Fix proxied url hostnames and thus code-submitter urls #59

Merged
merged 4 commits into from
Nov 11, 2023

PeterJCLaw
Member

@PeterJCLaw PeterJCLaw commented Nov 9, 2023

Summary

There's been a long-standing issue where the hosted code-submitter emits urls which point at the machine hosting it, leading to users ending up on that domain rather than on our root domain.

The two previously observed failure modes were:

  • the proxied service emits urls to its own domain, sending users away from our user-facing domain; this happens when we're setting a Host header so that nginx on the service machine is happy
  • redirect loops behind the proxy; this happens when not setting a Host header (so that the urls are right) but the service machine's nginx is trying to canonicalise its domain

This PR fixes the issue by:

  • passing through the user-facing domain as the current host
  • configuring nginx on the competitor-services box to allow our user-facing domain as a valid Host for itself

This is approximately the same fix as was attempted in #37, however it seems that that PR didn't work due to the mismatch of types in the secondary_hostnames value (it's now a list, was presumably a string previously).

Code review

Reviewing the changes by commit may be useful.

Testing

  • applied the configuration locally
  • manually validated the new behaviour
TASK [srobo-nginx : Copy our configuration] ******************************************
--- before: /etc/nginx/nginx.conf
+++ after: /home/peter/.ansible/tmp/ansible-local-625847yb79663/tmp4s_nyuqn/nginx.conf
@@ -113,7 +113,8 @@
         # starting up, even if in a degraded mode.
         set $competitorsvcs 'competitorsvcs.studentrobotics.org';
         proxy_pass https://$competitorsvcs/code-submitter/;
-        proxy_set_header Host $competitorsvcs;
+        # Note: don't set a Host header as we want the code-submitter to use our
+        # public hostname, not the hostname of the underlying machine.
       }
     
         # Provide access to the competition pages under the normal prefix
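Review bot: The added comment at the removed `proxy_set_header Host $competitorsvcs;` line says not setting a Host header makes the code-submitter see the public hostname, but nginx's default for a proxied request is `Host: $proxy_host`, which here is the name in `proxy_pass` (`competitorsvcs.studentrobotics.org`). The public name only reaches the upstream if a `proxy_set_header Host ...` is inherited from an enclosing level, and that inheritance stops as soon as any `proxy_set_header` is added to this location. Either set it explicitly here, for example `proxy_set_header Host $host;`, or extend the comment to name where the inherited header is defined so a later edit to this block does not silently revert the fix.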

changed: [monty.studentrobotics.org]
TASK [competitor-services-nginx : Copy our configuration] ****************************
--- before: /etc/nginx/nginx.conf
+++ after: /home/peter/.ansible/tmp/ansible-local-625847yb79663/tmpz44efhua/nginx.conf
@@ -61,7 +61,7 @@
     # several server blocks can listen to the same port).
     listen         443 ssl;
     listen         [::]:443 ssl;
-    server_name    competitorsvcs.studentrobotics.org ['studentrobotics.org'];
+    server_name    competitorsvcs.studentrobotics.org studentrobotics.org ;
     root           /var/www;
 
     proxy_pass_request_headers on;
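Review bot: On the changed `server_name` line, `studentrobotics.org` is now accepted for the whole server block, not just for the code-submitter path, so every location this block serves will answer for the public domain when a request with that Host reaches this machine. A short comment above `server_name` saying the second name exists only so the proxy on the public host can pass its hostname through would make the intent clear to whoever edits it next. The rendered line also ends in `studentrobotics.org ;` with a space before the semicolon; nginx accepts it, but trimming the join in the template keeps future diffs clean.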

changed: [competitorsvcs.studentrobotics.org]

Links

Extra context: PeterJCLaw/code-submitter#31

@PeterJCLaw PeterJCLaw marked this pull request as ready for review November 9, 2023 22:41
@PeterJCLaw PeterJCLaw merged commit 82db46b into main Nov 11, 2023
1 check passed
@PeterJCLaw PeterJCLaw deleted the fix-proxied-url-hostnames branch November 11, 2023 10:47
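
The second diff above shows a list-valued variable rendered into `server_name` as its Python repr (`['studentrobotics.org']`). As an added example (not code from this PR or the project), a check like the following could be run over a rendered nginx config to catch that kind of token before deployment; the function name and the wrapping server blocks are constructed here, and only the two `server_name` lines come from the diff.

```python
import re

# A plain hostname as server_name would list it: dot-separated labels,
# optionally with nginx's leading "*." / "." or trailing ".*" wildcard forms.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:\*\.|\.)?{_LABEL}(?:\.{_LABEL})*(?:\.\*)?$")
_SERVER_NAME = re.compile(r"^[ \t]*server_name[ \t]+([^;]*);", re.MULTILINE)


def suspicious_server_names(rendered_conf):
    """Return (line_number, token) for every server_name token that is not a hostname."""
    findings = []
    for match in _SERVER_NAME.finditer(rendered_conf):
        line_no = rendered_conf.count("\n", 0, match.start(1)) + 1
        for token in match.group(1).split():
            # "_" catch-alls and "~regex" names are valid nginx and skipped here.
            if token == "_" or token.startswith("~"):
                continue
            if not _HOSTNAME.match(token):
                findings.append((line_no, token))
    return findings


# Constructed sample input: the two server_name lines are copied from the diff
# on this page, wrapped in a minimal server block.
BEFORE = """server {
    listen         443 ssl;
    server_name    competitorsvcs.studentrobotics.org ['studentrobotics.org'];
}
"""
AFTER = """server {
    listen         443 ssl;
    server_name    competitorsvcs.studentrobotics.org studentrobotics.org ;
}
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for line_no, token in suspicious_server_names(conf):
            print(f"{label}: line {line_no}: unexpected server_name token {token!r}")
```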