From: Yonatan Zaken
Date: Fri, 1 May 2026 08:41:46 +0000 (+0300)
Subject: mgr/cephadm: redirect browser to correct port by identity provider
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=14957354d71691aa52de106f7ff9d252c756941d;p=ceph.git
mgr/cephadm: redirect browser to correct port by identity provider
After authentication, the external identity provider was redirecting to the correct dashboard address but omitting the external port causing the browser to redirect to the default https port (443) which isn't used since an external port was configured in mgmt-gateway spec file. The nginx external_server_conf.j2 file was changed to use $http_host instead of $host in order for the oauth2-proxy service to correctly construct the dashboard URL including the non-standard port.
Fixes: https://tracker.ceph.com/issues/74024
Signed-off-by: Yonatan Zaken
---
diff --git a/src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2 b/src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2
index 3db1a1142b35..0e5115f128a4 100644
--- a/src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2
+++ b/src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2
@@ -55,17 +55,17 @@ server {
 {% if enable_oauth2_proxy %}
 location /oauth2/ {
 proxy_pass https://oauth2_proxy_servers;
- proxy_set_header Host $host;
+ proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Scheme $scheme;
 # Check for original-uri header
- proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+ proxy_set_header X-Auth-Request-Redirect $scheme://$http_host$request_uri;
 }
 location = /oauth2/auth {
 internal;
 proxy_pass https://oauth2_proxy_servers;
- proxy_set_header Host $host;
+ proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Scheme $scheme;
 # nginx auth_request includes headers but not body
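Review bot: `$http_host` is the Host header exactly as the client sent it, while `$host` is nginx's normalised value, so in `location /oauth2/` the line `proxy_set_header X-Auth-Request-Redirect $scheme://$http_host$request_uri;` now builds the post-login redirect target from unvalidated request input. Whether an unexpected Host value can reach this block depends on the `server_name`/default-server setup and on oauth2-proxy's redirect-domain allow-list, neither of which is visible here, so both should be confirmed. `$http_host` is also empty when a request carries no Host header, a case in which `$host` fell back to the server name. I would at least record the trade-off next to the directive, e.g. `# $http_host (not $host) so the external port survives; the value is client-supplied, so oauth2-proxy must restrict redirect domains`. The same substitution is made in `location = /oauth2/auth`, whose body continues past this hunk, and in the `-97,12` and `-134,7` hunks.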
@@ -97,12 +97,12 @@ server {
 auth_request_set $auth_cookie $upstream_http_set_cookie;
 add_header Set-Cookie $auth_cookie;
- proxy_set_header Host $host;
+ proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Host $host:80;
- proxy_set_header X-Forwarded-Port 80;
- proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Server $http_host;
 proxy_set_header X-Forwarded-Groups $groups;
 proxy_http_version 1.1;
@@ -134,7 +134,7 @@ server {
 # Pass role header to Grafana
 proxy_set_header X-WEBAUTH-ROLE $http_x_auth_request_role;
- proxy_set_header Host $host;
+ proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py b/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py
index 63fdef636d67..78c96039b532 100644
--- a/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py
+++ b/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py
@@ -437,17 +437,17 @@ class TestMgmtGateway:
 location /oauth2/ {
 proxy_pass https://oauth2_proxy_servers;
- proxy_set_header Host $host;
+ proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Scheme $scheme;
 # Check for original-uri header
- proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+ proxy_set_header X-Auth-Request-Redirect $scheme://$http_host$request_uri;
 }
 location = /oauth2/auth {
 internal;
 proxy_pass https://oauth2_proxy_servers;
- proxy_set_header Host $host;
+ proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Scheme $scheme;
 # nginx auth_request includes headers but not body
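Review bot: In the `@@ -97,12 +97,12 @@` hunk of external_server.conf.j2, `X-Forwarded-Host $http_host` carries whatever port the client put in its Host header, while `X-Forwarded-Port $server_port` reports the port nginx accepted the connection on, so the two headers can disagree if anything in front of the gateway remaps the port. `X-Forwarded-Server` conventionally names the proxy rather than the requested host and does not need the port, so `proxy_set_header X-Forwarded-Server $host;` could stay as it was, leaving one less client-supplied value flowing upstream. The enclosing location block starts and ends outside the hunk, so I cannot see which upstream consumes these headers.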
@@ -476,12 +476,12 @@ class TestMgmtGateway:
 auth_request_set $auth_cookie $upstream_http_set_cookie;
 add_header Set-Cookie $auth_cookie;
- proxy_set_header Host $host;
+ proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Host $host:80;
- proxy_set_header X-Forwarded-Port 80;
- proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Server $http_host;
 proxy_set_header X-Forwarded-Groups $groups;
 proxy_http_version 1.1;
@@ -509,7 +509,7 @@ class TestMgmtGateway:
 # Pass role header to Grafana
 proxy_set_header X-WEBAUTH-ROLE $http_x_auth_request_role;
- proxy_set_header Host $host;
+ proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;