geoadmin / mf-geoadmin3

Legacy source code of map.geo.admin.ch
https://map.geo.admin.ch

Print asks for permission (403) #2772

Closed davidoesch closed 8 years ago

davidoesch commented 8 years ago

Printing from "outside Bund": a 403 is returned.

Although I cannot reproduce it, we had several customers who were able to do so (see e.g. helpdesk customer feedback ID: 2015101913282565), and clearing the cache or restarting the computer did not help.

Error message after hitting the print button

"The website declined to show this webpage. HTTP 403 Most likely causes: • This website requires you to log in. What you can try: Go back to the previous page. More information This error (HTTP 403 Forbidden) means that Internet Explorer was able to connect to the website, but you do not have permission to view this webpage. For more information about HTTP errors, see Help.

Permalink: https://map.geo.admin.ch/?topic=ech&lang=de&bgLayer=ch.swisstopo.pixelkarte-farbe&layers=ch.swisstopo.zeitreihen,ch.bfs.gebaeude_wohnungs_register,ch.bafu.wrz-wildruhezonen_portal,ch.swisstopo.swisstlm3d-wanderwege&layers_visibility=false,false,false,false&layers_timestamp=18641231,,,&X=221169.00&Y=614549.00&zoom=9.

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)

"

-> Assumption: this is the case since the varnish / S3 adaptation?

gjn commented 8 years ago

Looks like IE9. Might be security settings.

davidoesch commented 8 years ago

... We did once implement a solution for IE for enabling the PDF download - a side effect?

gjn commented 8 years ago

Could very well be. We recently switched our print back-ends, thus changed something in the varnish configuration. Might be that this broke the IE9 workaround.

I'll have a look Thursday.

gjn commented 8 years ago

We did a change in varnish by also requiring referer for print downloads (before, referer was only needed to create the print).

@danduk82 Could you please revert this change as it breaks IE9 printing. Instead of /print/* [1], we should use "/print/*.json".

I can test it on dev/int before going to prod. Let me know.

danduk82 commented 8 years ago

@gjn: I'll do it ASAP, I'm having a couple of issues right now because of the puppet 4 migration (which I was informed about only this morning, by the way...).

cedricmoullet commented 8 years ago

@danduk82 any status update ?

danduk82 commented 8 years ago

I can push a "quick fix in production" in 15 min, or make it clean in a couple of hours. What do you prefer?

danduk82 commented 8 years ago

@gjn: can you test the new config on the infra ELB? Its DNS: vpc-lb-infra-923749892.eu-west-1.elb.amazonaws.com. By the way, this configuration already includes a bit of cleanup... We should also test the DEV and INT addresses, as I have changed the backends (not the machines, only their definition in varnish).

gjn commented 8 years ago

@danduk82 I'll do it today. Can you provide a git diff?

gjn commented 8 years ago

@danduk82 There's no restriction at all. Paths ending with print/info.json and print/create.json should be restricted. All others open.

danduk82 commented 8 years ago

@gjn Of course there is: if req.url ~ "^/1.0.0/WMTSCapabilities.xml" || req.url ~ "^/1.0.0/legend/" -> no restrictions, else -> referer check.

For printprogress and "/print/.*.pdf.printout" there is no check.
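A Varnish VCL sketch of the rule the two comments above converge on: capabilities and legends always open, only the print info/create JSON calls behind a referer check, and the PDF download and printprogress left open because IE9 fetches the download without a Referer header. This is an added illustration, not the project's actual configuration (which is not on this page); the backend address and the list of accepted referer hosts are assumptions.

```vcl
vcl 4.0;

# Hypothetical backend; the real print hosts are not given on this page.
backend print {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Always public: capabilities document and layer legends.
    if (req.url ~ "^/1.0.0/WMTSCapabilities\.xml" ||
        req.url ~ "^/1.0.0/legend/") {
        return (hash);
    }

    # Earlier, broken form (matched every print URL, including the download):
    #   if (req.url ~ "^/print/") { ... referer check ... }
    # That made /print/<id>.pdf.printout return 403 for IE9, which sends no
    # Referer when it fetches the PDF. Restrict only the JSON calls instead;
    # /print/<id>.pdf.printout and /printprogress stay open.
    if (req.url ~ "/print/(info|create)\.json") {
        # Accepted origins are an assumption for this example.
        if (!req.http.Referer ||
            req.http.Referer !~ "^https?://([A-Za-z0-9-]+\.)*(geo\.admin\.ch|bgdi\.ch)(:[0-9]+)?/") {
            return (synth(403, "Forbidden: missing or foreign Referer"));
        }
    }
}
```

Two practical points when testing a rule like this: check each path class separately (a curl with and without `-H "Referer: ..."` against `/print/info.json`, against a `.pdf.printout` URL, and against `/1.0.0/WMTSCapabilities.xml`), and keep in mind that Referer is set by the client, so this gate only deters casual hotlinking of the print service; it is not authentication and any script can supply a matching header.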

gjn commented 8 years ago

I strictly tested print.

I assume your changes don't affect other regions. Full-fledged tests needed?

gjn commented 8 years ago

all good

gjn commented 8 years ago

Let me know when it's ready to be tested on dev/int.

gjn commented 8 years ago

@danduk82 status?

danduk82 commented 8 years ago

I am still waiting for C2C to solve the puppet-related bug... I cannot deploy the branch until it is fixed.

danduk82 commented 8 years ago

and I do not want to push it on stable without proper testing. (of course)

gjn commented 8 years ago

Ok. let me know when it's done.

danduk82 commented 8 years ago

It is now applied on DEV and INT. The ACLs seem correct, but I get nothing with a curl on /print/info.json. But I get JSON back when I test it on INT... Can you test it too?

procrastinatio commented 8 years ago

I did reinstall the print-war. All fine now.

gjn commented 8 years ago

@danduk82 For prod addresses, I think everything is good.

But for the mf-chsdi3.int.bgdi.ch address on INT, I'm not sure. Jenkins on INT (using the mf-chsdi3.int.bgdi.ch address without any DNS spoofing) fails with the GetCapabilities check (it's not protected there). Any idea why?

danduk82 commented 8 years ago

OK, I push it in a moment.

danduk82 commented 8 years ago

It is applied on prod. I have to check INT.

danduk82 commented 8 years ago

Actually, I was told to free WMTSCapabilities/ and legend/, so this behavior is normal. Should I restrict them instead?

gjn commented 8 years ago

Ok for me. We just need to adapt the tests then.

gjn commented 8 years ago

@danduk82 Prod tests are failing now too.

We will leave the varnish configuration as it is (WMTSCapabilities and Legend open) and adapt the tests. I'll prepare a PR for this in chsdi. So nothing to be done on your side.

danduk82 commented 8 years ago

OK