There's been a long-standing issue where the hosted code-submitter emits URLs which point at the machine hosting it, leading to users ending up on that domain rather than on our root domain.
The two previously observed failure modes were:
- the proxied service emits URLs to its own domain, sending users away from our user-facing domain; this happens when we're setting a Host header so that nginx on the service machine is happy
- redirect loops behind the proxy; this happens when not setting a Host header (so that the URLs are right) but the service machine's nginx is trying to canonicalise its domain
This PR fixes the issue by:
- passing through the user-facing domain as the current host
- configuring nginx on the competitor-services box to allow our user-facing domain as a valid Host for itself
This is approximately the same fix as was attempted in https://github.com/srobo/ansible/pull/37, however it seems that that PR didn't work due to the mismatch of types in the secondary_hostnames value (it's now a list, was presumably a string previously).
Code review
Reviewing the changes by commit may be useful.
Testing
- [x] applied the configuration locally
- [x] manually validated the new behaviour
TASK [srobo-nginx : Copy our configuration] ******************************************
--- before: /etc/nginx/nginx.conf
+++ after: /home/peter/.ansible/tmp/ansible-local-625847yb79663/tmp4s_nyuqn/nginx.conf
@@ -113,7 +113,8 @@
# starting up, even if in a degraded mode.
set $competitorsvcs 'competitorsvcs.studentrobotics.org';
proxy_pass https://$competitorsvcs/code-submitter/;
- proxy_set_header Host $competitorsvcs;
+ # Note: don't set a Host header as we want the code-submitter to use our
+ # public hostname, not the hostname of the underlying machine.
}
# Provide access to the competition pages under the normal prefix
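Review bot: The new comment that replaces `proxy_set_header Host $competitorsvcs;` says that leaving the Host header unset makes the code-submitter see the public hostname, but nginx's default for a proxied request is `Host $proxy_host`, i.e. the name given to `proxy_pass`, which here is still `$competitorsvcs`. Unless a `proxy_set_header Host` is inherited from an enclosing block that this hunk does not show, the upstream will keep receiving competitorsvcs.studentrobotics.org. Consider stating the intent explicitly with `proxy_set_header Host $host;` (or a fixed public name, so that a client-supplied Host value is not forwarded as-is) and rewording the comment to match.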
changed: [monty.studentrobotics.org]
TASK [competitor-services-nginx : Copy our configuration] ****************************
--- before: /etc/nginx/nginx.conf
+++ after: /home/peter/.ansible/tmp/ansible-local-625847yb79663/tmpz44efhua/nginx.conf
@@ -61,7 +61,7 @@
# several server blocks can listen to the same port).
listen 443 ssl;
listen [::]:443 ssl;
- server_name competitorsvcs.studentrobotics.org ['studentrobotics.org'];
+ server_name competitorsvcs.studentrobotics.org studentrobotics.org ;
root /var/www;
proxy_pass_request_headers on;
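Review bot: The rendered `server_name` line still carries template whitespace (`studentrobotics.org ;`), and the removed line shows that a list value was previously written out verbatim as `['studentrobotics.org']` without any task failing. Joining the list in the template (for example with Jinja2's `join(' ')` filter) would give a clean line and make the expected type obvious. It is also worth documenting next to secondary_hostnames that every name added there is a Host this box will answer for, so the list should stay limited to the domains that actually proxy to it.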
changed: [competitorsvcs.studentrobotics.org]
Links
Extra context: https://github.com/PeterJCLaw/code-submitter/issues/31
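
The `server_name` line in the "before" output above rendered a list as `['studentrobotics.org']` and nginx accepted the file anyway. The following is an added example, not part of this PR or the srobo/ansible repository: a small check that could be run over a rendered nginx.conf to flag `server_name` tokens that are not hostnames. The function names and the two sample configs are constructed for illustration.

```python
import re

# Plain hostname, optionally with a leading "*." / "." or trailing ".*" wildcard.
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(\*\.|\.)?{_LABEL}(\.{_LABEL})*(\.\*)?$")
# A server_name directive may span lines; it ends at the first ';'.
_DIRECTIVE = re.compile(r"^\s*server_name\s+([^;]*);", re.MULTILINE)


def strip_comments(conf: str) -> str:
    """Drop '#' comments (assumes no '#' inside quoted values)."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def bad_server_names(conf: str) -> list[str]:
    """Return server_name tokens that are not hostnames, wildcards, regexes or '_'."""
    bad = []
    for match in _DIRECTIVE.finditer(strip_comments(conf)):
        for token in match.group(1).split():
            if token in ("_", '""') or token.startswith("~"):
                continue  # catch-all, empty name, or regex name
            if not _HOSTNAME.match(token):
                bad.append(token)
    return bad


# Constructed samples mirroring the two renderings shown in the diff output.
BEFORE = """
server {
    listen 443 ssl;
    server_name competitorsvcs.studentrobotics.org ['studentrobotics.org'];
}
"""
AFTER = """
server {
    listen 443 ssl;
    server_name competitorsvcs.studentrobotics.org studentrobotics.org ;
}
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, bad_server_names(conf))
```

A non-empty result for a rendered file is a reason to fail the deployment before nginx is reloaded.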