Feature #22579

Support https URLs

Added by Marco Mambelli 5 months ago. Updated 16 days ago.

Status: Feedback
Priority: Urgent
Assignee:
Category: -
Target version:
Start date: 05/10/2019
Due date:
% Done: 0%
Estimated time:
Stakeholders: Fermilab
Duration:

Description

As requested by Fermilab, Frontend and Factory should also support https.

Frontend and Factory use their web servers for the staging and monitoring pages:
  • staging must continue to use http, otherwise caching is not possible. Even if the files are small, the number of glideins is high and caching is essential
  • monitoring pages should use https by default

This means that:
- Apache configuration should be changed accordingly
- It should be possible to keep http for sites that desire so (provide instructions and/or alternative/commented config file)

The initial request from Fermilab was to move to https, but a move of everything is not possible for the reasons expressed above.

History

#1 Updated by Marco Mambelli 3 months ago

Even if small in size, the files from the Factory and Frontend are downloaded by thousands of glideins. They rely heavily on HTTP proxies. Https would increase the load on the server and the latency for all jobs. We found no way to cache the files with https. Proxies are considered to be Man-in-the-Middle attackers.

Only the monitoring pages should be moved to https.
Https should be enabled and the http requests for the monitoring area should be redirected to https.

An exemption should be requested for the staging area.

#2 Updated by Marco Mambelli 3 months ago

  • Assignee set to Dennis Box

#3 Updated by Marco Mambelli about 2 months ago

  • Target version changed from v3_5_1 to v3_6_1

#4 Updated by Marco Mambelli 30 days ago

  • Assignee changed from Dennis Box to Lorena Lobato Pardavila

#5 Updated by Marco Mambelli 29 days ago

  • Priority changed from Normal to Urgent

#6 Updated by Marco Mambelli 29 days ago

  • Description updated (diff)

#7 Updated by Lorena Lobato Pardavila 27 days ago

  • Status changed from New to Work in progress

#8 Updated by Lorena Lobato Pardavila 16 days ago

  • Assignee changed from Lorena Lobato Pardavila to Dennis Box
  • Status changed from Work in progress to Feedback

Changes done in v35/22579.

Now HTTPS connection is enabled for monitoring pages.

llobato@mac-126950:~/gwms_redmine_v36/glideinwms$ curl -I https://fermicloud332.fnal.gov/factory/monitor/
HTTP/1.1 200 OK
Date: Sat, 28 Sep 2019 22:53:52 GMT
Server: Apache/2.2.15 (Scientific Linux)
Last-Modified: Fri, 20 Sep 2019 22:45:59 GMT
ETag: "8008b-1793-59303d575b7c0" 
Accept-Ranges: bytes
Content-Length: 6035
Connection: close
Content-Type: text/html; charset=UTF-8

And also it's automatically redirected if typing http:

llobato@mac-126950:~/gwms_redmine_v36/glideinwms$ curl -I http://fermicloud332.fnal.gov/factory/monitor/
HTTP/1.1 301 Moved Permanently
Date: Sat, 28 Sep 2019 22:53:47 GMT
Server: Apache/2.2.15 (Scientific Linux)
Location: https://fermicloud332.fnal.gov/factory/monitor/
Connection: close
Content-Type: text/html; charset=iso-8859-1

Tested also in the web browsers Safari and Chrome (especially in incognito windows to double-check possible cache issues)

Instructions to enable or disable HTTPS connections are in https://glideinwms.fnal.gov/doc.prd/components/prerequisites.html#system_httpd

Notice that module mod_ssl must be installed in advance to have https working. Also, due to issues with modules oversteps (and to make things easier for the installation), the mod_ssl load must be commented in ssl.conf as it's coming by default in the gwms-service.conf.
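
The split policy in this ticket (monitoring redirected to https, staging left on http for proxy caching) can be checked from `curl -I` output after each Apache change. The following is an added example, not GlideinWMS code: the function names are hypothetical, MONITOR_HTTP is abridged from the output above, and the other sample is constructed.

```python
from urllib.parse import urlsplit

# Abridged from the `curl -I http://.../factory/monitor/` output on this page.
MONITOR_HTTP = """HTTP/1.1 301 Moved Permanently
Server: Apache/2.2.15 (Scientific Linux)
Location: https://fermicloud332.fnal.gov/factory/monitor/
Connection: close
"""
# Constructed sample: an area answering directly over plain http.
SERVED_OVER_HTTP = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
"""

def parse_head(raw):
    """Split `curl -I` output into (status_code, {lowercased header: value})."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_http_response(requested_url, raw, must_redirect):
    """Return the list of policy violations for one plain-http request.

    must_redirect=True:  monitoring area, must be permanently redirected
                         to the same host and path over https.
    must_redirect=False: staging area, must be served directly over http
                         so that proxies can keep caching it.
    """
    status, headers = parse_head(raw)
    req = urlsplit(requested_url)
    if not must_redirect:
        return [] if status == 200 else ["expected 200 over http, got %d" % status]
    if status not in (301, 308):
        return ["expected permanent redirect, got %d" % status]
    problems = []
    loc = urlsplit(headers.get("location", ""))
    if loc.scheme != "https":
        problems.append("Location is not https: %r" % headers.get("location"))
    if loc.hostname != req.hostname:
        problems.append("redirect changes host to %r" % loc.hostname)
    if loc.path != req.path:
        problems.append("redirect changes path to %r" % loc.path)
    return problems
```

An empty list means the response matches the policy; the same function with must_redirect=False flags a staging URL that was accidentally swept into the redirect.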


