Re: Review Board Ticket #5012: requests to /api/... do not use public server name but private IP address

2023-11-08 Thread Heroic Albeit
To reply, visit

New update by HeroicAlbeit
For Beanbag, Inc. > Review Board > Ticket #5012


ah, yes. thanks for responding.

meanwhile I came across your point 1. of rewriting the Host header to 
``, like you suggest.

This, however, ran me into problems with Django's CSRF checks. To get these 
working I ended up with this in ``:


plus `proxy_set_header X-Forwarded-Proto https` in nginx.conf. The tweak 
here is to get it to send the correct protocol to the outside, i.e. 
`https:///...` instead of `http:///...`. This is because the API Gateway terminates the SSL.

I have not done any header (re)writings on the API Gateway.

So far I consider this a workaround, since - as far as I understand - it 
makes the CSRF checks pretty much useless. *(please tell me if I get that 
wrong, I have no understanding of how such attacks actually work and therefore 
what the risk is)*

oh, another side observation: my Server name (in General Settings on the 
WebUI) was set to `http://` by the installer and that still 
is so, despite me using `https://...` only. If I change this to `https://...` 
the CSRF checks break again.

You received this message because you are subscribed to the Google Groups 
"reviewboard-issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To view this discussion on the web visit
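The CSRF checks in question compare the browser's Origin header with the origin Django computes from its own view of the request, which, with TLS terminated at the API Gateway and nginx talking plain HTTP to gunicorn, is `http://...` unless Django is told to trust a proxy header. The settings lines themselves are elided above, so the following added example (not Review Board's or Django's code; host names are constructed) models Django's documented behaviour for the two settings normally used for this, `SECURE_PROXY_SSL_HEADER` and `CSRF_TRUSTED_ORIGINS`, and runs the check against both the site's own origin and a cross-site one:

```python
"""Simplified model of Django's CSRF origin check behind a TLS-terminating
proxy. Added example, not Review Board's or Django's own code: it re-implements
(from the documented behaviour) the parts of HttpRequest.scheme and
CsrfViewMiddleware._origin_verified() that decide the outcome, using only the
standard library. Host names below are constructed placeholders; the thread
elides the real ones."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

PUBLIC_HOST = "rb.example.com"   # constructed stand-in for the public server name


@dataclass
class Settings:
    # Django's SECURE_PROXY_SSL_HEADER, e.g. ("HTTP_X_FORWARDED_PROTO", "https")
    secure_proxy_ssl_header: tuple[str, str] | None = None
    csrf_trusted_origins: list[str] = field(default_factory=list)


def request_scheme(meta: dict, settings: Settings) -> str:
    """Scheme Django attributes to the request. Without SECURE_PROXY_SSL_HEADER
    it is the WSGI scheme, which is 'http' because gunicorn only ever sees the
    plain-HTTP hop from nginx."""
    if settings.secure_proxy_ssl_header:
        header, secure_value = settings.secure_proxy_ssl_header
        value = meta.get(header)
        if value is not None:
            value, *_ = value.split(",", 1)          # first hop only
            return "https" if value.strip() == secure_value else "http"
    return meta.get("wsgi.url_scheme", "http")


def origin_verified(meta: dict, settings: Settings) -> bool:
    """Mirror of the Origin-header branch of Django's CSRF check: the browser's
    Origin must equal the origin Django computes for itself, or be listed in
    CSRF_TRUSTED_ORIGINS (exact entries or '*.' subdomain wildcards)."""
    origin = meta["HTTP_ORIGIN"]
    own_origin = f"{request_scheme(meta, settings)}://{meta['HTTP_HOST']}"
    if origin == own_origin:
        return True
    parsed = urlparse(origin)
    for trusted in settings.csrf_trusted_origins:
        if "*" not in trusted:
            if origin == trusted:
                return True
            continue
        t = urlparse(trusted)
        pattern = t.netloc.lstrip("*")               # "*.example.com" -> ".example.com"
        if t.scheme == parsed.scheme and (
            parsed.netloc.endswith(pattern) or parsed.netloc == pattern.lstrip(".")
        ):
            return True
    return False


def wsgi_meta(origin: str, x_forwarded_proto: str) -> dict:
    """What gunicorn hands Django for a browser POST that traversed
    API Gateway (TLS) -> nginx (plain HTTP, Host rewritten to the public name)."""
    return {
        "wsgi.url_scheme": "http",                   # nginx -> gunicorn hop is plain HTTP
        "HTTP_HOST": PUBLIC_HOST,
        "HTTP_ORIGIN": origin,
        "HTTP_X_FORWARDED_PROTO": x_forwarded_proto,
    }


def scenarios() -> dict[str, bool]:
    browser = f"https://{PUBLIC_HOST}"
    attacker = "https://evil.example"               # constructed cross-site page
    default = Settings()
    proxy_aware = Settings(secure_proxy_ssl_header=("HTTP_X_FORWARDED_PROTO", "https"))
    trusted = Settings(csrf_trusted_origins=[f"https://{PUBLIC_HOST}"])
    return {
        # Posted nginx config: X-Forwarded-Proto carries $scheme, i.e. "http".
        "posted config, own site":   origin_verified(wsgi_meta(browser, "http"), default),
        # Header forced to "https" plus SECURE_PROXY_SSL_HEADER: own site passes...
        "proxy header, own site":    origin_verified(wsgi_meta(browser, "https"), proxy_aware),
        # ...while a cross-site POST is still rejected: the check is not disabled.
        "proxy header, attacker":    origin_verified(wsgi_meta(attacker, "https"), proxy_aware),
        # Alternative: whitelist the public origin without touching the scheme.
        "trusted origins, own site": origin_verified(wsgi_meta(browser, "http"), trusted),
        "trusted origins, attacker": origin_verified(wsgi_meta(attacker, "http"), trusted),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28s} -> {'accepted' if ok else 'rejected'}")
```

Either setting makes the site's own `https://` origin pass while a cross-site Origin is still rejected, so the check keeps doing its job. The caveat with `SECURE_PROXY_SSL_HEADER` is that Django then believes whatever `X-Forwarded-Proto` says, so the header must be set by nginx on every request rather than passed through from the client; `proxy_set_header` replaces any client-supplied value, which the posted configuration relies on.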

Re: Review Board Ticket #5012: requests to /api/... do not use public server name but private IP address

2023-11-02 Thread Heroic Albeit

New update by HeroicAlbeit
For Beanbag, Inc. > Review Board > Ticket #5012


To get some more insight and rule out the browser, I used curl to do the 
above failed request with the correct ``.

what I get is a JSON body that contains (many) wrong URLs with 
`http://` like so:

$ curl -H 'cookie: csrftoken=; rbsessionid;' 
{"draft": {"branch": "", "bugs_closed": [], "changedescription": "", 
"changedescription_text_type": "html", "commit_id": null, "depends_on": [], 
"description": "", "description_text_type": "html", "extra_data": {}, "id": 3, 
"last_updated": "2023-11-02T07:22:25Z", "links": {"delete": {"href": 
"http:///api/review-requests/3/draft/", "method": 
"DELETE"} ... "submitter": {"href": "http:///api/users/admin/", "method": "GET", "title": "admin"} ...

looks like the `/api/` part is not using the configured server name?


Review Board Ticket #5012: requests to /api/... do not use public server name but private IP address

2023-11-02 Thread Heroic Albeit

New ticket #5012 by HeroicAlbeit
For Beanbag, Inc. > Review Board

Status: New
Tags: Priority:Medium, Type:Defect

requests to /api/... do not use public server name but private IP address

# What version are you running?


in docker image 45ada0a9f402

this is a new setup with the nginx+gunicorn setup method and an "API Gateway" on 
Oracle Cloud in front of the nginx port.

The "API Gateway" is set up to route `https:///` 
to `http://:8080/`, where 8080 is the exposed 
nginx port. This works, as I can login.

# What's the URL of the page containing the problem?


this page shows up, but the "Diff" tab is missing and I am unable to change 
fields of this request, such as Summary or Description.

Using Debug Console of the browser reveals an error, see below.

# What steps will reproduce the problem?
1. create a new review request, i.e. by uploading a patch
2. browse the request
3. note the missing Diff tab
4. inspect browser debug console

# What is the expected output? What do you see instead?

the Diff tab would be there

editing Fields such as Summary would work

no errors in browser console

# What operating system are you using? What browser?

the instance uses Ubuntu 22.04.3 LTS on ARM processor

however, Reviewboard itself runs as the above-mentioned Docker image, pulling the 
ARM sha256.

# Please provide any additional information below.

the error on debug console is this:

3rdparty-base.min.js:1 Mixed Content: The page at 'https:///r/3/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http:///api/review-requests/3/draft/?api_format=json=html=raw=depends_on%2Ctarget_people%2Ctarget_groups'. This request has been blocked; the content must be served over HTTPS.

this is absolutely correct and cannot work, even if the browser did not 
block it, since `` is not routed on the internet.

also note that port 8080 is missing in ``; this tells me 
the API Gateway is not involved as it is set up to always send to this port.

looking at the Network tab in the browser debug tool shows a Request Initiator 
chain looking like this:

1. `https:///r/3/`
2. `https:///static/lib/js/3rdparty-base.min.js`
3. `http:///api/review-requests/3/draft/?api_format=json=html=raw=depends_on%2Ctarget_people%2Ctarget_groups`

the Request call stack for this is rather long and I can't copy-paste it.

the nginx.conf setup follows the Admin Manual, with the essential part being:
location / {
    proxy_pass http://reviewboard;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl off;
    proxy_set_header X-Real-IP $remote_addr;

    client_body_buffer_size 128k;
    proxy_connect_timeout   90;
    proxy_send_timeout      90;
    proxy_read_timeout      90;
    proxy_headers_hash_max_size 512;
    proxy_buffer_size       4k;
    proxy_buffers           4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
}

This handles login/logout and many other things such as configuring, while some 
(?) `/api/` requests don't ever reach this nginx since the browser gets told to 
send these using the ``.

The Server name in General Settings is correctly set to `` 
- I guess login would not be possible otherwise.


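The three things the ticket observes in the generated URL (private address, `http://`, no `:8080`) all follow from what the posted `location /` block sends upstream: `$host` is the Host header the Gateway sent, with the port stripped, and `$scheme` is the scheme of the hop into nginx, which is plain HTTP because the Gateway terminated TLS. Django reads neither `X-Forwarded-Port` nor `X-Forwarded-Ssl` by default. The following added example (not Review Board, nginx or Django code; addresses and names are constructed placeholders for the elided ones) models that chain under the assumption that the API's `href` values are built the way Django's `request.build_absolute_uri()` builds them, which the posted JSON is consistent with but the thread does not confirm. It shows the resulting URL for the posted configuration, for a rewritten `Host` alone, and for `Host` plus a literal `X-Forwarded-Proto https` with Django's `SECURE_PROXY_SSL_HEADER` set:

```python
"""Model of the header chain API Gateway -> nginx -> gunicorn/Django, to show
which scheme and host the backend ends up putting into absolute URLs. Added
example, not Review Board, nginx or Django code. It assumes the API's href
values are built from the request's own scheme and host the way Django's
request.build_absolute_uri() does. Addresses and names are constructed."""
from __future__ import annotations

PUBLIC_HOST = "rb.example.com"      # constructed public server name
PRIVATE_ADDR = "10.0.0.5"           # constructed private address the Gateway targets
NGINX_PORT = 8080
API_PATH = "/api/review-requests/3/draft/"


def nginx_upstream_headers(incoming_host: str, incoming_scheme: str,
                           host_override: str | None = None,
                           proto_override: str | None = None) -> dict[str, str]:
    """Headers the posted `location /` block sends upstream. nginx's $host is
    the Host header with any port stripped, and $scheme is the scheme of the
    hop *into* nginx, which is plain http because TLS ended at the Gateway.
    host_override / proto_override stand for replacing `$host` / `$scheme`
    with literals in proxy_set_header."""
    nginx_host = incoming_host.split(":", 1)[0]      # $host drops ":8080"
    return {
        "Host": host_override or nginx_host,
        "X-Forwarded-Proto": proto_override or incoming_scheme,
        "X-Forwarded-Port": str(NGINX_PORT),         # $server_port; Django does not read it
        "X-Forwarded-Ssl": "off",
    }


def django_scheme(meta: dict[str, str], trust_proxy_header: bool) -> str:
    """HttpRequest.scheme: wsgi.url_scheme unless SECURE_PROXY_SSL_HEADER =
    ('HTTP_X_FORWARDED_PROTO', 'https') is configured, in which case the
    first value of X-Forwarded-Proto decides."""
    if trust_proxy_header and "HTTP_X_FORWARDED_PROTO" in meta:
        first_hop = meta["HTTP_X_FORWARDED_PROTO"].split(",", 1)[0].strip()
        return "https" if first_hop == "https" else "http"
    return meta["wsgi.url_scheme"]


def build_absolute_uri(headers: dict[str, str], path: str,
                       trust_proxy_header: bool) -> str:
    """Same shape as request.build_absolute_uri(path) for a request gunicorn
    received over plain HTTP carrying these headers."""
    meta = {"wsgi.url_scheme": "http"}               # nginx -> gunicorn hop is plain HTTP
    meta.update({"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()})
    return f"{django_scheme(meta, trust_proxy_header)}://{meta['HTTP_HOST']}{path}"


def posted_setup() -> str:
    # Gateway routes https://PUBLIC_HOST/ to http://PRIVATE_ADDR:8080/, so nginx
    # receives Host: 10.0.0.5:8080 over http and forwards exactly that picture.
    h = nginx_upstream_headers(f"{PRIVATE_ADDR}:{NGINX_PORT}", "http")
    return build_absolute_uri(h, API_PATH, trust_proxy_header=False)


def host_rewritten_only() -> str:
    # "Point 1" from the thread: proxy_set_header Host <public name>.
    h = nginx_upstream_headers(f"{PRIVATE_ADDR}:{NGINX_PORT}", "http",
                               host_override=PUBLIC_HOST)
    return build_absolute_uri(h, API_PATH, trust_proxy_header=False)


def host_and_proto_rewritten() -> str:
    # Plus proxy_set_header X-Forwarded-Proto https and SECURE_PROXY_SSL_HEADER.
    h = nginx_upstream_headers(f"{PRIVATE_ADDR}:{NGINX_PORT}", "http",
                               host_override=PUBLIC_HOST, proto_override="https")
    return build_absolute_uri(h, API_PATH, trust_proxy_header=True)


if __name__ == "__main__":
    print("posted config:            ", posted_setup())
    print("Host rewritten:           ", host_rewritten_only())
    print("Host + X-Forwarded-Proto: ", host_and_proto_rewritten())
```

Rewriting `Host` alone removes the private address but still yields `http://`, which is exactly the mixed-content block the browser reports; only the scheme fix on top of it produces an `https://` URL. Forcing `X-Forwarded-Proto` to a literal `https` is only correct while every path into this nginx really is TLS-terminated upstream: if nginx is ever reachable over plain HTTP directly, Django would then treat those requests as secure as well.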