From 8c20f908e64b084dbe68038f64227ec5a6281c68 Mon Sep 17 00:00:00 2001 From: maany Date: Thu, 18 Jul 2024 14:38:10 +0200 Subject: [PATCH] webui: update docs on `RUCIO_WEBUI_SERVER_CA_BUNDLE` When SSL is enabled, the outbound requests from NodeJS will validate the host certificates of the server. The common CAs are pre-configured in NodeJS. However, in cases like Atlas, where the CERN CA is used, we need to explicitly provide the CA bundle that can verify the host certificates of the rucio server and the rucio auth server. The documentation has been updated to reflect this behaviour. --- webui/README.md | 31 ++++++++++++++++--------------- webui/rucio.conf.j2 | 4 ++-- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/webui/README.md b/webui/README.md index 371f5eb..b65d7e3 100644 --- a/webui/README.md +++ b/webui/README.md @@ -55,7 +55,7 @@ docker run --rm --name rucio-webui \ -e RUCIO_WEBUI_VO_DEFAULT=def \ -e RUCIO_WEBUI_VO_DEF_NAME=default \ -e RUCIO_WEBUI_VO_DEF_LOGO=https://ep-news.web.cern.ch/sites/ep-news.web.cern.ch/files/RUCIO1.jpg \ - -e NODE_EXTRA_CA_CERTS=/etc/grid-security/ca.pem \ + -e RUCIO_WEBUI_SERVER_CA_BUNDLE=/etc/grid-security/ca.pem \ -e RUCIO_WEBUI_OIDC_ENABLED=false \ -p 80:80 \ -p 443:443 \ 
@@ -76,18 +76,19 @@ The following sections list the available configuration variables: The following environment variables are used to configure the NextJS App. As a convention, the environment variables are prefixed with `RUCIO_WEBUI_` and are generated by the [env-generator](https://github.com/rucio/webui/tree/master/tools/env-generator) tool , which creates the environment file used by the NextJS application. When running the container, the `-e` flag must specify the `FULL_NAME` of the corresponding environment variable. -| Variable Name | Full Name | Description | Example | Default | -| --------------- | --------------------------- | ------------------------------------------------------------------------------------ | ------------------------------ | ------- | -| RUCIO_HOST | RUCIO_WEBUI_RUCIO_HOST | URL for the Rucio Server | https://rucio-lb-prod.cern.ch | | -| RUCIO_AUTH_HOST | RUCIO_WEBUI_RUCIO_AUTH_HOST | URL for the Rucio authentication server | https://rucio-auth-host.ch:443 | | -| HOSTNAME | RUCIO_WEBUI_HOSTNAME | Public HOSTNAME at which Rucio WebUI will be accessible. It may include port number. 
| rucio-ui.cern.ch | | -| ENABLE_SSL | RUCIO_WEBUI_ENABLE_SSL | Enable or Disable TLS Termination (true or false) | true | false | -| PROJECT_URL | RUCIO_WEBUI_PROJECT_URL | Public URL for your project | https://atlas.cern.ch | | -| VO_DEFAULT | RUCIO_WEBUI_VO_DEFAULT | Short name for the default VO used for authentication | def | def | -| VO_LIST | RUCIO_WEBUI_VO_LIST | CSV string containing the list of supported VOs | def, atl, cms | def | -| MULTIVO_ENABLED | RUCIO_WEBUI_MULTIVO_ENABLED | Whether to enable multi-VO config (true or false) | true | | -| OIDC_ENABLED | RUCIO_WEBUI_OIDC_ENABLED | Enable or Disable OIDC Authentication (true or false) | true | | -| OIDC_PROVIDERS | RUCIO_WEBUI_OIDC_PROVIDERS | CSV string containing names of OIDC Providers | cern, indigo | | +| Variable Name | Full Name | Description | Example | Default | +| ---------------- | ---------------------------- | ------------------------------------------------------------------------------------ | ------------------------------ | ------- | +| RUCIO_HOST | RUCIO_WEBUI_RUCIO_HOST | URL for the Rucio Server | https://rucio-lb-prod.cern.ch | | +| RUCIO_AUTH_HOST | RUCIO_WEBUI_RUCIO_AUTH_HOST | URL for the Rucio authentication server | https://rucio-auth-host.ch:443 | | +| HOSTNAME | RUCIO_WEBUI_HOSTNAME | Public HOSTNAME at which Rucio WebUI will be accessible. It may include port number. 
| rucio-ui.cern.ch | | +| ENABLE_SSL | RUCIO_WEBUI_ENABLE_SSL | Enable or Disable TLS Termination (true or false) | true | false | +| SERVER_CA_BUNDLE | RUCIO_WEBUI_SERVER_CA_BUNDLE | A CA that can verify the certificate of your Rucio Server | | | +| PROJECT_URL | RUCIO_WEBUI_PROJECT_URL | Public URL for your project | https://atlas.cern.ch | | +| VO_DEFAULT | RUCIO_WEBUI_VO_DEFAULT | Short name for the default VO used for authentication | def | def | +| VO_LIST | RUCIO_WEBUI_VO_LIST | CSV string containing the list of supported VOs | def, atl, cms | def | +| MULTIVO_ENABLED | RUCIO_WEBUI_MULTIVO_ENABLED | Whether to enable multi-VO config (true or false) | true | | +| OIDC_ENABLED | RUCIO_WEBUI_OIDC_ENABLED | Enable or Disable OIDC Authentication (true or false) | true | | +| OIDC_PROVIDERS | RUCIO_WEBUI_OIDC_PROVIDERS | CSV string containing names of OIDC Providers | cern, indigo | | For each `VO` specified in the `VO_LIST` variable, additional variables need to be specified. These variables should be added in the following format: `RUCIO_WEBUI_VO__=`. An example for the default VO is shown below: 
@@ -126,8 +127,8 @@ The following environment variables are used to configure the rucio specific asp | `RUCIO_HTTPD_LOG_DIR` | If `RUCIO_ENABLE_LOGS` is set use this variable to change the default logfile output directory. | | | `RUCIO_CA_REVOCATION_CHECK` | Sets the `SSLCARevocationCheck` variable for Apache | Default: `chain` | | `RUCIO_HTTPD_ADDITIONAL_PROXY_CONF` | Sets the ProxyPass and ProxyPassReverse directives for Apache. | | -| `RUCIO_HTTPD_PROXY_PROTOCOL_ENABLED` | Enable Proxy Protocol. Useful if your Apache is itself behind a Loadbalancer that uses Proxy Protocol to forward traffic | | -| `RUCIO_HTTPD_PROXY_PROTOCOL_EXCEPTIONS` | The URLs that must not be proxied. Sets the `RemoteIPProxyProtocolExceptions` directive in apache config. | | +| `RUCIO_HTTPD_PROXY_PROTOCOL_ENABLED` | Enable Proxy Protocol. Useful if your Apache is itself behind a Loadbalancer that uses Proxy Protocol to forward traffic | | +| `RUCIO_HTTPD_PROXY_PROTOCOL_EXCEPTIONS` | The URLs that must not be proxied. Sets the `RemoteIPProxyProtocolExceptions` directive in apache config. | | The following environment variables are used to configure the Apache Web Server. Please take a look at `httpd.conf.j2` for more information. diff --git a/webui/rucio.conf.j2 b/webui/rucio.conf.j2 index d098c3a..2054827 100644 --- a/webui/rucio.conf.j2 +++ b/webui/rucio.conf.j2 @@ -1,6 +1,6 @@ {% macro common_virtual_host_config(port) %} -{% if RUCIO_HOSTNAME is defined %} - ServerName {{ RUCIO_HOSTNAME }}:{{ port }} +{% if RUCIO_WEBUI_HOSTNAME is defined %} + ServerName {{ RUCIO_WEBUI_HOSTNAME }}:{{ port }} {% endif %} ServerAdmin {{ RUCIO_SERVER_ADMIN | default('rucio-admin@cern.ch')}} {% if enable_ssl == 'True' %}
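Review bot: the `docker run` example in the `@@ -55,7 +55,7 @@` hunk replaces `-e NODE_EXTRA_CA_CERTS=/etc/grid-security/ca.pem` with `-e RUCIO_WEBUI_SERVER_CA_BUNDLE=/etc/grid-security/ca.pem`, but nothing in this patch shows how the new variable reaches the Node process (the env-generator output, an entrypoint exporting `NODE_EXTRA_CA_CERTS`, or an explicit `ca` option on the HTTPS agent). Since the commit message states that outbound requests from NodeJS validate the server certificate, the README should name the mechanism that consumes the variable and make clear that the path is inside the container, so the bundle has to be mounted there (for example with `-v`). Otherwise a reader who drops `NODE_EXTRA_CA_CERTS` as the example now suggests may see TLS verification fail against a CERN-CA-signed host without understanding why.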
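Review bot: the new `SERVER_CA_BUNDLE` row in the table hunk at `@@ -76,18 +76,19 @@` leaves both the Example and Default columns empty, and its description ("A CA that can verify the certificate of your Rucio Server") is narrower than the commit message, which says the bundle must verify both the Rucio server and the Rucio auth server. Suggest filling the row consistently with the `docker run` example above it, for instance `| SERVER_CA_BUNDLE | RUCIO_WEBUI_SERVER_CA_BUNDLE | Path (inside the container) to a PEM CA bundle that can verify the certificates of the Rucio server and the Rucio auth server | /etc/grid-security/ca.pem | |`, and stating what happens when it is unset (the commit message implies the Node built-in CA store is used, which covers public CAs but not the CERN CA).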
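Review bot: the two `RUCIO_HTTPD_PROXY_PROTOCOL_*` rows in the hunk at `@@ -126,8 +127,8 @@` are removed and re-added with text that is identical apart from column padding, so this hunk is whitespace-only noise unrelated to the CA bundle change. Either drop it or mention the table re-alignment in the commit message so reviewers do not look for a semantic change here.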
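Review bot: the `webui/rucio.conf.j2` hunk changes the variable that drives Apache's `ServerName` from `RUCIO_HOSTNAME` to `RUCIO_WEBUI_HOSTNAME`, which is a functional change to the generated Apache config, yet the commit message describes the patch as a documentation update. Deployments that still set `RUCIO_HOSTNAME` will silently lose the `ServerName` directive, which Apache uses for name-based virtual-host matching and self-referential URLs on both the plain and TLS vhosts. Suggest calling this out in the commit message, and consider a transition fallback such as `{% if RUCIO_WEBUI_HOSTNAME is defined or RUCIO_HOSTNAME is defined %}` with `ServerName {{ RUCIO_WEBUI_HOSTNAME | default(RUCIO_HOSTNAME) }}:{{ port }}` so the README's `RUCIO_WEBUI_HOSTNAME` row and the template agree without breaking existing configurations.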