Hi everyone,

I'm tearing my hair out over a problem…

We’ve got a Centreon open source instance on the latest build, Centreon 22.10.5, running on CentOS 8.7. I’ve configured https on it, following the official documentation. The vhost for Apache is the one shipped in /usr/share/centreon/examples/centreon.apache.https.conf, just modified to fit the right cert & key paths. Everything works well.

Until today…

I’m trying to access our Centreon from the internet behind a Fortigate webvpn. This firewall is able to provide a web portal where users can create bookmarks to access internal resources with protocols like http, rdp, ssh… We’re using this portal to access some servers like our ITSM over http, or a test server with RDP… no problems. Except with Centreon…

The bookmark set on the webvpn portal is exactly https://centreon.domain.local/centreon/login. When I open the bookmark on the Fortigate, there is a redirect loop on /centreon/login…:

I’ve tried with my autologin link, same thing. I’ve tried without https, same thing.

I cannot find which instruction does this redirection. The only vhost enabled is the one for centreon:

Here is the complete vhost configuration:

//// I wanted to insert it here, but I receive an “unknown error” every time I try to save the post… I think the forum engine doesn’t like the special characters (regex) that are in the vhost configuration… ////

I’ve tried to check in the apache access logs if there is a difference between the http requests of the firewall and from my computer, no difference on the initial request, methods, etc.

This one from my computer private IP:

192.168.26.6 - - [14/Apr/2023:18:00:46 +0200] "GET /centreon/main.php?p=20201&autologin=1&useralias=[redacted]&token=[redacted] HTTP/1.1" 200 681 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"

This one from the firewall sNAT IP:

[redacted-firewall-ip] - - [14/Apr/2023:18:00:24 +0200] "GET /centreon/main.php?p=20201&autologin=1&useralias=[redacted]&token=[redacted] HTTP/1.1" 200 681 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"

The complete trace of the loop requests. We can see that the redirect loop begins after the request on centreon/static/2372.deae24b1.chunk.js…

[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/login HTTP/1.1" 200 390 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/main.5879f939.js HTTP/1.1" 200 262 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/runtime~main.65587a9f.js HTTP/1.1" 200 4456 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/5605.31ff4d84.chunk.js HTTP/1.1" 200 15828 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/4662.f8f1c94e.chunk.js HTTP/1.1" 200 32051 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/6561.140e87b0.chunk.js HTTP/1.1" 200 46103 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/1300.030b4482.chunk.js HTTP/1.1" 200 12712 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/7294.b32164f3.chunk.js HTTP/1.1" 200 2626 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/3665.3fc8fda3.chunk.js HTTP/1.1" 200 3158 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/3935.1b6489ef.chunk.js HTTP/1.1" 200 42946 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/9250.b3058b7d.chunk.js HTTP/1.1" 200 14020 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/9655.24c5d70f.chunk.js HTTP/1.1" 200 4214 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/5242.7e2101ed.chunk.js HTTP/1.1" 200 556 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/2248.3aa748f5.chunk.js HTTP/1.1" 200 6864 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/static/2372.deae24b1.chunk.js HTTP/1.1" 200 27709 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/centreon/login HTTP/1.1" 200 390 "https://centreon.domain.lan/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] "GET /centreon/centreon/centreon/login HTTP/1.1" 200 390 "https://centreon.domain.lan/centreon/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:52 +0200] "GET /centreon/centreon/centreon/centreon/login HTTP/1.1" 200 390 "https://centreon.domain.lan/centreon/centreon/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:52 +0200] "GET /centreon/centreon/centreon/centreon/centreon/login HTTP/1.1" 200 390 "https://centreon.domain.lan/centreon/centreon/centreon/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:52 +0200] "GET /centreon/centreon/centreon/centreon/centreon/centreon/login HTTP/1.1" 200 390 "https://centreon.domain.lan/centreon/centreon/centreon/centreon/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:52 +0200] "GET /centreon/centreon/centreon/centreon/centreon/centreon/centreon/login HTTP/1.1" 200 390 "https://centreon.domain.lan/centreon/centreon/centreon/centreon/centreon/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
[redacted-firewall-ip] - - [14/Apr/2023:18:41:52 +0200] "GET /centreon/centreon/centreon/centreon/centreon/centreon/centreon/centreon/login HTTP/1.1" 200 390 "https://centreon.domain.lan/centreon/centreon/centreon/centreon/centreon/centreon/centreon/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"

I’ve tried to disable every “rewrite” or “redirect” instruction in the original vhost configuration without success… the only thing I achieve is to break everything, even from my computer!

Do you guys have an idea… ? 

Thanks !!!!!
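
An added example, not part of the original post: a small Python check that flags the pattern visible in the trace above, where each request path is the Referer's path with one more /centreon prefix. The sample lines are constructed from that trace with the user-agent shortened to "UA", and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def find_prefix_stacking(lines, base="/centreon"):
    """Return requests whose path equals base + the path of their Referer."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None or m["referer"] in ("", "-"):
            continue
        ref_path = urlsplit(m["referer"]).path
        path = m["path"].split("?", 1)[0]
        if ref_path.startswith(base + "/") and path == base + ref_path:
            # depth = how many times the base segment is stacked in the path
            depth = path.strip("/").split("/").count(base.strip("/"))
            hits.append({"time": m["time"], "status": int(m["status"]),
                         "depth": depth, "path": path})
    return hits

def summarize(hits):
    """Condense hits into count, deepest nesting and the status codes seen."""
    return {"count": len(hits),
            "max_depth": max((h["depth"] for h in hits), default=0),
            "statuses": sorted({h["status"] for h in hits})}

# Constructed sample, modelled on the trace in the post (user-agent shortened)
P = '[redacted-firewall-ip] - - [14/Apr/2023:18:41:51 +0200] '
R = 'https://centreon.domain.lan'
SAMPLE = [
    P + '"GET /centreon/login HTTP/1.1" 200 390 "-" "UA"',
    P + f'"GET /centreon/static/2372.deae24b1.chunk.js HTTP/1.1" 200 27709 "{R}/centreon/login" "UA"',
    P + f'"GET /centreon/centreon/login HTTP/1.1" 200 390 "{R}/centreon/login" "UA"',
    P + f'"GET /centreon/centreon/centreon/login HTTP/1.1" 200 390 "{R}/centreon/centreon/login" "UA"',
]

if __name__ == "__main__":
    for hit in find_prefix_stacking(SAMPLE):
        print(hit)
    print(summarize(find_prefix_stacking(SAMPLE)))
```

A `statuses` list containing only 200 means Apache answered each of these requests with a page rather than a 3xx, so the access log alone shows no server-side redirect for them.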

🤔 Are the other apps served through https? Maybe define the full base URI in the Apache config? Or the servername? Sorry, I am not an expert with Fortigate webvpn to know how it gets handled.
