Bug #27791


UI: content-security-policy + hostname prevents us from using a reverse proxy

Added by ruben malchow over 4 years ago. Updated over 4 years ago.

Status:
Need more information
Priority:
Normal
Assignee:
-
Category:
Web Interface
Target version:
-
Difficulty:
easy
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

hi,

we're running a reverse proxy in front of foreman with a different hostname. this works just fine for almost everything. it does NOT work for (at least) one specific case:

in:

app/views/hosts/_operating_system.html.erb

there is this button ("resolve templates"):

<%= link_to_function icon_text("refresh", _("Resolve")), "template_info('#templates_info','#{template_used_hosts_url(:id => @host.id)}')", :class => "btn btn-default" %>

and in this, this part:

'#{template_used_hosts_url(:id => @host.id)}'

renders the "internal" hostname, which

a.) doesn't work (that hostname is not reachable directly in our case)
b.) it conflicts with the content security policy (which only allows "self", disabling all cross-origin ajax)

since the hostname needed here should simply be whatever the origin is, I am assuming that this should be an easy fix. since I don't know all the internals & details, this assumption could of course be blatantly wrong. if it IS easy, we would be extremely happy if this was fixed (and possibly any other places where this pattern appears). also, not sure if this really counts as a bug.

thank you very much

ruben malchow


#1

Updated by Ohad Levy over 4 years ago

I am not sure you are describing the correct issue. The @host.id is simply the ID value from the DB (in the hosts table); I don't think it's related at all to a load balancer / proxy.

Foreman is working well with a LB / proxy, so I'm a bit confused on why it doesn't work for you. Can you share exact details (e.g. browser / server logs)?

#2

Updated by Ohad Levy over 4 years ago

  • Status changed from New to Need more information

Updated by ruben malchow over 4 years ago

hello ohad,

yes, for the most part everything is working fine. it is only the "resolve" button in the screenshot that misbehaves.

the URL in the browser (i.e. the one pointing to the reverse proxy) is "foreman.mcon-group.com", so this is also the origin, but the button is rendered with an "onclick" event that takes a hostname, and in this case the hostname is "foreman.mcon-group.systems", which is the name behind the reverse proxy.

this hostname is then used in an ajax request, which then fails due to the settings from the content security policy headers.
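The failure mode described in this thread, as an added example that is not Foreman's own code: a small model of how a browser evaluates `connect-src 'self'` against the URL the button's onclick handler uses. The two hostnames are the ones quoted above; the URL paths, the host id 42 and the port handling are assumptions standing in for what `template_used_hosts_url` renders.

```ruby
require "uri"

# Minimal model of a browser checking a request against `connect-src 'self'`:
# 'self' matches the page origin's scheme, host and port, and a page served
# over http may additionally connect to the same host over https/wss
# (CSP Level 3 secure-upgrade rule). Hostnames come from the bug report; the
# paths below are constructed stand-ins for template_used_hosts_url output.

PAGE_ORIGIN   = "https://foreman.mcon-group.com"                             # origin seen via the proxy
INTERNAL_URL  = "https://foreman.mcon-group.systems/hosts/42/template_used"  # what a *_url helper renders
RELATIVE_PATH = "/hosts/42/template_used"                                    # what a *_path helper renders

DEFAULT_PORTS = { "http" => 80, "ws" => 80, "https" => 443, "wss" => 443 }.freeze

def port_of(uri)
  uri.port || DEFAULT_PORTS[uri.scheme]
end

# Does `connect-src 'self'` on a page at page_origin permit a request to target?
# target may be absolute or a path relative to the page (resolved as the browser would).
def csp_self_allows?(page_origin, target)
  page = URI.parse(page_origin)
  req  = URI.join(page_origin, target)
  return false unless req.host && req.host.casecmp?(page.host)

  if req.scheme == page.scheme
    port_of(req) == port_of(page)
  elsif page.scheme == "http" && %w[https wss].include?(req.scheme)
    # secure upgrade: allowed on the target scheme's default port or the page's own port
    port_of(req) == DEFAULT_PORTS[req.scheme] || port_of(req) == port_of(page)
  else
    false
  end
end

# The two cases from the report: the absolute internal URL is cross-origin and
# blocked; the same path rendered relative resolves to the proxy origin and passes.
def resolve_button_outcomes
  {
    internal_url:  csp_self_allows?(PAGE_ORIGIN, INTERNAL_URL),
    relative_path: csp_self_allows?(PAGE_ORIGIN, RELATIVE_PATH)
  }
end

if __FILE__ == $PROGRAM_NAME
  resolve_button_outcomes.each { |k, v| puts "#{k}: #{v ? 'allowed' : 'blocked by CSP'}" }
end
```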
