Return-Path: X-Original-To: apmail-cloudstack-dev-archive@www.apache.org Delivered-To: apmail-cloudstack-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id C4F3B18666 for ; Mon, 8 Jun 2015 13:55:55 +0000 (UTC) Received: (qmail 63038 invoked by uid 500); 8 Jun 2015 13:55:49 -0000 Delivered-To: apmail-cloudstack-dev-archive@cloudstack.apache.org Received: (qmail 62987 invoked by uid 500); 8 Jun 2015 13:55:49 -0000 Mailing-List: contact dev-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list dev@cloudstack.apache.org Received: (qmail 62974 invoked by uid 99); 8 Jun 2015 13:55:49 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 08 Jun 2015 13:55:48 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id DCF2FDFF67; Mon, 8 Jun 2015 13:55:48 +0000 (UTC) From: vadimkim To: dev@cloudstack.apache.org Reply-To: dev@cloudstack.apache.org References: In-Reply-To: Subject: [GitHub] cloudstack pull request: Reinstate working sessions in browser Content-Type: text/plain Message-Id: <20150608135548.DCF2FDFF67@git1-us-west.apache.org> Date: Mon, 8 Jun 2015 13:55:48 +0000 (UTC) Github user vadimkim commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-110004148 @rsafonseca Thank you for explanation. I will try to put my points here: 1. For public cloud HTTPS must be used (this is not an option) and external SSL offload (proxy) should not brake entire logic. 2. While I have found, that most of the logic works just perfect behind the proxy there are 2 issues that need to be fixed * login procedure somewhere uses direct path (not relative) and tried to call /client/api?command directly. I have fixed it by 1 rewrite rule (see below). Otherwise login is not possible -- 404 response. * F5 brakes session if I work over HTTPS proxy. Hope we will fix it together. I am using very simple nginx conf. Pure proxy: ``` server { listen 443 ssl; server_name kickcloud.net; ssl_certificate /usr/local/etc/ssl/my.crt; ssl_certificate_key /usr/local/etc/ssl/my.key; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; access_log /var/log/nginx/kickckloud.net.log; location / { rewrite /client(.*) $1 last; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://x.x.x.x:8080/client/; proxy_redirect default; proxy_read_timeout 90; } } ``` x.x.x.x -- backend server where Cloudstack runs public name that you can access and check *cloudStack.js* is here: https://kickcloud.net/. I have some more redirects from ports 8080 and 80 to 443, but they are not relevant here I assume. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastructure@apache.org or file a JIRA ticket with INFRA. ---