akvo / akvo-provisioning

Server and development environment provisioning data and configurations

Remove '_' as a possible HTTP_HOST header for RSR #263

Closed KasperBrandt closed 8 years ago

KasperBrandt commented 8 years ago

See https://github.com/akvo/akvo-provisioning/blob/master/puppet/modules/rsr/manifests/config.pp#L18.

Background information (from email):

Invalid HTTP_HOST header: '_'. The domain name provided is not valid according to RFC 1034/1035.

Request repr(): 
<WSGIRequest
path:/,
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{},
META:{'HTTP_ACCEPT': '*/*',
'HTTP_CONNECTION': 'close',
'HTTP_HOST': '_',
'HTTP_USER_AGENT': 'masscan/1.0 (https://github.com/robertdavidgraham/masscan)',
'HTTP_X_FORWARDED_FOR': '149.78.247.241',
'HTTP_X_REAL_IP': '149.78.247.241',
'PATH_INFO': u'/',
'QUERY_STRING': '',
'RAW_URI': '/',
'REMOTE_ADDR': '149.78.247.241',
'REMOTE_PORT': '80',
'REQUEST_METHOD': 'GET',
'SCRIPT_NAME': u'',
'SERVER_NAME': '_',
'SERVER_PORT': '80',
'SERVER_PROTOCOL': 'HTTP/1.0',
'SERVER_SOFTWARE': 'gunicorn/18.0',
'gunicorn.socket': <socket._socketobject object at 0x1286a600>,
'wsgi.errors': <open file '<stderr>', mode 'w' at 0x7f0432184270>,
'wsgi.file_wrapper': <class gunicorn.http.wsgi.FileWrapper at 0x7f042f2b5d50>,
'wsgi.input': <gunicorn.http.body.Body object at 0xf9bdf50>,
'wsgi.multiprocess': True,
'wsgi.multithread': False,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}>
kardan commented 8 years ago

We just need to make sure we don't block partners that have set up a host like projects.partner.org for the RSR page.

I have to say that I can't really remember how this works, but I was under the impression (without having thought about it) that we need to allow "everything" into RSR.

orifito commented 8 years ago

I've just seen we also have *.akvoapp.org as a valid server name.

KasperBrandt commented 8 years ago

@kardan Those do not exist currently. Plus, we get an error message for those as well:

Invalid HTTP_HOST header: 'dutchforeignaffairs_ice.akvoapp.org'. The domain name provided is not valid according to RFC 1034/1035.

Request repr(): 
<WSGIRequest
path:/robots.txt,
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{},
META:{'HTTP_ACCEPT': '*/*',
'HTTP_ACCEPT_ENCODING': 'gzip',
'HTTP_ACCEPT_LANGUAGE': 'zh-cn,zh-tw',
'HTTP_CONNECTION': 'close',
'HTTP_HOST': 'dutchforeignaffairs_ice.akvoapp.org',
'HTTP_USER_AGENT': 'Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2',
'HTTP_X_FORWARDED_FOR': '123.125.71.76',
'HTTP_X_REAL_IP': '123.125.71.76',
'PATH_INFO': u'/robots.txt',
'QUERY_STRING': '',
'RAW_URI': '/robots.txt',
'REMOTE_ADDR': '123.125.71.76',
'REMOTE_PORT': '80',
'REQUEST_METHOD': 'GET',
'SCRIPT_NAME': u'',
'SERVER_NAME': 'dutchforeignaffairs_ice.akvoapp.org',
'SERVER_PORT': '80',
'SERVER_PROTOCOL': 'HTTP/1.0',
'SERVER_SOFTWARE': 'gunicorn/18.0',
'gunicorn.socket': <socket._socketobject object at 0x10b2e9f0>,
'wsgi.errors': <open file '<stderr>', mode 'w' at 0x7f0432184270>,
'wsgi.file_wrapper': <class gunicorn.http.wsgi.FileWrapper at 0x7f042f2b5d50>,
'wsgi.input': <gunicorn.http.body.Body object at 0x2006dad0>,
'wsgi.multiprocess': True,
'wsgi.multithread': False,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}>
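Both error messages above come from the same place: Django's `HttpRequest.get_host()` first checks the raw `Host` header against a hostname pattern (letters, digits, dots and hyphens, or a bracketed IPv6 literal, with an optional port) and only then compares it against `ALLOWED_HOSTS`. A value that fails the first check, such as `_` or a label containing an underscore, is rejected with the "RFC 1034/1035" message no matter what `ALLOWED_HOSTS` contains, even `'*'`. The following is an added example written for this page, not code from the issue or from the akvo-provisioning repository; it re-implements that two-step check in plain Python and runs it over the two `Host` values quoted in this thread plus a few constructed ones. The `ALLOWED_HOSTS` list and the extra sample hostnames are assumptions for the demonstration, not the project's real configuration.

```python
import re

# Same shape as the hostname check Django applies before consulting
# ALLOWED_HOSTS: lowercase letters, digits, dots and hyphens (or a bracketed
# IPv6 literal) followed by an optional :port. Underscores are not permitted,
# which is why '_' and 'dutchforeignaffairs_ice.akvoapp.org' are rejected
# with the RFC 1034/1035 message before ALLOWED_HOSTS is even looked at.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$")


def split_domain_port(host):
    """Return (domain, port); ('', '') if the header is not a valid hostname."""
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):            # bare IPv6 literal without a port
        return host, ""
    bits = host.rsplit(":", 1)        # regex guarantees at most one :port suffix
    return (bits[0], bits[1]) if len(bits) == 2 else (bits[0], "")


def matches_allowed(domain, allowed_hosts):
    """ALLOWED_HOSTS semantics: '*' matches anything, a leading-dot pattern
    matches the domain itself and any subdomain, anything else is exact."""
    domain = domain[:-1] if domain.endswith(".") else domain
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if domain.endswith(pattern) or domain == pattern[1:]:
                return True
        elif pattern == domain:
            return True
    return False


def check_host(host_header, allowed_hosts):
    """Return (accepted, reason) for a raw Host header value."""
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False, "not valid according to RFC 1034/1035"
    if not matches_allowed(domain, allowed_hosts):
        return False, "not in ALLOWED_HOSTS"
    return True, "ok"


# Constructed sample data (assumption for the demo, not the project's setting).
ALLOWED_HOSTS = [".akvoapp.org", "rsr.akvo.org", "projects.partner.org"]

SAMPLE_HOSTS = [
    "_",                                    # from the masscan request in the issue
    "dutchforeignaffairs_ice.akvoapp.org",  # underscore inside a label, from the issue
    "demo.akvoapp.org",                     # matched by the '.akvoapp.org' wildcard
    "akvoapp.org",                          # leading-dot pattern also matches bare domain
    "rsr.akvo.org:443",                     # port is split off before matching
    "projects.partner.org",                 # partner-hosted name, exact match
    "evil.example.com",                     # valid syntax, but not allowed
]


def run_samples(allowed_hosts=ALLOWED_HOSTS, hosts=SAMPLE_HOSTS):
    """Classify every sample Host header; returns {host: (accepted, reason)}."""
    return {h: check_host(h, allowed_hosts) for h in hosts}


if __name__ == "__main__":
    for host, (ok, reason) in run_samples().items():
        print(f"{host:40} {'ACCEPT' if ok else 'REJECT':6} {reason}")
```

The practical consequence for this issue is that no `ALLOWED_HOSTS` entry can make Django accept a `Host` of `_`; the only way to stop the error mails is to keep such requests from reaching gunicorn at all, which is what dropping the `_` server name in nginx does. Note also that Django's wildcard form is `.akvoapp.org` (leading dot), while nginx spells the equivalent `*.akvoapp.org`; the two configurations have to agree for partner and akvoapp hostnames to be served.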
orifito commented 8 years ago

So... should we remove the _ and *.akvoapp.org server names?

kardan commented 8 years ago

FWIW, I'm not sure what we should do.

KasperBrandt commented 8 years ago

@kardan At least disallow _ in any RSR hostname :)

orifito commented 8 years ago

@kardan @KasperBrandt OK, I'm going to remove the _ server names and reconfigure nginx accordingly.

orifito commented 8 years ago

Applied to all environments :dancers: