[PacketFence-users] portal not reachable
Bebbet van Dinges
2017-05-07 17:30:53 UTC
Hello all,

I've done a fresh PF install of 7.0.0. Since then I've got issues trying
to reach the portal (status/unreg).

I've uncovered that the iptables rules had no 'hole' to allow the management
vlan/interface to reach the input-portal-if chain. After assigning another
role to the management interface (additional services: portal) this
'restriction' is gone, and tcpdump shows incoming connections and ACKs.
Yet there is no service*** enabled on port 80 or 443.

OK, there is an httpd.portal service running, but only on 127.0.0.1. After
some digging my understanding is that in
/usr/local/pf/conf/httpd.conf.d/httpd.portal.tt a foreach section
exists that generates the URLs/IPs to listen on. After a little more
digging I found sub vhosts in
/usr/local/pf/lib/pf/services/manager/httpd_portal.pm.

# Returns the list of addresses the portal vhosts are generated for.
sub vhosts {
    my ($self) = @_;
    if ($cluster_enabled) {
        # Clustered: one entry per internal/portal interface, preferring
        # the virtual IP (Tvip) over the interface IP (Tip), deduplicated.
        return [
            uniq map {
                defined $_->{'Tvip'} && $_->{'Tvip'} ne '' ?
                    $_->{'Tvip'} : $_->{'Tip'}
            } @internal_nets, @portal_ints
        ];
    } else {
        # Not clustered: only listen on localhost.
        return ["127.0.0.1"];
    }
}

My setup is not cluster enabled, so the else branch is taken, and
127.0.0.1 is the output of vhosts, which in turn only enables the portal
on localhost.

How do I enable more vhosts, or did I uncover some kind of bug/loophole?

Hope to hear from you soon,
Yours sincerely,
Bebbet
Durand fabrice
2017-05-07 17:55:30 UTC
Hello Bebbet,

haproxy is in front of the apache portal, so have a look at haproxy and
restart it.

Regards

Fabrice
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
Bebbet van Dinges
2017-05-07 18:23:09 UTC
Hello Fabrice,

Firstly, thanks!

On the admin panel, haproxy is down. When I try to start it I get a
non-descriptive error:

May 07 20:20:35 networklogon.desaad.nl haproxy-systemd-wrapper[19157]:
[ALERT] 126/202035 (19159) : Fatal errors found in configuration.

Any hint on where to look next? I'll try to get a better error; when
I succeed, I'll let you know.

Bebbet
Durand fabrice
2017-05-07 18:30:05 UTC
What happens when you run this:

/usr/sbin/haproxy -f /usr/local/pf/var/conf/haproxy.conf

Also, can you paste the generated haproxy configuration?

Fabrice
Bebbet van Dinges
2017-05-07 18:32:03 UTC
[***@networklogon conf]# haproxy -f /usr/local/pf/var/conf/haproxy.conf
[ALERT] 126/202619 (19690) : parsing
[/usr/local/pf/var/conf/haproxy.conf:110] : 'bind 172.16.230.3:443' :
unable to load SSL private key from PEM file
'/usr/local/pf/conf/ssl/server.pem'.
[ALERT] 126/202619 (19690) : parsing
[/usr/local/pf/var/conf/haproxy.conf:156] : 'bind 172.16.200.3:443' :
unable to load SSL private key from PEM file
'/usr/local/pf/conf/ssl/server.pem'.
[ALERT] 126/202619 (19690) : parsing
[/usr/local/pf/var/conf/haproxy.conf:202] : 'bind 172.16.20.220:443' :
unable to load SSL private key from PEM file
'/usr/local/pf/conf/ssl/server.pem'.
[ALERT] 126/202619 (19690) : Error(s) found in configuration file :
/usr/local/pf/var/conf/haproxy.conf
[WARNING] 126/202619 (19690) : Proxy 'stats': in multi-process mode,
stats will be limited to process assigned to the current request.
[ALERT] 126/202619 (19690) : Proxy 'portal-https-172.16.230.3': no SSL
certificate specified for bind '172.16.230.3:443' at
[/usr/local/pf/var/conf/haproxy.conf:110] (use 'crt').
[ALERT] 126/202619 (19690) : Proxy 'portal-https-172.16.200.3': no SSL
certificate specified for bind '172.16.200.3:443' at
[/usr/local/pf/var/conf/haproxy.conf:156] (use 'crt').
[ALERT] 126/202619 (19690) : Proxy 'portal-https-172.16.20.220': no SSL
certificate specified for bind '172.16.20.220:443' at
[/usr/local/pf/var/conf/haproxy.conf:202] (use 'crt').
[ALERT] 126/202619 (19690) : Fatal errors found in configuration.

Seems like the same error as Hans Johnson's.

cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key \
  > /usr/local/pf/conf/ssl/server.pem

worked for me as well; it seems to be working now!

Thanks for helping out! If more trouble arises, I'll let you know.

Yours sincerely,
Bebbet
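The fix in the message above, and the haproxy alerts that led to it, come down to one requirement: a `bind <ip>:443 ssl crt <file>` line in haproxy expects a single PEM file holding the certificate followed by its private key, and a cert-only or key-only file fails at parse time with "unable to load SSL private key from PEM file". The script below is an added example, not PacketFence code and not something from the thread: it builds that bundle and checks it before haproxy is restarted. The `make_fixture`, `build_bundle` and `check_bundle` helper names are this example's own; the PEM bodies it writes are constructed placeholders, not key material, so it runs offline without touching /usr/local/pf/conf/ssl.

```shell
#!/bin/sh
# Added example, not PacketFence code: build the combined certificate+key
# PEM that haproxy's "bind <ip>:443 ssl crt <file>" expects, then sanity-check
# it before restarting haproxy. Helper names and fixture paths are assumptions.

# Construct placeholder PEM files in $1 (fake bodies, NOT real key material),
# so the script can be run anywhere without the real PacketFence files.
make_fixture() {
  dir="$1"
  mkdir -p "$dir" || return 1
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
    '-----END CERTIFICATE-----' > "$dir/server.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' \
    '-----END PRIVATE KEY-----' > "$dir/server.key"
}

# build_bundle CRT KEY OUT: certificate first, then the private key. The
# bundle carries the private key, so it is written with mode 0600.
build_bundle() {
  crt="$1" key="$2" out="$3"
  [ -r "$crt" ] && [ -r "$key" ] || return 2
  ( umask 077 && cat "$crt" "$key" > "$out" )
}

# check_bundle FILE: returns 0 if FILE holds at least one certificate block
# and one private-key block, 1 otherwise. A cert-only or key-only file is
# exactly what produces the "unable to load SSL private key" alert.
check_bundle() {
  f="$1"
  [ -r "$f" ] || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
  grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" || return 1
  # With real material and openssl installed, also confirm the key belongs
  # to the certificate (same public key). Skipped for the placeholder fixture
  # because openssl cannot parse it.
  if command -v openssl >/dev/null 2>&1 \
     && openssl x509 -in "$f" -noout >/dev/null 2>&1; then
    c=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ] || return 3
  fi
  return 0
}

# Stand-alone demonstration on the constructed fixture in a temp directory.
# On a PacketFence host the real inputs would be
# /usr/local/pf/conf/ssl/server.crt and server.key, with server.pem as output.
demo=$(mktemp -d) || exit 1
make_fixture "$demo"
build_bundle "$demo/server.crt" "$demo/server.key" "$demo/server.pem"
if check_bundle "$demo/server.pem"; then
  echo "bundle OK: $demo/server.pem"
else
  echo "bundle INCOMPLETE: $demo/server.pem" >&2
fi
```

After writing the real server.pem, validate the generated configuration without starting the daemon using haproxy's check mode, `haproxy -c -f /usr/local/pf/var/conf/haproxy.conf`, which exits non-zero on the same "Fatal errors found in configuration" the thread shows; only then restart the service. Keep the bundle at mode 0600, since unlike server.crt it now contains the private key.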