3. Enable Reverse Proxy

The reverse proxy will proxy a request to any specified host and port through IP sockets. This can be used to connect to Jupyter notebook servers, RStudio servers, VNC servers, and more… This is disabled by default as it can be a security risk if not properly setup using a good host_regex.

You can read more about how this works in Open OnDemand under Configure Reverse Proxy.

3.1. Requirements

  • a regular expression that best describes all the hosts that you would want a user to connect to through the proxy (e.g., [\w.-]+\.osc\.edu)

  • confirm that if you run the command hostname from a compute node it will return a string that matches the above regular expression

    $ hostname
    n0001.ten.osc.edu
    

    Note

    If the hostname command gives you a value that cannot be used to connect to the compute node from the OnDemand host, then you can override it in the cluster config with a bash command that will work, e.g.:

    # /etc/ood/config/clusters.d/cluster1.yml
    ---
    v2:
      metadata:
        title: "Cluster 1"
      login:
        host: "cluster1.my_center.edu"
      job:
        adapter: "..."
        ...
      batch_connect:
        basic:
          script_wrapper: |
            module purge
            %s
          set_host: "host=$(hostname -A | awk '{print $1}')"
        vnc:
          script_wrapper: |
            module purge
            export PATH="/usr/local/turbovnc/bin:$PATH"
            export WEBSOCKIFY_CMD="/usr/local/websockify/run"
            %s
          set_host: "host=$(hostname -A | awk '{print $1}')"
    

3.2. Steps to Enable in Apache

  1. We will update the Apache configuration file by adding Location directives that will be used for the reverse proxy. This requires modifying the configuration file for the ood-portal-generator.

    cd ~/ood/src/ood-portal-generator
    
  2. Configuration is handled by editing the config.yml as such:

    # ~/ood/src/ood-portal-generator/config.yml
    ---
    servername: webdev05.hpc.osc.edu
    ssl:
      - 'SSLCertificateFile "/etc/pki/tls/certs/webdev05.hpc.osc.edu.crt"'
      - 'SSLCertificateKeyFile "/etc/pki/tls/private/webdev05.hpc.osc.edu.key"'
      - 'SSLCertificateChainFile "/etc/pki/tls/certs/webdev05.hpc.osc.edu-interm.crt"'
    auth:
      - 'AuthType Basic'
      - 'AuthName "private"'
      - 'AuthBasicProvider ldap'
      - 'AuthLDAPURL "ldaps://openldap1.infra.osc.edu:636/ou=People,ou=hpc,o=osc?uid" SSL'
      - 'AuthLDAPGroupAttribute memberUid'
      - 'AuthLDAPGroupAttributeIsDN off'
      - 'RequestHeader unset Authorization'
      - 'Require valid-user'
    
    host_regex: '[\w.-]+\.osc\.edu'
    node_uri: '/node'
    rnode_uri: '/rnode'
    

    You can read more about these options under Configure Reverse Proxy.

    Tip

    What if my site foregos the FQDN in the host names for compute nodes, and we have compute names that give their hosts as:

    • ab001ab100 (for the AB cluster)
    • pn001pn500 (for the PN cluster)
    • xy001xy125 (for the XY cluster)

    You could then use the following regular expression in your configuration file:

    host_regex: '(ab|pn|xy)\d+'
    node_uri: '/node'
    rnode_uri: '/rnode'
    

    Warning

    Do not add start (^, A) or end ($, Z) of string/line anchors as this regular expression will be inserted into another regular expression.

    Danger

    Failing to add an appropriate regular expression to the Reverse Proxy opens you up to possible phishing attacks. As a malicious party could send links to unsuspecting users as:

    https://ondemand.center.edu/rnode/phishing.site.com/80/...
    

    And users will implicitly trust the link since it points to the trusting domain of ondemand.center.edu.

  3. Re-build the Apache config:

    $ scl enable rh-ruby22 -- rake
    mkdir -p build
    rendering templates/ood-portal.conf.erb => build/ood-portal.conf
    
  4. Copy it over to the default location:

    $ sudo scl enable rh-ruby22 -- rake install
    cp build/ood-portal.conf /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf
    
  5. Restart the Apache server:

    $ sudo service httpd24-httpd restart
    

    Warning

    If using RHEL 7 you will need to replace the above command with:

    $ sudo systemctl restart httpd24-httpd
    

3.3. Verify it Works

We can test that the reverse proxy is now functional by starting up a simple server on a compute node and connecting to it through the proxy with our browser.

  1. SSH to any compute node that matches the regular expression above:

    $ ssh n0001.ten.osc.edu
    
  2. Start up a very simple listening server on a high number port:

    $ nc -l 5432
    
  3. In your browser navigate to this server using the Apache reverse proxy with the following URL format:

    http://ondemand.my_center.edu/node/<host>/<port>/...
    

    So for our simplified case lets use:

    http://ondemand.my_center.edu/node/n0001.ten.osc.edu/5432/
    
  4. Go back to your SSH session and verify that it received the browser request:

    $ nc -l 5432
    GET /node/n0691.ten.osc.edu/5432/ HTTP/1.1
    Host: n0691.ten.osc.edu:5432
    Upgrade-Insecure-Requests: 1
    ...
    

    Note

    As we don’t have the simple server return anything to the browser, you can ignore any errors or warnings you see in your browser.