Haproxy redirect for HTTPS to login page is dropping realm parameter

Hi,

A redirect with the openremote/proxy container drops the parameter realm=customer if the login link starts with https. The redirect with a blank or http in front of the link works perfectly. It is expected that the redirect with https in front of the link will not drop the realm parameter.

These are the relevant variables in my environment. I used the latest openremote/proxy image from dockerhub.

OR_HOSTNAME="cerebro.cattlewatchafrica.com"
OR_ADDITIONAL_HOSTNAMES="cerebro.cattlewatchafrica.com,vaalharts.cattlewatchafrica.com"

PROXY_HOST_REDIRECT_1_NAME="vaalharts.cattlewatchafrica.com"
PROXY_HOST_REDIRECT_1_TARGET="/manager/?realm=vaalharts"

The following redirects happen:

My customers complain they cannot log in to the application. That is normal, as they try to log in with the realm credentials on the master realm.

For the sake of completeness, here is the curl log of the failure case. I am not a haproxy expert. Is there a solution or workaround available for that?

$ curl -v https://vaalharts.cattlewatchafrica.com
*   Trying 34.251.122.127:443...
* TCP_NODELAY set
* Connected to vaalharts.cattlewatchafrica.com (34.251.122.127) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=vaalharts.cattlewatchafrica.com
*  start date: Aug 24 14:44:03 2023 GMT
*  expire date: Nov 22 14:44:02 2023 GMT
*  subjectAltName: host "vaalharts.cattlewatchafrica.com" matched cert's "vaalharts.cattlewatchafrica.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: vaalharts.cattlewatchafrica.com
> User-Agent: curl/7.68.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< location: http://vaalharts.cattlewatchafrica.com/manager
< content-length: 0
< date: Thu, 24 Aug 2023 20:02:44 GMT
< 
* Connection #0 to host vaalharts.cattlewatchafrica.com left intact

Hi,

Sorry for the late reply.

The issue is caused by the fact that the whole optional redirects section is in the http frontend section; it was introduced to solve a specific issue on a deployment a long time ago.

It should be moved to the https section (after the initial bind), which is something I will look to do shortly, but please try this for yourself, e.g.:

frontend https
    bind *:443 ssl crt /etc/haproxy/certs crt "${CERT_DIR}" no-tls-tickets

    # Optional: redirects for root requests with certain host names to service paths
    acl is_root path -i /
    acl is_redirect_1 hdr(host) -i "${PROXY_HOST_REDIRECT_1_NAME}"
    acl is_redirect_2 hdr(host) -i "${PROXY_HOST_REDIRECT_2_NAME}"
    acl is_redirect_3 hdr(host) -i "${PROXY_HOST_REDIRECT_3_NAME}"
    acl is_redirect_4 hdr(host) -i "${PROXY_HOST_REDIRECT_4_NAME}"
    acl is_redirect_5 hdr(host) -i "${PROXY_HOST_REDIRECT_5_NAME}"
    acl is_redirect_6 hdr(host) -i "${PROXY_HOST_REDIRECT_6_NAME}"
    acl is_redirect_7 hdr(host) -i "${PROXY_HOST_REDIRECT_7_NAME}"
    acl is_redirect_8 hdr(host) -i "${PROXY_HOST_REDIRECT_8_NAME}"
    acl is_redirect_9 hdr(host) -i "${PROXY_HOST_REDIRECT_9_NAME}"
    acl is_redirect_10 hdr(host) -i "${PROXY_HOST_REDIRECT_10_NAME}"
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_1_TARGET}" if is_root is_redirect_1
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_2_TARGET}" if is_root is_redirect_2
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_3_TARGET}" if is_root is_redirect_3
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_4_TARGET}" if is_root is_redirect_4
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_5_TARGET}" if is_root is_redirect_5
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_6_TARGET}" if is_root is_redirect_6
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_7_TARGET}" if is_root is_redirect_7
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_8_TARGET}" if is_root is_redirect_8
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_9_TARGET}" if is_root is_redirect_9
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_10_TARGET}" if is_root is_redirect_10
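
A small check for the behaviour discussed in this thread, added here as an example and not part of the original posts or the openremote/proxy project: it parses a raw HTTP response head (like the one curl printed above) and reports whether the redirect keeps the https scheme, lands on the expected path and carries the required realm query parameter. The two sample responses are constructed from the failure case above and the expected result after the fix.

```python
"""Check that a proxy redirect keeps the scheme and the realm query parameter."""
from urllib.parse import urlsplit, parse_qs


def parse_response_head(raw):
    """Return (status_code, headers) from a raw HTTP/1.1 response head.

    Header names are lower-cased so 'Location' and 'location' compare equal.
    """
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw, expected_path, required_params):
    """Return a list of problems with the redirect; an empty list means it is fine."""
    status, headers = parse_response_head(raw)
    if status not in (301, 302, 303, 307, 308):
        return ["status %d is not a redirect" % status]
    location = headers.get("location")
    if location is None:
        return ["redirect without a Location header"]
    url = urlsplit(location)
    problems = []
    # A redirect from an https request to an http URL is a downgrade.
    if url.scheme != "https":
        problems.append("scheme downgrade: " + url.scheme)
    if url.path.rstrip("/") != expected_path.rstrip("/"):
        problems.append("unexpected path: " + url.path)
    query = parse_qs(url.query)
    for name, value in required_params.items():
        if query.get(name) != [value]:
            problems.append("missing query parameter: " + name)
    return problems


# Constructed samples: the failing response seen above, and the response expected after the fix.
BROKEN_RESPONSE = ("HTTP/1.1 302 Found\r\n"
                   "location: http://vaalharts.cattlewatchafrica.com/manager\r\n"
                   "content-length: 0\r\n\r\n")
FIXED_RESPONSE = ("HTTP/1.1 302 Found\r\n"
                  "location: https://vaalharts.cattlewatchafrica.com/manager/?realm=vaalharts\r\n"
                  "content-length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("broken", BROKEN_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, check_redirect(raw, "/manager/", {"realm": "vaalharts"}) or "OK")
```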

Hi Rich,

Sorry for the late thank you. It works. It looks like the change is already pushed upstream.

Peter

Hi @Rich, FYI this change was never pushed to docker.


Hi Rich,

This change is still on the develop tag in the docker hub. Is there a reason not to push it to latest?

Peter