spinnaker: [Gate]: Redirect URL after login is not correct if not terminating SSL at the server

Title

[Gate]: Redirect URL after login is not correct if not terminating SSL at the server

Cloud Provider

All?

Environment

AWS

Feature Area

Authentication - Google

Description

Related to #390

The above PR fixed one issue related to this, but there is one more area that is affected.

Backstory:

If terminating SSL at a Load Balancer (ELB), Gate was not sending back the correct /login URL. Using preEstablishedRedirectUri had no effect on the endpoint /auth/redirect would redirect to. Now that the /login endpoint is correct, once you’ve authenticated with Google, the /auth/redirect URL is incorrect. Refreshing the page will get you in, but the clean flow from Spinnaker -> Google -> Spinnaker is broken.

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 26 (7 by maintainers)

Most upvoted comments

Hi! I’m a colleague of @vide . We found out how to fix this. This works for us:

server:
  tomcat:
    protocolHeader: X-Forwarded-Proto
    remoteIpHeader: X-Forwarded-For
    internalProxies: .*
    httpsServerPort: X-Forwarded-Port

The proxy has to set the X-Forwarded-Port header, otherwise you should hardcode the original port.

We figured this out by reading Tomcat’s documentation, here.
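
Why the settings in the comment above change the redirect, and what a trust pattern of .* means for which peers are believed, shown as an added example that is not part of the original thread and is not Tomcat's or Gate's code. It is a simplified Python model of trusted-proxy header handling; the function and parameter names, addresses, host name and subnet regex are all constructed assumptions.

```python
import re

# Simplified model of forwarded-header handling (not Tomcat's or Gate's code).
# Parameter names are this example's own; addresses and hosts are constructed.
def effective_base_url(peer_ip, host, headers, internal_proxies,
                       proto_header="X-Forwarded-Proto",
                       port_header="X-Forwarded-Port"):
    """Return the scheme://host[:port] that a login redirect would be built from."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    name, _, host_port = host.partition(":")
    scheme = "http"                      # Gate itself receives plain HTTP
    port = int(host_port) if host_port.isdigit() else 80
    # Forwarded headers count only when the TCP peer is a trusted proxy.
    trusted = (internal_proxies is not None
               and re.fullmatch(internal_proxies, peer_ip) is not None)
    if trusted:
        proto = hdrs.get(proto_header.lower(), "").lower()
        if proto in ("http", "https"):
            scheme = proto
            port = 443 if proto == "https" else 80
        fwd_port = hdrs.get(port_header.lower(), "")
        if fwd_port.isdigit() and 0 < int(fwd_port) < 65536:
            port = int(fwd_port)
    default_port = 443 if scheme == "https" else 80
    suffix = "" if port == default_port else f":{port}"
    return f"{scheme}://{name}{suffix}"

# Constructed request as the load balancer forwards it after terminating TLS.
LB_IP = "10.0.3.17"
HOST = "gate.example.com"
FWD = {"X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
VPC_ONLY = r"10\.0\.\d{1,3}\.\d{1,3}"    # assumed proxy subnet 10.0.0.0/16

def cases():
    return {
        "headers_ignored": effective_base_url(LB_IP, HOST, FWD, None),
        "trust_any_peer": effective_base_url(LB_IP, HOST, FWD, ".*"),
        "trust_vpc_lb": effective_base_url(LB_IP, HOST, FWD, VPC_ONLY),
        # Same headers arriving from a peer outside the proxy subnet.
        "any_peer_outside": effective_base_url("203.0.113.9", HOST, FWD, ".*"),
        "vpc_peer_outside": effective_base_url("203.0.113.9", HOST, FWD, VPC_ONLY),
    }

if __name__ == "__main__":
    for label, url in cases().items():
        print(f"{label:18} {url}")
```

Restricting the trusted-proxy pattern to the load balancer's subnet keeps the corrected https redirect while forwarded headers from any other peer are ignored.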

Hi there,

attaching to this issue as it seems related. I was not able to configure gate/deck behind a reverse proxy terminating TLS and appending a custom URI; the redirection to login service happens correctly, but then the actual login POST does not include the additional URI path.

Spinnaker version: 1.16.0

Configuration bits:

  • api and UI custom URL set by hal
hal config security api edit --override-base-url https://domain.com/spinnaker-api
hal config security ui edit --override-base-url https://domain.com/spinnaker

Logs from the httpd reverse proxy when landing on authentication page:

IP - - [11/Sep/2019:11:14:32 +0200] "GET /spinnaker-api/login HTTP/1.1" 200 632 "https://domain.com/spinnaker/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36" 

<putting credentials in and clicking sign in>

IP - - [11/Sep/2019:11:14:41 +0200] "POST /login HTTP/1.1" 404 203 "https://domain.com/spinnaker-api/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"

The problem I see is that the POST /login should have been POST /spinnaker-api/login. Any idea where this is handled or if it is configurable? Thanks for your help.

I think that’s a good idea.

On Fri, Jan 18, 2019, 9:44 AM Ethan Rogers <notifications@github.com> wrote:

@ttomsu https://github.com/ttomsu thoughts on adding the above to Gate’s halconfig/gate.yml? I think this is a common enough problem that it would be good to drop in by default.


For those who use a Spinnaker deployment via helm (or directly hal) with istio gateway in version < 1.1.0:

There is a problem with X-Forwarded-Proto when terminating SSL on ELB: https://github.com/istio/istio/issues/7964

The workaround is below:

helm value.yaml file changes (or gate-local.yml file):

      gate-local.yml: |-
        server:
          tomcat:
            protocolHeader: X-Forwarded-New
            remoteIpHeader: X-Forwarded-For
            internalProxies: .*
            httpsServerPort: X-Forwarded-Port

For the virtual file to expose gate externally - keep in mind that domains for gate and deck (dashboard) should be different:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: spin-gate
spec:
  hosts:
  - "spinnaker-api.domain.com"
  gateways:
  - spinnaker-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: spin-gate
        port:
          number: 8084
    appendHeaders:
        "X-Forwarded-New": "https"

There is an option to use istio filters to replace headers but I didn’t try this out.

For istio version >= 1.1.0 there is a possibility to remove and add the headers

I just installed Spinnaker 1.9.0 and found this issue is gone. Also tried 1.8.5 and the issue is still there.

Wondering what changes have merged into 1.9.0 but I am happy to see it is gone and will migrate to 1.9.0 version.

@vide I tried your approach, but it does not resolve my issue. Do you mean put the following into ~/.hal/default/profiles/gate-local.yml and redeploy Spinnaker?

server:
  tomcat:
    protocolHeader: X-Forwarded-Proto
    remoteIpHeader: X-Forwarded-For
    internalProxies: .*
    httpsServerPort: X-Forwarded-Port

My case is that SSL terminates at the ingress controller (traefik), and I also tried nodePort (SSL terminates at deck and gate). The URL redirect always works for Chrome, but does not work for Firefox.