Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes #37761 - Allow rewrites needed for cockpit integration #1178

Closed
wants to merge 1 commit into from
Closed

Fixes #37761 - Allow rewrites needed for cockpit integration #1178

wants to merge 1 commit into from

Conversation

adamruzicka
Copy link
Contributor

A successor to #1177 which github won't allow me to reopen.

This was referenced Aug 26, 2024
Closed
Closed
@adamruzicka adamruzicka force-pushed the cockpit-3f branch 2 times, most recently from 390a202 to 8dee101 Compare August 27, 2024 08:50
ehelms
ehelms approved these changes Sep 16, 2024
View reviewed changes
Copy link
Member

@ehelms ehelms left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested and solved it for me. @evgeni @ekohl any comments to add?

ekohl
ekohl reviewed Sep 16, 2024
View reviewed changes
spec/classes/plugin/remote_execution_cockpit_spec.rb
@@ -71,7 +71,7 @@ class {'foreman':
.without_content
.with_ssl_content(%r{^<Location /webcon>$})
.with_ssl_content(%r{^ RewriteRule /webcon/\(\.\*\) ws://127\.0\.0\.1:19090/webcon/\$1 \[P\]$})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is still needed? And for websockets we don't suffer from the same problem? I ask because I get the impression this line is redundant

Copy link
Member

@evgeni evgeni Sep 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding is (without having explicitly tested that) that w/o this we do not get a protocol upgrade on EL8 (and Ubuntu Focal).

On EL9 (and Debian), we could use ProxyPass … upgrade=websocket, but not on EL8

evgeni
evgeni requested changes Sep 17, 2024
View reviewed changes
Copy link
Member

@evgeni evgeni left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am afraid this is not making the webconsole work for me on CS9 :(

httpd-2.4.57-8.el9.x86_64

This is the version without the fix for CVE-2024-38474 and thus "obviosly" works.

old config

<Location /webcon>
  ProxyPreserveHost On

  RewriteEngine On
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /webcon/(.*)           ws://127.0.0.1:19090/webcon/$1 [P]
  RewriteCond %{HTTP:Upgrade} !=websocket [NC]
  RewriteRule /webcon/(.*)           http://127.0.0.1:19090/webcon/$1 [P]
</Location>

WORKS

new config

<Location /webcon>
  ProxyPreserveHost On

  RewriteEngine On
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /webcon/(.*)           ws://127.0.0.1:19090/webcon/$1 [P]
  ProxyPass http://127.0.0.1:19090/webcon
</Location>

WORKS

config without explicit ws:// proxy

<Location /webcon>
  ProxyPreserveHost On
  ProxyPass http://127.0.0.1:19090/webcon
</Location>

FAILS with

Connection failed
There was an unexpected error while connecting to the machine.

config without explicit ws:// proxy but with upgrade=websocket

<Location /webcon>
  ProxyPreserveHost On
  ProxyPass http://127.0.0.1:19090/webcon upgrade=websocket
</Location>

I assumed (based on https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#wsupgrade) this would work, but alas, it does not, same "unexpected error". 🤔

httpd-2.4.62-1.el9.x86_64

That's the version with the CVE fix

old config

<Location /webcon>
  ProxyPreserveHost On

  RewriteEngine On
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /webcon/(.*)           ws://127.0.0.1:19090/webcon/$1 [P]
  RewriteCond %{HTTP:Upgrade} !=websocket [NC]
  RewriteRule /webcon/(.*)           http://127.0.0.1:19090/webcon/$1 [P]
</Location>

FAILS with "Forbidden" - this was expected

new config

<Location /webcon>
  ProxyPreserveHost On

  RewriteEngine On
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /webcon/(.*)           ws://127.0.0.1:19090/webcon/$1 [P]
  ProxyPass http://127.0.0.1:19090/webcon
</Location>

FAILS with

Connection failed
There was an unexpected error while connecting to the machine.

config from #1177

<Location /webcon>
  ProxyPreserveHost On

  RewriteEngine On
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /webcon/(.*)           ws://127.0.0.1:19090/webcon/$1 [P,UnsafeAllow3F]
  RewriteCond %{HTTP:Upgrade} !=websocket [NC]
  RewriteRule /webcon/(.*)           http://127.0.0.1:19090/webcon/$1 [P,UnsafeAllow3F]
</Location>

FAILS with

Connection failed
There was an unexpected error while connecting to the machine.

