indigo-iam/iam

How to use an HTTPS port other than 443

Opened this issue · 2 comments

We are deploying a k8s based ingress (https://rubin-panda-iam-dev.slac.stanford.edu:8443/login). It uses port 8443 instead of 443 because of some limitations. Some settings were configured following the instructions. The system works. However, it automatically redirects users to port 443 instead of 8443. For example, when logging in at https://rubin-panda-iam-dev.slac.stanford.edu:8443/login with CILogon, it redirects the user to https://rubin-panda-iam-dev.slac.stanford.edu. Then, if I update the URL in the web browser to https://rubin-panda-iam-dev.slac.stanford.edu:8443, the CILogon information is correctly filled in.

```
root@iam-dev-main-0:/indigo-iam# env|grep IAM|grep URL
IAM_LOGO_URL=https://atlpan.web.cern.ch/atlpan/PanDA-rev-logo-300.jpg
IAM_BASE_URL=https://rubin-panda-iam-dev.slac.stanford.edu:8443
root@iam-dev-main-0:/indigo-iam# env|grep IAM|grep FORWARD
IAM_FORWARD_HEADERS_STRATEGY=native
root@iam-dev-main-0:/indigo-iam# env|grep IAM|grep ISSUER
IAM_ISSUER=https://rubin-panda-iam-dev.slac.stanford.edu:8443
IAM_REGISTRATION_OIDC_ISSUER=https://cilogon.org
```

Here are some logs. o.apache.catalina.valves.RemoteIpValve switches the port to 443 when it switches the scheme from http to https.

```
2024-04-29 13:29:07.768 DEBUG 7 --- [nio-8443-exec-4] o.a.coyote.http11.Http11InputBuffer : Received [GET /openid_connect_login?iss=https://dex.slac.stanford.edu HTTP/1.1
Host: rubin-panda-iam-dev.slac.stanford.edu:8443
X-Request-ID: 4efe37837b11978a06432359c9ce6711
X-Real-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: rubin-panda-iam-dev.slac.stanford.edu:8443
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Scheme: https
X-Scheme: https
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-origin
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
referer: https://rubin-panda-iam-dev.slac.stanford.edu:8443/login
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
cookie: _ga_2BMBCFJ72S=GS1.1.1692014408.1.0.1692014414.0.0.0; _ga_7FEJNFK38V=GS1.1.1692014408.1.0.1692014414.0.0.0; _ga_FSPQX43WTK=GS1.1.1692014260.1.1.1692014448.0.0.0; _ga=GA1.1.1151464042.1692014453; __utmc=65936753; __utma=65936753.1151464042.1692014453.1692014497.1696944689.2; _ga_T6JVWSNVP1=GS1.1.1709202447.2.0.1709203242.0.0.0; _ga_935PE62XQW=GS1.1.1713970794.1.1.1713971244.0.0.0; _ga_4TNTC7E7PN=GS1.1.1713970794.3.1.1713971244.0.0.0; JSESSIONID=46EC0DD82D83AC26E92D6C65A4BA9F7A

]
2024-04-29 13:29:07.769 DEBUG 7 --- [nio-8443-exec-4] o.a.t.util.http.Rfc6265CookieProcessor : Cookies: Parsing b[]: _ga_2BMBCFJ72S=GS1.1.1692014408.1.0.1692014414.0.0.0; _ga_7FEJNFK38V=GS1.1.1692014408.1.0.1692014414.0.0.0; _ga_FSPQX43WTK=GS1.1.1692014260.1.1.1692014448.0.0.0; _ga=GA1.1.1151464042.1692014453; __utmc=65936753; __utma=65936753.1151464042.1692014453.1692014497.1696944689.2; _ga_T6JVWSNVP1=GS1.1.1709202447.2.0.1709203242.0.0.0; _ga_935PE62XQW=GS1.1.1713970794.1.1.1713971244.0.0.0; _ga_4TNTC7E7PN=GS1.1.1713970794.3.1.1713971244.0.0.0; JSESSIONID=46EC0DD82D83AC26E92D6C65A4BA9F7A
2024-04-29 13:29:07.769 DEBUG 7 --- [nio-8443-exec-4] o.a.catalina.connector.CoyoteAdapter : Requested cookie session id is 46EC0DD82D83AC26E92D6C65A4BA9F7A
2024-04-29 13:29:07.769 DEBUG 7 --- [nio-8443-exec-4] o.apache.catalina.valves.RemoteIpValve : Host value [rubin-panda-iam-dev.slac.stanford.edu:8443] in HTTP header [X-Forwarded-Host] included a port number which will be ignored
2024-04-29 13:29:07.769 DEBUG 7 --- [nio-8443-exec-4] o.apache.catalina.valves.RemoteIpValve : Incoming request /openid_connect_login with originalRemoteAddr [192.168.52.192], originalRemoteHost=[192.168.52.192], originalSecure=[false], originalScheme=[http], originalServerName=[rubin-panda-iam-dev.slac.stanford.edu], originalServerPort=[8443] will be seen as newRemoteAddr=[127.0.0.1], newRemoteHost=[127.0.0.1], newSecure=[true], newScheme=[https], newServerName=[rubin-panda-iam-dev.slac.stanford.edu], newServerPort=[443]
```
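As an added illustration (not IAM's or Tomcat's code), the following Python model reproduces the port resolution visible in the two RemoteIpValve log lines above: the scheme comes from X-Forwarded-Proto, any port carried in X-Forwarded-Host is dropped, and the server port is taken from X-Forwarded-Port (here 443, sent by the ingress) or, if that header is absent, from the scheme default. The header names and defaults are the ones Spring Boot configures for server.forward-headers-strategy=native (IAM_FORWARD_HEADERS_STRATEGY=native); the trusted-proxy check is assumed to pass, the sample request is constructed from the captured headers, and the helper names are my own.

```python
"""
Model of how the forward-headers valve (Tomcat RemoteIpValve, as enabled by
IAM_FORWARD_HEADERS_STRATEGY=native) reconstructs the external origin of a
proxied request.  Illustrative code written for this page, not Tomcat's or
INDIGO IAM's implementation; header names and default ports follow Spring
Boot's defaults, everything else is an assumption for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

PROTO_HEADER = "x-forwarded-proto"
HOST_HEADER = "x-forwarded-host"
PORT_HEADER = "x-forwarded-port"
DEFAULT_PORT = {"https": 443, "http": 80}


@dataclass
class Origin:
    scheme: str
    host: str
    port: int
    notes: List[str] = field(default_factory=list)

    def base_url(self) -> str:
        # A container building an absolute URL (e.g. for a redirect) omits the
        # port when it equals the scheme default; that is how the observed
        # redirect to https://host without :8443 arises.
        if self.port == DEFAULT_PORT[self.scheme]:
            return f"{self.scheme}://{self.host}"
        return f"{self.scheme}://{self.host}:{self.port}"


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Header lines of a raw HTTP/1.1 request -> {lower-cased name: value}."""
    headers: Dict[str, str] = {}
    for line in raw_request.strip().splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def resolve_origin(headers: Dict[str, str], server_name: str, server_port: int) -> Origin:
    """Apply the valve's rules.  Trusted-proxy matching is assumed to succeed."""
    origin = Origin("http", server_name, server_port)
    proto = headers.get(PROTO_HEADER)
    if proto is not None:
        origin.scheme = "https" if proto.split(",")[0].strip().lower() == "https" else "http"
        origin.port = DEFAULT_PORT[origin.scheme]  # scheme default unless a port header says otherwise
    fwd_host = headers.get(HOST_HEADER)
    if fwd_host is not None:
        host = fwd_host.split(",")[0].strip()
        if host.count(":") == 1:  # host:port form (bracketed IPv6 literals not modelled)
            host, _, dropped = host.partition(":")
            origin.notes.append(f"port {dropped} in X-Forwarded-Host ignored")
        origin.host = host
    fwd_port = headers.get(PORT_HEADER)
    if fwd_port is not None and fwd_port.strip():
        origin.port = int(fwd_port.split(",")[0].strip())
    return origin


# Constructed from the captured request above: request line plus the
# forwarded headers that matter; browser headers and cookies trimmed.
CAPTURED_REQUEST = """GET /openid_connect_login?iss=https://dex.slac.stanford.edu HTTP/1.1
Host: rubin-panda-iam-dev.slac.stanford.edu:8443
X-Forwarded-Host: rubin-panda-iam-dev.slac.stanford.edu:8443
X-Forwarded-Port: 443
X-Forwarded-Proto: https
"""
IAM_BASE_URL = "https://rubin-panda-iam-dev.slac.stanford.edu:8443"
SERVER_NAME = "rubin-panda-iam-dev.slac.stanford.edu"


def as_observed() -> Origin:
    """What the valve makes of the ingress headers as captured."""
    return resolve_origin(parse_headers(CAPTURED_REQUEST), SERVER_NAME, 8443)


def with_corrected_port_header() -> Origin:
    """Same request, but the proxy advertises the externally reachable port."""
    headers = parse_headers(CAPTURED_REQUEST)
    headers[PORT_HEADER] = "8443"  # hypothetical corrected value from the ingress
    return resolve_origin(headers, SERVER_NAME, 8443)


def matches_base_url(origin: Origin, base_url: str = IAM_BASE_URL) -> bool:
    """Config check: does the reconstructed origin equal IAM_BASE_URL?"""
    return origin.base_url() == base_url


if __name__ == "__main__":
    for label, o in (("as observed", as_observed()),
                     ("X-Forwarded-Port: 8443", with_corrected_port_header())):
        print(f"{label}: {o.base_url()} notes={o.notes} matches_base_url={matches_base_url(o)}")
```

Run against the captured headers, the model yields port 443 and base URL https://rubin-panda-iam-dev.slac.stanford.edu, matching the newServerPort=[443] in the log; with the proxy sending X-Forwarded-Port: 8443 the reconstructed origin equals IAM_BASE_URL. The check in matches_base_url is the comparison worth running after any ingress change: the origin the valve derives from the proxy headers has to agree with IAM_BASE_URL and IAM_ISSUER, or redirect and issuer URLs will disagree with what the browser is using.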

Hi, I guess this is linked to #586. Port 8443 is a special one that leads to the behavior you have described. Is it possible, by chance, to change the ingress port to something like 8444?

We cannot update the ingress port; it's managed by others. The new HTTPS port is returned by the class 'o.apache.catalina.valves.RemoteIpValve'. It seems to be somehow hardcoded if IAM doesn't override it.