Unable to login to foreman GUI using smart proxy link after upgrading to 3.8.0 version

jeevaugustin · November 27, 2023, 10:39am

Hi Team,

Unable to login to Foreman GUI link after upgrading to 3.8.0 version.

Getting this error “CSRF protection token expired, please log in again” everytime when tried to login using smart proxy link.

In earlier versions , it was working fine. After recent upgrade to 3.8.0 , this issue popped up.

Login to GUI using Foreman Server link is working fine.

Can anyone help on this.

Regards,
Jeev

aruzicka · November 27, 2023, 1:47pm

What do you mean by “smart proxy link”?

jeevaugustin · November 27, 2023, 2:57pm

We have Centralised foreman server and associated smart proxy server in each site.

Foreman Dashboard can be accessed either via foreman server @ 443 port (https) or via smart proxy server @ 8443 port.

Now unable login to dashboard using smart proxy server link

evgeni · December 19, 2023, 12:09pm

This seems to be related to the HTTP/2 enablement we did in Fixes #36854 - Use HTTP/2 when proxying to Foreman · theforeman/puppet-foreman_proxy_content@e7a38f3 · GitHub

CC @ekohl

ekohl · December 19, 2023, 12:21pm

If you use foreman-installer --foreman-proxy-content-reverse-proxy-backend-protocol https on the smart proxy server, does it then work again?

evgeni · December 19, 2023, 12:52pm

Mh, it doesn’t on my test box, then maybe it’s something else.

Ah, when I dig production log, I see:

2023-12-19T12:50:37 [W|app|916bf600] HTTP Origin header (https://pipe-katello-proxy-nightly-centos8-stream.tanso.example.com:8443) didn't match request.base_url (https://pipe-katello-server-nightly-centos8-stream.tanso.example.com)
2023-12-19T12:50:37 [I|app|916bf600] Redirected to https://pipe-katello-server-nightly-centos8-stream.tanso.example.com/users/login

evgeni · December 19, 2023, 1:06pm

Okay, with backend protocoll set to https and Fixes #35432 - Use Rails 6.1 defaults · theforeman/foreman@f034a4f · GitHub reverted I can login via proxy:8443.

ekohl · December 19, 2023, 1:10pm

I suspect Rails 6.1 defaults enables the ActionDispatch::HostAuthorization middleware by default. We have introduced it in the settings.yaml here:

But the installer doesn’t expose it. AFAIK this configuration was done by default as part of some CVE fixes. Quoting the description:

This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to

jeevaugustin · December 20, 2023, 6:41am

Can you guide me what settings needs to be updated as it is not clear from the link shared

evgeni · December 20, 2023, 8:26am

So what @ekohl meant is to edit /etc/foreman/settings.yaml and add lines like:

:hosts:
  - foreman.example.com
  - proxy.example.com

However, this doesn’t help in my test setup and I still get

HTTP Origin header (https://pipe-katello-proxy-nightly-centos8-stream.tanso.example.com:8443) didn't match request.base_url (https://pipe-katello-server-nightly-centos8-stream.tanso.example.com)

in the logs.

This comes from here

github.com

rails/rails/blob/v6.1.7.6/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L235


      
          # verify that JavaScript responses are for XHR requests, ensuring they
          # follow the browser's same-origin policy.
          def verify_authenticity_token # :doc:
            mark_for_same_origin_verification!
          
            if !verified_request?
              if logger && log_warning_on_csrf_failure
                if valid_request_origin?
                  logger.warn "Can't verify CSRF token authenticity."
                else
                  logger.warn "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
                end
              end
              handle_unverified_request
            end
          end
          
          def handle_unverified_request # :doc:
            forgery_protection_strategy.new(self).handle_unverified_request
          end

But I think the check failing is

github.com

rails/rails/blob/v6.1.7.6/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L455-L463


      
          def valid_request_origin? # :doc:
            if forgery_protection_origin_check
              # We accept blank origin headers because some user agents don't send it.
              raise InvalidAuthenticityToken, NULL_ORIGIN_MESSAGE if request.origin == "null"
              request.origin.nil? || request.origin == request.base_url
            else
              true
            end
          end

And indeed, setting config.action_controller.forgery_protection_origin_check = false in application.rb makes the whole login flow work again, as long as I am using HTTPS, not HTTP/2 as the backend protocol between the proxy and the main Foreman instance.

However, I think in general the default makes sense and we should keep it.

jeevaugustin · December 20, 2023, 10:03am

Yes updating /etc/settings.yaml doesn’t help.
Still getting same error

ekohl · December 20, 2023, 2:03pm

Another thought: we have the trusted proxies setting. We document --foreman-trusted-proxies in Installing a Smart Proxy Server 3.8 on CentOS/RHEL and that’s 100% needed for a reverse proxy setup (which you are running). Have you applied that?

jeevaugustin · January 5, 2024, 6:32am

Sorry was on Holiday.
updating trusted proxies option using foreman installer also didn’t work.
still getting same error.