From 5427c0a0193f2a8e89e03bd1ffa43822afd5416f Mon Sep 17 00:00:00 2001 From: Peter Law Date: Thu, 9 Nov 2023 22:16:32 +0000 Subject: [PATCH 1/4] Passthrough the public hostname to the code-submitter for valid urls See inline comment for why this is needed. --- host_vars/competitorsvcs.studentrobotics.org.yml | 4 ++++ roles/srobo-nginx/templates/nginx.conf | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/host_vars/competitorsvcs.studentrobotics.org.yml b/host_vars/competitorsvcs.studentrobotics.org.yml index f156525..e586f5a 100644 --- a/host_vars/competitorsvcs.studentrobotics.org.yml +++ b/host_vars/competitorsvcs.studentrobotics.org.yml @@ -1,6 +1,10 @@ --- canonical_hostname: competitorsvcs.studentrobotics.org secondary_hostnames: + # Include our primary canonical hostname so that requests via the proxy there + # aren't redirected. This is needed (rather than overriding the Host header + # with the actual domain) so that urls generated by services hosted services + # include the right domain. - studentrobotics.org add_hsts_header: true diff --git a/roles/srobo-nginx/templates/nginx.conf b/roles/srobo-nginx/templates/nginx.conf index badee8b..59cdebb 100644 --- a/roles/srobo-nginx/templates/nginx.conf +++ b/roles/srobo-nginx/templates/nginx.conf @@ -123,7 +123,8 @@ http { # starting up, even if in a degraded mode. set $competitorsvcs 'competitorsvcs.studentrobotics.org'; proxy_pass https://$competitorsvcs/code-submitter/; - proxy_set_header Host $competitorsvcs; + # Note: don't set a Host header as we want the code-submitter to use our + # public hostname, not the hostname of the underlying machine. } {% endif %} From 7604bbdbe5ffc10ad1a8e184954e539848127b11 Mon Sep 17 00:00:00 2001 From: Peter Law Date: Thu, 9 Nov 2023 22:18:19 +0000 Subject: [PATCH 2/4] Include the proxy as a secondary hostname in development too --- host_vars/sr-compsvc.yml | 3 +++ 1 file changed, 3 insertions(+) 
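Review bot: The last sentence of the new comment is garbled (`urls generated by services hosted services include the right domain`), and since this comment is the only place the rationale for listing the parent domain here is recorded, it should read cleanly; suggest `# with the actual domain) so that URLs generated by the services hosted here` followed by `# include the public domain rather than this machine's own name.`. It would also help to state the implication explicitly: the hosted services now build absolute URLs from whatever Host header the proxy forwards, which is only safe while the proxy's accepted server names are limited to these public hostnames — that restriction lives in the nginx templates and is not visible in this hunk, so it is worth a sentence here pointing at it.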
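Review bot: Dropping `proxy_set_header Host $competitorsvcs;` does not on its own forward the client's Host header: when a location defines no `proxy_set_header Host`, nginx sends `Host: $proxy_host`, which here resolves to `$competitorsvcs` again, so the new comment's claim only holds if an enclosing server or http block sets `proxy_set_header Host $host` and this location declares no other `proxy_set_header` directive (any such directive at this level stops inheritance of the parent's whole set). Neither condition is visible in the hunk, and the enclosing location block starts and ends outside it, so the comment is currently an assumption rather than a guarantee. Making the intent explicit removes the dependency on inheritance: `proxy_set_header Host $host;  # code-submitter builds URLs from Host; must be our public name, not the backend's`. Since the backend will now trust the forwarded Host for URL generation, the comment should also note that this is only safe while this proxy's server_name stays restricted to the public hostnames.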
diff --git a/host_vars/sr-compsvc.yml b/host_vars/sr-compsvc.yml index 4b0738d..e4d2f18 100644 --- a/host_vars/sr-compsvc.yml +++ b/host_vars/sr-compsvc.yml @@ -3,6 +3,9 @@ canonical_hostname: sr-compsvc secondary_hostnames: + # See explanation in host_vars/competitorsvcs.studentrobotics.org.yml for why + # we include the proxy hostname here. + - sr-proxy add_hsts_header: false certbot_create_if_missing: false From 6c1f19fc4c824859824baee6a52c43867684d1d0 Mon Sep 17 00:00:00 2001 From: Peter Law Date: Thu, 9 Nov 2023 22:18:38 +0000 Subject: [PATCH 3/4] Fix rendering of secondary hostnames into Nginx config It turns out that outputting a list by dumping it into a text file doesn't work so well. --- roles/competitor-services-nginx/templates/nginx.conf | 2 +- roles/srobo-nginx/templates/nginx.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/competitor-services-nginx/templates/nginx.conf b/roles/competitor-services-nginx/templates/nginx.conf index 1678d07..8c2ea27 100644 --- a/roles/competitor-services-nginx/templates/nginx.conf +++ b/roles/competitor-services-nginx/templates/nginx.conf @@ -70,7 +70,7 @@ http { # several server blocks can listen to the same port). listen 443 ssl; listen [::]:443 ssl; - server_name {{ canonical_hostname }} {{ secondary_hostnames }}; + server_name {{ canonical_hostname }} {% for name in secondary_hostnames %}{{ name }} {% endfor %}; root /var/www; proxy_pass_request_headers on; diff --git a/roles/srobo-nginx/templates/nginx.conf b/roles/srobo-nginx/templates/nginx.conf index 59cdebb..9006a71 100644 --- a/roles/srobo-nginx/templates/nginx.conf +++ b/roles/srobo-nginx/templates/nginx.conf 
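Review bot: The new `{% for %}` loop on the `server_name` line leaves a trailing space before `;` (harmless) but still cannot render when `secondary_hostnames` is a bare `secondary_hostnames:` key, which YAML reads as null and Jinja cannot iterate; at this point in the series two host_vars files still do exactly that. Ansible's `join` filter states the intent in one expression and a default guards the null case: `server_name {{ canonical_hostname }} {{ secondary_hostnames | default([], true) | join(' ') }};`. The names are interpolated unquoted into the nginx configuration, so a value containing whitespace or `;` would change the directive; that is acceptable while the list comes only from host_vars, but a short comment above the line, `# secondary_hostnames is operator-controlled: rendered unquoted into server_name`, would make that assumption visible.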
@@ -94,7 +94,7 @@ http { # several server blocks can listen to the same port). listen 443 ssl; listen [::]:443 ssl; - server_name {{ canonical_hostname }} {{ secondary_hostnames }}; + server_name {{ canonical_hostname }} {% for name in secondary_hostnames %}{{ name }} {% endfor %}; root /var/www; proxy_pass_request_headers on; From 73833a9125007fa3ee86534261fde12c821a704c Mon Sep 17 00:00:00 2001 From: Peter Law Date: Thu, 9 Nov 2023 22:23:51 +0000 Subject: [PATCH 4/4] Hoist default secondary_hostnames and set correct value This is a list of strings. --- group_vars/all.yml | 4 ++++ host_vars/monty.studentrobotics.org.yml | 1 - host_vars/sr-proxy.yml | 1 - 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/group_vars/all.yml b/group_vars/all.yml index 8f4e27d..e30f478 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -1,4 +1,8 @@ --- +# Hostnames which are accepted as valid for this host (and not redirected away +# from) even though they are not the canonical name. +secondary_hostnames: [] + certbot_auto_renew: true certbot_auto_renew_user: root certbot_auto_renew_hour: "3" diff --git a/host_vars/monty.studentrobotics.org.yml b/host_vars/monty.studentrobotics.org.yml index 397bd42..a95eff5 100644 --- a/host_vars/monty.studentrobotics.org.yml +++ b/host_vars/monty.studentrobotics.org.yml @@ -1,6 +1,5 @@ --- canonical_hostname: studentrobotics.org -secondary_hostnames: add_hsts_header: true certbot_create_if_missing: true diff --git a/host_vars/sr-proxy.yml b/host_vars/sr-proxy.yml index e0ee6a1..0ee3d6c 100644 --- a/host_vars/sr-proxy.yml +++ b/host_vars/sr-proxy.yml @@ -2,7 +2,6 @@ # This is a dev VM created by Vagrant. canonical_hostname: sr-proxy -secondary_hostnames: add_hsts_header: false certbot_testmode: true
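Review bot: Same point as for the competitor-services template: the `{% for %}` loop on the `server_name` line still breaks on a null `secondary_hostnames` (a bare key in host_vars) and emits a stray trailing space; `server_name {{ canonical_hostname }} {{ secondary_hostnames | default([], true) | join(' ') }};` is the idiomatic Ansible form and tolerates the null case. Because this is the public-facing proxy whose forwarded Host header the code-submitter now trusts (per the earlier patch in this series), it is worth a comment here that every name in this list is accepted and passed upstream as a valid Host.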
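Review bot: The new default's comment should warn that a per-host override must be a list, not a bare key: `secondary_hostnames:` with no value is YAML null rather than an empty list, and the nginx templates then fail to iterate it — this very series removes that pattern from two host_vars files. Suggest appending `# Must be a YAML list; use [] to clear it — a bare key (null) breaks the nginx server_name templates.` and adding that each name listed is rendered into nginx `server_name` and therefore accepted as a valid Host for URL generation by the hosted services, so only names this host legitimately serves belong here.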