In all "unexpected error" cases, I see my Firefox (in the network tab) trying to access wss://centos9-stream-katello-nightly.tanso.example.com/webcon/cockpit+=centos9-stream.tanso.example.com/socket and quitting with "404 / WEBSOCKET CONNECTION REFUSED"

httpd agrees:

192.168.122.1 - - [17/Sep/2024:08:00:36 +0000] "GET /webcon/cockpit+=centos9-stream.tanso.example.com/socket HTTP/1.1" 404 1564 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0"

It's like the Upgrade: websocket header (which is sent!) is completely ignored.

@evgeni
Copy link
Member

evgeni commented Sep 17, 2024

On EL8, with httpd-2.4.37-65.module_el8.10.0+3874+c2064c23.2.x86_64, both fixes (here and #1177) work, as long as I keep

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /webcon/(.*)           ws://127.0.0.1:19090/webcon/$1 [P]

in the config.

upgrade=websocket doesn't work as a param, as expected.

@evgeni
Copy link
Member

evgeni commented Sep 17, 2024

We probably should still merge this, to at least fix the issue on EL8… But it's still ugly.

@adamruzicka
Copy link
Contributor Author

to at least fix the issue on EL8

and EL <=9.4

@evgeni
Copy link
Member

evgeni commented Sep 17, 2024

to at least fix the issue on EL8

and EL <=9.4

But it's not broken with the old code on EL9.4 either, right?

@ekohl
Copy link
Member

ekohl commented Sep 17, 2024

It's like the Upgrade: websocket header (which is sent!) is completely ignored.

We're loading mod_proxy_wstunnel. https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html has some examples that look relevant for RewriteRules:

ProxyPass / http://example.com:9080/
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "ws://example.com:9080/$1" [P,L]

Would those help?

@evgeni
Copy link
Member

evgeni commented Sep 17, 2024

Would those help?

I tested these all after my initial "doesn't work" reply, and the changes do not have any visible effect.

@evgeni
Copy link
Member

evgeni commented Sep 17, 2024
edited
Loading

the plot thickens!

It seems the WS request ends up routed to Rails, not foreman-cockpit, as I see the following in production.log:

2024-09-17T14:56:17 [I|app|53724f64] Started GET "/webcon/cockpit+=centos9-stream.tanso.example.com/socket" for 192.168.122.1 at 2024-09-17 14:56:17 +0000
2024-09-17T14:56:17 [F|app|53724f64]   
 53724f64 | ActionController::RoutingError (No route matches [GET] "/webcon/cockpit+=centos9-stream.tanso.example.com/socket"):

And that explains the 404!

And indeed, when I remove the following from the apache config:

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*) unix:///run/foreman.sock|ws://foreman/$1 [P,L]

it works.

WTF

@ekohl
Copy link
Member

ekohl commented Sep 17, 2024

Could it be the order of items? That Apache evaluates the rules from top to bottom.

evgeni
evgeni approved these changes Sep 17, 2024
View reviewed changes
Copy link
Member

@evgeni evgeni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The EL9 problem seems unrelated to the change at hand, so let's run with it.

@evgeni
Copy link
Member

evgeni commented Sep 17, 2024

When I use

<VirtualHost *:443>
…
  ProxyPass http://foreman upgrade=websocket
<Location /webcon>
  ProxyPass http://cockpit/webcon upgrade=websocket
</Location>
</VirtualHost>

Things work. But that'll break EL8 and Focal 😢

@ekohl
Copy link
Member

ekohl commented Sep 17, 2024

Things work. But that'll break EL8 and Focal 😢

I want to drop both of those for 3.13. Any thoughts on OS version specific content if we want to backport this?

@evgeni
Copy link
Member

evgeni commented Sep 17, 2024

You mean using proxypass with upgrade on OSes that support it, and without (and instead rewrite) on those which don't?

@ekohl
Copy link
Member

ekohl commented Sep 17, 2024

Exactly

@evgeni
Copy link
Member

evgeni commented Sep 18, 2024

Okay, let's try this!

#1185

@evgeni evgeni closed this Sep 18, 2024
@evgeni
Copy link
Member

evgeni commented Sep 18, 2024

#1185 was merged instead

@adamruzicka adamruzicka deleted the cockpit-3f branch September 19, 2024 07:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ekohl ekohl ekohl left review comments

@ehelms ehelms ehelms approved these changes

@evgeni evgeni evgeni approved these changes

Assignees
No one assigned
Labels
skip-changelog Waiting on contributor
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@adamruzicka @evgeni @ekohl @ehelms