Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to run policy-bot behind a reverse-prxoy #724

Closed
KnisterPeter opened this issue Mar 5, 2024 · 3 comments · Fixed by #730
Closed

Unable to run policy-bot behind a reverse-prxoy #724

KnisterPeter opened this issue Mar 5, 2024 · 3 comments · Fixed by #730

Comments

@KnisterPeter
Copy link
Contributor

Even if configuration states differently (here), it's not possible to operate the policy-bot behind a reverse proxy.

This is caused by the wrong setup of the github authorization flow in this case.
The github default setup does create the redirect url (callback) at the end of the auth flow with the requests host header. This header is in case of a reverse-proxy set to the ip/host of that proxy.
Instead it should be the configured proxy host.

Can anyone confirm this behavior?
@bluekeyes
Copy link
Member

Our expectation is that reverse proxies set an appropriate Host header for the application (e.g. by using a proxy_set_header Host $host; directive in NGINX). If that's not possible, then yes, I believe the GitHub OAuth flow will generate incorrect URLs.

It might be possible to update this to use the public_url values instead. In #334, there was also a request to use theX-Forwarded-Host header instead of the normal Host header. If you are unable to set the Host header in your proxy, does it set the forwarding headers instead?

@KnisterPeter
Copy link
Contributor Author

I'm building the reverse proxy in JS (to run in Lambda). We are using the node.js fetch function. That is not allowed to override/set the host header. But I can set any other header.

Is a PR welcome?

@bluekeyes
Copy link
Member

Yes, I'm happy to review a PR if you'd like to try fixing this. I think the easiest option is probably to use the existing oauth2.WithRedirectURL option to set the redirect URL based on the public_url value.

If you'd like to support other headers instead, I think we first need to update https://github.com/palantir/go-githubapp to enable that in the oauth2 package.

KnisterPeter added a commit to KnisterPeter/policy-bot that referenced this issue Mar 15, 2024
@KnisterPeter
Add support for oauth2 beind proxy
4d4d45f 
This change does use the public_url config value to create
the oauth2 callback url. This logic is only setup
if the config value has been set.

Closes palantir#724
@KnisterPeter KnisterPeter mentioned this issue Mar 15, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add support for oauth2 beind proxy KnisterPeter/policy-bot
2 participants
@KnisterPeter @bluekeyes