Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disable RejectInsecureRequest middleware on unix sockets #1259

Merged

Conversation

Projects
None yet
2 participants
@jayme-github
Copy link
Contributor

commented Jan 16, 2019

Proposed changes

RejectInsecureRequests handler fails for requests via socket because the remote address is @.
We should not reject insecure requests coming in via unix socket as there is no TLS support anyways.

{"error":"address @: missing port in address","level":"warning","msg":"Could not serve http connection","time":"2019-01-16T08:39:17Z"}
{"code":502,"details":{},"error":"Can not serve request over insecure http","level":"error","msg":"An error occurred while handling a request","reason":"","request-id":"","status":"","time":"2019-01-16T08:39:17Z", "trace":"
Stack trace: 
github.com/ory/hydra/cmd/server.(*Handler).RejectInsecureRequests
        /go/src/github.com/ory/hydra/cmd/server/handler.go:303
github.com/ory/hydra/cmd/server.(*Handler).RejectInsecureRequests-fm
        /go/src/github.com/ory/hydra/cmd/server/handler.go:62
github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/urfave/negroni.middleware.ServeHTTP-fm
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/x/metricsx.(*MetricsManager).ServeHTTP
        /go/pkg/mod/github.com/ory/x@v0.0.33/metricsx/middleware.go:207
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/urfave/negroni.middleware.ServeHTTP-fm
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/ory/hydra/metrics/prometheus.(*MetricsManager).ServeHTTP
        /go/src/github.com/ory/hydra/metrics/prometheus/middleware.go:26
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/urfave/negroni.middleware.ServeHTTP-fm
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/meatballhat/negroni-logrus.(*Middleware).ServeHTTP
        /go/pkg/mod/github.com/meatballhat/negroni-logrus@v0.0.0-20170801195057-31067281800f/middleware.go:136
github.com/urfave/negroni.middleware.ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
github.com/urfave/negroni.(*Negroni).ServeHTTP
        /go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96
github.com/gorilla/context.ClearHandler.func1
        /go/pkg/mod/github.com/gorilla/context@v1.1.1/context.go:141
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:1964
net/http.serverHandler.ServeHTTP
        /usr/local/go/src/net/http/server.go:2741
net/http.(*conn).serve
        /usr/local/go/src/net/http/server.go:1847
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1333

Checklist

  • I have read the contributing guidelines
  • I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security
    vulnerability, I confirm that I got green light (please contact hi@ory.sh) from the maintainers to push the changes.
  • I signed the Developer's Certificate of Origin
    by signing my commit(s). You can amend your signature to the most recent commit by using git commit --amend -s. If you
    amend the commit, you might need to force push using git push --force HEAD:<branch>. Please be very careful when using
    force push.
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation within the code base (if appropriate)
  • I have documented my changes in the developer guide (if appropriate)
Disable RejectInsecureRequest middleware on unix sockets
We should not reject insecure requests coming in via unix socket as
there is no TLS support anyways.

Signed-off-by: Janis Meybohm <meybohm@traum-ferienwohnungen.de>
@aeneasr

This comment has been minimized.

Copy link
Member

commented Jan 17, 2019

Thank you!

@aeneasr aeneasr merged commit af125b3 into ory:master Jan 17, 2019

2 of 3 checks passed

ci/circleci: test Your tests failed on CircleCI
Details
DCO DCO
Details
ci/circleci: format Your tests passed on CircleCI!
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.