Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS sigv4 validation fails when chef is being a reverse proxy #3840

Open
tomhughes opened this issue Jul 14, 2024 · 0 comments
Open

AWS sigv4 validation fails when chef is being a reverse proxy #3840

tomhughes opened this issue Jul 14, 2024 · 0 comments
Labels
Status: Untriaged An issue that has yet to be triaged.

Comments

@tomhughes
Copy link

tomhughes commented Jul 14, 2024
edited
Loading

Chef Server Version

Chef server 15.9.38 upgraded from 15.1.7 which was working.

Platform Details

Ubuntu 22.04

Configuration

Standalone, configured as follows:

api_fqdn "chef.openstreetmap.org"
default_orgname "openstreetmap"

addons['install'] = false

lb['api_fqdn'] = "chef.openstreetmap.org"
lb['web_ui_fqdn'] = "chef.openstreetmap.org"

nginx['non_ssl_port'] = false
nginx['ssl_port'] = 4443
nginx['ssl_certificate'] = '/etc/ssl/certs/chef.openstreetmap.org.pem'
nginx['ssl_certificate_key'] = '/etc/ssl/private/chef.openstreetmap.org.key'
nginx['server_name'] = "chef.openstreetmap.org"

opscode_erchef['base_resource_url'] = "https://chef.openstreetmap.org"

Scenario

Running chef server on port 4443 behind a reverse proxy that exposes it on port 443 using the following apache config:

<VirtualHost *:443>
        ServerName chef.openstreetmap.org
        ServerAdmin [email protected]

        CustomLog /var/log/apache2/chef.openstreetmap.org-access.log combined_extended
        ErrorLog /var/log/apache2/chef.openstreetmap.org-error.log

        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/ssl/certs/chef.openstreetmap.org.pem
        SSLCertificateKeyFile /etc/ssl/private/chef.openstreetmap.org.key

        ProxyPassMatch ^/.*\.git/ !
        ProxyPass / https://chef.openstreetmap.org:4443/
        ProxyPreserveHost on
</VirtualHost>

Steps to Reproduce

Attempt to upload or download cookbook content to/from bookshelf.

Expected Result

It works.

Actual Result

It fails with a not authorized response.

Analysis

I believe the following summarises what is happening:

  • Knife uses a host header value of chef.openstreetmap.org:443 and signs the request using that value
  • Apache proxies that to port 443 and preserves chef.openstreetmap.org:443
  • The chef nginx instance proxies that to bookshelf but rewrites the host header to chef.openstreetmap.org:4443
  • Bookshelf attempts signature validation using chef.openstreetmap.org:4443 and the alternate of chef.openstreetmap.org with the port deleted and both fail

The culprit appears to be

chef-server/omnibus/files/server-ctl-cookbooks/infra-server/templates/default/nginx/nginx_chef_api_lb.conf.erb

Line 31 in 7940d04

proxy_set_header Host <%= @helper.host_header_var(@server_proto) %>;
combined with

chef-server/omnibus/files/server-ctl-cookbooks/infra-server/libraries/nginx_erb.rb

Line 14 in 7940d04

def host_header_var(proto)
which sets the host header to the port the chef server is running on.

Changing that template to use proxy_set_header Host $http_host; to preserve the host sent by the client appears to make things work again.
@tomhughes tomhughes added the Status: Untriaged An issue that has yet to be triaged. label Jul 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Status: Untriaged An issue that has yet to be triaged.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tomhughes