Bug #9989

Smart-Proxy listens on 127.0.0.1 only

Added by Roderick Day over 7 years ago. Updated over 7 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

https://groups.google.com/forum/#!topic/foreman-users/5fhXp7e_u5Q - Original report

https://github.com/sinatra/sinatra/commit/0f9a959253bdf0c39422ffb9b60278df46ef0248 - suspected root problem, credit to Pete Harvey on Foreman-Users Google Group for finding this

I too am having this issue.

Settings.yml:

# cat /etc/foreman-proxy/settings.yml
---
#replace default location of "settings.d" 
:settings_directory: /etc/foreman-proxy/settings.d

# SSL Setup
# If enabled, all communication would be verified via SSL
# NOTE that both certificates need to be signed by the same CA in order for this to work
# see http://theforeman.org/projects/smart-proxy/wiki/SSL for more information
:ssl_certificate: /var/lib/puppet/ssl/certs/foreman-proxy.<REDACTED>.pem
:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
:ssl_private_key: /var/lib/puppet/ssl/private_keys/foreman-proxy.<REDACTED>.pem

# Hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
#:trusted_hosts:
#- foreman.prod.domain
#- foreman.dev.domain
#to deny access to all hosts use:
#:trusted_hosts: []

#:foreman_url: http://127.0.0.1:3000

# SSL settings for client authentication against Foreman. If undefined, the values
# from general SSL options are used instead. Mainly useful when Foreman uses
# different certificates for its web UI and for smart-proxy requests.
#:foreman_ssl_ca: ssl/certs/ca.pem
#:foreman_ssl_cert: ssl/certs/fqdn.pem
#:foreman_ssl_key: ssl/private_keys/fqdn.pem

# by default smart_proxy runs in the foreground. To enable running as a daemon, uncomment 'daemon' setting
:daemon: true
# Only used when 'daemon' is set to true.
# Uncomment and modify if you want to change the default pid file '/var/run/foreman-proxy/foreman-proxy.pid'
:daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid

# HTTP ports configuration
# http is disabled by default. To enable, uncomment 'http_port' setting
#:http_port: 8000
# https is enabled if certificate, CA certificate, and private key are present in locations specifed by
# ssl_certificate, ssl_ca_file, and ssl_private_key correspondingly
# default values for https_port is 8443
:https_port: 8443

# Shared options for virsh DNS/DHCP provider
:virsh_network: default

# Log configuration
# Uncomment and modify if you want to change the location of the log file or use STDOUT
:log_file: /var/log/foreman-proxy/proxy.log
# Uncomment and modify if you want to change the log level
# WARN, DEBUG, ERROR, FATAL, INFO, UNKNOWN
:log_level: DEBUG

Looking at listeners on port 8443:

# lsof -n -i4 -a -P -p `cat /var/run/foreman-proxy/foreman-proxy.pid`
COMMAND  PID          USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
ruby    5811 foreman-proxy    5u  IPv4 27769254      0t0  TCP 127.0.0.1:8443 (LISTEN)

Potential workarounds:

  • add export RACK_ENV='production' to init script
  • add proxy FQDN to hosts entry for 127.0.0.1
    • this assumes the foreman is on the same machine
    • this allows foreman to connect and import classes/environments

Related issues

Is duplicate of Smart Proxy - Feature #8905: Add host configure option for binding the TCP port (Closed, 2015-01-12)

History

#1 Updated by Dominic Cleal over 7 years ago

  • Is duplicate of Feature #8905: Add host configure option for binding the TCP port added

#2 Updated by Dominic Cleal over 7 years ago

  • Status changed from New to Duplicate

Thanks for the report, and sorry for not replying to that foreman-users thread, I missed it.

We added a new :bind_host option into 1.8.0 which allows you to override the bind address, but it isn't available in the 1.7.x series. I'd recommend either downgrading rack or using the 1.8.0-RC for the smart proxy for the time being.

I spoke to somebody on IRC yesterday who hit this despite using packages (which should all be older rack versions) as there was a locally installed rack 1.6.0 gem. gem list and gem uninstall -v 1.6.0 rack fixed the problem there.

#3 Updated by Roderick Day over 7 years ago

Confirmed gem uninstall -v 1.6.0 rack works

Thanks!

Dominic Cleal wrote:

Thanks for the report, and sorry for not replying to that foreman-users thread, I missed it.

We added a new :bind_host option into 1.8.0 which allows you to override the bind address, but it isn't available in the 1.7.x series. I'd recommend either downgrading rack or using the 1.8.0-RC for the smart proxy for the time being.

I spoke to somebody on IRC yesterday who hit this despite using packages (which should all be older rack versions) as there was a locally installed rack 1.6.0 gem. gem list and gem uninstall -v 1.6.0 rack fixed the problem there.
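
The lsof check from the report can be scripted to confirm the bind scope of the proxy after applying one of the workarounds or setting :bind_host. This is an added example, not part of the original issue or of Foreman's code; the function names are hypothetical, and every sample line except the 127.0.0.1:8443 one from the report is constructed.

```ruby
require 'ipaddr'

# Matches the NAME column of a listening TCP socket in `lsof -n -P -i` output.
LISTEN_RE = /\sTCP\s+(\S+):(\d+)\s+\(LISTEN\)\s*\z/

# Sample input: the 127.0.0.1:8443 line is from the report; the other two
# listener lines are constructed for illustration.
SAMPLE_LSOF = <<~LSOF
  COMMAND  PID          USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
  ruby    5811 foreman-proxy    5u  IPv4 27769254      0t0  TCP 127.0.0.1:8443 (LISTEN)
  ruby    6120 foreman-proxy    5u  IPv4 27770001      0t0  TCP *:8443 (LISTEN)
  ruby    6300 foreman-proxy    6u  IPv6 27770050      0t0  TCP [::1]:8000 (LISTEN)
LSOF

# Classify a bind address as loopback-only, all interfaces, or one address.
def bind_scope(address)
  return :all_interfaces if address == '*'

  ip = IPAddr.new(address.delete('[]')) # lsof brackets IPv6 addresses
  return :all_interfaces if ip.to_i.zero? # 0.0.0.0 or ::

  ip.loopback? ? :loopback_only : :specific_address
rescue IPAddr::Error
  :unknown
end

# Extract every listening TCP socket from lsof output; other lines are skipped.
def listeners(lsof_output)
  lsof_output.each_line.filter_map do |line|
    next unless (m = LISTEN_RE.match(line.chomp))

    { command: line.split.first, address: m[1], port: m[2].to_i,
      scope: bind_scope(m[1]) }
  end
end

# True when something other than a loopback-only socket listens on the port.
def reachable_from_network?(lsof_output, port)
  listeners(lsof_output).any? { |l| l[:port] == port && l[:scope] != :loopback_only }
end

if __FILE__ == $PROGRAM_NAME
  listeners(SAMPLE_LSOF).each do |l|
    puts format('%-8s %-12s %5d  %s', l[:command], l[:address], l[:port], l[:scope])
  end
end
```

A listener whose address cannot be parsed is reported as :unknown and treated as reachable, so the check errs toward flagging exposure.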
