Commit ecbc7b88 authored by Jérome Perrin's avatar Jérome Perrin

software/slaprunner: set Host header in nginx proxy

This host header is not passed by default, because we are already using
proxy_set_header, so we need to set it explicitly.

It seems that since we updated some packages in 279486fe (stack/slapos:
version up some eggs with known vulnerabilties, 2021-01-28) slaprunner was
producing URLs with "localhost" as hostname when using redirect(url_for(...))
parent f080a53f
......@@ -38,7 +38,7 @@ md5sum = bd0ad0b80d2b39189f9665c48f1b3830
[template_nginx_conf]
filename = nginx_conf.in
md5sum = 2b06f7eb9a1d45d250d4b92a944db925
md5sum = 862aa0e482927e023e63631087f92190
[template_httpd_conf]
filename = httpd_conf.in
......
......@@ -41,6 +41,7 @@ http {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Host $http_host;
proxy_set_header X-Accel-Mapping /private/;
proxy_connect_timeout 200;
proxy_send_timeout 200;
......@@ -54,6 +55,7 @@ http {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Host $http_host;
proxy_set_header X-Accel-Mapping /private/;
proxy_pass http://unix:{{ socket }};
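Review bot: `$http_host` is the Host header exactly as the client sent it, so with the added `proxy_set_header Host $http_host;` lines (both hunks of this file, the second in the block that proxies to `http://unix:{{ socket }}`) the backend builds absolute redirect URLs from a value the requester controls; the new test shows `example.com:1234` coming back in `Location`. That is presumably acceptable while only a trusted frontend can reach this nginx, but the visible lines show no `server_name` restriction or other allow-list of hostnames, so it is worth confirming and stating above the directive, for example `# Host is forwarded as received; the backend uses it to build redirect URLs, so only trusted frontends should reach this server`. nginx also does not pass a header whose value is an empty string, so a request that arrives without a Host header would still reach the backend without one. Both blocks inside `http {` start and end outside the hunks.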
......
......@@ -280,6 +280,28 @@ class TestWeb(SlaprunnerTestCase):
self.assertEqual(requests.codes.ok, resp.status_code)
self.assertIn('SlapOS', resp.text)
def test_slaprunner_redirects(self):
# redirects also work as expected. In this test we visit stopAllPartition
# which should redirect to inspectInstance
parameter_dict = self.computer_partition.getConnectionParameterDict()
url = parameter_dict['url']
resp = requests.get(
urljoin(url, '/stopAllPartition'),
verify=False,
auth=(parameter_dict['init-user'], parameter_dict['init-password']))
self.assertEqual(resp.status_code, requests.codes.ok)
self.assertEqual(resp.url, urljoin(url, '/inspectInstance'))
# this also works behind a frontend
resp = requests.get(
urljoin(url, '/stopAllPartition'),
verify=False,
allow_redirects=False,
headers={'Host': 'example.com:1234'},
auth=(parameter_dict['init-user'], parameter_dict['init-password']))
self.assertEqual(resp.status_code, requests.codes.found)
self.assertEqual(resp.headers['Location'], 'https://example.com:1234/inspectInstance')
def test_shellinabox(self):
# shellinabox exists at /shellinabox and is password protected
parameter_dict = self.computer_partition.getConnectionParameterDict()
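Review bot: The second request in `test_slaprunner_redirects` is the actual regression check for the nginx change, but its comment `# this also works behind a frontend` does not say what is being simulated or why redirects are disabled. I would replace it with `# simulate a frontend by sending its Host header; the redirect must use that host and port, not "localhost"`, and note next to `allow_redirects=False` that `example.com:1234` must not actually be contacted. Both `requests.get` calls also lack a `timeout=`, so a hung instance would block the test run instead of failing it; whether the rest of the file follows the same convention is not visible here. `TestWeb` starts outside the hunk and `test_shellinabox` continues past it.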
......