With the announcement of the Spanish forums on forums.opensuse.org this morning, we have new users trying to log in, and it looks like there's an issue with the IdP authentication system - users are reporting 504 Gateway Timeout errors (I'm able to reproduce this in an incognito session). Can someone take a look? Thanks!
Hello, Am Donnerstag, 28. Oktober 2021, 18:14:29 CEST schrieb Jim Henderson:
With the announcement of the Spanish forums on forums.opensuse.org this morning, we have new users trying to log in, and it looks like there's an issue with the IdP authentication system - users are reporting 504 Gateway Timeout errors (I'm able to reproduce this in an incognito session).
Can someone take a look?
Lars and I looked at the issue - both on the login proxy and the apache log on the forums server. Unfortunately we didn't find any obvious problems, and ran out of ideas what could cause the breakage :-( The interesting part is that logging in to other services that also use the login proxy (like the wikis and progress.o.o) works without problems. Actually I just found a workaround: - login on progress.opensuse.org or one of the wikis - go to forums.opensuse.org, and you are logged in That doesn't solve the issue, but at least it's a workaround - and maybe it gives someone an idea where to look for the real issue. Regards, Christian Boltz --
Glaub mir, die Schrott-Quote bei den ATA/Billig-SATA ist enorm, die meisten merken's halt nur nicht. ;) PS. Wir handeln u.a. mit sowas und die Rücklaufrate ist (sehr) hoch. Du bist Schrotthaendler? ;-) [> Mirko Richter und Thomas Hertweck in suse-linux]
Thanks, Christian. On Thu, Oct 28, 2021 at 2:26 PM Christian Boltz <opensuse@cboltz.de> wrote:
Lars and I looked at the issue - both on the login proxy and the apache log on the forums server. Unfortunately we didn't find any obvious problems, and ran out of ideas what could cause the breakage :-(
The interesting part is that logging in to other services that also use the login proxy (like the wikis and progress.o.o) works without problems.
Actually I just found a workaround: - login on progress.opensuse.org or one of the wikis - go to forums.opensuse.org, and you are logged in
That doesn't solve the issue, but at least it's a workaround - and maybe it gives someone an idea where to look for the real issue.
That's very strange. I've been trying off and on today, between meetings, to see if I could get in - I had tried logging into Bugzilla (for example), and actually was able to log in once, but after that first time, upon submitting username/password, I was just getting bounced back to the login page. I just tried that again, and got logged into Bugzilla, but it didn't carry the login over to the forums. What I see when I run a trace is that the authentication goes to https://forums.opensuse.org/ICSLogin/auth-up after entering credentials on the page at https://forums.opensuse.org/ICSLogin/auth-up?url=%2F (after clicking the login link), and it sits on that auth-up page for about 2-3 minutes before the gateway times out. So it seems that whatever is happening behind the scenes at that auth-up URL is not responding. Trying to trace the authentication flow itself (I use a Chrome plugin called "rcFederation Tracer", which traces SAML, OAuth/OIDC, and WS-* protocols), I don't see any data at all. Logging into the wiki first does work for me. I don't know a lot about how the forum authentication configuration is set up - it's not something that is done through the forum admin control panel, and I wasn't involved in that piece of the configuration. Can either of you see where the auth-up URL is supposed to be trying to connect to?
I found the problem on daffy1 curl -6v https://login2.opensuse.org failed because its own IPv6 addr had changed, but /etc/hosts still contained the old 2620:113:80c0:8::161 IP for login2. The difference to wiki probably lies in these macro calls in /etc/apache2/vhosts.d/forums.opensuse.org.conf Use buildserver forums.opensuse.org forums https://login2-ucs.opensuse.org/ opensuse.org http://forum.infra.opensuse.org:80 http://forum.infra.opensuse.org:80 ... vs Use buildserver en.opensuse.org en https://login2-ucs.opensuse.org/ opensuse.org http://proxy-opensuse-ha.login.infra.opensuse.org:80 http://proxy-opensuse-ha.login.infra.opensuse.org:80 The last 2 params probably matter. They are named $proxyurl $redirurl used in RewriteRule ^/((?!error|ICSLogin|cmd/ICSLogout|ICHAINLogout).*) $redirurl/$1 [P,L] <Proxy $proxyurl>
participants (3)
-
Bernhard M. Wiedemann -
Christian Boltz -
Jim Henderson