Bug #37761

Cockpit integration fails with AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F in foreman-ssl_error_ssl.log

Added by Adam Ruzicka 8 months ago. Updated 7 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Foreman modules
Target version: -
Found in Releases:

Description

Trying to access the web console takes the user to https://$foreman-fqdn/webcon/=$hostname?access_token=$token

Trying to access this URL fails with 403; apparently mod_rewrite forbids rewrites where the request being rewritten contains %3F and the rewritten result has a ?. This behaviour can be turned off with a flag [1].

[1] - https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_unsafe_allow_3f

Added by Evgeni Golov 7 months ago

Revision 88e8ecc6 (diff)

Fixes #37761 - use ProxyPass and upgrade=websocket where possible

RewriteRules need special handling of some characters (esp "?"), which
differs based on Apache version. Instead of going down that way, we can
switch to using ProxyPass as proxying is the only thing we really need
here, at least for HTTP.

For WebSockets, we need to allow protocol upgrades, which modern
(2.4.47+) Apache can do itself via "ProxyPass … upgrade=websocket".
For older Apache (esp on EL8 and Ubuntu 20.04), we keep the RewriteRules
in place. To be removed when we drop support for those targets.

Co-Authored-By: Adam Ruzicka <>
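
The two code paths described in the commit message above, as an added Apache configuration example. It is not the Foreman project's own configuration. The backend address `127.0.0.1:9090` is a placeholder, the `/webcon/` prefix is taken from the URL in the issue description, and mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_rewrite and mod_version are assumed to be loaded.

```apache
# Added example; backend address below is a placeholder, not a Foreman default.

# Apache 2.4.47+: mod_proxy_http proxies plain HTTP and performs the
# WebSocket protocol upgrade itself. No RewriteRule is involved, so the
# mod_rewrite check that logs "Unsafe URL with %3f URL rewritten without
# UnsafeAllow3F" is never reached for these requests.
<IfVersion >= 2.4.47>
    ProxyPass        "/webcon/" "http://127.0.0.1:9090/webcon/" upgrade=websocket
    ProxyPassReverse "/webcon/" "http://127.0.0.1:9090/webcon/"
</IfVersion>

# Older Apache (the commit names EL8 and Ubuntu 20.04): "upgrade=websocket"
# is not available, so WebSocket requests are still routed by mod_rewrite
# to mod_proxy_wstunnel. Only requests carrying "Upgrade: websocket" go
# through the RewriteRule; everything else uses ProxyPass.
<IfVersion < 2.4.47>
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule "^/webcon/(.*)" "ws://127.0.0.1:9090/webcon/$1" [P,L]

    ProxyPass        "/webcon/" "http://127.0.0.1:9090/webcon/"
    ProxyPassReverse "/webcon/" "http://127.0.0.1:9090/webcon/"
</IfVersion>

# The alternative mentioned in the issue description is to keep a
# proxying RewriteRule for all traffic and add the UnsafeAllow3F flag [1]:
#
#   RewriteRule "^/webcon/(.*)" "http://127.0.0.1:9090/webcon/$1" [P,UnsafeAllow3F]
#
# That flag switches off mod_rewrite's protection against an encoded
# question mark (%3f) being captured and re-substituted as a literal "?",
# and it only exists in Apache releases that ship the check. Restricting
# mod_rewrite to the WebSocket-upgrade case, as above, keeps the check
# enabled everywhere it still applies.
```

After deploying either variant, `apachectl configtest` validates the syntax, and a 403 accompanied by the AH message from the issue title in the SSL error log indicates a request is still passing through a RewriteRule.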
