Posted to users@activemq.apache.org by Thai Le <ln...@gmail.com> on 2022/06/10 14:12:12 UTC

how to make artemis webconsole generates https url without https binding

Hello,

I have an Artemis 2.19.1 broker running in a Kubernetes pod. The binding in
the bootstrap.xml is set to bind="*http*://0.0.0.0:8161" path="web". I also
have a virtual service that routes http requests matching a pattern to this
pod so that I can access the web console from the internet. However, all
requests from the internet to our services must be in *https.* So, from the
internet, if I use *https*://mycompanydomain.com/artemis/console then the
request hits our gateway and is forwarded to the Artemis pod as an *http* request;
the web console then generates some URLs with the *http* scheme and sends back
the response telling the browser to open these URLs. However, such *http*
requests will fail because our domain does not accept *http*. The obvious
approach is to configure an https binding for the web console, but due to security
policy I cannot have access to the keystore. So I wonder if there is a
way to force all URLs generated by the web console to be in *https* instead
of *http* without configuring an https binding.

Regards

Thai Le

Re: how to make artemis webconsole generates https url without https binding

Posted by Thai Le <ln...@gmail.com>.
Hi,

To answer my own question, the root cause is that I did not specify the
customizer in the binding to take advantage of the X-forwarded-proto
header. After adding the customizer, I see all the URLs generated are now
https. Here is where I got my answer
https://issues.apache.org/jira/browse/ARTEMIS-3011?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel%3D17238390#comment-17238390

However, now I am facing another issue: once authenticated, this
POST request always returns 403:

https://dev1.mycompany.com/stack/nle/artemis-master/console/jolokia/?maxDepth=7&maxCollectionSize=50000&ignoreErrors=true&canonicalNaming=false

and here is the request header:
POST /stack/nle/artemis-master/console/jolokia/?maxDepth=7&maxCollectionSize=50000&ignoreErrors=true&canonicalNaming=false HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 71
Content-Type: text/json
Host: dev1.company.com
Origin: https://dev1.company.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="102", "Google Chrome";v="102"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"

Here is the response header --------------------------
HTTP/1.1 403 Forbidden
access-control-allow-origin: *
cache-control: max-age=0, no-cache, must-revalidate, proxy-revalidate, private
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; frame-src 'self';default-src 'self' https://*.company.com https://*.company.io/ https://fonts.gstatic.com https://use.fontawesome.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://maps.googleapis.com https://developers.google.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://use.fontawesome.com; img-src 'self' data: https://*.company.com https://*.company.io/ https://maps.gstatic.com https://*.googleapis.com https://*.tile.osm.org; font-src 'self' https://fonts.gstatic.com https://use.fontawesome.com;
date: Fri, 10 Jun 2022 19:14:46 GMT
hawtio-forbidden-reason: NONE
permissions-policy:
camera=(),microphone=(),geolocation=(),encrypted-media=(),payment=(),usb=()
pragma: no-cache
referrer-policy: no-referrer
server: company
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-envoy-upstream-service-time: 1
x-frame-options: SAMEORIGIN
x-xss-protection: 1
Content-Length: 0
Connection: keep-alive
--------------------
and since that POST retrieves the data (acceptors, addresses, ...), I end up
with a blank page when I get the 403.

One thing I notice is that the content-security-policy seems to have
duplicated directives like default-src and script-src. I am not sure that
causes the 403, but Chrome says it ignores the duplicates:
Ignoring duplicate Content-Security-Policy directive 'default-src'.

I am not sure what the next step to debug this would be, and hope to get some
hints.

Thai Le

On Fri, 10 Jun 2022 at 11:53, Justin Bertram <jb...@apache.org> wrote:

> > ...the web console then generates some URLs with the *http* scheme and sends
> > back the response telling the browser to open these URLs...
>
> Can you provide an example of a URL that gets passed back as http?
>
>
> Justin
>
> On Fri, Jun 10, 2022 at 9:12 AM Thai Le <ln...@gmail.com> wrote:
>
> > Hello,
> >
> > I have an Artemis 2.19.1 broker running in a Kubernetes pod. The binding in
> > the bootstrap.xml is set to bind="*http*://0.0.0.0:8161" path="web". I also
> > have a virtual service that routes http requests matching a pattern to this
> > pod so that I can access the web console from the internet. However, all
> > requests from the internet to our services must be in *https.* So, from the
> > internet, if I use *https*://mycompanydomain.com/artemis/console then the
> > request hits our gateway and is forwarded to the Artemis pod as an *http* request;
> > the web console then generates some URLs with the *http* scheme and sends back
> > the response telling the browser to open these URLs. However, such *http*
> > requests will fail because our domain does not accept *http*. The obvious
> > approach is to configure an https binding for the web console, but due to security
> > policy I cannot have access to the keystore. So I wonder if there is a
> > way to force all URLs generated by the web console to be in *https* instead
> > of *http* without configuring an https binding.
> >
> > Regards
> >
> > Thai Le
> >
>


-- 
Where there is will, there is a way
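The fix described in the reply above, as an added example configuration that is not from the thread or the Artemis project: the bootstrap.xml web element first without and then with the Jetty ForwardedRequestCustomizer. The bind and path values come from the post; the Artemis 2.19.x element and attribute names, the default app entries, and the network-policy remark are assumptions.

```xml
<!-- Added example (not from the thread): bootstrap.xml <web> element,
     Artemis 2.19.x syntax assumed, with the default console apps.

     Before: no customizer. Jetty only sees the plain http connection from
     the gateway, so every absolute URL the console builds (redirects, the
     Jolokia base URL) starts with http://, and the browser is then refused
     by the https-only domain. -->
<web bind="http://0.0.0.0:8161" path="web">
   <app url="activemq-branding" war="activemq-branding.war"/>
   <app url="artemis-plugin" war="artemis-plugin.war"/>
   <app url="console" war="console.war"/>
</web>

<!-- After: the customizer attribute names a Jetty HttpConfiguration
     customizer. ForwardedRequestCustomizer rewrites the request's scheme,
     host and port from the X-Forwarded-Proto / X-Forwarded-Host /
     X-Forwarded-Port (or RFC 7239 Forwarded) headers that the gateway adds,
     so generated URLs become https://... while the listener itself stays
     plain http and no keystore is needed on the pod. -->
<web bind="http://0.0.0.0:8161" path="web"
     customizer="org.eclipse.jetty.server.ForwardedRequestCustomizer">
   <app url="activemq-branding" war="activemq-branding.war"/>
   <app url="artemis-plugin" war="artemis-plugin.war"/>
   <app url="console" war="console.war"/>
</web>

<!-- Caveat: ForwardedRequestCustomizer trusts the X-Forwarded-* headers of
     whoever connects to port 8161. Keep that port reachable only from the
     gateway (for example via a Kubernetes NetworkPolicy), so that a client
     bypassing the gateway cannot present a spoofed scheme or host. -->
```

The gateway must actually set X-Forwarded-Proto: https on the upstream request; the customizer only reads what the proxy sends.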

Re: how to make artemis webconsole generates https url without https binding

Posted by Justin Bertram <jb...@apache.org>.
> ...the web console then generates some URLs with the *http* scheme and sends
back the response telling the browser to open these URLs...

Can you provide an example of a URL that gets passed back as http?


Justin

On Fri, Jun 10, 2022 at 9:12 AM Thai Le <ln...@gmail.com> wrote:

> Hello,
>
> I have an Artemis 2.19.1 broker running in a Kubernetes pod. The binding in
> the bootstrap.xml is set to bind="*http*://0.0.0.0:8161" path="web". I also
> have a virtual service that routes http requests matching a pattern to this
> pod so that I can access the web console from the internet. However, all
> requests from the internet to our services must be in *https.* So, from the
> internet, if I use *https*://mycompanydomain.com/artemis/console then the
> request hits our gateway and is forwarded to the Artemis pod as an *http* request;
> the web console then generates some URLs with the *http* scheme and sends back
> the response telling the browser to open these URLs. However, such *http*
> requests will fail because our domain does not accept *http*. The obvious
> approach is to configure an https binding for the web console, but due to security
> policy I cannot have access to the keystore. So I wonder if there is a
> way to force all URLs generated by the web console to be in *https* instead
> of *http* without configuring an https binding.
>
> Regards
>
> Thai Le
>

Re: how to make artemis webconsole generates https url without https binding

Posted by Edson Richter <ed...@hotmail.com>.
I've got the same problem with Docker and HAProxy, and have found no solution so far.

I hope someone gives you a direction, so I can find a solution for our scenario as well.

Regards,

Edson

On 10 Jun 2022, at 11:12, Thai Le <ln...@gmail.com> wrote:

Hello,

I have an Artemis 2.19.1 broker running in a Kubernetes pod. The binding in
the bootstrap.xml is set to bind="*http*://0.0.0.0:8161" path="web". I also
have a virtual service that routes http requests matching a pattern to this
pod so that I can access the web console from the internet. However, all
requests from the internet to our services must be in *https.* So, from the
internet, if I use *https*://mycompanydomain.com/artemis/console then the
request hits our gateway and is forwarded to the Artemis pod as an *http* request;
the web console then generates some URLs with the *http* scheme and sends back
the response telling the browser to open these URLs. However, such *http*
requests will fail because our domain does not accept *http*. The obvious
approach is to configure an https binding for the web console, but due to security
policy I cannot have access to the keystore. So I wonder if there is a
way to force all URLs generated by the web console to be in *https* instead
of *http* without configuring an https binding.

Regards

Thai Le