nginx: reject requests with unexpected Host header by alxndrsn · Pull Request #809 · getodk/central

alxndrsn · 2024-12-02T12:28:52Z

Supersedes #747

Blocked by #814

What has been done to verify that this works as intended?

Tests.

Why is this the best possible solution? Were any other approaches considered?

#747 was also considered - this is up for debate.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Shouldn't change normal usage.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

Probably not.

Before submitting this PR, please make sure you have:

branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

This reverts commit 72db5d3.

This reverts commit bb07343.

files/nginx/setup-odk.sh

Working on getodk#809 I noticed that the location of SSL certs is based either on the domain name, or on the method of supply of SSL certs. Cert provision approach should probably not affect the nginx "server_name" setting. Also, the old variable name `CNAME` (short for "certificate name?") is easily confused with the DNS concept of CNAME records ("canonical names").

files/nginx/odk.conf.template

brontolosone

I have fears, please see comments

files/nginx/odk.conf.template

files/nginx/redirector.conf

test/test-nginx.js

Working on #809 I noticed that the location of SSL certs is based either on the domain name, or on the method of supply of SSL certs. Cert provision approach should probably not affect the nginx "server_name" setting. Also, the old variable name `CNAME` (short for "certificate name?") is easily confused with the DNS concept of CNAME records ("canonical names").

This comment was merged as part of getodk#809, but was not correct by the time the PR was merged.

This comment was merged as part of #809, but was not correct by the time the PR was merged.

Working on getodk#809 I noticed that the location of SSL certs is based either on the domain name, or on the method of supply of SSL certs. Cert provision approach should probably not affect the nginx "server_name" setting. Also, the old variable name `CNAME` (short for "certificate name?") is easily confused with the DNS concept of CNAME records ("canonical names").

Co-authored-by: alxndrsn <alxndrsn>

This comment was merged as part of getodk#809, but was not correct by the time the PR was merged.

alxndrsn added 30 commits October 9, 2024 07:41

nginx: reject HTTPS requests with unexpected Host header

913ebcc

fix test URL

00b5bd7

Add check/config for HTTP

eb93b15

circle-ci: try changing DOMAIN to localhost

c232cb3

circle-ci: revert DOMAIN; force-set Host header

c26ee73

Merge branch 'next' into enforce-host-check-https

ff04489

capitalise host header

e1c245e

Merge branch 'next' into enforce-host-check-https

77b7505

revert code changes

bea939d

wip

20660c9

revert nginx dockerfile

4bc9b6f

expand comment

3627e92

421

b7ebe89

untee

18dad03

42102

5bcc786

421

2792708

re-order more like next

eea052d

revert circle config change

72db5d3

Revert "revert circle config change"

d4a27ee

This reverts commit 72db5d3.

remove time limit for generated key

c6c5ce8

revert

bb07343

remove logging

b461036

remove catch-all server names

b1d5f23

Revert "revert"

13808d6

This reverts commit bb07343.

Add test for SSL cert validity period.

0fd9b27

increase ssl cert validity period

c2683ce

rewrite test with TLS

c9b376e

little tls

7791efe

remove cert from fetch()

6971cda

remove stop

ba096cc

alxndrsn requested a review from brontolosone December 3, 2024 06:19

alxndrsn commented Dec 3, 2024

View reviewed changes

files/nginx/setup-odk.sh Show resolved Hide resolved

alxndrsn mentioned this pull request Dec 3, 2024

nginx: reject requests with unexpected Host header #747

Closed

alxndrsn added 2 commits December 3, 2024 06:25

revert magix perl

cc95d47

rename CNAME -> CERT_DOMAIN

5850495

alxndrsn mentioned this pull request Dec 3, 2024

nginx: separate cert paths from server_name #814

Merged

2 tasks

alxndrsn commented Dec 3, 2024

View reviewed changes

files/nginx/odk.conf.template Show resolved Hide resolved

reorder vars to match getodk#814

0fca92a

alxndrsn requested a review from yanokwa December 6, 2024 06:38

brontolosone requested changes Dec 6, 2024

View reviewed changes

files/nginx/odk.conf.template Show resolved Hide resolved

files/nginx/redirector.conf Show resolved Hide resolved

test/test-nginx.js Show resolved Hide resolved

test/test-nginx.js Outdated Show resolved Hide resolved

alxndrsn added 6 commits December 8, 2024 08:38

Merge branch 'next' into enforce-host-check-https-bronto-approach

938bd31

update comment more

0ea7207

rename sfetch() fn to avoid confusion; remove logging

fb826af

wip: add failing test: ipv6

a03694d

Passing tests

c41b7cb

rename sfetch() as request()

d7ad2d7

alxndrsn requested a review from brontolosone December 8, 2024 09:37

brontolosone mentioned this pull request Dec 9, 2024

nginx: Remove SSL client certificate support config #831

Open

brontolosone approved these changes Dec 9, 2024

View reviewed changes

yanokwa approved these changes Dec 9, 2024

View reviewed changes

matthew-white merged commit 0f7bad6 into getodk:next Dec 10, 2024

alxndrsn pushed a commit to alxndrsn/odk-central that referenced this pull request Dec 10, 2024

test/nginx: remove misleading comment

ce40700

This comment was merged as part of getodk#809, but was not correct by the time the PR was merged.

alxndrsn mentioned this pull request Dec 10, 2024

test/nginx: remove misleading comment #839

Merged

alxndrsn deleted the enforce-host-check-https-bronto-approach branch December 10, 2024 05:20

alxndrsn added a commit that referenced this pull request Dec 10, 2024

test/nginx: remove misleading comment (#839)

20878c7

This comment was merged as part of #809, but was not correct by the time the PR was merged.

yanokwa pushed a commit to yanokwa/odk-central that referenced this pull request Jun 11, 2025

nginx: reject requests with unexpected Host header (getodk#809)

26b40dc

Co-authored-by: alxndrsn <alxndrsn>

yanokwa pushed a commit to yanokwa/odk-central that referenced this pull request Jun 11, 2025

test/nginx: remove misleading comment (getodk#839)

3fd358e

This comment was merged as part of getodk#809, but was not correct by the time the PR was merged.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nginx: reject requests with unexpected Host header#809

nginx: reject requests with unexpected Host header#809
matthew-white merged 39 commits intogetodk:nextfrom
alxndrsn:enforce-host-check-https-bronto-approach

alxndrsn commented Dec 2, 2024 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

brontolosone left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

alxndrsn commented Dec 2, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What has been done to verify that this works as intended?

Why is this the best possible solution? Were any other approaches considered?

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Does this change require updates to documentation? If so, please file an issue here and include the link below.

Before submitting this PR, please make sure you have:

Uh oh!

Uh oh!

Uh oh!

brontolosone left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

alxndrsn commented Dec 2, 2024 •

edited

Loading