Hi,
A redirect with the openremote/proxy container drops the parameter realm=customer if the login link starts with https. The redirect with a blank or http in front of the link works perfectly. It is expected that the redirect with https in front of the link will not drop the realm parameter.
These are the relevant variables in my environment. I used the latest openremote/proxy image from dockerhub.
OR_HOSTNAME="cerebro.cattlewatchafrica.com"
OR_ADDITIONAL_HOSTNAMES="cerebro.cattlewatchafrica.com,vaalharts.cattlewatchafrica.com"
PROXY_HOST_REDIRECT_1_NAME="vaalharts.cattlewatchafrica.com"
PROXY_HOST_REDIRECT_1_TARGET="/manager/?realm=vaalharts"
The following redirects happen:
- OK redirect: http://vaalharts.cattlewatchafrica.com/ redirects to https://cerebro.cattlewatchafrica.com/manager/?realm=vaalharts
- OK redirect: http://vaalharts.cattlewatchafrica.com redirects to https://cerebro.cattlewatchafrica.com/manager/?realm=vaalharts
- NOK redirect: https://vaalharts.cattlewatchafrica.com/ redirects to http://vaalharts.cattlewatchafrica.com/manager
My customers complain they cannot log in to the application. That is normal, as they try to log in with the realm credentials on the master realm.
For the sake of completeness, here is the curl log of the failure case. I am not a haproxy expert. Is there a solution or workaround available for that?
$ curl -v https://vaalharts.cattlewatchafrica.com
* Trying 34.251.122.127:443...
* TCP_NODELAY set
* Connected to vaalharts.cattlewatchafrica.com (34.251.122.127) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=vaalharts.cattlewatchafrica.com
* start date: Aug 24 14:44:03 2023 GMT
* expire date: Nov 22 14:44:02 2023 GMT
* subjectAltName: host "vaalharts.cattlewatchafrica.com" matched cert's "vaalharts.cattlewatchafrica.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: vaalharts.cattlewatchafrica.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< location: http://vaalharts.cattlewatchafrica.com/manager
< content-length: 0
< date: Thu, 24 Aug 2023 20:02:44 GMT
<
* Connection #0 to host vaalharts.cattlewatchafrica.com left intact
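Added example (not part of the report above, and not OpenRemote project code): a small check that takes the Location header a proxy returns and flags the three things that go wrong in the https case described here, namely a downgrade to http, a redirect to the wrong host, and a dropped realm query parameter. The two Location values are the ones quoted in the report; the expected host, path and parameters are assumptions taken from the PROXY_HOST_REDIRECT_1_* variables.

```python
from urllib.parse import urlsplit, parse_qs


def check_redirect(location: str, expected_host: str, expected_path: str,
                   expected_query: dict) -> list:
    """Return a list of problems with a redirect Location header; [] means OK.

    A host redirect that is meant to land users on a per-realm login page must
    keep https, point at the manager host and keep every expected query key.
    """
    problems = []
    parts = urlsplit(location)

    # A redirect that downgrades to http sends the login flow over plaintext.
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")

    # The redirect should land on the manager host, not loop on the alias.
    if parts.hostname != expected_host:
        problems.append(f"host is {parts.hostname!r}, expected {expected_host!r}")

    # Trailing slash differences are harmless; compare normalised paths.
    if parts.path.rstrip("/") != expected_path.rstrip("/"):
        problems.append(f"path is {parts.path!r}, expected {expected_path!r}")

    # Every expected query parameter (here: realm) must survive the redirect,
    # otherwise users end up authenticating against the master realm.
    query = parse_qs(parts.query)
    for key, value in expected_query.items():
        if query.get(key) != [value]:
            problems.append(f"query parameter {key!r} missing or wrong: got {query.get(key)}")
    return problems


# Constructed sample: the two Location values quoted in the report above.
SAMPLE_LOCATIONS = {
    "http-origin": "https://cerebro.cattlewatchafrica.com/manager/?realm=vaalharts",
    "https-origin": "http://vaalharts.cattlewatchafrica.com/manager",
}


def check_samples() -> dict:
    """Run the check over the constructed samples; returns {label: problems}."""
    return {
        label: check_redirect(loc, "cerebro.cattlewatchafrica.com",
                              "/manager", {"realm": "vaalharts"})
        for label, loc in SAMPLE_LOCATIONS.items()
    }


if __name__ == "__main__":
    for label, problems in check_samples().items():
        print(label, "OK" if not problems else problems)
```

To run it against a live proxy, feed it the `location:` header from `curl -sI https://<alias host>/` instead of the constructed sample.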