Pulp https://pulp.plan.io/ 2020-09-04T18:36:56Z

Container Support - Issue #7462: auth token used in registry requests are not validated properly when behind an SSL proxy
https://pulp.plan.io/issues/7462?journal_id=62063 2020-09-04T18:36:56Z jsherril@redhat.com
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/62063/diff?detail_id=62239">diff</a>)</li></ul>

https://pulp.plan.io/issues/7462?journal_id=62087 2020-09-04T21:36:04Z dkliban@redhat.com
<p>I was able to reproduce on my machine. I had to ensure that the 'CONTENT_ORIGIN' setting was set to <a href="https://localhost" class="external">https://localhost</a>.</p>

https://pulp.plan.io/issues/7462?journal_id=62105 2020-09-07T13:47:08Z ekohl
<p>A common way with reverse proxy setups is <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto" class="external">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto</a>. Looks like Django has docs on this and <a href="https://docs.djangoproject.com/en/2.2/ref/settings/#secure-proxy-ssl-header" class="external">https://docs.djangoproject.com/en/2.2/ref/settings/#secure-proxy-ssl-header</a> suggests using this setting:</p>
<p>SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')</p>

https://pulp.plan.io/issues/7462?journal_id=62112 2020-09-08T13:29:39Z mdellweg
<p><a href="mailto:jsherril@redhat.com" class="email">jsherril@redhat.com</a> wrote:</p>
<blockquote>
<p>[...]
I think it makes sense to just create and validate the token based off the request path, and ignore hostname, protocol, and port
[...]</p>
</blockquote>
<p>I agree. This would be compatible with whatever strange URL rewrite rules a user might apply on his reverse proxy (well almost, but we need to assume something for the hash).</p>

https://pulp.plan.io/issues/7462?journal_id=62114 2020-09-08T14:44:30Z pulpbot
<ul><li><strong>Status</strong> changed from <i>NEW</i> to <i>POST</i></li></ul><p>PR: <a href="https://github.com/pulp/pulp_container/pull/146" class="external">https://github.com/pulp/pulp_container/pull/146</a></p>

https://pulp.plan.io/issues/7462?journal_id=62115 2020-09-08T15:52:54Z dkliban@redhat.com
<ul><li><strong>Assignee</strong> set to <i>dkliban@redhat.com</i></li></ul>

https://pulp.plan.io/issues/7462?journal_id=62116 2020-09-08T15:53:09Z dkliban@redhat.com
<ul><li><strong>Sprint</strong> set to <i>Sprint 81</i></li></ul>

https://pulp.plan.io/issues/7462?journal_id=62117 2020-09-08T15:56:21Z dkliban@redhat.com
<ul><li><strong>Status</strong> changed from <i>POST</i> to <i>MODIFIED</i></li></ul><p>Applied in changeset <a class="changeset" title="Use the path and query string of the URL to generate a 'validate_token'. fixes: #7462 https://pu..." href="https://pulp.plan.io/projects/pulp_container/repository/68/revisions/b6d5491405f33df4da46d07143473b3005f680a7">b6d5491405f33df4da46d07143473b3005f680a7</a>.</p>

https://pulp.plan.io/issues/7462?journal_id=62118 2020-09-08T16:05:53Z pulpbot
<p>PR: <a href="https://github.com/pulp/pulp_container/pull/147" class="external">https://github.com/pulp/pulp_container/pull/147</a></p>

https://pulp.plan.io/issues/7462?journal_id=62122 2020-09-08T17:49:13Z dkliban@redhat.com
<ul><li><strong>Sprint/Milestone</strong> set to <i>2.0.1</i></li></ul>

https://pulp.plan.io/issues/7462?journal_id=62124 2020-09-08T19:07:27Z pulpbot
<ul><li><strong>Status</strong> changed from <i>MODIFIED</i> to <i>CLOSED - CURRENTRELEASE</i></li></ul>