Unable to use reverse proxy on Capsule servers to access WebUI of the Red Hat Satellite after upgrading to 6.15.
Environment
- Red Hat Satellite 6.15.
Issue
-
Unable to access Satellite WebUI using reverse proxy on Capsule servers after upgrading to 6.15
-
Log in fails with error
CSRF protection token expired, please log in again
Resolution
-
The functionality is This content is not included.being phased out in Satellite 6.15 and access to port 8443 on Capsule servers will be This content is not included.removed in Satellite 6.16.
-
For more information, open a This content is not included.support case with
Red Hat Technical Support Team.
Root Cause
-
In Satellite 6.11, we deprecated the use of port 8443, which included its complete access to the Satellite API, and consolidated on port 443. The reverse proxy on port 443 has a limited surface area focused on specific client APIs.
-
On Satellite 6.16, port 8443 is not just deprecated but also disabled by default and Satellite engineering team has no plans to enable it. This all goes back to having some security concerns about:
-
able to access satellite webui via capsule ( acting as reverse proxy ).
-
able to execute any API calls on satellite, though capsules.
and hence, right now, the only API endpoints that are allowed to work through external capsules are the build and registration-related endpoints via 443 and 9090.
-
Diagnostic Steps
-
The following error is reported in the production log during the login process.
2024-01-01T00:00:00 [W|app|0000000] HTTP Origin header (https://proxy.example.com) didn't match request.base_url (https://satellite.example.com)
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.