TG1/Cherrypy config change to make redirects more robust

Toshio Kuratomi a.badger at gmail.com
Sat Sep 19 01:25:14 UTC 2009


mirrormanager uses the TurboGears raise redirect('/new/url') idiom
heavily.  Today we found that whenever such a redirect was occurring in
staging, the user's browser would end up at the production mirrormanager
site instead of staging.  mmcgrath traced this to cherrypy creating URLs
like this:

http://admin.stg.fedoraproject.org/mirrormanager/

instead of like this:

https://admin.stg.fedoraproject.org/mirrormanager/

When the http:// URL goes back to the server, the server rewrites it as
an https:// URL.  Due to the way staging works, that ended up being
https://admin.fedoraproject.org instead of admin.stg.

This problem also affects production -- it's just that it isn't as
apparent there.  In production we end up doing two requests instead of
one -- the first one requests the http:// URL.  Then apache tells the
client to redirect to https:// and the second request is made.  This
also has the potential to return information to the server over http://
instead of https://.  Although we haven't found a case where we'd get to
that in a way that would reveal sensitive information yet (it has to be
a specific controller method where sensitive data is being passed
through a redirect() call) we want to close this potential for
unpleasant surprises.

Luckily, there's a quick config change that makes this problem go away:

  base_url_filter.on = True
  base_url_filter.base_url = "https://admin.fedoraproject.org/APPNAME"
  base_url_filter.use_x_forwarded_host = False

(substitute "admin.stg" for "admin" if you're deploying to staging.)

.on turns on the base_url filter in cherrypy.  Because we're deploying
on one domain anyhow, this is on for almost all of our configs.

.base_url manually specifies the base_url to use with the app.  This
gets substituted into redirects as the scheme, host, and initial path.

.use_x_forwarded_host is the unexpected one.  This was set to True on
almost all of our apps before.  When True, it tells cherrypy to
construct the redirect URL from the X_FORWARDED_FOR header sent by the
apache proxy instead of using the manually specified base_url.  The
X_FORWARDED_FOR header contains the host that is being forwarded to the
proxy.  It's combined with the scheme (http or https) that cherrypy is
serving.  Since we're serving http from the app servers (https is on the
proxies only), that means the constructed urls use http.  The algorithm
behind .use_x_forwarded_host is simply making assumptions that aren't
true in our environment.  We have to set it False.

I've just deployed a config update to elections, bodhi, mirrormanager,
pkgdb, and fas that makes these changes.  If I've missed any apps let me
know or update the config in puppet yourself.

Thanks,
Toshio
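
An added example, not part of the original message or of the Fedora
infrastructure tooling: a check that a TG1 config carries the three
base_url_filter settings from the message, with an https base_url on the host
expected for that environment.  The function names, the sample configs and the
rule that use_x_forwarded_host must be set explicitly are assumptions of this
example.

```python
import ast
import re
from urllib.parse import urlsplit

SETTING = re.compile(r"^\s*base_url_filter\.(\w+)\s*=\s*(.+?)\s*$")

def filter_settings(config_text):
    """Collect base_url_filter.* keys; values are Python literals in these configs."""
    found = {}
    for line in config_text.splitlines():
        m = SETTING.match(line)
        if m:
            try:
                found[m.group(1)] = ast.literal_eval(m.group(2))
            except (ValueError, SyntaxError):
                found[m.group(1)] = m.group(2)  # keep the raw text if not a literal
    return found

def audit(config_text, expected_host):
    """Return a list of problems; an empty list means the settings match the fix."""
    s = filter_settings(config_text)
    problems = []
    if s.get("on") is not True:
        problems.append("base_url_filter.on is not True")
    # Assumption of this check: the value must be set explicitly, not left to a default.
    if s.get("use_x_forwarded_host") is not False:
        problems.append("use_x_forwarded_host is not explicitly False")
    url = urlsplit(str(s.get("base_url", "")))
    if url.scheme != "https":
        problems.append("base_url scheme is %r, not https" % url.scheme)
    if url.hostname != expected_host:
        problems.append("base_url host is %r, expected %r" % (url.hostname, expected_host))
    return problems

# Constructed sample configs (APPNAME is the placeholder used in the message).
OLD = 'base_url_filter.on = True\nbase_url_filter.use_x_forwarded_host = True\n'
FIXED_STG = (
    '  base_url_filter.on = True\n'
    '  base_url_filter.base_url = "https://admin.stg.fedoraproject.org/APPNAME"\n'
    '  base_url_filter.use_x_forwarded_host = False\n'
)
PROD_COPIED_TO_STG = FIXED_STG.replace("admin.stg", "admin")

if __name__ == "__main__":
    for name, text in [("old", OLD), ("fixed staging", FIXED_STG),
                       ("production copied to staging", PROD_COPIED_TO_STG)]:
        print(name, audit(text, "admin.stg.fedoraproject.org") or "ok")
```

The third sample covers the substitution step from the message: a production
base_url left in a staging config is reported as a host mismatch.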
