tickets #68263

closed

Broken integration due to header on proxy

Added by hellcp almost 4 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Category: Core services and virtual infrastructure
Target version: -
Start date: 2020-06-21
Due date:
% Done: 100%
Estimated time:

Description

Proxy sets x-frame-options header on dimension.opensuse.org, breaking its chat.o.o integration

Actions #1

Updated by cboltz almost 4 years ago

Confirmed, haproxy.cfg has

    # additional security headers, as requested by MF-IT security scan at 2020-04-16
    http-response set-header X-Frame-Options SAMEORIGIN                 if is_ssl
    http-response set-header X-XSS-Protection "1; mode=block"           if is_ssl
    http-response set-header X-Content-Type-Options nosniff             if is_ssl
    http-response set-header Referrer-Policy no-referrer-when-downgrade if is_ssl

Do you have a better idea how we should set X-Frame-Options (globally or specific for dimension.o.o)?

https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options looks like it's possible to specify allow-from https://chat.o.o, but with limited browser support.

Actions #2

Updated by cboltz almost 4 years ago

  • Private changed from Yes to No

Actions #3

Updated by hellcp almost 4 years ago

cboltz wrote:

Confirmed, haproxy.cfg has

    # additional security headers, as requested by MF-IT security scan at 2020-04-16
    http-response set-header X-Frame-Options SAMEORIGIN                 if is_ssl
    http-response set-header X-XSS-Protection "1; mode=block"           if is_ssl
    http-response set-header X-Content-Type-Options nosniff             if is_ssl
    http-response set-header Referrer-Policy no-referrer-when-downgrade if is_ssl

Do you have a better idea how we should set X-Frame-Options (globally or specific for dimension.o.o)?

https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options looks like it's possible to specify allow-from https://chat.o.o, but with limited browser support.

I would probably ask for it to not be set on dimension.o.o at all, since dimension should be able to work with applications too, not just chat.o.o

Actions #4

Updated by cboltz almost 4 years ago

I tried with

    http-response set-header X-Frame-Options SAMEORIGIN                 if is_ssl !is_dimension

but the only thing that produces is

    [WARNING] 172/201010 (13798) : parsing [/etc/haproxy/haproxy.cfg:131] : acl 'is_dimension' will never match because it only involves keywords that are incompatible with 'frontend http-response header rule'

therefore I've reverted my non-working changes.

https://discourse.haproxy.org/t/http-response-set-header-with-condition-not-working/3108 looks somewhat related, but I'm not a fan of doing config changes I don't understand, especially not on one of our most important and visible servers ;-)

Can someone who is more familiar with haproxy please have a look at this?

Actions #5

Updated by hellcp over 3 years ago

Additional note, I remembered today we offer embeddable download pages on software-o-o, I looked it up and the header is also on software-o-o, breaking the entire integration there as well. https://software.opensuse.org/download/doc

Actions #6

Updated by lrupp over 3 years ago

I had a similar problem when trying to integrate etherpad into meet.o.o (and later meet.o.o in moodle.o.o ;-)

From /etc/haproxy/haproxy.cfg:

    # the following two lines are needed to allow embedding of etherpad.o.o
    # in meet.opensuse.org - using the 'is_etherpad' ACL will NOT work
    http-request set-var(txn.host) hdr(Host)
    acl no_x-frame-option var(txn.host) -m str etherpad.opensuse.org

Ergo: it should be possible to add an additional line like:

    acl no_x-frame-option var(txn.host) -m str chat.opensuse.org

and be done with it.

Leaving it up to those who want to saltify the haproxy.cfg to have a section for "embedded host names" ...

Actions #7

Updated by lrupp over 3 years ago

  • Status changed from New to Workable

Actions #8

Updated by SchoolGuy about 3 years ago

Can the Jitsi Team help you with that? Or is this purely ha-proxy related?

Actions #9

Updated by lrupp about 3 years ago

  • Status changed from Workable to Feedback

SchoolGuy wrote:

Can the Jitsi Team help you with that? Or is this purely ha-proxy related?

This is completely haproxy related.
I thought that someone from the other heroes would take this as a junior job - but it looks like this got forgotten... Sorry!

Checked/Added

    acl no_x-frame-option var(txn.host) -m str chat.opensuse.org
    acl no_x-frame-option var(txn.host) -m str dimension.opensuse.org

Followed by:

    http-response set-header X-Frame-Options SAMEORIGIN                 if is_ssl !no_x-frame-option

Can you please verify if this fixes your problem?
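Added example, not part of the ticket thread or of the openSUSE haproxy configuration: a small Python check for the verification lrupp asks for above. It assumes the policy the thread settles on (no X-Frame-Options on the hosts exempted through the no_x-frame-option ACL, SAMEORIGIN on every other HTTPS host, and the other three headers from the haproxy.cfg snippet on every HTTPS response). The host other.example.invalid is a placeholder, the sample responses are constructed rather than captured from the proxy, and the HEAD request via urllib is only used when the script is run against live hosts.

```python
"""Check X-Frame-Options handling per host after the haproxy change.

Added example; not part of the ticket or of the openSUSE haproxy.cfg.
Assumptions (from the thread): hosts that must be embeddable get NO
X-Frame-Options header, every other HTTPS host gets "SAMEORIGIN", and the
other headers from the haproxy.cfg snippet are sent on every HTTPS response.
"""
import ssl
import urllib.error
import urllib.request
from typing import Dict, List, Mapping, Optional

# Hosts exempted via the no_x-frame-option ACL in the thread.
EMBEDDABLE_HOSTS = frozenset({
    "etherpad.opensuse.org",
    "chat.opensuse.org",
    "dimension.opensuse.org",
})

# Headers the haproxy.cfg snippet sets on every HTTPS response (assumption).
ALWAYS_EXPECTED = ("x-xss-protection", "x-content-type-options", "referrer-policy")


def expected_xfo(host: str) -> Optional[str]:
    """Expected X-Frame-Options value for a host; None means 'must be absent'."""
    return None if host.lower() in EMBEDDABLE_HOSTS else "SAMEORIGIN"


def check_headers(host: str, headers: Mapping[str, str]) -> List[str]:
    """Compare one response's headers with the policy; return a list of problems.

    Header names are matched case-insensitively as HTTP requires. An empty
    list means the host is configured as the thread intends.
    """
    lower = {name.lower(): value.strip() for name, value in headers.items()}
    problems: List[str] = []
    actual = lower.get("x-frame-options")
    want = expected_xfo(host)
    if want is None:
        if actual is not None:
            problems.append(f"{host}: X-Frame-Options={actual!r} present, embedding will break")
    elif actual is None:
        problems.append(f"{host}: X-Frame-Options missing, clickjacking protection lost")
    elif actual.upper() != want:
        problems.append(f"{host}: X-Frame-Options={actual!r}, expected {want!r}")
    for name in ALWAYS_EXPECTED:
        if name not in lower:
            problems.append(f"{host}: {name} missing")
    return problems


def fetch_headers(host: str, timeout: float = 10.0) -> Dict[str, str]:
    """HEAD request over HTTPS (network needed; only used when run as a script).

    A 3xx/4xx/5xx response still carries the proxy's headers, so keep them
    when urllib raises HTTPError instead of discarding the response.
    """
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as resp:
            return dict(resp.getheaders())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


def check_hosts(hosts, fetch=fetch_headers) -> List[str]:
    """Run check_headers over several hosts; `fetch` is injectable for offline use."""
    problems: List[str] = []
    for host in hosts:
        problems.extend(check_headers(host, fetch(host)))
    return problems


# Constructed sample responses (not captured from the real proxy): the state
# before the fix, where dimension still got the header, and the state after.
BEFORE_FIX = {
    "dimension.opensuse.org": {"X-Frame-Options": "SAMEORIGIN",
                               "X-XSS-Protection": "1; mode=block",
                               "X-Content-Type-Options": "nosniff",
                               "Referrer-Policy": "no-referrer-when-downgrade"},
}
AFTER_FIX = {
    "dimension.opensuse.org": {"X-XSS-Protection": "1; mode=block",
                               "X-Content-Type-Options": "nosniff",
                               "Referrer-Policy": "no-referrer-when-downgrade"},
    # placeholder for any non-embeddable host behind the proxy
    "other.example.invalid": {"X-Frame-Options": "SAMEORIGIN",
                              "X-XSS-Protection": "1; mode=block",
                              "X-Content-Type-Options": "nosniff",
                              "Referrer-Policy": "no-referrer-when-downgrade"},
}

if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or sorted(EMBEDDABLE_HOSTS)
    found = check_hosts(targets)  # live HTTPS checks against the given hosts
    print("\n".join(found) or "all hosts match the policy")
    sys.exit(1 if found else 0)
```

Run it with host names as arguments to check the live proxy; the `fetch` parameter of `check_hosts` takes any callable returning a header mapping, which is how the constructed BEFORE_FIX and AFTER_FIX samples are checked without network access. The check deliberately flags both directions: a header on an embeddable host (the breakage this ticket is about) and a missing header on any other host (the protection the security scan asked for being lost).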

Actions #10

Updated by lrupp about 3 years ago

  • Status changed from Feedback to Closed
  • % Done changed from 0 to 100

No feedback for >14 days, closing.
