gravitl / netmaker

Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
https://netmaker.io

[Bug]: CORS_ALLOWED_ORIGIN is not honored in docker deployment #1691

Open atlasloewenherz opened 2 years ago

atlasloewenherz commented 2 years ago

Contact Details

yassine.elassad@gmail.com

What happened?

I have the following setup:


  ┌──────────────────────────────────────────────────────────┐
  │                                                          │
  │                FIREWALL Open Ports: 80,443,8883          │
  │                                                          │
  └───────────┬───────────────────┬──────────────────┬───────┘
              │                   │                  │
              │                   │                  │
 (1)  Port 80 │    (2)   Port: 443│  (3) Port: 8883  │
              │                   │                  │
              │                   │                  │
              │                   │                  │
   ┌──────────▼───────────────────▼──────────────────▼───────┐
   │                                                         │
   │                                                         │
   │                                                         │
   │                                                         │
   │          NATIVE TRAEFIK BOX                             │           1) certificates management via traefik certresolvers
   │                                                         │
   │                                                         │
   │                                                         │
   │                                                         │           2) https to all backends includings API
   └───────────┬──────────────────┬─────────────────┬────────┘
               │                  │                 │
               │                  │                 │                    3) this port is mapped to 8883 in the target container ( on a different machine) Mosquitto
               │                  │                 │
         https │            8883  │           https │                       traefik configuration: see next chapter
      to api   │         to mq    │        to ui    │
               │                  │                 │
               │                  │                 │
               │                  │                 │
    ┌──────────▼──────────────────▼─────────────────▼──────────┐         4) api.nm.domain.tld:443
    │                                                          │
    │                                                          │         5) mq.nm.domain.tld:8883
    │                                                          │
    │                                                          │         6) ui.nm.domain.tld:443
    │  ┌───────────────┐ ┌───────────────┐ ┌───────────────┐   │
    │  │  (4)          │ │  (5)          │ │  (6)          │   │
    │  │               │ │               │ │               │   │
    │  │  NETMAKER(API)│ │  MOSQUITTO    │ │ NETMAKER-UI   │   │
    │  │               │ │               │ │               │   │
    │  ├───────────────┤ ├───────────────┤ ├───────────────┤   │
    │ ┌┴───────────────┴─┴───────────────┴─┴───────────────┴─┐ │
    │ │                                                      │ │
    │ │         DOCKER RUNTIME ENVIRONMENT                   │ │
    │ │                                                      │ │
    │ ├──────────────────────────────────────────────────────┤ │
    └─┴──────────────────────────────────────────────────────┴─┘

Following are the Traefik file-based configs as mentioned in the diagram:

entryPoints:
  web:
    address: ":80"
    proxyProtocol:
      trustedIPs:
        - "10.210.1.0/16"
    forwardedHeaders:
      trustedIPs:
        - "10.210.1.0/16"
  websecure:
    address: ":443"
    proxyProtocol:
      trustedIPs:
        - "10.210.1.0/16"
    forwardedHeaders:
      trustedIPs:
        - "10.210.1.0/16"
  emq:
    address: ":8883/tcp"

tcp:
  routers:
    emq_router:
      rule: "HostSNI(`*`)"
      entrypoints:
        - emq
      service: nm_mq
  services:
    nm_mq:
      loadbalancer:
        servers:
          - address: "10.210.1.21:8883"
          - address: "10.210.1.22:8883"

In the environment variables of the netmaker/api container I have the following:


CORS_ALLOWED_ORIGIN: "{{  NM_CORS_ALLOWED_ORIGIN }}"

I tried all the combinations I could think of for

NM_CORS_ALLOWED_ORIGIN: *.nm.domain.tld :-1:

NM_CORS_ALLOWED_ORIGIN: ui.nm.domain.tld :-1:

NM_CORS_ALLOWED_ORIGIN: *.domain.tld :-1:

NM_CORS_ALLOWED_ORIGIN: * :-1:

All the variations end with the problem that ui.nm.domain.tld is restricted from accessing api.nm.domain.tld, so I end up with:

Access to XMLHttpRequest at 'api.nm.domain.tld:443/api/users/adm/hasadmin' from origin 'https://ui.nm.nm.domain.tld' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, isolated-app, chrome-extension, chrome, https, chrome-untrusted.

Version

v0.16.1

What OS are you using?

Linux

Relevant log output

Access to XMLHttpRequest at 'api.nm.domain.tld:443/api/users/adm/hasadmin' from origin 'https://ui.nm.nm.domain.tld' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, isolated-app, chrome-extension, chrome, https, chrome-untrusted.


dylancarruthers commented 2 years ago

Same happens in 0.16.2

xbeaudouin commented 2 years ago

Same issues without docker as well... (on 0.16.2).

xbeaudouin commented 2 years ago

OK, I found how to make the stuff work. On the nginx used to serve netmaker-ui you should add the following:

add_header 'Access-Control-Allow-Origin' '*.netmaker.your.domain.com' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;

It is really a shame that the documentation about this part is not up to date (or non-existent...).

dylancarruthers commented 1 year ago

Still happening in 0.16.3 using the Docker installation

dylancarruthers commented 1 year ago

I've found that for the Docker installation you cannot specify the CORS domain. This fails:

      CORS_ALLOWED_ORIGIN: "*.netmaker.yourdomain.com"

This works:

      CORS_ALLOWED_ORIGIN: "*"
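One way an API server can honour a subdomain wildcard such as the `*.netmaker.yourdomain.com` value that fails above without falling back to `*`, as an added Go example that is not Netmaker's own code: the request Origin is matched against the configured patterns and, on a match, reflected back verbatim, because browsers do not accept a literal `*.domain` as an Access-Control-Allow-Origin value. The function names, the `https://*.nm.example.com` pattern and the example.com hosts are assumptions for illustration.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// originAllowed matches a browser Origin against patterns such as "https://ui.nm.example.com",
// the subdomain wildcard "https://*.nm.example.com", or "*"; an Origin with no scheme never matches.
func originAllowed(origin string, patterns []string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	for _, p := range patterns {
		if p == "*" {
			return true
		}
		i := strings.Index(p, "://")
		if i < 0 || !strings.EqualFold(p[:i], u.Scheme) {
			continue
		}
		want := strings.ToLower(p[i+3:]) // host part of the pattern
		// "*.suffix" admits any host below the suffix, never the bare suffix itself.
		if (strings.HasPrefix(want, "*.") && strings.HasSuffix(strings.ToLower(u.Host), want[1:])) ||
			strings.EqualFold(u.Host, want) {
			return true
		}
	}
	return false
}

// corsMiddleware reflects the matching Origin verbatim: browsers ignore a literal
// "*.domain" in Access-Control-Allow-Origin, so reflection honours a wildcard without "*".
func corsMiddleware(patterns []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" && originAllowed(o, patterns) {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Add("Vary", "Origin") // caches must key on Origin
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent) // preflight ends here
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Note that the browser message quoted in the issue names the request URL as `api.nm.domain.tld:443/...`, which carries no `https://` scheme, so the browser rejects it before any Access-Control-Allow-Origin header is consulted; the middleware only comes into play once the UI calls a full `https://` API URL.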