Review Board Ticket #5012: requests to /api/... do not use public server name but private IP address

[Heroic Albeit]

------------------------------------------------------------------------------
To reply, visit https://hellosplat.com/s/beanbag/tickets/5012/
------------------------------------------------------------------------------

New ticket #5012 by HeroicAlbeit
For Beanbag, Inc. > Review Board

Status: New
Tags: Priority:Medium, Type:Defect


------------------------------------------------------------------------------
requests to /api/... do not use public server name but private IP address
==============================================================================

# What version are you running?


6.0

in docker image 45ada0a9f402


this is a new setup with the nginx+gunicorn setup method and a "API Gateway" on 
Oracle Cloud in front of the nginx port.

The "API Gateway" is setup to route `https://<public server name>/<everything>` 
to `http://<private instance ip>:8080/<everything>`, where 8080 is the exposed 
nginx port. This works, as I can login.


# What's the URL of the page containing the problem?

`https://<public server name>/r/3/`


this page shows up, but the "Diff" tab is missing and I am unable to change 
fields of this request, such as Summary or Description.

Using Debug Console of the browser reveals an error, see below.


# What steps will reproduce the problem?
1. create a new review request, ie. by uploading a patch
2. browse the request
3. not the missing Diff tab
4. inspect browser debug console


# What is the expected output? What do you see instead?

the Diff tab would be there

editing Fields such as Summary would work

no errors in browser console


# What operating system are you using? What browser?

the instance uses Ubuntu 22.04.3 LTS on ARM processor

however, Reviewboard itself runs as above mentioned Docker image, pulling the 
ARM sha256.


# Please provide any additional information below.


the error on debug console is this:


```
3rdparty-base.min.js:1 Mixed Content: The page at 'https://<public server 
name>/r/3/' was loaded over HTTPS, but requested an insecure XMLHttpRequest 
endpoint 'http://<private instance 
ip>/api/review-requests/3/draft/?api_format=json&force-text-type=html&include-text-types=raw&expand=depends_on%2Ctarget_people%2Ctarget_groups'.
 This request has been blocked; the content must be served over HTTPS.
```

this is absolutely correct and can not work, even if the browser would not 
block it, since `<private instance ip>` is not routed on the internet.

also note that port 8080 is missing in `<private instance ip>`; this tells me 
the API Gateway is not involved as it is setup to always send to this port.

looking at the Network tab in the browser debug tool shows a Request Initiator 
chain looking like this:


1. `https://<public server name>/r/3/`
2. `https://<public server name>/static/lib/js/3rdparty-base.min.js`
3. `http://<private instance 
ip>/api/review-requests/3/draft/?api_format=json&force-text-type=html&include-text-types=raw&expand=depends_on%2Ctarget_people%2Ctarget_groups`

the Request call stack for this is rather long and I can't copy-paste it.


the nginx.conf setup follows the Admin Manual, with the essential part being:
```
    location / {
        proxy_pass http://reviewboard;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl off;
        proxy_set_header X-Real-IP $remote_addr;

        client_max_body_size        10m;
        client_body_buffer_size     128k;
        proxy_connect_timeout       90;
        proxy_send_timeout          90;
        proxy_read_timeout          90;
        proxy_headers_hash_max_size 512;
        proxy_buffer_size           4k;
        proxy_buffers               4 32k;
        proxy_busy_buffers_size     64k;
        proxy_temp_file_write_size  64k;
    }
```

This handles login/logout and many other things such as configuring, while some 
(?) `/api/` requests dont ever reach this nginx since the browser gets told to 
send these using the `<private instance ip>`.

The Server name in General Settings is correctly set to `<public server name>` 
- I guess login would not be impossible otherwise.

------------------------------------------------------------------------------

-- 
You received this message because you are subscribed to the Google Groups 
"reviewboard-issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard-issues+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/reviewboard-issues/20231102142420.23594.27586%40ip-10-1-54-209.ec2.internal.