy under ssl folder (/usr/local/elog/ssl or /usr/share/elog/ssl by example, closed to templates and script directories) in place of the embedded (autosigned) certificate files enclosed with ELOG source.
It seems that there is no parameter to set a custom path.
SSL = <0 | 1>
Turn on Secure Socket Layer transport. If SSL is on, one can connect via https://... to the elogd daemon. If the URL = directive is used, make sure to use https://... instead of http://... there. The ELOG distribution contains a simple self-signed certificate in the ssl subdirectory. One can replace this certificate and key with a real ceritficate to avoid browser pop-up windows warning about the self-signed certificate. The default for this option is 0.
| Giuseppe Cucinotta wrote: |
|
We obtained a certificate from let's encrypt in order to replace the self signed certificate provided with elog. We copied the new certificates replacing the older server.crt
The problem is that when restarted elog raises an error related to the fact it is looking for server.crt and it doesn't find it anymore.
I searched in elog config file in order to find a way to indicate the new certificate but I didn't find how to manage this issue.
Any suggestion?
|
|
|
|
|
|