Solve the SAMEORIGIN error when iframe is embedded in VMware vRops

Background:

VMware vRealize Operations is cloud-based IT operations management software that provides automated, intelligent and collaborative IT operations management to support business continuity while providing better system performance, reliability and security.
VMware vRealize Operations provides industry-leading performance and capacity management, as well as cloud planning and optimization, with the following capabilities:
1. Multi-cloud management: Provides comprehensive real-time performance monitoring of multiple cloud environments (including VMware, AWS, Azure, etc.), and supports cloud planning and optimized management.
2. Intelligent and automated: Intelligently analyzes data and performs automated operations to reduce repetitive tasks for operation and maintenance personnel.
3. Capacity management: Monitors system capacity, generates reports and predicts upcoming needs.
4. Performance optimization: Provides analysis tools to monitor system health in real time and to discover and solve potential problems.
5. Collaborative operation and maintenance: Brings faster solutions, enables cross-department and cross-functional collaboration, and saves time and labor costs.
VMware vRealize Operations also provides cost optimization, security and compliance functions and is a comprehensive performance management and collaboration management software designed for enterprise IT operations management.

Brief description:

When using an iframe to embed a dashboard shared by VMware vRops (vRealize Operations Manager), the error message "xxx rejected our connection request" appears on the page. The browser console shows "Refused to display 'https://***/' in a frame because it set 'X-Frame-Options' to 'sameorigin'."

This error occurs because VMware vRealize Operations sets the X-Frame-Options header to SAMEORIGIN by default, which prevents pages under other domain names from embedding this page, so the shared dashboard cannot be embedded in an iframe. This is done for security reasons, to avoid unnecessary cross-site scripting attacks (XSS attacks). You can try the following methods to resolve this issue:

  1. Set vROps' X-Frame-Options to ALLOW-FROM to allow specific websites or domains to embed vROps shared dashboards in iframes.
  2. Try using a reverse proxy service, such as Nginx or Apache, to embed the vROps shared dashboard into your website.
  3. Another solution is to use a browser plug-in such as "Ignore X-Frame-Options Header" to ignore the frame policy.

After searching, I noticed that there is another way: modifying the dashboard settings through the REST API of VMware vRealize Operations (vRealize Ops API), accessed with the curl command. In the curl command you specify the ID of the dashboard to be updated, the authentication token, and the settings to be changed. This method seems more cumbersome, so it is only introduced here; readers who like to tinker can refer to it. The documentation of the vRealize Ops API can be accessed at https://vRopsIPaddress/suite-api/docs/rest/internal_index.html. You can also refer to VMware's official documentation, the vRealize Operations Manager API Programming Guide.

Example given by the smart assistant:

curl -i -X PUT -H "Content-Type: application/json" -H "Authorization: Basic $(echo -n 'admin:your_password' | base64)" -d '{"allowedOrigins":["https://your-domain.com"]}' https://localhost/suite-api/api/settings/security/same-origin

It's important to note that these workarounds may increase security risks, so carefully weigh the pros and cons before implementing them.

Text:

1. Use plug-ins

Testing confirms that a plug-in can indeed make the browser ignore the X-Frame-Options header set by the server. The recommended plug-in is "Allow X-Frame-Options", version "0.1.0". In Edge you can search for the extension in the app store and install it directly; for Chrome, you can install the plug-in with Edge first and then "transfer" it to Chrome. The Edge extension directory is usually C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Default\Extensions

After installation, click the plug-in icon to open it and test whether X-Frame-Options can be blocked.

Using plug-ins is simple and effective, but it may not meet the needs of every application or project. The once-and-for-all solution is to modify the server security configuration ↓

2. Modify server configuration

Please note: This method has only been tested on vRealize-Operations-Manager-8.5.0.18255622 and vRealize-Operations-Manager-8.2.0.16949153. Other versions or similar products may require different configuration files to be modified.

You should keep a backup before modifying any configuration, preferably by creating a snapshot or clone of the management VM!

Since the product uses the Apache + Tomcat architecture, testing shows that modifying the web.xml file in the /usr/lib/vmware-vcops/tomcat-web-app/webapps/ui/WEB-INF directory achieves the purpose.

Open the web.xml file for editing. Add the following code inside the <web-app> tag:

When editing the web.xml file, take care to retain the default configuration items. Depending on the version of Tomcat used, there may be different default configurations. If you are not familiar with editing configuration files, be sure to back up web.xml before editing it.

This code uses Apache Tomcat's own HttpHeaderSecurityFilter filter to disable X-Frame-Options, allowing all sources to embed vROps shared dashboards. Please note that this change is a security risk, as it makes your site vulnerable to clickjacking attacks. If you need more security, use more secure settings.

Save the changes and restart the VMware vRealize Operations virtual machine to test whether they take effect. Although it is possible to restart the service with commands such as systemctl restart httpd or service vmware-vcops --full-restart, it is recommended to restart the vRops virtual machine after the modification is completed to verify it. Simply restarting the service sometimes does not take effect and produces errors.
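To check what a browser will actually do with the headers the appliance returns after the change, the following added example (not code from the original post or from VMware) models the framing decision for each option listed earlier. It goes beyond the post by also covering the Content-Security-Policy frame-ancestors directive, which a reverse proxy can add; the hostnames and header sets are constructed placeholders, and source matching is simplified to exact origins, 'self', 'none' and *.

```python
from urllib.parse import urlsplit

# Constructed sample values; hostnames are placeholders, not from the post.
VROPS = "https://vrops.example.internal/ui/"
PORTAL = "https://portal.example.com/wall"
STRANGER = "https://unrelated.example.net/"
SAMPLES = {
    "default": {"X-Frame-Options": "SAMEORIGIN"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://portal.example.com"},
    "header removed": {},
    "proxy adds CSP": {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy":
                       "frame-ancestors 'self' https://portal.example.com"},
}

def origin(url):
    """scheme://host[:port], lower-cased (default ports are not normalised)."""
    return "{0.scheme}://{0.netloc}".format(urlsplit(url)).lower()

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_verdict(headers, page_url, embedder_url):
    """Return (allowed, reason) for embedder_url framing page_url."""
    h = {k.lower(): v for k, v in headers.items()}
    same = origin(page_url) == origin(embedder_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # frame-ancestors overrides X-Frame-Options
        ok = "'none'" not in sources and (
            "*" in sources or origin(embedder_url) in sources
            or (same and "'self'" in sources))
        return ok, "CSP frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return (same and xfo == "SAMEORIGIN"), f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return True, "ALLOW-FROM is ignored by current browsers: no restriction"
    return True, "no framing policy: any site can frame the page"

def audit(headers):  # -> (portal_allowed, stranger_allowed)
    return tuple(framing_verdict(headers, VROPS, e)[0] for e in (PORTAL, STRANGER))

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:15} portal/stranger allowed: {audit(hdrs)}")
```

Only the frame-ancestors case lets the intended portal embed the dashboard while still refusing unrelated sites; ALLOW-FROM and a removed header both leave the page frameable by anyone.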

Updated on May 25, 2023:

After modifying web.xml and running for a period of time, the X-Frame-Options SAMEORIGIN error appears again on the iframe-embedded page. Restarting VMware vRealize Operations restores it. Readers who know Java can decompile ui.war in the /usr/lib/vmware-vcops/tomcat-web-app/webapps/ui/WEB-INF directory to try to solve this problem.

Extra:

1. How to share the dashboard:

Log in to vRealize Operations Manager and click "Dashboard". In the list on the left, click the dashboard that needs to be shared. Once it opens, a sharing button is displayed in the upper right corner of the page. Click this button to generate a sharing link and set the corresponding sharing method and validity period.

2. vRealize-Operations-Manager-Appliance deployment file

Include:

vRealize-Operations-Manager-Appliance-8.2.0.16949153_OVF10.ova

vRealize-Operations-Manager-Appliance-8.5.0.18255622_OVF10.ova

Download address:
