DevOps handler does not work if RULES_URL uWSGI/FastCGI parameter is set
Concerned version
Version: %2.0.X
Platform: All
Summary
The RULES_URL parameter can be set to retrieve rules.json from a location other than the protected application.
But the Host header is not set according to RULES_URL.
Logs
package Lemonldap::NG::Handler::Lib::DevOps;

# Excerpt, with extra debug lines added for this report
my ( $class, $req, $vhost ) = @_;
$class->logger->debug("****************** $vhost");
my $json;
if ( $class->tsv->{useSafeJail} ) {

    # RULES_URL, when set, takes precedence over the loopback URL
    my $rUrl = $req->{env}->{RULES_URL}
      || (
        (
            $class->localConfig->{loopBackUrl}
              || "http://127.0.0.1:" . $req->{env}->{SERVER_PORT}
        )
        . '/rules.json'
      );
    $class->logger->debug("################## $rUrl");
    my $get = HTTP::Request->new( GET => $rUrl );
    $class->logger->debug("****************** $vhost");

    # Host is always the protected vhost, even when $rUrl points elsewhere
    $get->header( Host => $vhost );
    my $resp = $class->ua->request($get);
    if ( $resp->is_success ) {
        eval {
            $json = from_json( $resp->content, { allow_nonref => 1 } );
        };
        if ($@) {
            $class->logger->error(
                "Bad rules.json for $vhost, skipping ($@)");
        }
        else {
            $class->logger->info("Compiling rules.json for $vhost");
        }
    }
}
else {
    $class->logger->error(
q"I refuse to compile rules.json when useSafeJail isn't activated! Yes I know, I'm a coward..."
    );
}
2021-09-20T14:13:30.027+02:00 dapqssogndevops f=3 s=7 LLNG[45628]: [debug] Process 45628 calls aliasInit
2021-09-20T14:13:30.027+02:00 dapqssogndevops f=3 s=7 LLNG[45628]: [debug] Process 45628 calls oauth2Init
2021-09-20T14:13:30.028+02:00 dapqssogndevops f=3 s=7 LLNG[45628]: [debug] Lemonldap::NG::Handler::Server::Main: configuration is up to date
2021-09-20T14:13:30.048+02:00 dapqssogndevops f=3 s=7 LLNG[45628]: [debug] ****************** evengrave.dvsso.gendarmerie.fr
2021-09-20T14:13:30.048+02:00 dapqssogndevops f=3 s=7 LLNG[45628]: [debug] ################## http://devops.dvsso.gendarmerie.fr/rules.json
2021-09-20T14:13:30.051+02:00 dapqssogndevops f=3 s=7 LLNG[45628]: [debug] ****************** evengrave.dvsso.gendarmerie.fr
2021-09-20T14:14:29.806+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] DevOps handler called by evengrave.dvsso.gendarmerie.fr
2021-09-20T14:14:29.806+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] VH evengrave.dvsso.gendarmerie.fr is HTTPS
2021-09-20T14:14:29.812+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] Get session 9deae8c00b4453092a8c6d544c4eb6a880168a2ce78a6a0156e7cf427c626aba from Handler::Main::Run
2021-09-20T14:14:29.812+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] Check session validity from Handler
2021-09-20T14:14:29.812+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] Session timeout -> 18000
2021-09-20T14:14:29.812+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] Session _utime -> 1632131219
2021-09-20T14:14:29.813+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] now -> 1632140069
2021-09-20T14:14:29.813+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] Session timeoutActivityInterval -> 60
2021-09-20T14:14:29.813+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] Session TTL = 9150
2021-09-20T14:14:29.813+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] No URL authentication level found...
2021-09-20T14:14:29.813+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] evengrave.dvsso.gendarmerie.fr: Apply default rule
2021-09-20T14:14:29.813+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] Send header Auth-User with value alexandre.karim
2021-09-20T14:14:29.813+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] removing cookie
2021-09-20T14:14:29.813+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] CookieName -> lemonldap
2021-09-20T14:14:29.814+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] User alexandre.karim was granted to access to /
2021-09-20T14:14:29.814+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] Check configuration for Lemonldap::NG::Handler::Server::Main
2021-09-20T14:14:29.814+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] Get configuration from cache without verification.
2021-09-20T14:14:29.814+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] Lemonldap::NG::Handler::Server::Main: configuration is up to date
2021-09-20T14:14:29.814+02:00 dapqssogndevops f=3 s=6 LLNG[45627]: [info] No cookie found
2021-09-20T14:14:29.814+02:00 dapqssogndevops f=3 s=7 LLNG[45627]: [debug] Build URL https://evengrave.dvsso.gendarmerie.fr/rules.json
Possible fixes
The request is sent to $req->{env}->{RULES_URL} (devops.dvsso.gendarmerie.fr/rules.json): my $get = HTTP::Request->new( GET => $rUrl );
But the Host header (HTTP_HOST) is set to the protected application's alias (evengrave.dvsso.gendarmerie.fr): $get->header( Host => $vhost );
The Host header must be set to the host that corresponds to $req->{env}->{RULES_URL}.
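
One way to apply the rule stated above, as an added example (not LemonLDAP::NG's own code and not the fix the project committed): the hypothetical helper `build_rules_request` derives the Host header from RULES_URL when it is set and uses the protected vhost only for the loopback fetch. The hostnames and the helper name are assumptions made for illustration.

```perl
use strict;
use warnings;
use URI;
use HTTP::Request;

# Hypothetical helper (not part of Lemonldap::NG): build the GET request for
# rules.json with a Host header that matches the server actually contacted.
sub build_rules_request {
    my ( $env, $vhost, $loopback_url ) = @_;

    if ( my $rules_url = $env->{RULES_URL} ) {
        my $uri = URI->new($rules_url);

        # Only absolute http(s) URLs carry a host to derive the header from
        die "RULES_URL must be an http(s) URL: $rules_url\n"
          unless ( $uri->scheme // '' ) =~ /^https?$/ and $uri->host;

        # Omit the port from Host when it is the default for the scheme
        my $host =
          $uri->port == $uri->default_port ? $uri->host : $uri->host_port;
        my $get = HTTP::Request->new( GET => $uri );
        $get->header( Host => $host );
        return $get;
    }

    # No RULES_URL: rules.json is fetched through the loopback address, so
    # the Host header must name the protected vhost to select the right site.
    my $base = $loopback_url || "http://127.0.0.1:$env->{SERVER_PORT}";
    my $get  = HTTP::Request->new( GET => "$base/rules.json" );
    $get->header( Host => $vhost );
    return $get;
}

# Constructed sample input (placeholder hostnames, not taken from the report)
my $vhost = 'app.example.com';
for my $env (
    { SERVER_PORT => 8080, RULES_URL => 'http://rules.example.com/rules.json' },
    { SERVER_PORT => 8080, RULES_URL => 'https://rules.example.com:8443/rules.json' },
    { SERVER_PORT => 8080 },
  )
{
    my $get = build_rules_request( $env, $vhost, undef );
    printf "%-45s Host: %s\n", $get->uri, $get->header('Host');
}
```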