Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nginx: reject requests with unexpected Host header #809

Merged
merged 39 commits into from
Dec 10, 2024
Merged

nginx: reject requests with unexpected Host header #809

merged 39 commits into from
Dec 10, 2024

Conversation

alxndrsn
Copy link
Contributor

@alxndrsn alxndrsn commented Dec 2, 2024
edited
Loading

Supersedes #747

Blocked by #814

What has been done to verify that this works as intended?

Tests.

Why is this the best possible solution? Were any other approaches considered?

#747 was also considered - this is up for debate.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Shouldn't change normal usage.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

Probably not.

Before submitting this PR, please make sure you have:

  • branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
  • verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

alxndrsn added 30 commits October 9, 2024 07:41
nginx: reject HTTPS requests with unexpected Host header
913ebcc
fix test URL
00b5bd7
Add check/config for HTTP
eb93b15
circle-ci: try changing DOMAIN to localhost
c232cb3
circle-ci: revert DOMAIN; force-set Host header
c26ee73
Merge branch 'next' into enforce-host-check-https
ff04489
capitalise host header
e1c245e
Merge branch 'next' into enforce-host-check-https
77b7505
revert code changes
bea939d
wip
20660c9
revert nginx dockerfile
4bc9b6f
expand comment
3627e92
421
b7ebe89
untee
18dad03
42102
5bcc786
421
2792708
re-order more like next
eea052d
revert circle config change
72db5d3
Revert "revert circle config change"
d4a27ee 
This reverts commit 72db5d3.
remove time limit for generated key
c6c5ce8
revert
bb07343
remove logging
b461036
remove catch-all server names
b1d5f23
Revert "revert"
13808d6 
This reverts commit bb07343.
Add test for SSL cert validity period.
0fd9b27
increase ssl cert validity period
c2683ce
rewrite test with TLS
c9b376e
little tls
7791efe
remove cert from fetch()
6971cda
remove stop
ba096cc
@alxndrsn alxndrsn marked this pull request as ready for review December 3, 2024 06:19
@alxndrsn alxndrsn requested a review from brontolosone December 3, 2024 06:19
@alxndrsn alxndrsn mentioned this pull request Dec 3, 2024
Closed
alxndrsn pushed a commit to alxndrsn/odk-central that referenced this pull request Dec 3, 2024
nginx: separate cert paths from server_name
e196707 
Working on getodk#809 I noticed that the location of SSL certs is based either on the domain name, or on the method of supply of SSL certs.

Cert provision approach should probably not affect the nginx "server_name" setting.

Also, the old variable name `CNAME` (short for "certificate name?") is easily confused with the DNS concept of CNAME records ("canonical names").
@alxndrsn alxndrsn mentioned this pull request Dec 3, 2024
Merged
2 tasks
@alxndrsn alxndrsn requested a review from yanokwa December 6, 2024 06:38
brontolosone
brontolosone requested changes Dec 6, 2024
View reviewed changes
Copy link
Contributor

@brontolosone brontolosone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have fears, please see comments

files/nginx/odk.conf.template Outdated Show resolved Hide resolved
files/nginx/redirector.conf Show resolved Hide resolved
test/test-nginx.js Show resolved Hide resolved
test/test-nginx.js Outdated Show resolved Hide resolved
alxndrsn added a commit that referenced this pull request Dec 7, 2024
@alxndrsn
nginx: separate cert paths from server_name (#814)
515bfb9 
Working on #809 I noticed that the location of SSL certs is based either on the domain name, or on the method of supply of SSL certs.

Cert provision approach should probably not affect the nginx "server_name" setting.

Also, the old variable name `CNAME` (short for "certificate name?") is easily confused with the DNS concept of CNAME records ("canonical names").
@alxndrsn alxndrsn requested a review from brontolosone December 8, 2024 09:37
@brontolosone brontolosone mentioned this pull request Dec 9, 2024
Open
@matthew-white matthew-white merged commit 0f7bad6 into getodk:next Dec 10, 2024
2 checks passed
alxndrsn pushed a commit to alxndrsn/odk-central that referenced this pull request Dec 10, 2024
test/nginx: remove misleading comment
ce40700 
This comment was merged as part of getodk#809, but was not correct by the time the PR was merged.
@alxndrsn alxndrsn mentioned this pull request Dec 10, 2024
Merged
@alxndrsn alxndrsn deleted the enforce-host-check-https-bronto-approach branch December 10, 2024 05:20
alxndrsn added a commit that referenced this pull request Dec 10, 2024
@alxndrsn
test/nginx: remove misleading comment (#839)
20878c7 
This comment was merged as part of #809, but was not correct by the time the PR was merged.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brontolosone brontolosone brontolosone approved these changes

@yanokwa yanokwa yanokwa approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@alxndrsn @yanokwa @brontolosone @matthew-white