Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use Nginx to make Buildbot logs available via CORS #375

Closed
wants to merge 1 commit into from
Closed

Use Nginx to make Buildbot logs available via CORS #375

wants to merge 1 commit into from

Conversation

aneeshusa
Copy link
Contributor

@aneeshusa aneeshusa commented May 16, 2016
edited by larsbergstrom

Buildbot itself (neither the current version eight nor the upcoming
verison nine) does not seem to have built-in CORS support, so use Nginx
to supply CORS headers while reverse proxying.

This is only needed to download log files, so start with a very
conservative set of CORS headers. In particular:

  • Only support basic CORS requests (those that don't require preflight
    requests via OPTIONS). This means supporting only GET requests.
  • Do not allow sending cookies or exposing any headers.
    In return, whitelist all domains for CORS, and send the Allow-Origin
    header unconditionally, as the actual value of the Origin header does
    not matter.

Because we are using proxy_pass to reverse proxy Buildbot, we need to
tell Nginx to always add the CORS headers, instead of only adding them
for successful responses. (I.e. add CORS headers even for 404s and other
erroneous status codes). This features is not available in the Nginx
packaged for Ubuntu Trusty, so replace it with a newer Nginx from
upstream Nginx's respositories.

Because Debian/Ubuntu modify the default configuration for Nginx, use
Salt to ensure that the installed nginx.conf properly looks into the
sites-enabled directory (which is a Debian-ism) and that the default
handler in /etc/nginx/conf.d/ is purged.

In order to only support CORS on GET requests, use the 'if' directive.
However, because Nginx's if is evil,
(https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/)
add a bunch of tests to ensure that the configuration is working.

Also, update the Nginx states to follow Salt best practices.

Fixes #354. Blocked on #374 because I encountered various failures
while upgrading from the Ubuntu Nginx to upstream Nginx, and I'd
like to make sure I caught them all.

This change is Reviewable

@aneeshusa
Copy link
Contributor Author

cc @jdm: Is this sufficient to pull the logs you needed or do I need to support OPTIONS/preflight requests too?

@aneeshusa
Use Nginx to make Buildbot logs available via CORS
5d93b54 
Buildbot itself (neither the current version eight nor the upcoming
verison nine) does not seem to have built-in CORS support, so use Nginx
to supply CORS headers while reverse proxying.

This is only needed to download log files, so start with a very
conservative set of CORS headers. In particular:
  - Only support basic CORS requests (those that don't require preflight
    requests via OPTIONS). This means supporting only GET requests.
  - Do not allow sending cookies or exposing any headers.
In return, whitelist all domains for CORS, and send the Allow-Origin
header unconditionally, as the actual value of the Origin header does
not matter.

Because we are using proxy_pass to reverse proxy Buildbot, we need to
tell Nginx to always add the CORS headers, instead of only adding them
for successful responses. (I.e. add CORS headers even for 404s and other
erroneous status codes). This features is not available in the Nginx
packaged for Ubuntu Trusty, so replace it with a newer Nginx from
upstream Nginx's respositories.

Because Debian/Ubuntu modify the default configuration for Nginx, use
Salt to ensure that the installed nginx.conf properly looks into the
sites-enabled directory (which is a Debian-ism) and that the default
handler in /etc/nginx/conf.d/ is purged.

In order to only support CORS on GET requests, use the 'if' directive.
However, because Nginx's if is evil,
(https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/)
add a bunch of tests to ensure that the configuration is working.

Also, update the Nginx states to follow Salt best practices.
@jdm
Copy link
Member

jdm commented May 16, 2016

I don't know of any reason that preflight requests should be required.

@aneeshusa aneeshusa mentioned this pull request Aug 26, 2016
Open
@aneeshusa
Copy link
Contributor Author

No longer blocked since #374 merged a while ago. @bors-servo try

@bors-servo
Copy link
Contributor

⌛ Trying commit 5d93b54 with merge f805856...

bors-servo pushed a commit that referenced this pull request Sep 29, 2016
Auto merge of #375 - aneeshusa:add-basic-cors-headers, r=<try>
f805856 
Use Nginx to make Buildbot logs available via CORS

Buildbot itself (neither the current version eight nor the upcoming
verison nine) does not seem to have built-in CORS support, so use Nginx
to supply CORS headers while reverse proxying.

This is only needed to download log files, so start with a very
conservative set of CORS headers. In particular:
  - Only support basic CORS requests (those that don't require preflight
    requests via OPTIONS). This means supporting only GET requests.
  - Do not allow sending cookies or exposing any headers.
In return, whitelist all domains for CORS, and send the Allow-Origin
header unconditionally, as the actual value of the Origin header does
not matter.

Because we are using proxy_pass to reverse proxy Buildbot, we need to
tell Nginx to always add the CORS headers, instead of only adding them
for successful responses. (I.e. add CORS headers even for 404s and other
erroneous status codes). This features is not available in the Nginx
packaged for Ubuntu Trusty, so replace it with a newer Nginx from
upstream Nginx's respositories.

Because Debian/Ubuntu modify the default configuration for Nginx, use
Salt to ensure that the installed nginx.conf properly looks into the
sites-enabled directory (which is a Debian-ism) and that the default
handler in /etc/nginx/conf.d/ is purged.

In order to only support CORS on GET requests, use the 'if' directive.
However, because Nginx's if is evil,
(https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/)
add a bunch of tests to ensure that the configuration is working.

Also, update the Nginx states to follow Salt best practices.

Fixes #354. Blocked on #374 because I encountered various failures
while upgrading from the Ubuntu Nginx to upstream Nginx, and I'd
like to make sure I caught them all.

<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.io/review_button.svg" height="35" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/saltfs/375)
<!-- Reviewable:end -->
@bors-servo
Copy link
Contributor

💔 Test failed - status-travis

@aneeshusa aneeshusa mentioned this pull request Oct 30, 2016
Closed
@bors-servo
Copy link
Contributor

☔ The latest upstream changes (presumably #544) made this pull request unmergeable. Please resolve the merge conflicts.

@jdm jdm closed this Aug 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
S-needs-rebase
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Make buildbot log files available via CORS
4 participants
@aneeshusa @jdm @bors-servo @highfive