<p><strong>openSUSE admin - tickets #68263: Broken integration due to header on proxy</strong> (openSUSE Project Management Tool, <a href="https://progress.opensuse.org/issues/68263" class="external">https://progress.opensuse.org/issues/68263</a>)</p>
<p><strong>cboltz</strong> (suse-beta@cboltz.de), 2020-06-21T15:39:05Z, <a href="https://progress.opensuse.org/issues/68263?journal_id=308560" class="external">journal 308560</a></p>
<p>Confirmed, <code>haproxy.cfg</code> has</p>
<pre><code> # additional security headers, as requested by MF-IT security scan at 2020-04-16
http-response set-header X-Frame-Options SAMEORIGIN if is_ssl
http-response set-header X-XSS-Protection "1; mode=block" if is_ssl
http-response set-header X-Content-Type-Options nosniff if is_ssl
http-response set-header Referrer-Policy no-referrer-when-downgrade if is_ssl
</code></pre>
<p>Do you have a better idea how we should set <code>X-Frame-Options</code> (globally or specific for dimension.o.o)?</p>
<p><a href="https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options" class="external">https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options</a> looks like it's possible to specify <code>allow-from https://chat.o.o</code>, but with limited browser support.</p>
<p><strong>cboltz</strong> (suse-beta@cboltz.de), 2020-06-21T15:40:11Z, <a href="https://progress.opensuse.org/issues/68263?journal_id=308563" class="external">journal 308563</a></p>
<ul><li><strong>Private</strong> changed from <i>Yes</i> to <i>No</i></li></ul>
<p><strong>hellcp</strong> (hel@lcp.world), 2020-06-21T18:21:16Z, <a href="https://progress.opensuse.org/issues/68263?journal_id=308569" class="external">journal 308569</a></p>
<p>cboltz wrote:</p>
<blockquote>
<p>Confirmed, <code>haproxy.cfg</code> has</p>
<pre><code> # additional security headers, as requested by MF-IT security scan at 2020-04-16
http-response set-header X-Frame-Options SAMEORIGIN if is_ssl
http-response set-header X-XSS-Protection "1; mode=block" if is_ssl
http-response set-header X-Content-Type-Options nosniff if is_ssl
http-response set-header Referrer-Policy no-referrer-when-downgrade if is_ssl
</code></pre>
<p>Do you have a better idea how we should set <code>X-Frame-Options</code> (globally or specific for dimension.o.o)?</p>
<p><a href="https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options" class="external">https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options</a> looks like it's possible to specify <code>allow-from https://chat.o.o</code>, but with limited browser support.</p>
</blockquote>
<p>I would probably ask for it to not be set on dimension.o.o at all, since dimension should be able to work with applications too, not just chat.o.o.</p>
<p><strong>cboltz</strong> (suse-beta@cboltz.de), 2020-06-21T20:24:21Z, <a href="https://progress.opensuse.org/issues/68263?journal_id=308575" class="external">journal 308575</a></p>
<p>I tried with</p>
<pre><code>http-response set-header X-Frame-Options SAMEORIGIN if is_ssl !is_dimension
</code></pre>
<p>but the only thing that produces is</p>
<p><code>[WARNING] 172/201010 (13798) : parsing [/etc/haproxy/haproxy.cfg:131] : acl 'is_dimension' will never match because it only involves keywords that are incompatible with 'frontend http-response header rule'</code></p>
<p>therefore I've reverted my non-working changes.</p>
<p><a href="https://discourse.haproxy.org/t/http-response-set-header-with-condition-not-working/3108" class="external">https://discourse.haproxy.org/t/http-response-set-header-with-condition-not-working/3108</a> looks somewhat related, but I'm not a fan of doing config changes I don't understand, especially not on one of our most important and visible servers ;-)</p>
<p>Can someone who is more familiar with haproxy please have a look at this?</p>
<p><strong>hellcp</strong> (hel@lcp.world), 2020-07-18T13:57:31Z, <a href="https://progress.opensuse.org/issues/68263?journal_id=313870" class="external">journal 313870</a></p>
<p>Additional note: I remembered today that we offer embeddable download pages on software-o-o. I looked it up, and the header is also on software-o-o, breaking the entire integration there as well. <a href="https://software.opensuse.org/download/doc" class="external">https://software.opensuse.org/download/doc</a></p>
<p><strong>lrupp</strong>, 2020-08-03T08:19:18Z, <a href="https://progress.opensuse.org/issues/68263?journal_id=316177" class="external">journal 316177</a></p>
<p>I had a similar problem when trying to integrate etherpad into meet.o.o (and later meet.o.o in moodle.o.o ;-)</p>
<p>From /etc/haproxy/haproxy.cfg:</p>
<pre><code> # the following two lines are needed to allow embedding of etherpad.o.o
# in meet.opensuse.org - using the 'is_etherpad' ACL will NOT work
http-request set-var(txn.host) hdr(Host)
acl no_x-frame-option var(txn.host) -m str etherpad.opensuse.org
</code></pre>
<p>Ergo: it should be possible to add an additional line like:</p>
<pre><code> acl no_x-frame-option var(txn.host) -m str chat.opensuse.org
</code></pre>
<p>and be done with it. </p>
<p>Leaving it up to those who want to saltify the haproxy.cfg to have a section for "embedded host names" ...</p>
<p><strong>lrupp</strong>, 2020-10-08T08:39:50Z, <a href="https://progress.opensuse.org/issues/68263?journal_id=332209" class="external">journal 332209</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Workable</i></li></ul>
<p><strong>SchoolGuy</strong> (egotthold@suse.com), 2021-02-02T08:34:24Z, <a href="https://progress.opensuse.org/issues/68263?journal_id=381473" class="external">journal 381473</a></p>
<p>Can the Jitsi Team help you with that? Or is this purely ha-proxy related?</p>
<p><strong>lrupp</strong>, 2021-02-02T11:31:03Z, <a href="https://progress.opensuse.org/issues/68263?journal_id=381501" class="external">journal 381501</a></p>
<ul><li><strong>Status</strong> changed from <i>Workable</i> to <i>Feedback</i></li></ul><p>SchoolGuy wrote:</p>
<blockquote>
<p>Can the Jitsi Team help you with that? Or is this purely ha-proxy related?</p>
</blockquote>
<p>This is completely haproxy related. <br>
I thought that someone from the other heroes would take this as a junior job - but it looks like this got forgotten... Sorry!</p>
<p>Checked/Added</p>
<pre><code class="text syntaxhl" data-language="text">acl no_x-frame-option var(txn.host) -m str chat.opensuse.org
acl no_x-frame-option var(txn.host) -m str dimension.opensuse.org
</code></pre>
<p>Followed by:</p>
<pre><code class="text syntaxhl" data-language="text">http-response set-header X-Frame-Options SAMEORIGIN if is_ssl !no_x-frame-option
</code></pre>
<p>Can you please verify if this fixes your problem?</p>
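<p>The failed attempt with <code>!is_dimension</code> and the working fix above fit together as follows. An <code>http-response</code> rule runs after the request has been forwarded, so an ACL built directly on <code>hdr(Host)</code> (a request-phase sample) can never match there; that is exactly what the "acl 'is_dimension' will never match" warning reports. <code>is_ssl</code> keeps working in the response phase because the TLS state belongs to the connection, not to the request. Copying the Host header into a transaction-scoped variable during <code>http-request</code> makes it available to the response rule. The configuration below is an added example, not the heroes' haproxy.cfg: the frontend name, the <code>bind</code> line and certificate path, the backend, the <code>acl is_ssl ssl_fc</code> definition and the inclusion of software.opensuse.org (taken from hellcp's later note, not part of the applied fix) are assumptions; the host names chat.opensuse.org, dimension.opensuse.org and etherpad.opensuse.org and the four header lines come from the ticket.</p>

```haproxy
# Added example, not the openSUSE heroes' haproxy.cfg. Frontend/backend names,
# bind line, certificate path and the is_ssl definition are assumptions.
frontend https-in
    bind :443 ssl crt /etc/haproxy/certs/    # path is an assumption
    mode http

    # is_ssl as used throughout the ticket; this definition is an assumption.
    # ssl_fc is connection-level state, so it is usable in http-response rules.
    acl is_ssl ssl_fc

    # hdr(Host) is a request-phase sample: an ACL built on it never matches in an
    # http-response rule (haproxy warns "acl ... will never match"). Copy it into
    # a txn.* variable first; txn.* variables live until the response is sent.
    # ,lower normalises the value because -m str is an exact string match.
    http-request set-var(txn.host) req.hdr(host),lower

    # Hosts that are embedded elsewhere and must not get X-Frame-Options.
    # Repeated 'acl' lines with the same name are combined with OR.
    acl no_x-frame-option var(txn.host) -m str etherpad.opensuse.org
    acl no_x-frame-option var(txn.host) -m str chat.opensuse.org
    acl no_x-frame-option var(txn.host) -m str dimension.opensuse.org
    acl no_x-frame-option var(txn.host) -m str software.opensuse.org   # from hellcp's note, assumption

    # Security headers from the MF-IT scan; only X-Frame-Options is host-dependent.
    http-response set-header X-Frame-Options SAMEORIGIN if is_ssl !no_x-frame-option
    http-response set-header X-XSS-Protection "1; mode=block" if is_ssl
    http-response set-header X-Content-Type-Options nosniff if is_ssl
    http-response set-header Referrer-Policy no-referrer-when-downgrade if is_ssl

    default_backend web

backend web
    mode http
    server app1 127.0.0.1:8080    # assumption
```

<p><code>haproxy -c -f /etc/haproxy/haproxy.cfg</code> validates the file before a reload and should no longer print the "will never match" warning. A response check against each listed host should show no <code>X-Frame-Options</code> header, while every other host still gets <code>SAMEORIGIN</code>. The <code>allow-from</code> value mentioned on the MDN page is obsolete and not honoured by current browsers; where the set of embedding sites for a host is known, <code>Content-Security-Policy: frame-ancestors</code> is the standardized way to allow specific origins rather than dropping the header entirely.</p>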
<p><strong>lrupp</strong>, 2021-02-24T07:25:26Z, <a href="https://progress.opensuse.org/issues/68263?journal_id=385210" class="external">journal 385210</a></p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Closed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>No feedback for >14 days, closing.</p>