Allow multiple hostname #2733

Merged
merged 4 commits into from
Jun 1, 2022
2 changes: 1 addition & 1 deletion dev-docs/habitat_configurations_for_development.md
@@ -35,7 +35,7 @@ Start with `hab studio enter`
port = 3000\
secret_key_base = "<appropriate value>"\
protocol = 'https'\
allowed_host = "localhost"
allowed_hosts = "localhost"

[nginx]\
force_ssl = true\
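Review bot: the key rename from `allowed_host` to `allowed_hosts` here is a breaking change for any existing Habitat `user.toml` that still sets `allowed_host`; that value will silently stop being applied and the service will fall back to the default. Either call out the migration in this doc or keep the old key as a fallback. The example also still shows a single value (`allowed_hosts = "localhost"`); since the point of this PR is multiple hostnames, showing the comma-separated form here as well would save readers a trip to the config_rb reference.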
7 changes: 5 additions & 2 deletions docs-chef-io/content/supermarket/config_rb_supermarket.md
@@ -58,9 +58,12 @@ This configuration file has the following general settings:

: This flag is to allow/restrict injection of arbitrary host headers in the API calls to supermarket. The scenarios in which this flag will be useful is e.g. if supermarket runs behind an AWS ELB (load balancer), the internal health-check API calls to supermarket invoked by the load balancer get responded with status code: 403 (forbidden) if this flag is set to `true`. So to unblock the health-check API calls invoked by the ELB we need to set this flag as `false`

`default['supermarket']['allowed_host']`
`default['supermarket']['allowed_hosts']`

: This attribute is to set the Allowed Host for supermarket to block arbitrary [Host header injection](https://crashtest-security.com/invalid-host-header/) in the API calls to supermarket. This is by default set as the value of the FQDN(`default['supermarket']['fqdn']`). You can also set this attribute explicitly as the the domain name of your supermarket website e.g. <https://supermarket.chef.io>. You also need to keep the flag: `disable_host_header_attack` as `true` to make this attribute effective. If `disable_host_header_attack` is set to `false` then this attribute will be ignored.
: This attribute is to set the list of Allowed Hosts for supermarket to block arbitrary [Host header injection](https://crashtest-security.com/invalid-host-header/) in the API calls to supermarket. This is by default set as the value of the FQDN(`default['supermarket']['fqdn']`). You can also set this attribute explicitly as the the domain name of your supermarket website e.g. <https://supermarket.chef.io>. You also need to keep the flag: `disable_host_header_attack` as `true` to make this attribute effective. If `disable_host_header_attack` is set to `false` then this attribute will be ignored.
: For allowing multiple hostnames in `default['supermarket']['allowed_hosts']`,
specify the values separated by comma e.g. below:
`'https://www.example1.com, https://www.example2.com'`

`default['supermarket']['from_email']`

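Review bot: the comma-separated example (`'https://www.example1.com, https://www.example2.com'`) carries a URL scheme, but these values end up in Rails `config.hosts` (see the production.rb change in this PR), which is compared against the request's Host header, i.e. a bare hostname such as `www.example1.com`. A value containing `https://` can never match, so every request would get the 403 described in the `disable_host_header_attack` paragraph above; suggest `'www.example1.com, www.example2.com'`, and the same correction for the `<https://supermarket.chef.io>` example in the retained sentence. While this line is touched, "the the domain name" is a typo worth fixing.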
6 changes: 4 additions & 2 deletions omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
@@ -365,11 +365,13 @@
# calls invoked by the load balancer get responded with status code 403 (forbidden) if this flag is set to true.
# So to unblock the healthcheck API we need to set this flag as false
default['supermarket']['disable_host_header_attack'] = true
# Setting allowed_host for supermarket to avoid arbitrary "Host" header injection
# Setting allowed_hosts for supermarket to avoid arbitrary "Host" header injection
# Set this value to the domain name of your supermarket website e.g. supermarket.chef.io
# You also need to keep the flag: disable_host_header_attack as true to make it effective
# If disable_host_header_attack is false then this flag will be ignored.
default['supermarket']['allowed_host'] = node['supermarket']['fqdn']
# To set allowed_hosts to allow multiple hosts in the host header specify the hosts separated by comma(,)
# e.g. 'https://www.example1.com, https://www.example2.com'
default['supermarket']['allowed_hosts'] = node['supermarket']['fqdn']

# ### Chef URL Settings
#
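Review bot: same scheme problem as in the docs hunk: the comment example `'https://www.example1.com, https://www.example2.com'` describes values that will never match a Host header, so show bare hostnames. Beyond that, renaming `default['supermarket']['allowed_host']` to `['allowed_hosts']` means an existing site configuration that sets `allowed_host` will have that setting ignored after upgrade and quietly fall back to `node['supermarket']['fqdn']`. Consider copying the old attribute into the new one (or at least logging a deprecation) so the rename does not silently change which hosts are accepted. Minor: the comment "If disable_host_header_attack is false then this flag will be ignored" refers to this attribute, not a flag.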
2 changes: 1 addition & 1 deletion src/supermarket/.env
@@ -31,4 +31,4 @@ ROBOTS_ALLOW=/
ENFORCE_PRIVACY=true
COOKSTYLE_COPS=Chef/Deprecations,Chef/Correctness,Chef/Sharing,Chef/RedundantCode,Chef/Modernize,Chef/Security,InSpec/Deprecations
DISABLE_HOST_HEADER_ATTACK=true
ALLOWED_HOST=YOUR_SUPERMARKET_DOMAIN_NAME
ALLOWED_HOSTS=YOUR_SUPERMARKET_DOMAIN_NAME
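Review bot: the placeholder `YOUR_SUPERMARKET_DOMAIN_NAME` still reads as a single value. Since this `.env` is the template operators start from, a comment line above it stating the accepted format (comma-separated bare hostnames, no scheme) would make the new behaviour discoverable without reading `config/environments/production.rb`.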
7 changes: 5 additions & 2 deletions src/supermarket/config/environments/production.rb
@@ -115,7 +115,10 @@

# The value of ENV["DISABLE_HOST_HEADER_ATTACK"] will be parsed as string.
# Hence we need to convert string to boolean.
if ActiveModel::Type::Boolean.new.cast(ENV["DISABLE_HOST_HEADER_ATTACK"]) && ENV["ALLOWED_HOST"].present?
config.hosts << ENV["ALLOWED_HOST"]
# It allows multiple hosts by specifying ENV["ALLOWED_HOSTS"] attribute in .env file.
if ActiveModel::Type::Boolean.new.cast(ENV["DISABLE_HOST_HEADER_ATTACK"]) && ENV["ALLOWED_HOSTS"].present?
ENV["ALLOWED_HOSTS"].split(",").each do |host|
config.hosts << host.strip
end
end
end
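Review bot: `split(",")` followed by `strip` still appends empty strings to `config.hosts` for values such as `a, ,b` or `a,,b`, and an entry that still carries a scheme (`https://host`) is accepted as configuration but can never match a Host header. Suggest normalising once before appending: `hosts = ENV["ALLOWED_HOSTS"].split(",").map(&:strip).reject(&:empty?)` and then `config.hosts.concat(hosts)`. Separately, the guard is fail-open: when `DISABLE_HOST_HEADER_ATTACK` is true but `ALLOWED_HOSTS` is blank, nothing is added to `config.hosts`, and with an empty `config.hosts` Rails does not install the host-authorization check at all, so a deployment that mistypes the variable ends up with the protection disabled rather than rejecting requests. A warning log or a fallback to the FQDN in that branch would surface the misconfiguration. The new comment also reads awkwardly; "Multiple hosts can be allowed by setting ENV["ALLOWED_HOSTS"] to a comma-separated list" is clearer.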
2 changes: 1 addition & 1 deletion src/supermarket/habitat-web/plan.sh
@@ -120,7 +120,7 @@ scaffolding_env[SENTRY_URL]="{{ cfg.sentry_url }}"
scaffolding_env[STATSD_PORT]="{{ cfg.statsd_port }}"
scaffolding_env[STATSD_URL]="{{ cfg.statsd_url }}"
scaffolding_env[cookbook]="{{ cfg.app.cookbook }}"
scaffolding_env[ALLOWED_HOST]="{{ cfg.app.allowed_host }}"
scaffolding_env[ALLOWED_HOSTS]="{{ cfg.app.allowed_hosts }}"

scaffolding_env[INSTALL_DIRECTORY]="{{ pkg.path }}"
scaffolding_env[INSTALL_PATH]="{{ pkg.path }}"
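Review bot: `{{ cfg.app.allowed_hosts }}` needs a matching `app.allowed_hosts` entry in the package's default configuration (not part of this hunk); if only the plan is renamed, the template renders an empty string, `ENV["ALLOWED_HOSTS"].present?` in production.rb is false, and the host check is silently skipped. Please confirm the default config was updated in the same change. The value is handed to Rails unchanged, so the format operators put in their Habitat config is exactly what gets split; keep the documented form consistent across the PR (comma-separated bare hostnames, no `https://`).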