webui: update docs on RUCIO_WEBUI_SERVER_CA_BUNDLE
When SSL is enabled, the outbound requests from NodeJS will validate the host certificates of the server. The common CAs are pre-configured in NodeJS. However, in cases like Atlas, where the CERN CA is used, we need to explicitly provide the CA bundle that can verify the host certificates of the rucio server and the rucio auth server.

The documentation has been updated to reflect this behaviour.
maany committed Jul 18, 2024
1 parent a3d6acd commit 8c20f90
Showing 2 changed files with 18 additions and 17 deletions.
31 changes: 16 additions & 15 deletions webui/README.md
Expand Up @@ -55,7 +55,7 @@ docker run --rm --name rucio-webui \
-e RUCIO_WEBUI_VO_DEFAULT=def \
-e RUCIO_WEBUI_VO_DEF_NAME=default \
-e RUCIO_WEBUI_VO_DEF_LOGO=https://ep-news.web.cern.ch/sites/ep-news.web.cern.ch/files/RUCIO1.jpg \
-e NODE_EXTRA_CA_CERTS=/etc/grid-security/ca.pem \
-e RUCIO_WEBUI_SERVER_CA_BUNDLE=/etc/grid-security/ca.pem \
-e RUCIO_WEBUI_OIDC_ENABLED=false \
-p 80:80 \
-p 443:443 \
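Review bot: on the `-e RUCIO_WEBUI_SERVER_CA_BUNDLE=/etc/grid-security/ca.pem \` line, the example drops `NODE_EXTRA_CA_CERTS` without saying what happens to deployments that still set it. Please state in the README whether the old variable is still honoured or must be replaced, so that an operator who upgrades does not end up with outbound certificate validation failing against a server signed by the CERN CA. Since the value is a path inside the container, it would also help to point at the mount that provides `/etc/grid-security/ca.pem` if the surrounding command does not already show it.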
Expand All @@ -76,18 +76,19 @@ The following sections list the available configuration variables:

The following environment variables are used to configure the NextJS App. As a convention, the environment variables are prefixed with `RUCIO_WEBUI_` and are generated by the [env-generator](https://github.com/rucio/webui/tree/master/tools/env-generator) tool , which creates the environment file used by the NextJS application. When running the container, the `-e` flag must specify the `FULL_NAME` of the corresponding environment variable.

| Variable Name | Full Name | Description | Example | Default |
| --------------- | --------------------------- | ------------------------------------------------------------------------------------ | ------------------------------ | ------- |
| RUCIO_HOST | RUCIO_WEBUI_RUCIO_HOST | URL for the Rucio Server | https://rucio-lb-prod.cern.ch | |
| RUCIO_AUTH_HOST | RUCIO_WEBUI_RUCIO_AUTH_HOST | URL for the Rucio authentication server | https://rucio-auth-host.ch:443 | |
| HOSTNAME | RUCIO_WEBUI_HOSTNAME | Public HOSTNAME at which Rucio WebUI will be accessible. It may include port number. | rucio-ui.cern.ch | |
| ENABLE_SSL | RUCIO_WEBUI_ENABLE_SSL | Enable or Disable TLS Termination (true or false) | true | false |
| PROJECT_URL | RUCIO_WEBUI_PROJECT_URL | Public URL for your project | https://atlas.cern.ch | |
| VO_DEFAULT | RUCIO_WEBUI_VO_DEFAULT | Short name for the default VO used for authentication | def | def |
| VO_LIST | RUCIO_WEBUI_VO_LIST | CSV string containing the list of supported VOs | def, atl, cms | def |
| MULTIVO_ENABLED | RUCIO_WEBUI_MULTIVO_ENABLED | Whether to enable multi-VO config (true or false) | true | |
| OIDC_ENABLED | RUCIO_WEBUI_OIDC_ENABLED | Enable or Disable OIDC Authentication (true or false) | true | |
| OIDC_PROVIDERS | RUCIO_WEBUI_OIDC_PROVIDERS | CSV string containing names of OIDC Providers | cern, indigo | |
| Variable Name | Full Name | Description | Example | Default |
| ---------------- | ---------------------------- | ------------------------------------------------------------------------------------ | ------------------------------ | ------- |
| RUCIO_HOST | RUCIO_WEBUI_RUCIO_HOST | URL for the Rucio Server | https://rucio-lb-prod.cern.ch | |
| RUCIO_AUTH_HOST | RUCIO_WEBUI_RUCIO_AUTH_HOST | URL for the Rucio authentication server | https://rucio-auth-host.ch:443 | |
| HOSTNAME | RUCIO_WEBUI_HOSTNAME | Public HOSTNAME at which Rucio WebUI will be accessible. It may include port number. | rucio-ui.cern.ch | |
| ENABLE_SSL | RUCIO_WEBUI_ENABLE_SSL | Enable or Disable TLS Termination (true or false) | true | false |
| SERVER_CA_BUNDLE | RUCIO_WEBUI_SERVER_CA_BUNDLE | A CA that can verify the certificate of your Rucio Server | | |
| PROJECT_URL | RUCIO_WEBUI_PROJECT_URL | Public URL for your project | https://atlas.cern.ch | |
| VO_DEFAULT | RUCIO_WEBUI_VO_DEFAULT | Short name for the default VO used for authentication | def | def |
| VO_LIST | RUCIO_WEBUI_VO_LIST | CSV string containing the list of supported VOs | def, atl, cms | def |
| MULTIVO_ENABLED | RUCIO_WEBUI_MULTIVO_ENABLED | Whether to enable multi-VO config (true or false) | true | |
| OIDC_ENABLED | RUCIO_WEBUI_OIDC_ENABLED | Enable or Disable OIDC Authentication (true or false) | true | |
| OIDC_PROVIDERS | RUCIO_WEBUI_OIDC_PROVIDERS | CSV string containing names of OIDC Providers | cern, indigo | |

For each `VO` specified in the `VO_LIST` variable, additional variables need to be specified. These variables should be added in the following format:
`RUCIO_WEBUI_VO_<VO_SHORT_NAME>_<VARIABLE_NAME>=<VARIABLE_VALUE>`. An example for the default VO is shown below:
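Review bot: the new `SERVER_CA_BUNDLE` row leaves Example and Default empty and describes the value as "A CA", which does not tell the reader that a file path is expected. Suggest describing it as the path to a CA bundle file inside the container, needed when SSL is enabled to verify the certificates of both `RUCIO_HOST` and `RUCIO_AUTH_HOST` (the commit message names both servers, the row only the Rucio Server), and using `/etc/grid-security/ca.pem` from the `docker run` example as the Example.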
Expand Down Expand Up @@ -126,8 +127,8 @@ The following environment variables are used to configure the rucio specific asp
| `RUCIO_HTTPD_LOG_DIR` | If `RUCIO_ENABLE_LOGS` is set use this variable to change the default logfile output directory. | |
| `RUCIO_CA_REVOCATION_CHECK` | Sets the `SSLCARevocationCheck` variable for Apache | Default: `chain` |
| `RUCIO_HTTPD_ADDITIONAL_PROXY_CONF` | Sets the ProxyPass and ProxyPassReverse directives for Apache. | |
| `RUCIO_HTTPD_PROXY_PROTOCOL_ENABLED` | Enable Proxy Protocol. Useful if your Apache is itself behind a Loadbalancer that uses Proxy Protocol to forward traffic | |
| `RUCIO_HTTPD_PROXY_PROTOCOL_EXCEPTIONS` | The URLs that must not be proxied. Sets the `RemoteIPProxyProtocolExceptions` directive in apache config. | |
| `RUCIO_HTTPD_PROXY_PROTOCOL_ENABLED` | Enable Proxy Protocol. Useful if your Apache is itself behind a Loadbalancer that uses Proxy Protocol to forward traffic | |
| `RUCIO_HTTPD_PROXY_PROTOCOL_EXCEPTIONS` | The URLs that must not be proxied. Sets the `RemoteIPProxyProtocolExceptions` directive in apache config. | |

The following environment variables are used to configure the Apache Web Server. Please take a look at `httpd.conf.j2` for more information.

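Review bot: the `RUCIO_HTTPD_PROXY_PROTOCOL_ENABLED` and `RUCIO_HTTPD_PROXY_PROTOCOL_EXCEPTIONS` rows appear to change only in column padding, which is unrelated to the CA bundle documentation; consider dropping this realignment or moving it to a separate formatting commit. If the rows are being touched anyway, the `RUCIO_HTTPD_PROXY_PROTOCOL_EXCEPTIONS` description is worth correcting: Apache's `RemoteIPProxyProtocolExceptions` takes client hosts or address ranges for which the PROXY header is not processed, not "URLs that must not be proxied".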
4 changes: 2 additions & 2 deletions webui/rucio.conf.j2
@@ -1,6 +1,6 @@
{% macro common_virtual_host_config(port) %}
{% if RUCIO_HOSTNAME is defined %}
ServerName {{ RUCIO_HOSTNAME }}:{{ port }}
{% if RUCIO_WEBUI_HOSTNAME is defined %}
ServerName {{ RUCIO_WEBUI_HOSTNAME }}:{{ port }}
{% endif %}
ServerAdmin {{ RUCIO_SERVER_ADMIN | default('rucio-admin@cern.ch')}}
{% if enable_ssl == 'True' %}
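Review bot: the guard `{% if RUCIO_WEBUI_HOSTNAME is defined %}` replaces the `RUCIO_HOSTNAME` check with no fallback, so a deployment that still sets only `RUCIO_HOSTNAME` silently renders no `ServerName` at all. This is a behaviour change in a commit whose message only mentions documentation; please mention it there and consider accepting the old name as a fallback. Also, the README says `RUCIO_WEBUI_HOSTNAME` may include a port number, yet `ServerName {{ RUCIO_WEBUI_HOSTNAME }}:{{ port }}` always appends one, which would produce a doubled port for such a value.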