Unable to login to foreman GUI using smart proxy link after upgrading to 3.8.0 version

Hi Team,

Unable to login to Foreman GUI link after upgrading to 3.8.0 version.

Getting this error “CSRF protection token expired, please log in again” everytime when tried to login using smart proxy link.

In earlier versions , it was working fine. After recent upgrade to 3.8.0 , this issue popped up.

Login to GUI using Foreman Server link is working fine.

Can anyone help on this.


What do you mean by “smart proxy link”?

We have Centralised foreman server and associated smart proxy server in each site.

Foreman Dashboard can be accessed either via foreman server @ 443 port (https) or via smart proxy server @ 8443 port.

Now unable login to dashboard using smart proxy server link

This seems to be related to the HTTP/2 enablement we did in Fixes #36854 - Use HTTP/2 when proxying to Foreman · theforeman/puppet-foreman_proxy_content@e7a38f3 · GitHub

CC @ekohl

If you use foreman-installer --foreman-proxy-content-reverse-proxy-backend-protocol https on the smart proxy server, does it then work again?

Mh, it doesn’t on my test box, then maybe it’s something else.

Ah, when I dig production log, I see:

2023-12-19T12:50:37 [W|app|916bf600] HTTP Origin header (https://pipe-katello-proxy-nightly-centos8-stream.tanso.example.com:8443) didn't match request.base_url (https://pipe-katello-server-nightly-centos8-stream.tanso.example.com)
2023-12-19T12:50:37 [I|app|916bf600] Redirected to https://pipe-katello-server-nightly-centos8-stream.tanso.example.com/users/login

Okay, with backend protocoll set to https and Fixes #35432 - Use Rails 6.1 defaults · theforeman/foreman@f034a4f · GitHub reverted I can login via proxy:8443.


I suspect Rails 6.1 defaults enables the ActionDispatch::HostAuthorization middleware by default. We have introduced it in the settings.yaml here:

But the installer doesn’t expose it. AFAIK this configuration was done by default as part of some CVE fixes. Quoting the description:

This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to

Can you guide me what settings needs to be updated as it is not clear from the link shared

So what @ekohl meant is to edit /etc/foreman/settings.yaml and add lines like:

  - foreman.example.com
  - proxy.example.com

However, this doesn’t help in my test setup and I still get

HTTP Origin header (https://pipe-katello-proxy-nightly-centos8-stream.tanso.example.com:8443) didn't match request.base_url (https://pipe-katello-server-nightly-centos8-stream.tanso.example.com)

in the logs.

This comes from here

But I think the check failing is

And indeed, setting config.action_controller.forgery_protection_origin_check = false in application.rb makes the whole login flow work again, as long as I am using HTTPS, not HTTP/2 as the backend protocol between the proxy and the main Foreman instance.

However, I think in general the default makes sense and we should keep it.

Yes updating /etc/settings.yaml doesn’t help.
Still getting same error

Another thought: we have the trusted proxies setting. We document --foreman-trusted-proxies in Installing a Smart Proxy Server 3.8 on CentOS/RHEL and that’s 100% needed for a reverse proxy setup (which you are running). Have you applied that?

Sorry was on Holiday.
updating trusted proxies option using foreman installer also didn’t work.
still getting same error.