Foglight SAML metadata uses the wrong port when Foglight is behind a proxy or load balancer.
For example, Foglight and the load balancer are configured to listen for HTTPS on port 8443.
When accessing Foglight via the load balancer URL (E.g.: https://foglight.yourdomain.com:8443/console/saml2/metadata.xml), the metadata uses the default HTTPS port (443) which can cause problems with SAML authentication due to a mismatch in the ports.
<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="YYYY-MM-DDThh:mm:ssZ" cacheDuration="PT604800S" entityID="https://foglight.yourdomain.com:443/console/saml2/metadata.xml" ...
The port is correct when accessing via the Foglight server URL instead of the load balancer.
CAUSE 1
The default port for the protocol is being used because the port is not specified in the Host
header of the request.
Refer to Host - HTTP | MDN for additional information on the HTTP header.
CAUSE 2
For Foglight 6.3.0 and higher, the default port for the protocol is being used when headers x-forwarded-proto: https
or x-forwarded-proto: http
are present in the request.
This issue has been logged as defect Id. FOG-9645.
WORKAROUND 1
If using a non-default HTTP or HTTPS port, the load balancer must be configured to include the port in the Host
header.
WORKAROUND 2
If the x-forwarded-proto
header is included in the request from the load balancer, apply the following changes to Tomcat's configuration in Foglight:
[FMS_HOME]/server/tomcat/server.xml
.RemoteIpValve
configuration to specify the hostHeader
and portHeader
attributes with values of x-forwarded-host
and x-forwarded-port
respectively.
From:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto" />
To:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
hostHeader="x-forwarded-host"
portHeader="x-forwarded-port"
protocolHeader="x-forwarded-proto" />
WORKAROUND 3
Update the configuration on the load balancer and Foglight to use the default port for HTTP or HTTPS (80 or 443).
To update the port in Foglight, refer to How to change Foglight Management Server port after installation? (4271559).
STATUS
This issue has been logged as defect Id. FOG-9645 and it is waiting for a fix in a future release of Foglight.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center