mgr/cephadm: redirect browser to correct port by identity provider 68712/head
authorYonatan Zaken <yzaken@redhat.com>
Fri, 1 May 2026 08:41:46 +0000 (11:41 +0300)
committerYonatan Zaken <yzaken@redhat.com>
Fri, 1 May 2026 08:41:46 +0000 (11:41 +0300)
After authentication, the external identity provider was redirecting
to the correct dashboard address but omitting the external port causing
the browser to redirect to the default https port (443) which isn't
used since an external port was configured in mgmt-gateway spec file.

The nginx external_server.conf.j2 template was changed to use $http_host
instead of $host so that the oauth2-proxy service can correctly
construct the dashboard URL, including the non-standard port.

Fixes: https://tracker.ceph.com/issues/74024
Signed-off-by: Yonatan Zaken <yzaken@redhat.com>
src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2
src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py

index 3db1a1142b35d9adc10d2c00351d7ca3e298a834..0e5115f128a4c6579f31a652370a7cb117aa3a62 100644 (file)
@@ -55,17 +55,17 @@ server {
 {% if enable_oauth2_proxy %}
     location /oauth2/ {
         proxy_pass https://oauth2_proxy_servers;
-        proxy_set_header Host $host;
+        proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Scheme $scheme;
         # Check for original-uri header
-        proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+        proxy_set_header X-Auth-Request-Redirect $scheme://$http_host$request_uri;
     }
 
     location = /oauth2/auth {
         internal;
         proxy_pass https://oauth2_proxy_servers;
-        proxy_set_header Host $host;
+        proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Scheme $scheme;
         # nginx auth_request includes headers but not body
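Review bot: `$http_host` is the Host header as the client sent it, so in `location /oauth2/` both the upstream `Host` and the post-login target in `X-Auth-Request-Redirect` are now built from a request-supplied value that nginx has not normalised, and it is empty when a request carries no Host header. Whether a foreign host can reach this block depends on the `server_name`/default-server setup and on oauth2-proxy's redirect allow-list, neither of which is visible in this hunk, so that assumption deserves a comment next to the header, or the port could be restored with `proxy_set_header X-Auth-Request-Redirect $scheme://$host:$server_port$request_uri;` if the listen port is the external one. The same substitution is made in `location = /oauth2/auth` and in the hunks at -97 and -134. The `server` block begins and ends outside the hunk.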
@@ -97,12 +97,12 @@ server {
         auth_request_set $auth_cookie $upstream_http_set_cookie;
         add_header Set-Cookie $auth_cookie;
 
-        proxy_set_header Host $host;
+        proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Host $host:80;
-        proxy_set_header X-Forwarded-Port 80;
-        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Server $http_host;
         proxy_set_header X-Forwarded-Groups $groups;
 
         proxy_http_version 1.1;
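Review bot: `X-Forwarded-Port $server_port` reports the port nginx accepted the connection on, while `X-Forwarded-Host $http_host` carries whatever port the client put in its Host header, so the two can disagree if anything maps ports in front of the gateway. A short comment stating that the listen port is expected to equal the externally visible port would make that dependency explicit. `X-Forwarded-Server` conventionally names the proxy itself, so `proxy_set_header X-Forwarded-Server $host;` (or `$server_name`) would avoid putting a client-supplied value there. The enclosing `location` block starts outside the hunk.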
@@ -134,7 +134,7 @@ server {
         # Pass role header to Grafana
         proxy_set_header X-WEBAUTH-ROLE $http_x_auth_request_role;
 
-        proxy_set_header Host $host;
+        proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
index 63fdef636d6794915f9bd343593c0775f9f31227..78c96039b532f9eedcd0e223de14eb5f0ac9bc4a 100644 (file)
@@ -437,17 +437,17 @@ class TestMgmtGateway:
 
                                                  location /oauth2/ {
                                                      proxy_pass https://oauth2_proxy_servers;
-                                                     proxy_set_header Host $host;
+                                                     proxy_set_header Host $http_host;
                                                      proxy_set_header X-Real-IP $remote_addr;
                                                      proxy_set_header X-Scheme $scheme;
                                                      # Check for original-uri header
-                                                     proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+                                                     proxy_set_header X-Auth-Request-Redirect $scheme://$http_host$request_uri;
                                                  }
 
                                                  location = /oauth2/auth {
                                                      internal;
                                                      proxy_pass https://oauth2_proxy_servers;
-                                                     proxy_set_header Host $host;
+                                                     proxy_set_header Host $http_host;
                                                      proxy_set_header X-Real-IP $remote_addr;
                                                      proxy_set_header X-Scheme $scheme;
                                                      # nginx auth_request includes headers but not body
@@ -476,12 +476,12 @@ class TestMgmtGateway:
                                                      auth_request_set $auth_cookie $upstream_http_set_cookie;
                                                      add_header Set-Cookie $auth_cookie;
 
-                                                     proxy_set_header Host $host;
+                                                     proxy_set_header Host $http_host;
                                                      proxy_set_header X-Real-IP $remote_addr;
                                                      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                                                     proxy_set_header X-Forwarded-Host $host:80;
-                                                     proxy_set_header X-Forwarded-Port 80;
-                                                     proxy_set_header X-Forwarded-Server $host;
+                                                     proxy_set_header X-Forwarded-Host $http_host;
+                                                     proxy_set_header X-Forwarded-Port $server_port;
+                                                     proxy_set_header X-Forwarded-Server $http_host;
                                                      proxy_set_header X-Forwarded-Groups $groups;
 
                                                      proxy_http_version 1.1;
@@ -509,7 +509,7 @@ class TestMgmtGateway:
                                                      # Pass role header to Grafana
                                                      proxy_set_header X-WEBAUTH-ROLE $http_x_auth_request_role;
 
-                                                     proxy_set_header Host $host;
+                                                     proxy_set_header Host $http_host;
                                                      proxy_set_header X-Real-IP $remote_addr;
                                                      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                                                      proxy_set_header X-Forwarded-Proto $scheme;