Setting a Default Application in OpenShift Nodes
Background
The default behavior of OpenShift nodes is to redirect requests for unknown applications to host/getting_started.html, usually causing an endless redirect loop.
In some cases we might want to change this behavior, for example when we want a default page (Application not found) to show up, or when a tool such as the Acunetix scanner incorrectly reports the redirect as a medium vulnerability because the redirect uses the injected Host header.
The OpenShift Origin platform used for this article is Origin Release 4, with the nodes using the apache-mod-rewrite frontend plugin (rubygem-openshift-origin-frontend-apache-mod-rewrite-0.7.1.1-1.el6.noarch).
Mechanism
As we can see, routes are loaded from openshift_route.include.
The file is full of route rules, but the interesting part is the RewriteMap clauses at the top of the file:
Nodes and aliases are loaded from DBM files: nodes.db and aliases.db. These files are created from nodes.txt and aliases.txt.
Solution Strategy
To implement a default route for unknown applications, we are going to add a __default__ route at the bottom of routes.txt, inspired by the OpenShift comprehensive deployment guide (https://docs.openshift.org/origin-m4/oo_deployment_guide_comprehensive.html#apache-mod-rewrite-plugin):
[ Reference ]
cat <<EOF > /tmp/nodes.broker_routes.txt
__default__ REDIRECT:/console
__default__/console TOHTTPS:127.0.0.1:8118/console
__default__/broker TOHTTPS:127.0.0.1:8080/broker
EOF
From the reference above, we understand that the __default__ keyword can be used on the left-hand side. For the right-hand side, look up the application that we are going to use as the default application.
[ /etc/httpd/conf.d/openshift/nodes.txt ]
testmed54-test.aon.telkom.co.id 127.12.87.130:8080|550d80da98988b065b000002|550d80da98988b065b000002
testmed54-test.aon.telkom.co.id/health HEALTH|550d80da98988b065b000002|550d80da98988b065b000002
testmed54-test.aon.telkom.co.id/haproxy-status 127.12.87.131:8080/|550d80da98988b065b000002|550d80da98988b065b000002
Choose the line with neither health nor haproxy-status, which is the first line. Copy its right-hand side.
Back up the nodes.txt and nodes.db files before changing anything.
After the last line of nodes.txt, append a new line, combining __default__ on the left-hand side with 127.12.87.130:8080|550d80da98988b065b000002|550d80da98988b065b000002 on the right-hand side:
__default__ 127.12.87.130:8080|550d80da98988b065b000002|550d80da98988b065b000002
Convert nodes.txt to nodes.db:
httxt2dbm -f DB -i /etc/httpd/conf.d/openshift/nodes.txt -o /etc/httpd/conf.d/openshift/nodes.db
It might be necessary to restart httpd after the conversion.
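The manual steps above (pick the application's root route, back up nodes.txt, append the __default__ line) written as a shell function. This is an added example, not part of the original article or of OpenShift's tooling; the function name add_default_route and its return codes are assumptions made for illustration. The httxt2dbm conversion shown above still has to be run afterwards.

```shell
#!/bin/sh
# add_default_route FILE APP_FQDN   (hypothetical helper, not an OpenShift tool)
#   FILE      path to a nodes.txt-style map: "key value" per line
#   APP_FQDN  application whose root route becomes the __default__ target
add_default_route() {
    file=$1 app=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Refuse to add a second __default__ key, so a re-run changes nothing.
    if awk '$1 == "__default__" { found = 1 } END { exit !found }' "$file"; then
        echo "__default__ already present in $file" >&2
        return 2
    fi

    # An exact match on the key selects the root route only, never the
    # APP/health or APP/haproxy-status entries.
    rhs=$(awk -v k="$app" '$1 == k { print $2; exit }' "$file")
    [ -n "$rhs" ] || { echo "no root route for $app in $file" >&2; return 3; }

    # Back up before changing anything.
    cp -p "$file" "$file.bak" || return 4

    # If the file does not end in a newline, add one so the new entry
    # does not get glued onto the previous route.
    [ -z "$(tail -c 1 "$file")" ] || printf '\n' >> "$file"
    printf '__default__ %s\n' "$rhs" >> "$file"
}

# Usage on a node (paths as in the article):
#   add_default_route /etc/httpd/conf.d/openshift/nodes.txt testmed54-test.aon.telkom.co.id
```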
Result
After the change outlined above, the node will direct requests with unknown applications to the default application (for example, testmed54-test).