Exposing: Pulp 3 apache config issue #402
[noissue]
| ProxyPass /pulp/api/v3 http://${pulp-api}/pulp/api/v3 | ||
| ProxyPassReverse /pulp/api/v3 http://${pulp-api}/pulp/api/v3 |
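Review bot: both lines now match only /pulp/api/v3, so a request under /pulp/api/v2 is no longer caught by this pair and is decided by whichever rule comes later in the file. Please add a comment above the pair stating that the narrower prefix is intentional, so it is not widened back to /pulp/api in a later cleanup.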
pulp2 requests were falling here /pulp/api/v2
this change fixes the problem
| #ProxyPass / http://${pulp-api}/ | ||
| #ProxyPassReverse / http://${pulp-api}/ |
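Review bot: commenting out the catch-all `ProxyPass /` and `ProxyPassReverse /` pair leaves dead config in the file and removes the rule that handled every path outside the explicit prefixes, which is where the static files question in this thread comes from. Delete the two lines rather than commenting them, and add explicit ProxyPass rules for any remaining paths that still need to reach ${pulp-api}.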
pulp2 requests were falling here /pulp/api/v2
It would fix it, but how would we address the static files?
The recent testing showed that if a more specific rule were present, it would take precedence over this rule. So I don't think this line being here is the actual root cause of the issue.
Current config:

Request for pulp2: /pulp/api/v2 would fall on (1)

1. ProxyPass /pulp/api http://${pulp-api}/pulp/api
   ProxyPassReverse /pulp/api http://${pulp-api}/pulp/api
2. ProxyPass /auth/login/ http://${pulp-api}/auth/login/
   ProxyPassReverse /auth/login/ http://${pulp-api}/auth/login/
3. ProxyPass /pulp/content http://${pulp-content}/pulp/content
   ProxyPassReverse /pulp/content http://${pulp-content}/pulp/content
4. ProxyPass / http://${pulp-api}/
   ProxyPassReverse / http://${pulp-api}/

Addressing (1), Request for pulp2: /pulp/api/v2 would fall on (4)

1. ProxyPass /pulp/api/v3 http://${pulp-api}/pulp/api/v3
   ProxyPassReverse /pulp/api/v3 http://${pulp-api}/pulp/api/v3
2. ProxyPass /auth/login/ http://${pulp-api}/auth/login/
   ProxyPassReverse /auth/login/ http://${pulp-api}/auth/login/
3. ProxyPass /pulp/content http://${pulp-content}/pulp/content
   ProxyPassReverse /pulp/content http://${pulp-content}/pulp/content
4. ProxyPass / http://${pulp-api}/
   ProxyPassReverse / http://${pulp-api}/
I'm just pointing out which rule would match /pulp/api/v2: in our current config it is (1); after fixing (1), it would match rule (4).
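The routing question in the two comments above can be checked mechanically. The following is an added example, not part of the PR or of Pulp: a simplified Python model of Apache's documented ProxyPass behaviour (rules tried in configuration order, first matching path prefix wins). Backend names are the placeholders from the thread, and the request paths are constructed for illustration.

```python
# Simplified model of mod_proxy ProxyPass selection: rules are tried in
# configuration order and the first path prefix that matches wins.
# Backend names are the placeholders from the thread, not real hosts.

CURRENT = [
    ("/pulp/api", "pulp-api"),
    ("/auth/login/", "pulp-api"),
    ("/pulp/content", "pulp-content"),
    ("/", "pulp-api"),
]
# Rule (1) narrowed to /pulp/api/v3, catch-all (4) still present.
NARROWED = [("/pulp/api/v3", "pulp-api")] + CURRENT[1:]
# As in the diff: rule (1) narrowed and the catch-all commented out.
NO_CATCH_ALL = NARROWED[:-1]


def prefix_matches(prefix, path):
    """True if `prefix` matches `path` on a path-segment boundary."""
    if not path.startswith(prefix):
        return False
    rest = path[len(prefix):]
    # "/pulp/api" must not match "/pulp/apix"; a prefix ending in "/" is
    # already on a boundary.
    return prefix.endswith("/") or rest == "" or rest.startswith("/")


def route(rules, path):
    """Return (rule number, backend) of the first matching rule, or None."""
    for number, (prefix, backend) in enumerate(rules, start=1):
        if prefix_matches(prefix, path):
            return number, backend
    return None  # not proxied; Apache handles the request itself


def report(path):
    """Routing decision for one path under all three rule sets."""
    return {name: route(rules, path) for name, rules in
            (("current", CURRENT), ("narrowed", NARROWED),
             ("no_catch_all", NO_CATCH_ALL))}


if __name__ == "__main__":
    # Constructed sample paths, not taken from the thread.
    for p in ("/pulp/api/v2/repositories/", "/pulp/api/v3/status/",
              "/pulp/content/foo/", "/static/app.css"):
        print(p, report(p))
```

A `None` result means no ProxyPass rule claims the request, so it stays with the local Apache handlers instead of being forwarded to a backend.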
I'm still not understanding. If we have a /pulp/api/v3 rule in pulp3 and a /pulp/api/v2/ rule in pulp2, these routes don't seem conflicting. If we have a /pulp/api/v3 in pulp3 and a /pulp/api/ in pulp2 the "specific routes first" matching causes these also to not be conflicting. Similarly, /pulp/api/v2/ in pulp2 and /pulp/api/ in pulp3. Basically I'm not understanding the root cause of the issue or even what the issue is in practice.
actually, the pulp2 config is totally different than the pulp3 one, I'm not sure if we have a /pulp/api/ or /pulp/api/v2 rule there. I posted pulp2 config below here: #402 (comment)
The only pulp/api mention I see is:
WSGIScriptAlias /pulp/api /usr/share/pulp/wsgi/webservices.wsgi
And honestly, I don't know the behavior of WSGIScriptAlias
> actually, the pulp2 config is totally different than the pulp3 one, I'm not sure if we have a /pulp/api/ or /pulp/api/v2 rule there. I posted pulp2 config below here: #402 (comment)
> The only pulp/api mention I see is:
> WSGIScriptAlias /pulp/api /usr/share/pulp/wsgi/webservices.wsgi
> And honestly, I don't know the behavior of WSGIScriptAlias
That's ok!
The info you've shared is helpful. Can you describe the experience the user has that is an issue? What error or incorrect behaviour do they experience? Also, how can that be reproduced?
it is here: #402 (comment)
pulp2 requests go to pulp3
WARNING!!! This PR is not attached to an issue. In most cases this is not advisable. Please see our PR docs for more information about how to attach this PR to an issue.
(pulp) [vagrant@pulp2-nightly-pulp3-source-centos7 ~]$ cat /etc/httpd/conf.d/pulp.conf
# Apache configuration file for pulp web services and repositories (compatible with >= apache2.4)
#
# Copyright © 2010 Red Hat, Inc.
#
# This software is licensed to you under the GNU General Public License,
# version 2 (GPLv2). There is NO WARRANTY for this software, express or
# implied, including the implied warranties of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
# along with this software; if not, see
# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
#
# Red Hat trademarks are not licensed under GPLv2. No permission is
# granted to use or replicate Red Hat trademarks that are incorporated
# in this software or its documentation.
AddType application/x-pkcs7-crl .crl
AddType application/x-x509-ca-cert .crt
# Example ssl cert and key files to get you started.
# This MUST match /etc/pulp/server.conf [security] 'cacert'.
SSLCACertificateFile /etc/pki/pulp/ca.crt
# allow older yum clients to connect, see bz 647828
SSLInsecureRenegotiation on
WSGIProcessGroup pulp
WSGIApplicationGroup pulp
WSGIDaemonProcess pulp user=apache group=apache processes=3 display-name=%{GROUP}
# DEBUG - uncomment the next 2 lines to enable debugging
#WSGIRestrictStdin Off
#WSGIRestrictStdout Off
WSGISocketPrefix run/wsgi
WSGIScriptAlias /pulp/api /usr/share/pulp/wsgi/webservices.wsgi
WSGIImportScript /usr/share/pulp/wsgi/webservices.wsgi process-group=pulp application-group=pulp
<Directory /usr/share/pulp/wsgi>
Require all granted
</Directory>
<Files webservices.wsgi>
WSGIPassAuthorization On
WSGIProcessGroup pulp
WSGIApplicationGroup pulp
SSLRenegBufferSize 1048576
SSLRequireSSL
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData
SSLVerifyClient optional
</Files>
<VirtualHost *:80>
IncludeOptional /etc/pulp/vhosts80/*.conf
</VirtualHost>
Alias /pulp/static /var/lib/pulp/static
<Location /pulp/static>
SSLRequireSSL
Options +Indexes
Require all granted
</Location>
# Change the maximum number of times a TCP connection can be reused for HTTP
# requests from 100 (the default) to 10,000 when HTTP Keep-Alive is enabled.
# Note that when Keep-Alive requests are made, only the first request (the
# one that opened the connection) counts when calculating the
# MaxRequestsPerChild value. See Apache's documentation for more information.
#
# This configuration does mean it is cheaper for clients to make many
# requests, so it does increase the server's susceptibility to denial of
# service attacks. If this is a concern, consider lowering the value.
#
# If, on the other hand, DoS attacks are not a concern, consider setting this
# to 0 (unlimited re-use) and potentially tweaking `KeepAliveTimeout`.
MaxKeepAliveRequests 10000
# Authentication
#
# If you want to authenticate against an external source, the best approach is
# to use an apache authentication plugin. Most deployments will only use a
# third-party authentication source for the login call, and then use pulp's
# certificate-based auth for successive calls. It is, however, possible to use
# an apache authentication plugin for the entire REST API.
#
# You are responsible for ensuring that a user gets created in pulp prior to
# any login attempt. Pulp does not support auto-creation of users that exist in
# your external source.
#
# Below is a "basic" example that works for demos, but a stronger mechanism is
# recommended. The .htaccess file must be created using the "htpasswd" command.
#<Location /pulp/api/v2/actions/login>
# AuthType Basic
# AuthName "Pulp Login"
# AuthUserFile /var/lib/pulp/.htaccess
# Require valid-user
#</Location>
Issue filed: https://pulp.plan.io/issues/7481
[noissue]