Allow CORS requests at random ports for defined origin hosts (SQPIT-9…

…22) (#2283) The QA runs tests against a HTTP proxy (HA proxy). This changes the origin in two ways: - The ports aren't default (i.e. 80 or 443) but something more random - The host part contains a different subdomain, e.g. custom.qa-fixed-sso.wire.link To enable this behaviour for testing but keep the rules strict in production, introduce the Helm value nginx_conf.randomport_allowlisted_origins. This list defines to which origins CORS requests at random ports are allowed. The default is: To none.
wireapp · Apr 19, 2022 · 9d066e3 · 9d066e3
1 parent d5979d1
commit 9d066e3
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 1 deletion.
diff --git a/changelog.d/5-internal/allow_cors_requests_at_random_ports b/changelog.d/5-internal/allow_cors_requests_at_random_ports
@@ -0,0 +1,2 @@
+Allow additional origins at random ports in nginz Helm chart. This is useful for
+testing with an HTTP proxy. It should not be used in production.
diff --git a/charts/nginz/templates/conf/_nginx.conf.tpl b/charts/nginz/templates/conf/_nginx.conf.tpl
@@ -128,7 +128,13 @@ http {
     {{ range $origin := .Values.nginx_conf.allowlisted_origins }}
       "https://{{ $origin }}.{{ $.Values.nginx_conf.external_env_domain}}" "$http_origin";
     {{ end }}
-  }
+
+    # Allow additional origins at random ports. This is useful for testing with an HTTP proxy.
+    # It should not be used in production.
+    {{ range $origin := .Values.nginx_conf.randomport_allowlisted_origins }}
+      "~^https://{{ $origin }}.{{ $.Values.nginx_conf.external_env_domain}}(:[0-9]{2,5})?$" "$http_origin";
+    {{ end }}
+   }
 
 
   #

diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml
@@ -57,6 +57,11 @@ nginx_conf:
     - webapp
     - teams
     - account
+  # -- The origins from which we allow CORS requests at random ports. This is
+  # useful for testing with HTTP proxies and should not be used in production.
+  # The list entries are combined with 'external_env_domain' to form a full url
+  # regex that matches for all ports.
+  randomport_allowlisted_origins: [] # default is empty by intention
   upstreams:
     cargohold:
     - path: /conversations/([^/]*)/assets

diff --git a/hack/helm_vars/wire-server/values.yaml.gotmpl b/hack/helm_vars/wire-server/values.yaml.gotmpl
@@ -202,6 +202,7 @@ nginz:
     external_env_domain: zinfra.io
     # NOTE: Web apps are disabled by default
     allowlisted_origins: []
+    randomport_allowlisted_origins: [] # default is empty by intention
   secrets:
     basicAuth: "whatever"
     zAuth:
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Allow additional origins at random ports in nginz Helm chart. This is useful for
		testing with an HTTP proxy. It should not be used in production.