Bug #27791
openUI: content-security-policy + hostname prevents us from using a reverse proxy
Description
hi,
we're running a reverse proxy in front of foreman with a different hostname. this works just fine for almost everything. it does NOT work for (at least) one specific case:
in:
app/views/hosts/_operating_system.html.erb
there is this button ("resolve templates"):
<%= link_to_function icon_text("refresh", _("Resolve")), "template_info('#templates_info','#{template_used_hosts_url(:id => @host.id)}')", :class => "btn btn-default" %>
and in this, this part:
'#{template_used_hosts_url(:id => @host.id)}'
renders the "internal" hostname, which
a.) doesn't work (that hostname is not reachable directly in our case)
b.) it conflicts with the content security policy (which only allows "self", disabling all cross-origin ajax)
since the hostname needed here should simply be whatever the origin is, i am assuming that this should be an easy fix. since i don't know all the internals & details, this assumption could of course be blatantly wrong. if it IS easy, we would be extremely happy if this was fixed (and possibly any other places where this pattern appears). also, not sure if this really counts as a bug.
thank you very much
ruben malchow
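The mechanism in the report is that a Rails `_url` helper emits an absolute URL built from the server's own hostname, and a page served through a proxy under another hostname then makes a cross-origin request that `connect-src 'self'` (or `default-src 'self'`) blocks. The following added example is not code from Foreman or from the reporter; it is a small Ruby audit that computes origins the way a browser does for `'self'` matching and flags URLs in rendered markup that would be blocked. The sample HTML, the host `foreman.mcon-group.com` as page origin and the path `/hosts/template_used?id=42` are constructed for the demonstration.

```ruby
require 'uri'

# Origin as a browser computes it for CSP 'self' matching:
# scheme, lower-cased host and port, with the default port dropped.
# Relative URLs are resolved against the page origin, so a root-relative
# path (what a Rails `_path` helper renders) is always same-origin.
def origin_of(url, page_origin)
  uri  = URI.join(page_origin, url)
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host.to_s.downcase}#{port}"
end

# True when an XHR/fetch to `target` from a page at `page_origin`
# would be refused by a `connect-src 'self'` policy.
def blocked_by_self_csp?(page_origin, target)
  origin_of(target, page_origin) != origin_of(page_origin, page_origin)
end

# Constructed sample of rendered markup: the first anchor reproduces the
# shape of the "Resolve" button, with the internal hostname baked into
# the onclick handler; the second uses a root-relative href.
SAMPLE_HTML = <<~HTML
  <a class="btn btn-default" href="#"
     onclick="template_info('#templates_info','https://foreman.mcon-group.systems/hosts/template_used?id=42')">Resolve</a>
  <a href="/hosts/42/edit">Edit</a>
HTML

# Absolute http(s) URLs, or root-relative paths that directly follow a quote.
URL_RE = %r{(?:https?://[^\s'"<>]+|(?<=['"])/[^\s'"<>]*)}

# Every URL in `html` whose origin differs from the page origin, i.e. the
# ones a 'self'-only CSP would block when used for an ajax call.
def foreign_origin_urls(html, page_origin)
  html.scan(URL_RE).select { |u| blocked_by_self_csp?(page_origin, u) }
end

if __FILE__ == $PROGRAM_NAME
  page = 'https://foreman.mcon-group.com'
  foreign_origin_urls(SAMPLE_HTML, page).each { |u| puts "would be blocked: #{u}" }
end
```

Running the audit on markup captured from the proxied site makes the problem visible without waiting for a browser console error; the same `blocked_by_self_csp?` check shows that switching the helper to a root-relative path (the `_path` form) resolves against whatever origin the browser is on.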
Updated by Ohad Levy over 4 years ago
I am not sure you are describing the correct issue, the @host.id is simply the ID value from the DB (in the hosts table). I don't think it's related at all to a load balancer / proxy.
Foreman is working well with a LB / proxy so I'm a bit confused on why it doesn't work for you. Can you share exact details (e.g. browser / server logs)?
Updated by Ohad Levy over 4 years ago
- Status changed from New to Need more information
Updated by ruben malchow over 4 years ago
- File Screenshot 2019-09-05 at 11.14.04.png added
- File Screenshot 2019-09-05 at 11.13.50.png added
hello ohad,
yes, for the most part everything is working fine. it is only the "resolve" button in the screenshot that misbehaves.
the URL in the browser (i.e. the one pointing to the reverse proxy) is "foreman.mcon-group.com", so this is also the origin, but the button is rendered with an "onclick" event that takes a hostname, and in this case the hostname is "foreman.mcon-group.systems", which is the name behind the reverse proxy.
this hostname is then used in an ajax request, which then fails due to the settings from the content security policy headers.