[BlueOnyx:22011] Re: Issues with default web site 5209R

Sven.VanDorpe Sven.VanDorpe at portima.com
Fri May 4 14:42:03 -05 2018


Hi Michael,

> I saw your ticket last night, but didn't get to it any sooner than this.
> So let's talk about it here.

Yes, I thought that I was maybe not the only one with the behavior change. 😉

Thanks for the information about the config change, I placed the "PerlConfigRequire /etc/httpd/conf.perl/00-default-vsite.pl" line into comment and my default site behavior returned to normal.

Now I still have some questions as I presume that yum updates will reactivate the default site behavior. 
I am currently not impacted by the issues that you discuss. Our webhosting server is rather small.

The possibilities that I see are the following:
	1. Comment out the specific default site line in httpd.conf:
		This procedure will have to be performed whenever yum updates the environment, maybe once a month.
		The drawback is that in future developments it could occur that the line can no longer be commented out, the future will show.

	2. Modify the default GUI site behavior so that http (TCP-80) and eventual HTTPS (TCP-443) calls are redirected towards the cloaked redirect script.
		Our clients do not use the BlueOnyx GUI for management, and our system administrators use the SSL-based TCP-81 port for management purposes.
		Drawback, Yum updates will also require validation of the config or reactivation of the specific rewrite rules.

Do you see any other possible options that I could use to deactivate the behavior or to alter the behavior to site1?

You may close the support ticket as we are discussing the behavior via the mailing list.

With kind regards,

Sven Van Dorpe
System/Network Engineer

T +32 2 661 41 13 | M +32 475 38 19 20
W www.portima.com

  

-----Original Message-----
From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Michael Stauber
Sent: Friday, May 4, 2018 19:48
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:22010] Re: Issues with default web site 5209R

Hi Sven,

I saw your ticket last night, but didn't get to it any sooner than this.
So let's talk about it here.

> We have *site1* that was acting as default Web site.
> 
> The site has a cgi/perl script that performs Cloaked URL redirects 
> for URLs supported by the script (using MySQL Db). Since the yum 
> update this no longer works, these URLs are redirected towards the 
> BlueOnyx GUI Login page.

Correct. This is the new default behavior on BlueOnyx. We were having tons of issues with Apache recently where HTTPS and HTTP requests were arbitrarily ending up at where they shouldn't end up in the first place.

Part of this is due to SNI, which allows us to use SSL on multiple Vsites on the same IP. Now if someone uses HTTPS to connect to a Vsite that doesn't have HTTPS, then the server will serve the certificate of one of the Vsites that has SSL enabled on that IP. Depending on how redirects are handled, it might even redirect the connection to the other Vsites. It gets even more fishy if the first Vsite doesn't have SSL enabled, but a later Vsite on the same IP does.

At the end of the day you end up with a real clusterfuck that's really confusing the hell out of everyone and makes nobody happy.

That's why that update was introduced back then. In httpd.conf you now do have this line:

PerlConfigRequire /etc/httpd/conf.perl/00-default-vsite.pl

That Perl script generates <VirtualHost> containers on the fly, which are loaded before any other <VirtualHost> containers and therefore take precedence.

On 5207R/5208R you get two new <VirtualHost> containers:

1.) A primary <VirtualHost> for HTTP that redirects to the GUI.

2.) A primary <VirtualHost> for HTTPS that redirects to the GUI.

On 5209R you also get new primary <VirtualHost>'s (HTTP and HTTPS) for every IP that's bound to the server. All of them redirect to the GUI.

That way we get a new standard-behavior: Direct IP access? Redirect to GUI. HTTPS access to a VSite that has no SSL enabled? Redirect to the GUI.

No more confusion, as we now have a defined standard-behavior.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
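
The virtual host selection discussed in this thread, modelled as an added example (it is not part of either e-mail and is not BlueOnyx code). It applies Apache's documented name-based rule, first container loaded for an address is the default, to show why HTTPS to a Vsite without SSL lands on another Vsite and what changes once catch-all containers are loaded first. The IP, site names and the `default.invalid` containers are constructed stand-ins.

```python
from dataclasses import dataclass

@dataclass
class VHost:
    addr: str    # "ip:port" the <VirtualHost> container is bound to
    name: str    # ServerName
    serves: str  # what a request routed here receives

def select_vhost(vhosts, addr, host):
    """Among containers bound to addr, in load order, pick the first whose
    ServerName equals the Host/SNI name; if none matches, the first
    container loaded for that address acts as the default."""
    candidates = [v for v in vhosts if v.addr == addr]
    if not candidates:
        return None  # no container for this address: main server config
    for v in candidates:
        if v.name.lower() == host.lower():
            return v
    return candidates[0]

IP = "192.0.2.10"  # constructed documentation address

# Constructed Vsites: site1 has no SSL, site2 has SSL on the same IP.
VSITES = [
    VHost(f"{IP}:80", "site1.example.com", "site1 content"),
    VHost(f"{IP}:80", "site2.example.com", "site2 content"),
    VHost(f"{IP}:443", "site2.example.com", "site2 content, site2 certificate"),
]

# Hypothetical stand-ins for the generated catch-all containers.
DEFAULTS = [
    VHost(f"{IP}:80", "default.invalid", "redirect to GUI"),
    VHost(f"{IP}:443", "default.invalid", "redirect to GUI"),
]

def outcome(vhosts, port, host):
    """Describe what a request for `host` on `port` ends up receiving."""
    v = select_vhost(vhosts, f"{IP}:{port}", host)
    return v.serves if v else "main server"

if __name__ == "__main__":
    for label, conf in (("before", VSITES), ("after", DEFAULTS + VSITES)):
        for port, host in ((443, "site1.example.com"), (80, IP),
                           (80, "site1.example.com")):
            print(label, port, host, "->", outcome(conf, port, host))
```
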



