Open bluecmd opened 4 years ago
So VCSA embeds the URL to not only itself, but also other hosts. This is quite annoying, and we might need to rethink the strategy here. Maybe fest needs to be more than a HTTPS/TLS frontend...
A file upload to VCSA to another machine furthermore does not include cookies, just these headers:
```
Request URL: https://server-mgmt.xxx.xxxx/folder/xxxx.xxz?dcPath=ha-datacenter&dsName=datastore1&enc=std
Referrer Policy: no-referrer-when-downgrade
Provisional headers are shown
Content-type: application/octet-stream
DNT: 1
Referer: https://vc-mgmt.xxxx.xxxxx/ui/app/datastore;nav=s/urn:vmomi:Datastore:da[..]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
vmware-cgi-ticket: xxxx-xxxx-xx-xxxx-xxxxxx
dcPath: ha-datacenter
dsName: datastore1
enc: std
```
For example, this is a sort-of working example on nginx to show the needed hacks. File uploads still do not work, because of the cookies issue above.
```nginx
server {
    listen [::1]:8001 default_server;
    server_name _;

    location / {
        # Rewrite backend hostnames embedded in response bodies
        sub_filter "https://vc.x.y/" "https://vc-mgmt.x.y/";
        sub_filter "https://srv1.x.y/" "https://srv1-mgmt.x.y/";
        sub_filter "https://srv2.x.y/" "https://srv2-mgmt.x.y/";
        sub_filter_types text/html application/json;

        # Present the backend's own name as Host header and TLS SNI
        proxy_set_header Host "vc.x.y";
        proxy_ssl_name "vc.x.y";
        proxy_ssl_server_name on;

        # Rewrite Location headers in redirects
        proxy_redirect "https://vc.x.y/" "https://vc-mgmt.x.y/";

        # Pass WebSocket upgrades through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        proxy_pass https://vc.x.y/;
    }
}
```
VCSA 7.0 checks that the host the client is connecting to is the correct one, so we should support rewriting it to a configurable one - which should be used for SNI as well.
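
The following Go sketch is an added example, not code from this issue or from the fest project. It shows the Host/SNI rewrite requested above, combined with the Location and body rewrites from the nginx example. `NewFrontend`, `backendAddr` and `backendName` are hypothetical names, and the hostnames are the placeholders used in the nginx configuration.

```go
package main

import (
	"crypto/tls"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"strings"
)

// NewFrontend proxies to backendAddr, sending backendName as both the Host
// header and the TLS SNI name; r rewrites backend URLs to their proxied form.
func NewFrontend(backendAddr, backendName string, r *strings.Replacer) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Director: func(req *http.Request) {
			req.URL.Scheme, req.URL.Host = "https", backendAddr
			req.Host = backendName            // the name the backend expects to be reached by
			req.Header.Del("Accept-Encoding") // transport then decodes gzip before ModifyResponse
		},
		// ServerName is sent as SNI and used to verify the backend certificate.
		Transport: &http.Transport{TLSClientConfig: &tls.Config{ServerName: backendName}},
		ModifyResponse: func(resp *http.Response) error {
			if loc := resp.Header.Get("Location"); loc != "" {
				resp.Header.Set("Location", r.Replace(loc))
			}
			ct := resp.Header.Get("Content-Type")
			if !strings.HasPrefix(ct, "text/html") && !strings.HasPrefix(ct, "application/json") {
				return nil // other content types pass through unmodified
			}
			body, err := io.ReadAll(resp.Body)
			if err != nil {
				return err
			}
			resp.Body.Close()
			resp.Body = io.NopCloser(strings.NewReader(r.Replace(string(body))))
			resp.Header.Del("Content-Length") // length changed; let the server re-frame the body
			resp.ContentLength = -1
			return nil
		},
	}
}

func main() {
	// Constructed names taken from the nginx example's placeholders.
	r := strings.NewReplacer("https://vc.x.y/", "https://vc-mgmt.x.y/")
	log.Fatal(http.ListenAndServe("[::1]:8001", NewFrontend("vc.x.y:443", "vc.x.y", r)))
}
```

Because `ServerName` also drives certificate verification, the backend certificate must be valid for the configured name; the sketch does not disable verification.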