Check MK 2.2.0 Load-Balancer issue

Hello,

We upgraded to version 2.2.0, we are aware that this one is a beta.

We have a setup where a load balancer, monitoring.example.com, is forwarding traffic to the check-mk instance at an internal IP (Docker container).

Since version 2.2.0 we are unable to log in through the load balancer anymore. Login is only possible through the internal instance IP.

Problem:

After entering the credentials in the login screen:
Looking at the Chrome dev console, it seems the POST request to login.py is going well; it's redirecting with 302 to login.py.

No error message, nothing, just not logged in afterwards.

Currently using docker hub tag: 2.2.0b8

Compare the http headers of a working login attempt with a failed attempt.

I guess some security related headers are now stricter.
Also compare the Cookies, perhaps there is a domain or path mismatch. Something in that direction. Might be that the LB has to append/alter headers to make it work.

BTW, Stable release is available now

Is this set to on for both?

Hello,

Updated to 2.2.0 release. Same issue. MULTISITE seems enabled.
No other changes were made…

#  grep "MULTISITE" etc/ -r
etc/dokuwiki/cookie_auth.php:// Created by OMD hook MULTISITE_COOKIE_AUTH
etc/omd/site.conf:CONFIG_MULTISITE_AUTHORISATION='on'
etc/omd/site.conf:CONFIG_MULTISITE_COOKIE_AUTH='on'
etc/pnp4nagios/config.d/cookie_auth.php:// Created by OMD hook MULTISITE_COOKIE_AUTH

Which version of Checkmk were you using before the upgrade to 2.2, when it worked?

the one working was: 2.1.0p26

Have you already seen this werk?

I am not 100% sure if this applies to your issue, but it could be worth a try to run "omd update-apache-config [site]".

Running the update-apache config didn't help.

Compare the http headers of a working login attempt with a failed attempt.

This was btw mentioned in the initial post: it's 302 redirecting to login, nothing special otherwise about the headers.

still bugged in 2.2.0p2 …

Maybe it's relevant, but the load balancer has htaccess on top in front…

But why is it bugged in newer versions :frowning:
It was working before and it annoys me… any further ideas?

checkmk 2.2 does not like the “authorization” header, stripping it after the auth on the load balancer, before forwarding the request to check-mk fixes the issue…

Sadly nothing mentioned in the changelog about that.

Have you already checked the below?

Thanks, I solved it with my last message.
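
The header comparison suggested in the thread, written out as an added example that is not part of any post: it lists request headers that appear only on the failing path (here an `Authorization` header, the one the thread ends up stripping at the load balancer) and checks cookie Domain/Path scope. All header values, the cookie name, the backend host name and the site path are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed samples (not from the thread): request headers as copied from
# browser dev tools or a capture on the backend, one per login attempt.
WORKING = """Host: 10.0.0.5
Content-Type: application/x-www-form-urlencoded"""
FAILED = """Host: monitoring.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic ZGVtbzpkZW1v
X-Forwarded-For: 192.0.2.10"""

def parse_headers(raw):
    """Parse 'Name: value' lines into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def diff_request_headers(working, failed):
    """Header names seen only in the failing request, then only in the working one."""
    w, f = parse_headers(working), parse_headers(failed)
    return sorted(set(f) - set(w)), sorted(set(w) - set(f))

def cookie_scope_problems(set_cookie_values, host, path):
    """Flag Set-Cookie Domain/Path values a browser would not send back for host+path.
    Simplified matching: suffix match for Domain, prefix match for Path."""
    problems = []
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            domain = morsel["domain"].lstrip(".").lower()
            if domain and host != domain and not host.endswith("." + domain):
                problems.append(f"{name}: Domain={domain} does not cover {host}")
            if morsel["path"] and not path.startswith(morsel["path"]):
                problems.append(f"{name}: Path={morsel['path']} does not cover {path}")
    return problems

if __name__ == "__main__":
    only_failed, only_working = diff_request_headers(WORKING, FAILED)
    print("only in failing request:", only_failed)  # headers added on the LB path
    print("only in working request:", only_working)
    print(cookie_scope_problems(
        ["session_demo=abc; Path=/mysite/; Domain=cmk.internal.example"],
        "monitoring.example.com", "/mysite/check_mk/login.py"))
```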