Merge pull request #10 from ganto/https

Update patches for HTTPS support
debops-contrib · Jun 23, 2016 · 141cf6c · 141cf6c
2 parents 68572e0 + 1bcb818
commit 141cf6c
Show file tree

Hide file tree

Showing 5 changed files with 104 additions and 14 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -29,8 +29,10 @@ checkmk_server__site_update: False
 #
 # Custom patches to apply after installing Check_MK package
 checkmk_server__patches:
-  - patch: 'check-mk-raw-1.2.6p15-set-https-proxy-header.patch'
-    file: '/omd/versions/default/skel/etc/apache/apache-own.conf'
+  - patch: 'check-mk-raw-1.2.8-set-https-proxy-header.patch'
+    file: '/omd/versions/{{ checkmk_server__version_label }}/skel/etc/apache/apache-own.conf'
+  - patch: 'check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch'
+    file: '/omd/versions/{{ checkmk_server__version_label }}/skel/etc/apache/conf.d/omd.conf'
 
 
 # .. envvar:: checkmk_server__dependencies

diff --git a/files/check-mk-raw-1.2.6p15-set-https-proxy-header.patch b/files/check-mk-raw-1.2.6p15-set-https-proxy-header.patch
diff --git a/files/check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch b/files/check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch
@@ -0,0 +1,34 @@
+Author: Reto Gantenbein <[email protected]>
+Date:   Wed Jun 22 04:38:21 2016 +0200
+
+    Read rewrite port from X-Forwarded-Port header (v2)
+
+    In some situations using %{SERVER_PORT} doesn't properly
+    work. Especially when using a HTTPS reverse proxy for
+    accessing the site. Consider a 'X-Forwarded-Port' header
+    as indication how to properly rewrite the URL.
+
+    v2: - Fix default port assignment
+        - Also fix RedirectMatch when site URL is called
+          without trailing /
+
+--- /omd/versions/1.2.8.cre/skel/etc/apache/conf.d/omd.conf.orig  2016-06-21 06:32:04.067171120 +0200
++++ /omd/versions/1.2.8.cre/skel/etc/apache/conf.d/omd.conf       2016-06-22 04:32:27.580578035 +0200
+@@ -12,11 +12,13 @@
+ RewriteCond %{HTTPS} =on
+ RewriteRule ^/###SITE###/?$ - [env=proto:https]
+
+-RewriteRule ^/###SITE###/?$ %{ENV:proto}://%{SERVER_NAME}:%{SERVER_PORT}/###SITE###/omd/ [R=302]
++SetEnv port %{SERVER_PORT}
+
+-# Keep original redirect as fallback, rewrite rules do no work in shared apache mode
+-RedirectMatch ^/###SITE###$  /###SITE###/omd/
+-RedirectMatch ^/###SITE###/$ /###SITE###/omd/
++RewriteCond %{HTTP:X-Forwarded-Port} >1
++RewriteRule ^/###SITE###/?$ - [env=port:%{HTTP:X-Forwarded-Port}]
++
++RewriteRule ^/###SITE###/?$ %{ENV:proto}://%{SERVER_NAME}:%{ENV:port}/###SITE###/omd/ [R=302]
++RedirectMatch ^/###SITE###$ %{ENV:proto}://%{SERVER_NAME}:%{ENV:port}/###SITE###/omd/
+
+ <Directory "###ROOT###/share/omd/htdocs">
+
diff --git a/files/check-mk-raw-1.2.8-set-https-proxy-header.patch b/files/check-mk-raw-1.2.8-set-https-proxy-header.patch
@@ -0,0 +1,29 @@
+Author: Reto Gantenbein <[email protected]>
+Date:   Tue Jun 21 06:51:23 2016 +0200
+
+    Set X-Forwarded headers when accessed via HTTPS
+
+    The Apache httpd of the OMD site uses various
+    rewrites for accessing the individual applications.
+    Define the necessary headers so this can work
+    properly when the proxy httpd is configured for
+    HTTPS.
+
+    Note: If the HTTP(S) port is not 80(443) this won't
+    work correctly. Attempts to use the httpd variable
+    %{SERVER_PORT} in in the X-Forwarded-Port header
+    failed because it seemed to be undefined "(null)".
+
+--- /omd/versions/default/skel/etc/apache/apache-own.conf.orig  2016-05-13 19:19:07.000000000 +0200
++++ /omd/versions/default/skel/etc/apache/apache-own.conf       2016-06-21 06:50:03.169171120 +0200
+@@ -11,6 +11,10 @@
+   ProxyRequests Off
+   ProxyPreserveHost On
+
++  # Indicate when the site was accessed via HTTPS
++  RequestHeader set X-Forwarded-Proto https env=HTTPS
++  RequestHeader set X-Forwarded-Port 443 env=HTTPS
++
+   # Include file created by 'omd config', which 
+   # sets the TCP port of the site local webserver
+   Include ###ROOT###/etc/apache/proxy-port.conf
diff --git a/files/check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch b/files/check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch
@@ -0,0 +1,37 @@
+Author: Reto Gantenbein <[email protected]>
+Date:   Wed Jun 22 07:20:38 2016 +0200
+
+    Read rewrite port from X-Forwarded-Port header (v3)
+
+    It might happen that a HTTP reverse proxy is not
+    listening on the default port. In this case it
+    can write the port to the 'X-Forwarded-Port' header
+    which then can be used for a proper rewrite.
+
+    v2: - Fix default port assignment
+        - Also fix RedirectMatch when site URL is called
+          without trailing /
+    v3: - Rebase to v1.2.8p4
+        - Patch not strictly necessary for HTTPS to
+          work correctly anymore
+
+--- /omd/versions/1.2.8p4.cre/skel/etc/apache/conf.d/omd.conf.orig  2016-06-06 17:59:17.000000000 +0200
++++ /omd/versions/1.2.8p4.cre/skel/etc/apache/conf.d/omd.conf       2016-06-22 05:18:35.331361324 +0200
+@@ -12,11 +12,13 @@
+ RewriteCond %{HTTPS} =on
+ RewriteRule ^/###SITE###/?$ - [env=proto:https]
+
+-RewriteRule ^/###SITE###/?$ %{ENV:proto}://%{SERVER_NAME}/###SITE###/omd/ [R=302]
++SetEnv port %{SERVER_PORT}
+
+-# Keep original redirect as fallback, rewrite rules do no work in shared apache mode
+-RedirectMatch ^/###SITE###$  /###SITE###/omd/
+-RedirectMatch ^/###SITE###/$ /###SITE###/omd/
++RewriteCond %{HTTP:X-Forwarded-Port} >1
++RewriteRule ^/###SITE###/?$ - [env=port:%{HTTP:X-Forwarded-Port}]
++
++RewriteRule ^/###SITE###/?$ %{ENV:proto}://%{SERVER_NAME}:%{ENV:port}/###SITE###/omd/ [R=302]
++RedirectMatch ^/###SITE###$ %{ENV:proto}://%{SERVER_NAME}:%{ENV:port}/###SITE###/omd/
+
+ <Directory "###ROOT###/share/omd/htdocs">
+