wido edited a comment on pull request #898:
URL:
https://github.com/apache/cloudstack-primate/pull/898#issuecomment-759444072
I tried this with two management servers from the PCextreme cloud.
<pre>
server {
listen 80;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html;
}
location /api/ams {
# http://127.0.0.1:8080 should be replaced your CloudStack management
# Server's actual URI
proxy_pass https://api.XXXXX.eu/ams3;
}
location /api/haa {
# http://127.0.0.1:8080 should be replaced your CloudStack management
# Server's actual URI
proxy_pass https://api.XXXXX.eu/zone01_haa01;
}
}
</pre>
<pre>
{
"servers": [
{
"name": "Amsterdam",
"apiBase": "/api/ams"
},
{
"name": "Haarlem",
"apiBase": "/api/haa"
}
],
</pre>
I see the requests go to the proper Management server, but my Firefox
console complains that *sessionkey* cookie expires right away.
The calls which I see:
<pre>
172.17.0.1 - - [13/Jan/2021:13:18:15 +0000] "POST /api/haa/ HTTP/1.1" 200
323 "http://localhost:8181/"; "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0)
Gecko/20100101 Firefox/84.0" "-"
172.17.0.1 - - [13/Jan/2021:13:18:15 +0000] "GET
/api/haa/?listall=true&command=listZones&response=json HTTP/1.1" 401 126
"http://localhost:8181/"; "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0)
Gecko/20100101 Firefox/84.0" "-"
172.17.0.1 - - [13/Jan/2021:13:18:15 +0000] "GET
/api/haa/?username=admin&command=listUsers&response=json HTTP/1.1" 401 126
"http://localhost:8181/"; "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0)
Gecko/20100101 Firefox/84.0" "-"
172.17.0.1 - - [13/Jan/2021:13:18:15 +0000] "GET
/api/haa/?command=listApis&response=json HTTP/1.1" 401 125
"http://localhost:8181/"; "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0)
Gecko/20100101 Firefox/84.0" "-"
</pre>
So some calls work, but others get back a *401 Unauthorized*. Still unclear
to me what is breaking it here.
Both API endpoints and up at the management servers:
<pre>
wido@wido-laptop:~$ curl -I http://localhost:8181/api/ams
HTTP/1.1 401 Unauthorized
Server: nginx/1.19.6
Date: Wed, 13 Jan 2021 13:22:08 GMT
Content-Type: text/xml;charset=utf-8
Content-Length: 211
Connection: keep-alive
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
content-security-policy: 1
content-security-policy: default-src=none
content-security-policy: script-src=self
content-security-policy: connect-src=self
content-security-policy: img-src=self
content-security-policy: style-src=self
X-Xss-Protection: 1; mode=block
wido@wido-laptop:~$ curl -I http://localhost:8181/api/haa
HTTP/1.1 401 Unauthorized
Server: nginx/1.19.6
Date: Wed, 13 Jan 2021 13:22:11 GMT
Content-Type: text/xml;charset=utf-8
Content-Length: 211
Connection: keep-alive
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
content-security-policy: 1
content-security-policy: default-src=none
content-security-policy: script-src=self
content-security-policy: connect-src=self
content-security-policy: img-src=self
content-security-policy: style-src=self
X-Xss-Protection: 1; mode=block
X-Xss-Protection: 1; mode=block
wido@wido-laptop:~$
</pre>
I also checked the management server logs:
<pre>
2021-01-13 14:26:34,987 DEBUG [c.c.a.ApiServlet]
(qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) ===START=== 92.XXX.170.138
-- POST
2021-01-13 14:26:34,988 DEBUG [c.c.a.ApiServlet]
(qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) Session cookie is marked
secure!
2021-01-13 14:26:34,993 DEBUG [c.c.u.AccountManagerImpl]
(qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) Attempting to log in user:
admin in domain 1
2021-01-13 14:26:34,995 DEBUG [o.a.c.s.a.PBKDF2UserAuthenticator]
(qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) Retrieving user: admin
2021-01-13 14:26:35,316 DEBUG [c.c.u.AccountManagerImpl]
(qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) CIDRs from which account
'Acct[ae43e7cb-abe2-11ea-8f22-d8252d74bd58-admin]' is allowed to perform API
calls: 0.0.0.0/0,::/0
2021-01-13 14:26:35,316 DEBUG [c.c.u.AccountManagerImpl]
(qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) User: admin in domain 1 has
successfully logged in
2021-01-13 14:26:35,329 INFO [c.c.a.ApiServer]
(qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) Current user logged in under
UTC timezone
2021-01-13 14:26:35,329 INFO [c.c.a.ApiServer]
(qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) Timezone offset from UTC is:
0.0
2021-01-13 14:26:35,333 DEBUG [c.c.a.ApiServlet]
(qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) ===END=== 92.XXX.170.138 --
POST
2021-01-13 14:26:35,387 DEBUG [c.c.a.ApiServlet]
(qtp979294118-64148:ctx-2355cc41) (logid:343a1d0e) ===START=== 92.XXX.170.138
-- GET listall=true&command=listZones&response=json
2021-01-13 14:26:35,387 DEBUG [c.c.a.ApiServer]
(qtp979294118-64148:ctx-2355cc41 ctx-c0c8312c) (logid:343a1d0e) Expired
session, missing signature, or missing apiKey -- ignoring request. Signature:
null, apiKey: null
2021-01-13 14:26:35,389 DEBUG [c.c.a.ApiServlet]
(qtp979294118-64148:ctx-2355cc41 ctx-c0c8312c) (logid:343a1d0e) ===END===
92.xxx.170.138 -- GET listall=true&command=listZones&response=json</pre>
Noticed how these values are **null**:
- apiKey
- signature
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
