Sunstone 401 error + NGINX

We are getting 401 errors in the sunstone.log. This is a single server setup with Nginx reverse proxy
443 → default

Even checking the “keep me logged in” produces the 401 error after a short while and logs the user out.

Mon Aug 09 11:18:08 2021 [I]: x.x.x.x., x.x.x.x - - [09/Aug/2021:11:18:08 +0000] "GET /group?timeout=false&pool_filter=-2&csrftoken=de1d435d5b63a0fc3hc357a8ea2adc278cafdedf6bbba95a9d2358113197fbc8 HTTP/1.1" 401 - 0.0015

FireEdge is disabled in sunstone-server.conf
Everything else currently seems to work without issues.

OpenNebula version 6.0.0.2
O/S: Ubuntu 20.04


Hi @cvccc ,

Are you using the correct credentials? Can you try clearing the browsing cache and logging in again?

Cheers.

Hi Ricardo

Yes, this happens to different users on different systems, so I don’t think it is related to user details or browser cache.

This is a copy of the nginx config we are currently testing. Do you see any issues with this, or know of a better working config for the OpenNebula version we are using? We also need to allow noVNC as well.

# No squealing.

server_tokens off;

# OpenNebula Sunstone upstream

upstream sunstone {
server 127.0.0.1:9869;
}

# Added 02/08/2021

upstream websocketproxy {
server 127.0.0.1:29876;
}

# XXXXXX HTTP virtual host

server {
listen 80;
server_name XXXXXX;

     ### Permanent redirect to HTTPS (optional)
     return 301 https://$server_name:443;

}

# XXXXXX HTTPS virtual host

server {
listen 443 ssl;
server_name XXXXXX;
root /usr/share/nginx/html;

     error_page 404 /404.html;
             location = /40x.html {
     }

     error_page 500 502 503 504 /50x.html;
             location = /50x.html {
     }

     ### SSL Parameters
     #ssl on;
     ssl_certificate /etc/ssl/certs/origin.pem;
     ssl_certificate_key /etc/ssl/private/origin.key;
     ssl_stapling on;

     ### Proxy requests to upstream
     location / {

             # Handle inconsistency in the websockify URLs provided by Sunstone

             if ($args ~* "host=.+&port=.+&token=.+&encrypt=.*") {
                     rewrite ^/$ /websockify/ last;
             }

             proxy_pass http://sunstone;
             proxy_redirect     off;
             log_not_found      off;
             proxy_set_header   X-Real-IP $remote_addr;
             proxy_set_header   Host $http_host;
             proxy_set_header   X-Forwarded-FOR $proxy_add_x_forwarded_for;

             #proxy_pass              http://sunstone;
             #proxy_set_header        X-Real-IP $remote_addr;
             #proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
             #proxy_set_header        X-Forwarded-Proto $scheme;
     }

     # added 02/08/2021

     location /websockify {
             proxy_http_version 1.1;
             proxy_pass https://websocketproxy;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "upgrade";
             proxy_read_timeout 61s;
             proxy_buffering off;
     }

}

Many thanks for your help on this.
Rgds - Lee

Can you share the content of /var/log/one/sunstone.log?

Hi, this is a copy of a line from the sunstone.log. Apart from this, there is no other information.

Mon Aug 09 11:18:08 2021 [I]: x.x.x.x., x.x.x.x - - [09/Aug/2021:11:18:08 +0000] "GET /group?timeout=false&pool_filter=-2&csrftoken=de1d435d5b63a0fc3hc357a8ea2adc278cafdedf6bbba95a9d2358113197fbc8 HTTP/1.1" 401 - 0.0015

Logging level is default.

Hello.

I have a working configuration for OpenNebula 5.12 on Debian Buster, and this configuration produces errors with 6.0.0.2-1.ce when logging in to Sunstone.

I can log in, I quickly see the dashboard and then get logged out.

This is a test machine without any SSL, it’s just to test before upgrading our production infrastructure to 6.0.

lsb_release -a
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster
dpkg -l opennebula* | grep ^ii
ii  opennebula-common                     6.0.0.2-1.ce all          Common OpenNebula package shared by various components (Community Edition)
ii  opennebula-common-onecfg              6.0.0.2-1.ce all          Helpers for OpenNebula onecfg (Community Edition)
ii  opennebula-fireedge                   6.0.0.2-1.ce amd64        OpenNebula web interface FireEdge (Community Edition)
ii  opennebula-flow                       6.0.0.2-1.ce all          OpenNebula Flow server (Community Edition)
ii  opennebula-gate                       6.0.0.2-1.ce all          OpenNebula Gate server (Community Edition)
ii  opennebula-libs                       6.0.0.2-1.ce all          OpenNebula libraries (Community Edition)
ii  opennebula-node-kvm                   6.0.0.2-1.ce all          Services for OpenNebula KVM node (Community Edition)
ii  opennebula-provision                  6.0.0.2-1.ce all          OpenNebula infrastructure provisioning (Community Edition)
ii  opennebula-provision-data             6.0.0.2-1.ce all          OpenNebula infrastructure provisioning data (Community Edition)
ii  opennebula-rubygems                   6.0.0.2-1.ce all          Ruby dependencies for OpenNebula (Community Edition)
ii  opennebula-sunstone                   6.0.0.2-1.ce all          OpenNebula web interface Sunstone (Community Edition)
ii  opennebula-tools                      6.0.0.2-1.ce all          OpenNebula command line tools (Community Edition)
/etc/nginx/sites-enabled/nebula
upstream oned {
	server 127.0.0.1:2633;
}

upstream sunstone {
	server unix:/run/one/sunstone.socket;
}

upstream onegate {
	server 127.0.0.1:5030;
}

upstream websocketproxy {
	server 127.0.0.1:29876;
}

# Workaround https://github.com/OpenNebula/addon-context-linux/issues/218
map $http_x_onegate_token $one_frontend {
	"~.+" "onegate";
	default "sunstone";
}

server {
	listen 192.168.230.14:80 default_server;

	root /usr/lib/one/sunstone/public;
	index index.html index.htm;

	server_name grichka.eole.lan;

	access_log  /var/log/nginx/opennebula-sunstone-access.log;
	error_log  /var/log/nginx/opennebula-sunstone-error.log;

	client_max_body_size 50G;
	proxy_hide_header "X-Content-Type-Options";
	underscores_in_headers on;

	location / {
		try_files $uri @sunstone;
	}

	location /RPC2 {
		include proxy_params;
		proxy_pass http://oned;
	}

	location /websockify {
		proxy_pass http://websocketproxy;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_send_timeout 30m;
		proxy_read_timeout 30m;
	}

	location @sunstone {
		# Admin only connection
		# allow 192.168.230.30;
		# deny all;
		include proxy_params;
		proxy_pass_request_headers on;
		# Either Sunstone or onegate based on x_onegate_token header
		proxy_pass http://$one_frontend;
	}
}
/var/log/one/sunstone.log
Mon Oct 18 16:23:24 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:24 +0200] "GET / HTTP/1.0" 200 - 0.0023
Mon Oct 18 16:23:29 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:29 +0200] "POST /login HTTP/1.0" 204 - 0.3312
Mon Oct 18 16:23:29 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:29 +0200] "GET / HTTP/1.0" 200 - 0.0277
Mon Oct 18 16:23:29 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:29 +0200] "GET /datastore?timeout=true&pool_filter=-2&csrftoken=5fe5974325759231722adccbefa614e34d6af761968418e9134a211203ff9447 HTTP/1.0" 200 - 0.0065
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /support/check?csrftoken=5fe5974325759231722adccbefa614e34d6af761968418e9134a211203ff9447 HTTP/1.0" 400 - 0.0014
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /support/check/version?csrftoken=5fe5974325759231722adccbefa614e34d6af761968418e9134a211203ff9447 HTTP/1.0" 401 - 0.0013
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /vm?timeout=false&pool_filter=-2&csrftoken=5fe5974325759231722adccbefa614e34d6af761968418e9134a211203ff9447 HTTP/1.0" 401 - 0.0011
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /user?timeout=false&pool_filter=-2&csrftoken=5fe5974325759231722adccbefa614e34d6af761968418e9134a211203ff9447 HTTP/1.0" 401 - 0.0012
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /group?timeout=false&pool_filter=-2&csrftoken=5fe5974325759231722adccbefa614e34d6af761968418e9134a211203ff9447 HTTP/1.0" 401 - 0.0016
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /image?timeout=false&pool_filter=-2&csrftoken=5fe5974325759231722adccbefa614e34d6af761968418e9134a211203ff9447 HTTP/1.0" 401 - 0.0014
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /vnet?timeout=false&pool_filter=-2&csrftoken=5fe5974325759231722adccbefa614e34d6af761968418e9134a211203ff9447 HTTP/1.0" 401 - 0.0013
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /host?timeout=false&pool_filter=-2&csrftoken=5fe5974325759231722adccbefa614e34d6af761968418e9134a211203ff9447 HTTP/1.0" 401 - 0.0017
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /cluster?timeout=false&pool_filter=-2&csrftoken=5fe5974325759231722adccbefa614e34d6af761968418e9134a211203ff9447 HTTP/1.0" 401 - 0.0014
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /user/2?id=2&csrftoken=5fe5974325759231722adccbefa614e34d6af761968418e9134a211203ff9447 HTTP/1.0" 401 - 0.0012
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /login HTTP/1.0" 200 - 0.0044

Regards.

Hello, can you tell me what are the steps to replicate the error?

Hello @jlobo.

I made another simpler test and found out that my issue is using unicorn.

It’s working fine using the standard opennebula-sunstone.service.

I’ll try to use passenger.

And I finally found my issue ⮕ install memcached with ruby-dalli and configure sunstone to use it 🤦

Sorry for the noise.
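
An added example (not from any poster in this thread): a small Python check that scans sunstone.log for the pattern in the excerpt above, a successful POST /login followed within seconds by 401 responses on csrftoken-bearing requests from the same client. The function name, the 60-second window and the shortened sample lines are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the sunstone.log excerpt in this thread
# (query strings shortened, csrftoken replaced by a placeholder).
SAMPLE_LOG = """\
Mon Oct 18 16:23:24 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:24 +0200] "GET / HTTP/1.0" 200 - 0.0023
Mon Oct 18 16:23:29 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:29 +0200] "POST /login HTTP/1.0" 204 - 0.3312
Mon Oct 18 16:23:29 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:29 +0200] "GET /datastore?timeout=true&csrftoken=TOKEN HTTP/1.0" 200 - 0.0065
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /vm?timeout=false&csrftoken=TOKEN HTTP/1.0" 401 - 0.0011
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /user?timeout=false&csrftoken=TOKEN HTTP/1.0" 401 - 0.0012
Mon Oct 18 16:23:30 2021 [I]: 192.168.230.30 - - [18/Oct/2021:16:23:30 +0200] "GET /login HTTP/1.0" 200 - 0.0044
Mon Oct 18 16:30:00 2021 [I]: 192.168.230.31 - - [18/Oct/2021:16:30:00 +0200] "GET /vm?csrftoken=TOKEN HTTP/1.0" 401 - 0.0010
"""

# The client field may be one address or a forwarded chain ("a, b"), so it is
# matched lazily up to the " - - [" separator.
LINE_RE = re.compile(
    r'\[I\]: (?P<client>.+?) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def find_dropped_sessions(log_text, window=timedelta(seconds=60)):
    """Return {client: [paths]} for 401s on csrftoken requests that follow a
    successful POST /login from the same client within `window`."""
    last_login = {}  # client -> time of the most recent successful login
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an access-log line
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        client, status = m["client"], int(m["status"])
        path, _, query = m["path"].partition("?")
        if m["method"] == "POST" and path == "/login" and 200 <= status < 300:
            last_login[client] = when
        elif status == 401 and "csrftoken=" in query:
            login = last_login.get(client)
            # A 401 with no recent login is an ordinary expired session.
            if login is not None and when - login <= window:
                findings.setdefault(client, []).append(path)
    return findings


if __name__ == "__main__":
    print(find_dropped_sessions(SAMPLE_LOG))
```

A client that appears in the result logged in successfully and was rejected almost immediately, which is the symptom the last poster traced to his unicorn setup needing memcached for Sunstone.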