CORS restrictions in Workspace Agent #1735

Closed
nemusa opened this issue Jul 14, 2016 · 6 comments
Labels
kind/question Questions that haven't been identified as being feature requests or bugs.

Comments

nemusa commented Jul 14, 2016

I am running Che server in native mode and Workspace Agent in Docker on separate hosts. When running a workspace, the browser cannot retrieve resources from the Workspace Agent due to CORS restrictions.

Is it possible to configure which domains should be allowed to get resources from the workspace agent?

Observed behavior:

Failed to load resource: the server responded with a status of 403 (Forbidden)
XMLHttpRequest cannot load http://54.173.13.229:10348/wsagent/ext/project-type. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://my.domain' is therefore not allowed access. The response had HTTP status code 403.
Failed to load resource: the server responded with a status of 403 (Forbidden)
XMLHttpRequest cannot load http://54.173.13.229:10348/wsagent/ext/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://my.domain' is therefore not allowed access. The response had HTTP status code 403.

Che version: 4.3.0
OS and version: Linux swarm-manager-staging-1 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux
Docker version: 1.11.2
Che install: Che server in native mode from zip, Workspace Agent running in Docker

Additional information:

Application settings:
defaults, except for
CHE_DOCKER_MACHINE_HOST: Che public IP
machine.docker.che_api.endpoint=http://my.domain:80/wsmaster/api

  • Problem started happening recently, didn't happen in an older version of Che: No
  • Problem can be reliably reproduced, doesn't happen randomly: Yes

skabashnyuk (Contributor) commented

@evoevodin can you comment?

ghost commented Jul 15, 2016

@nemusa What I have just done is:

  • started node A to run Che master
  • started node B with Docker
  • exported:
    export DOCKER_HOST=tcp://192.34.63.94:2375
    export CHE_DOCKER_MACHINE_HOST=192.34.63.94
  • edited /conf/che.properties - machine.docker.che_api.endpoint=http://192.81.219.137:${SERVER_PORT}/wsmaster/api

I was able to start a workspace.

Can you perhaps elaborate on your particular network config, Swarm cluster, when exactly the error shows up etc?

nemusa commented Jul 15, 2016

The error happens when I open a workspace. An example is when the browser makes the following request:

curl -v 'http://54.173.13.229:10348/wsagent/ext/' -H 'Origin: http://my.domain' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: pl,en-US;q=0.8,en;q=0.6,es;q=0.4' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36' -H 'Content-Type: text/plain; charset=utf-8' -H 'Accept: */*' -H 'Referer: http://my.domain/ide/1gpikdo6syxu6fd39f3m' -H 'Connection: keep-alive' --compressed

I have noticed that when Workspace Agent is running on a machine different than Che, it does not set Access-Control-Allow headers. Could you run similar requests to your ws-agent and check what headers are set in response?

Differences between Che host and ws-agent hosts:

  • Che host has Nginx installed, but it does not handle traffic from docker container ports
  • Docker daemon running on Che host listens only on unix socket, daemon running on ws-agent listens on unix socket and TCP

Example requests
Che and WS-agent on separate machines, headers are set

$ curl -v 'http://52.205.44.13:10246/wsagent/ext/' -H 'Origin: http://my.domain' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: pl,en-US;q=0.8,en;q=0.6,es;q=0.4' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36' -H 'Content-Type: text/plain; charset=utf-8' -H 'Accept: */*' -H 'Referer: http://my.domain/ide/vum3f1sf26vj6qc3o655' -H 'Connection: keep-alive' --compressed
*   Trying 52.205.44.13...
* Connected to 52.205.44.13 (52.205.44.13) port 10246 (#0)
> GET /wsagent/ext/ HTTP/1.1
> Host: 52.205.44.13:10246
> Origin: http://my.domain
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: pl,en-US;q=0.8,en;q=0.6,es;q=0.4
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
> Content-Type: text/plain; charset=utf-8
> Accept: */*
> Referer: http://my.domain/ide/vum3f1sf26vj6qc3o655
> Connection: keep-alive
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Access-Control-Allow-Origin: http://my.domain
< Access-Control-Allow-Credentials: true
< Access-Control-Expose-Headers: JAXRS-Body-Provided
< Set-Cookie: JSESSIONID=95962BDD0E5B967B7548CBC9515A3ECB; Path=/wsagent/; HttpOnly
< Cache-Control: public, no-cache, no-store, no-transform
< Content-Type: application/json
< Transfer-Encoding: chunked
< Content-Encoding: gzip
< Vary: Accept-Encoding
< Date: Fri, 15 Jul 2016 13:24:00 GMT
<
* Connection #0 to host 52.205.44.13 left intact

Che and WS-agent on separate machines, headers not set

$ curl -v 'http://54.173.13.229:10348/wsagent/ext/' -H 'Origin: http://my.domain' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: pl,en-US;q=0.8,en;q=0.6,es;q=0.4' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36' -H 'Content-Type: text/plain; charset=utf-8' -H 'Accept: */*' -H 'Referer: http://my.domain/ide/1gpikdo6syxu6fd39f3m' -H 'Connection: keep-alive' --compressed
*   Trying 54.173.13.229...
* Connected to 54.173.13.229 (54.173.13.229) port 10348 (#0)
> GET /wsagent/ext/ HTTP/1.1
> Host: 54.173.13.229:10348
> Origin: http://my.domain
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: pl,en-US;q=0.8,en;q=0.6,es;q=0.4
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
> Content-Type: text/plain; charset=utf-8
> Accept: */*
> Referer: http://my.domain/ide/1gpikdo6syxu6fd39f3m
> Connection: keep-alive
>
< HTTP/1.1 403 Forbidden
< Server: Apache-Coyote/1.1
< Content-Type: text/plain
< Content-Length: 0
< Date: Wed, 13 Jul 2016 14:10:32 GMT
<
* Connection #0 to host 54.173.13.229 left intact

curl -v 'http://54.173.13.229:10348/wsagent/ext/' -H 'Origin: http://54.173.13.229:10348' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: pl,en-US;q=0.8,en;q=0.6,es;q=0.4' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36' -H 'Content-Type: text/plain; charset=utf-8' -H 'Accept: */*' -H 'Referer: http://my.domain/ide/1gpikdo6syxu6fd39f3m' -H 'Connection: keep-alive' --compressed
*   Trying 54.173.13.229...
* Connected to 54.173.13.229 (54.173.13.229) port 10348 (#0)
> GET /wsagent/ext/ HTTP/1.1
> Host: 54.173.13.229:10348
> Origin: http://54.173.13.229:10348
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: pl,en-US;q=0.8,en;q=0.6,es;q=0.4
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
> Content-Type: text/plain; charset=utf-8
> Accept: */*
> Referer: http://my.domain/ide/1gpikdo6syxu6fd39f3m
> Connection: keep-alive
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=F2B09BBD8ADC3632DD6ED19B739048B9; Path=/wsagent/; HttpOnly
< Cache-Control: public, no-cache, no-store, no-transform
< Content-Type: application/json
< Transfer-Encoding: chunked
< Content-Encoding: gzip
< Vary: Accept-Encoding
< Date: Wed, 13 Jul 2016 14:20:59 GMT
<
* Connection #0 to host 54.173.13.229 left intact
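
Added example (not part of the original thread or of the Che code base): the CORS check a browser applies to a simple cross-origin GET, run over the response headers from the three curl transcripts above. The function names are hypothetical, and `withCredentials = true` is an assumption about how the IDE issues its requests.

```javascript
// Header names are case-insensitive; keep the last value seen for each name.
function parseHeaders(lines) {
  const headers = new Map();
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return headers;
}

// Returns a verdict string: can script on pageOrigin read this response?
function corsCheck(pageOrigin, requestUrl, responseHeaderLines, withCredentials) {
  // Same-origin requests are never subject to the CORS check.
  if (new URL(requestUrl).origin === pageOrigin) return 'same-origin: readable';
  const h = parseHeaders(responseHeaderLines);
  const acao = h.get('access-control-allow-origin');
  if (acao === undefined) return 'blocked: no Access-Control-Allow-Origin';
  if (!withCredentials) {
    return acao === '*' || acao === pageOrigin
      ? 'cross-origin: readable' : 'blocked: origin mismatch';
  }
  // Credentialed requests: "*" is not accepted and Allow-Credentials must be "true".
  if (acao !== pageOrigin) return 'blocked: origin mismatch';
  if (h.get('access-control-allow-credentials') !== 'true') {
    return 'blocked: credentials not allowed';
  }
  return 'cross-origin: readable';
}

// Response headers transcribed from the three transcripts (cookies omitted).
const samples = [
  { page: 'http://my.domain', url: 'http://52.205.44.13:10246/wsagent/ext/',
    headers: ['Access-Control-Allow-Origin: http://my.domain',
              'Access-Control-Allow-Credentials: true',
              'Access-Control-Expose-Headers: JAXRS-Body-Provided'] },
  { page: 'http://my.domain', url: 'http://54.173.13.229:10348/wsagent/ext/',
    headers: ['Content-Type: text/plain', 'Content-Length: 0'] },
  { page: 'http://54.173.13.229:10348', url: 'http://54.173.13.229:10348/wsagent/ext/',
    headers: ['Content-Type: application/json', 'Vary: Accept-Encoding'] },
];

function diagnose(withCredentials = true) {
  return samples.map(s => ({
    url: s.url, origin: s.page,
    verdict: corsCheck(s.page, s.url, s.headers, withCredentials),
  }));
}

for (const r of diagnose()) console.log(`${r.origin} -> ${r.url}: ${r.verdict}`);
```

In the first response the allowed origin is paired with `Access-Control-Allow-Credentials: true`, so the set of origins the agent accepts is what limits which sites can read authenticated responses.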

ghost commented Jul 18, 2016

@nemusa so, my test was a bit different, since I did not have nginx running on the Che instance and the workspace agent is communicating with the server using port 8080.

ghost added the kind/question label Jul 19, 2016
ghost commented Jul 19, 2016

@nemusa it might be an nginx issue. What happens if you stop nginx and use port 8080, so that the server and agent communicate directly and not through the nginx proxy?

nemusa commented Jul 22, 2016

It has turned out that Che 4.4 has solved this problem. Thank you for your help.

nemusa closed this as completed Jul 22, 2016