ionos-cloud / docker-machine-driver

IONOS Cloud Docker Machine Driver
Apache License 2.0

NodeDriver - Whitelist Domain wrong? #53

Closed mueller-tobias closed 1 year ago

mueller-tobias commented 1 year ago

Description

The Node driver didn't display any values in the node template view when using the domain https://cdn.jsdelivr.net

Expected behavior

The Node Driver displays the custom UI specified by JS File.

Environment

Rancher:

2.6.9

Docker Machine Driver Ionos Cloud version:

6.1.0rc1

OS:

Ubuntu

Configuration Files

How to Reproduce

Use https://cdn.jsdelivr.net as Whitelist Domain when adding the node driver.

To get it working I had to use cdn.jsdelivr.net. Can you please verify that this is the correct value? Maybe on your setup with an older Rancher version it is working with the http prefix, but with Chrome and Safari on Rancher 2.6.9 it's only working without the https prefix.

avirtopeanu-ionos commented 1 year ago

Hi! It seems like modern browsers don't support Mixed Content. https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

It seems like the problem here is that if the VM which is running the Rancher Image is loaded over HTTPS you must use https://cdn.jsdelivr.net, while if it is loaded over HTTP you must use cdn.jsdelivr.net. (In my case specifically, I am running the VM over HTTPS, and trying with cdn.jsdeliver.net fails)

We will change the documentation to include this fact.

To debug the UI Driver, you can look in your browser's Developer Console for errors.

Thanks for opening this issue! Have a nice day!

mueller-tobias commented 1 year ago

These are the errors I receive from the console:

load-script.js:45          GET https://r***:8443/meta/proxy/https:/cdn.jsdelivr.net/gh/ionos-cloud/ui-driver-ionoscloud@0.1.0/releases/v0.1.0/component.js net::ERR_ABORTED 502
node-templates:1 Refused to execute script from 'https://****:8443/meta/proxy/https:/cdn.jsdelivr.net/gh/ionos-cloud/ui-driver-ionoscloud@0.1.0/releases/v0.1.0/component.js' because its MIME type ('') is not executable, and strict MIME type checking is enabled.
node-templates:1 Refused to apply style from 'https://****:8443/meta/proxy/https:/cdn.jsdelivr.net/gh/ionos-cloud/ui-driver-ionoscloud@0.1.0/releases/v0.1.0/component.css' because its MIME type ('') is not a supported stylesheet MIME type, and strict MIME checking is enabled.

Both of my Rancher instances are running with HTTPS. One with a valid SSL certificate and one with a self-signed certificate. I don't think this is an issue with mixed content, because Rancher proxies the call, so the browser itself doesn't call the jsdelivr.net domain.

Part of the problem could be the isAllowed function or the proxy function. When I look at the functions, it should work with https, http and without a prefix, because the values get replaced by the proxy function.

avirtopeanu-ionos commented 1 year ago

These issues seem to be related:

Does using a different browser serve the correct MIME type?

Also, note that you might want to redact the URL where the Rancher container is hosted at (in your previous response)

There might not be much we can do about this issue, except open an issue on Rancher.

mueller-tobias commented 1 year ago

I don't think that those old issues are related. Those issues are for Rancher v1.

Rancher v2 was a completely new development and has nothing in common with Rancher v1.

For me it's just the question of whether the default whitelist domain in the documentation should be just the domain without any prefix. Other custom drivers with whitelist domains only list the domain without any prefix.

avirtopeanu-ionos commented 1 year ago

The reason I was so reluctant to change the whitelist domain to only be cdn.jsdelivr.net was that I was having issues with this domain, and absolutely needed the https prefix for it not to have a wrong MIME type. However, in the meantime, this seems to have resolved itself. I'm not sure where the bug originated from, and my hunch is that in fact it had to do with me not clearing the cache in between tests.

However, why my UI driver continues to work even with https prepended, I can't explain. I wonder - if there is actually some way to set up the environment so that the domain whitelist https://cdn.jsdelivr.net works, and cdn.jsdelivr.net does not work? If so, would a whitelist *cdn.jsdelivr.net fix it? If this is the case, perhaps a better alternative to add to the whitelist domain in the documentation would be *cdn.jsdelivr.net. At least, this is my rationale for delaying the change you proposed and looking for possible alternatives.

I'll have to keep testing and I'll come back with a conclusion.

(In any case, regarding my first answer, the whitelist domain would certainly not work if the Docker image is running over HTTP and not HTTPS exactly due to the mixed content. So, definitely this should be changed in the docs)

mrndev commented 1 year ago

As a workaround, I guess one can just whitelist both versions (with https and without). Works at least for me.
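
The thread leaves open how a scheme-prefixed entry, a bare host and a `*cdn.jsdelivr.net` wildcard are treated. The sketch below is an added example, not Rancher's `isAllowed` or proxy code and not part of any comment above: it parses a proxied path of the shape seen in the console errors and compares the upstream host against whitelist entries, with and without normalizing the entry. The helper names and the host `rancher.example` are assumptions.

```javascript
// Added illustration; NOT Rancher's implementation. All helper names are hypothetical.

// Extract the upstream host from a proxied URL of the shape shown in the
// console errors: https://<rancher>/meta/proxy/https:/cdn.jsdelivr.net/gh/...
function upstreamHost(proxiedUrl) {
  const path = new URL(proxiedUrl).pathname;
  const m = path.match(/^\/meta\/proxy\/(?:(https?):\/{1,2})?([^\/]+)/i);
  if (!m) return null;
  return m[2].toLowerCase().replace(/:\d+$/, ''); // drop port, fold case
}

// Reduce a whitelist entry to a bare host pattern: strip scheme and path.
function normalizeEntry(entry) {
  return entry.trim().toLowerCase()
    .replace(/^[a-z][a-z0-9+.-]*:\/\//, '')
    .replace(/\/.*$/, '');
}

// Compare a host against whitelist entries. With normalize=false the entry
// is compared as typed, so "https://cdn.jsdelivr.net" never equals a host.
function hostAllowed(host, whitelist, normalize) {
  return whitelist.some((raw) => {
    const entry = normalize ? normalizeEntry(raw) : raw.trim().toLowerCase();
    if (entry.startsWith('*')) {
      // Plain suffix match: "*cdn.jsdelivr.net" also accepts
      // "notcdn.jsdelivr.net"; "*.cdn.jsdelivr.net" is label-bounded
      // but does not accept the bare host itself.
      return host.endsWith(entry.slice(1));
    }
    return host === entry;
  });
}

// Constructed sample: path taken from the console error, host is a placeholder.
const SAMPLE = 'https://rancher.example:8443/meta/proxy/https:/cdn.jsdelivr.net' +
  '/gh/ionos-cloud/ui-driver-ionoscloud@0.1.0/releases/v0.1.0/component.js';

function demo() {
  const host = upstreamHost(SAMPLE);
  return {
    host,
    literalPrefixed: hostAllowed(host, ['https://cdn.jsdelivr.net'], false),
    normalizedPrefixed: hostAllowed(host, ['https://cdn.jsdelivr.net'], true),
    bare: hostAllowed(host, ['cdn.jsdelivr.net'], false),
    wildcard: hostAllowed(host, ['*cdn.jsdelivr.net'], true),
  };
}
```

A check that normalizes entries treats both forms identically, which removes the need to list the domain twice; a wildcard entry widens what is accepted and is best kept label-bounded.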