Accessing Check_MK via HTTPS doesn't redirect properly

[ganto]

There are multiple issues when running Check_MK with HTTPS enabled:

• When accessing the page via entry link https://<server>/<site> an invalid redirect to https://<server>:80/<site>/omd will be returned. This happens because the CGI environment variable ${SERVER_PORT} in /omd/sites/<site>/etc/apache/conf.d/omd.conf is not properly set to 443.
• When accessing the page via https://<server>/<site>/check_mk a redirect to http://<server>/<site>//check_mk/login.py?_origtarget=index.py will be returned. This still needs some investigation. After being authenticated, the access via HTTPS works.

I didn't check yet, if these issues are known to upstream or if this is specific to our setup.

[ganto]

With #10 the most obvious redirect errors should be fixed. Especially access to https://<server>/<site> is fixed now. 😄

If the default patches don't apply correctly, refer to the check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch in checkmk_server__patches.

There are still two issues that https://<server>/<site>/omd and https://<server>/<site>/check_mk (without trailing slash) are redirected to the HTTP site.

But I guess it makes more sense to port the currently used HTTP(S) proxy from the embedded Apache httpd to a Nginx managed by the debops.nginx role to have more control about its configuration. Especially when topics such as PNP4Nagios proxying with distributed WATO will become a topic.

[ypid]

Using Nginx is probably ideal. Another way what I just came up with for an existing setup is to install redirects for the http vhost for the global apache like this:

RewriteEngine on
RewriteRule   "^/(site/.*)"  "https://{{ domain }}/$1"  [R,L]
RewriteRule   "."  "https://{{ domain }}/site/check_mk/"  [R,L]

Maybe even change it to HTTP 307. I would try to avoid patching up OMD where possible 😉

I am using:

OMD - Open Monitoring Distribution Version 1.2.6p12.cre

which does quite a few redirects. As you described the current versions seems to do similar things.

Another thing. Since yesterday there is a debops.apache role. Maybe that comes in handy 😉

[ganto]

Thanks a lot for your hint. I'll try that. 👍

I'll also have a look at the debops.apache role. That's great news.