azukaar / Cosmos-Server

☁️ The Most Secure and Easy Selfhosted Home Server. Take control of your data and privacy without sacrificing security and stability (Authentication, anti-DDOS, anti-bot)
https://cosmos-cloud.io

[BUG]: Chaining two levels of Cosmos is not possible #204

Closed athiffau closed 9 months ago

athiffau commented 9 months ago

What happened?

I am trying to chain two levels of proxy using Cosmos but I get a StatusBadRequest (400) when the /cosmos/api/me endpoint is loaded

What should have happened?

It should load the endpoint on the second layer instead of the first layer.

How to reproduce the bug?

I've been working on trying to chain two layers of proxy using Cosmos for a few days without success so I started to step through the code and this is why I think it currently cannot work. I'm not sure how to report this so hopefully this makes sense.

On xxx.xxx.xxx.193 I have an Ubuntu server + Cosmos installed = first layer.

I have the hostname of the first layer set to mydomain.com [internal IP xxx.xxx.xxx.193].

*.mydomain.com is pointing to [public ip] -> OPNSense firewall -> xxx.xxx.xxx.193. mydomain has wildcard SSL with DNS challenge setup = working perfectly.

I have a bunch of apps running on app[x].mydomain.com = working perfectly; note that some are in docker containers but some are proxied to external, standalone boxes. One example is HomeAssistant [Internal IP xxx.xxx.xxx.164] = working perfectly.

I create a proxy url as devbox.mydomain.com with target set to http://xxx.xxx.xxx.106

On xxx.xxx.xxx.106 I have an Ubuntu server + Cosmos installed = second layer. SSL is disabled on the dev box. The hostname is set to devbox.mydomain.com

I launch the url devbox.mydomain.com and this is what I see:

    // excerpt from middleware.go as quoted in the report
    if og != reqHostNoPort {
        PushShieldMetrics("hostname")
        Error("Invalid Hostname " + r.Host + " for request.", nil)
        w.WriteHeader(http.StatusBadRequest)
        http.Error(w, "Bad Request: Invalid hostname. Use your domain instead of your IP to access your server. Check logs if more details are needed.", http.StatusBadRequest)

From what I can tell, Cosmos running in layer 1 starts parsing the url and runs its checks and compares 'mydomain.com' to 'devbox.mydomain.com' which results in an invalid hostname. I think it's due to the redirect.

The solution is maybe to change function EnsureHostnameCosmosAPI [middleware.go] to evaluate all proxied hostnames as well - similar to what is done in function EnsureHostname [middleware.go]

Relevant log output

No response

Other details

No response

System details

azukaar commented 9 months ago

This is by design. This is done to prevent apps from overwriting Cosmos' endpoint with phishing pages to steal credentials and cannot be solved. If you want to access a Cosmos instance from another one, the only solution is Constellation
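To make the behaviour discussed in both comments concrete, here is an added example (not Cosmos' own code) of the kind of host-header check the quoted excerpt performs: requests under the `/cosmos/` API namespace are only served when the `Host` header, with any port stripped, equals the instance's configured hostname, while proxied application paths are untouched. The function names `ensureHostnameCosmosAPI`, `hostWithoutPort` and `probe`, the `/cosmos/` path prefix and the constructed scenarios are assumptions for illustration; the real middleware.go may differ in detail. The third probe reproduces the situation in the report: the outer instance configured as `mydomain.com` receives an API request for `devbox.mydomain.com` and answers 400, which is the property the maintainer describes as intentional, since it keeps an application served under a proxied hostname from presenting its own pages on Cosmos' authentication paths.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostWithoutPort strips an optional ":port" from a Host header value,
// so "mydomain.com:443" and "mydomain.com" compare equal.
// (Assumption: an illustrative reimplementation of the reqHostNoPort value
// seen in the excerpt, not the project's helper.)
func hostWithoutPort(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		return h
	}
	return host
}

// ensureHostnameCosmosAPI is a hypothetical middleware modelled on the check
// quoted in the issue: API requests must carry the configured hostname.
func ensureHostnameCosmosAPI(configuredHostname string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/cosmos/") {
			if hostWithoutPort(r.Host) != configuredHostname {
				// Same outcome as the excerpt: reject with 400 and never
				// fall through to the API handler.
				http.Error(w, "Bad Request: Invalid hostname. Use your domain instead of your IP to access your server.", http.StatusBadRequest)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the middleware and returns
// the HTTP status code the client would see.
func probe(configuredHostname, hostHeader, path string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	h := ensureHostnameCosmosAPI(configuredHostname, ok)
	req := httptest.NewRequest(http.MethodGet, "http://placeholder"+path, nil)
	req.Host = hostHeader // the Host header is what the check inspects
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed scenarios using the hostnames from the report.
	fmt.Println(probe("mydomain.com", "mydomain.com", "/cosmos/api/me"))        // 200: own hostname
	fmt.Println(probe("mydomain.com", "mydomain.com:443", "/cosmos/api/me"))    // 200: port is ignored
	fmt.Println(probe("mydomain.com", "devbox.mydomain.com", "/cosmos/api/me")) // 400: the chained case
	fmt.Println(probe("mydomain.com", "devbox.mydomain.com", "/app"))           // 200: proxied app path is not gated
}
```

The last probe shows why ordinary proxied apps keep working while a second Cosmos behind the first does not: only the `/cosmos/` namespace is pinned to the configured hostname, and the inner instance's API lives in exactly that namespace.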