Override root URL

I’ve got a site that I want to supply a static page for at the root URL /. What settings do I need to supply in ood_portal.yml (and likely in some other conf.d/static_root.conf) to do this? @tdockendorf do you know this offhand?

The only way we did this before was we used a discovery page before we had Keycloak doing CILogon for us. This is what we had in ood_portal.yml:

oidc_discover_uri: '/discover'
oidc_discover_root: '/var/www/ood/discover'
register_uri: '/register'
register_root: '/var/www/ood/register'

These are the repos those pointed to:

This is actually maybe much simpler than I’d thought.

Looks like they’d just need to specify root_uri in ood_portal.yml to this new static page?

According to OSC’s Puppet history, we never changed root_uri from the default. I think it was the responsibility of the discovery page to tell OIDC where to redirect to, like just /, and then the Apache redirect rules would handle redirecting to root_uri from there. If you change root_uri then I think that would cause issues for PUN startup since you wouldn’t land on dashboard.

They don’t want to land on the dashboard, that’s the whole point. They want to have a static page with some documentation and so on and a link to /pun/sys/dashboard.

Right, that’s what the discovery app is for: they hit that first, then that app redirects them to appropriate places, whether that be directly to OnDemand or to some OIDC provider. I’m just going off of what we did years ago. I found inside Puppet’s config file backup one of our old Apache configs (below). We had very different mod_auth_openidc configs too where we had metadata files; having trouble digging those up. I think there were things inside the mod_auth_openidc that redirected to the discovery page, since that’s the only page not behind authentication. So you go to https://ondemand-test.osc.edu and mod_auth_openidc would redirect you to the /discover URI, which would then handle routing you to either Keycloak or CILogon with a redirect URI back to OnDemand; then once authenticated you’d hit the PUN dashboard URI.

Here is the mod_auth_openidc (found it finally):

OIDCMetadataDir      /opt/rh/httpd24/root/etc/httpd/metadata
OIDCDiscoverURL      https://ondemand-test.osc.edu/discover
OIDCRedirectURI      https://ondemand-test.osc.edu/oidc
OIDCCryptoPassphrase "OMIT"

# Keep sessions alive for 8 hours
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800

# Don't pass claims to backend servers
OIDCPassClaimsAs environment

# Strip out session cookies before passing to backend
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1

The metadata directory had OIDC metadata like you get from querying an IdP, like token URLs and what claims to return; it’s how you have one VirtualHost talk to different OIDC endpoints (via the discover page). So we had some metadata for Keycloak and some metadata for CILogon.

Listen 443
Listen 80

# Redirect all http traffic to the https Open OnDemand portal URI
#     http://*:443
#     #=> https://ondemand-test.osc.edu:443
#
<VirtualHost *:80>
  RewriteEngine On
  RewriteRule ^(.*) https://ondemand-test.osc.edu:443$1 [R=301,NE,L]
</VirtualHost>

# The Open OnDemand portal VirtualHost
#
<VirtualHost *:443>
  ServerName ondemand-test.osc.edu

  ErrorLog  "logs/ondemand-test.osc.edu_error_ssl.log"
  CustomLog "logs/ondemand-test.osc.edu_access_ssl.log" combined

  RewriteEngine On
  RewriteCond %{HTTP_HOST} !^(ondemand-test.osc.edu(:443)?)?$ [NC]
  RewriteRule ^(.*) https://ondemand-test.osc.edu:443$1 [R=301,NE,L]

  SSLEngine On
  SSLCertificateFile /etc/pki/tls/certs/ondemand-test.osc.edu.crt
  SSLCertificateKeyFile /etc/pki/tls/private/ondemand-test.osc.edu.key
  SSLCertificateChainFile /etc/pki/tls/certs/ondemand-test.osc.edu-interm.crt

  # Lua configuration
  #
  LuaRoot "/opt/ood/mod_ood_proxy/lib"
  LogLevel lua_module:info

  # Log authenticated user requests (requires min log level: info)
  LuaHookLog logger.lua logger

  # Authenticated-user to system-user mapping configuration
  #
  SetEnv OOD_USER_MAP_CMD "/opt/ood/ood_auth_map/bin/ood_auth_map.mapfile"
  SetEnv OOD_MAP_FAIL_URI "/register"

  # Per-user Nginx (PUN) configuration
  # NB: Apache will need sudo privs to control the PUNs
  #
  SetEnv OOD_PUN_STAGE_CMD "sudo /opt/ood/nginx_stage/sbin/nginx_stage"

  #
  # Below is used for sub-uri's this Open OnDemand portal supports
  #

  # Serve up publicly available assets from local file system:
  #
  #     https://ondemand-test.osc.edu:443/public/favicon.ico
  #     #=> /var/www/ood/public/favicon.ico
  #
  Alias "/public" "/var/www/ood/public"
  <Directory "/var/www/ood/public">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>

  # Reverse proxy traffic to backend webserver through IP sockets:
  #
  #     https://ondemand-test.osc.edu:443/node/HOST/PORT/index.html
  #     #=> http://HOST:PORT/node/HOST/PORT/index.html
  #
  <LocationMatch "^/node/(?<host>[\w.-]+\.osc\.edu)/(?<port>\d+)">
    AuthType openid-connect
    Require valid-user

    # ProxyPassReverse implementation
    Header edit Location "^[^/]+//[^/]+" ""

    # ProxyPassReverseCookieDomain implementation
    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""

    # ProxyPassReverseCookiePath implementation
    Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
    Header edit  Set-Cookie "^([^;]+)" "$1; Path=/node/%{MATCH_HOST}e/%{MATCH_PORT}e"

    LuaHookFixups node_proxy.lua node_proxy_handler
  </LocationMatch>

  # Reverse "relative" proxy traffic to backend webserver through IP sockets:
  #
  #     https://ondemand-test.osc.edu:443/rnode/HOST/PORT/index.html
  #     #=> http://HOST:PORT/index.html
  #
  <LocationMatch "^/rnode/(?<host>[\w.-]+\.osc\.edu)/(?<port>\d+)(?<uri>/.*|)">
    AuthType openid-connect
    Require valid-user

    # ProxyPassReverse implementation
    Header edit Location "^([^/]+//[^/]+)|(?=/)" "/rnode/%{MATCH_HOST}e/%{MATCH_PORT}e"

    # ProxyPassReverseCookieDomain implementation
    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""

    # ProxyPassReverseCookiePath implementation
    Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
    Header edit  Set-Cookie "^([^;]+)" "$1; Path=/rnode/%{MATCH_HOST}e/%{MATCH_PORT}e"

    LuaHookFixups node_proxy.lua node_proxy_handler
  </LocationMatch>

  # Reverse proxy traffic to backend PUNs through Unix domain sockets:
  #
  #     https://ondemand-test.osc.edu:443/pun/dev/app/simulations/1
  #     #=> unix:/path/to/socket|http://localhost/pun/dev/app/simulations/1
  #
  SetEnv OOD_PUN_URI "/pun"
  <Location "/pun">
    AuthType openid-connect
    Require valid-user

    ProxyPassReverse "http://localhost/pun"

    # ProxyPassReverseCookieDomain implementation (strip domain)
    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""

    # ProxyPassReverseCookiePath implementation (less restrictive)
    Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun"

    SetEnv OOD_PUN_SOCKET_ROOT "/var/run/ondemand-nginx"
    SetEnv OOD_PUN_MAX_RETRIES "5"
    LuaHookFixups pun_proxy.lua pun_proxy_handler

    SetEnv OOD_ANALYTICS_TRACKING_URL "http://www.google-analytics.com/collect"
    SetEnv OOD_ANALYTICS_TRACKING_ID  "OMIT"
    LuaHookLog analytics.lua analytics_handler
  </Location>

  # Control backend PUN for authenticated user:
  # NB: See mod_ood_proxy for more details.
  #
  #    https://ondemand-test.osc.edu:443/nginx/stop
  #    #=> stops the authenticated user's PUN
  #
  SetEnv OOD_NGINX_URI "/nginx"
  <Location "/nginx">
    AuthType openid-connect
    Require valid-user

    LuaHookFixups nginx.lua nginx_handler
  </Location>

  # Redirect root URI to specified URI
  #
  #     https://ondemand-test.osc.edu:443/
  #     #=> https://ondemand-test.osc.edu:443/pun/sys/dashboard
  #
  RedirectMatch ^/$ "/pun/sys/dashboard"

  # Redirect logout URI to specified redirect URI
  #
  #     https://ondemand-test.osc.edu:443/logout
  #     #=> https://ondemand-test.osc.edu:443/oidc?logout=https%3A%2F%2Fondemand-test.osc.edu
  #
  Redirect "/logout" "/oidc?logout=https%3A%2F%2Fondemand-test.osc.edu"

  # OpenID Connect redirect URI:
  #
  #     https://ondemand-test.osc.edu:443/oidc
  #     #=> handled by mod_auth_openidc
  #
  <Location "/oidc">
    AuthType openid-connect
    Require valid-user
  </Location>

  # Discover URI for OpenID Connect (used for multiple Id Providers):
  #
  #     https://ondemand-test.osc.edu:443/discover
  #     #=> /var/www/ood/discover/
  #
  Alias "/discover" "/var/www/ood/discover"
  <Directory "/var/www/ood/discover">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>


  # Register and/or unregister the mapping of an authenticated-user to a system-user
  # NB: This is not needed for regular expression mapping
  #
  #     https://ondemand-test.osc.edu:443/register
  #     #=> /var/www/ood/register/
  #
  Alias "/register" "/var/www/ood/register"
  <Directory "/var/www/ood/register">
    Options Indexes FollowSymLinks
    AllowOverride None

    AuthType openid-connect
    Require valid-user
  </Directory>
</VirtualHost>
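
A check an administrator might run after adding an unauthenticated static root page, as an added example that is not part of the thread or of Open OnDemand: it lists which `<Directory>`/`<Location>` sections of a vhost are served without authentication and flags any that are off an allowlist or allow directory listings. The `/var/www/ood/landing` path, the allowlist and the misconfigured `/pun` section in the sample are constructed for illustration; only sections with quoted paths are read, and Apache's section merging is not modelled.

```python
import re

# Constructed fragment modelled on the VirtualHost in this thread, plus a
# hypothetical /var/www/ood/landing directory for the static root page.
SAMPLE_VHOST = r'''
<Directory "/var/www/ood/public">
  Options Indexes FollowSymLinks
  Require all granted
</Directory>
<Directory "/var/www/ood/landing">
  Options -Indexes
  Require all granted
</Directory>
<LocationMatch "^/node/(?<host>[\w.-]+\.osc\.edu)/(?<port>\d+)">
  AuthType openid-connect
  Require valid-user
</LocationMatch>
<Location "/pun">
  Require all granted
</Location>
'''

OPEN = re.compile(r'^<(?:Directory|Location|LocationMatch)\s+"([^"]+)"\s*>$')
CLOSE = re.compile(r'^</(?:Directory|Location|LocationMatch)>$')

def audit_sections(conf):
    """Map each quoted section path to its access rule and Indexes setting."""
    report, current = {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = OPEN.match(line)
        if opened:
            current = opened.group(1)
            report[current] = {"access": "unspecified", "indexes": False}
        elif CLOSE.match(line):
            current = None
        elif current and line and not line.startswith("#"):
            name, *args = line.lower().split()
            if name == "require":
                public = args == ["all", "granted"]
                report[current]["access"] = "public" if public else "restricted"
            elif name == "options":
                report[current]["indexes"] = bool({"indexes", "+indexes"} & set(args))
    return report

def findings(conf, allowed_public):
    """Flag public sections outside the allowlist or with listings enabled."""
    public = {p: i for p, i in audit_sections(conf).items() if i["access"] == "public"}
    return ([(p, "public but not on the allowlist") for p in public if p not in allowed_public]
            + [(p, "directory listing without authentication") for p, i in public.items() if i["indexes"]])
```

Calling `findings(SAMPLE_VHOST, {"/var/www/ood/public", "/var/www/ood/landing"})` reports the constructed `/pun` mistake and the `Options Indexes` setting on `/var/www/ood/public`.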