Foglight SAML metadata uses the wrong port when Foglight is behind a proxy or load balancer.
For example, Foglight and the load balancer are configured to listen for HTTPS on port 8443.
When accessing Foglight via the load balancer URL (for example, https://foglight.yourdomain.com:8443/console/saml2/metadata.xml), the metadata uses the default HTTPS port (443) instead, which can break SAML authentication because the port in the metadata does not match the port clients actually use.
<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="YYYY-MM-DDThh:mm:ssZ" cacheDuration="PT604800S" entityID="https://foglight.yourdomain.com:443/console/saml2/metadata.xml" ...
The port is correct when accessing via the Foglight server URL instead of the load balancer.
CAUSE 1
The default port for the protocol is being used because the port is not specified in the Host header of the request.
Refer to Host - HTTP | MDN for additional information on the HTTP header.
CAUSE 2
For Foglight 6.3.0 and higher, the default port for the protocol is being used when the header x-forwarded-proto: https or x-forwarded-proto: http is present in the request.
This issue has been logged as defect Id. FOG-9645.
WORKAROUND 1
If using a non-default HTTP or HTTPS port, the load balancer must be configured to include the port in the Host header.
WORKAROUND 2
If the x-forwarded-proto header is included in the request from the load balancer, apply the following change to Tomcat's configuration in Foglight: edit [FMS_HOME]/server/tomcat/server.xml and update the RemoteIpValve configuration to specify the hostHeader and portHeader attributes with values of x-forwarded-host and x-forwarded-port respectively.
From:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto" />
To:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
hostHeader="x-forwarded-host"
portHeader="x-forwarded-port"
protocolHeader="x-forwarded-proto" />
WORKAROUND 3
Update the configuration on the load balancer and Foglight to use the default port for HTTP or HTTPS (80 or 443).
To update the port in Foglight, refer to How to change Foglight Management Server port after installation? (4271559).
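To confirm that a workaround took effect, the following added example (not part of the original article and not Quest/Foglight code) parses published SAML metadata and reports every entityID or Location whose scheme, host or port differs from the external URL clients use; the metadata sample is constructed to mirror the :443 versus :8443 mismatch described above.

```python
"""Check that SAML metadata published behind a proxy advertises the same
scheme/host/port as the external URL clients actually use."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: entityID and ACS Location advertise :443 although the
# load balancer is reached on :8443 (the mismatch this article describes).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://foglight.yourdomain.com:443/console/saml2/metadata.xml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://foglight.yourdomain.com:443/console/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def effective_port(url):
    """Port of a URL, applying the protocol default when none is given."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def origin(url):
    """(scheme, host, port) triple; an explicit :443 equals an omitted port."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.hostname, effective_port(url))


def find_mismatches(metadata_xml, external_url):
    """Return (name, url) pairs in the metadata whose origin differs from
    the origin of external_url. An empty list means the ports agree."""
    expected = origin(external_url)
    root = ET.fromstring(metadata_xml)
    urls = [("entityID", root.get("entityID"))]
    for el in root.iter():  # every Location attribute (ACS, SLO, ...)
        loc = el.get("Location")
        if loc:
            urls.append((el.tag.split("}")[-1], loc))
    return [(name, u) for name, u in urls if origin(u) != expected]


if __name__ == "__main__":
    for name, url in find_mismatches(
            SAMPLE_METADATA,
            "https://foglight.yourdomain.com:8443/console/saml2/metadata.xml"):
        print(f"port mismatch in {name}: {url}")
```

In practice, feed it the XML fetched through the load balancer URL and the same URL as external_url.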
STATUS
This issue has been logged as defect Id. FOG-9645 and it is waiting for a fix in a future release of Foglight.