fix: incorrect/invalid HSTS policy for proxy hosts (#4471)#5714
Open
tm-frs wants to merge 1 commit into
Open
Conversation
Author
|
This does not seem to be related to my change, is that broken? |
remove HSTS headers from upstream for proxy hosts
|
Docker Image for build 3 is available on DockerHub: Note Ensure you backup your NPM instance before testing this image! Especially if there are database changes. Warning Changes and additions to DNS Providers require verification by at least 2 members of the community! |
Author
|
Well, I don't know if it was just temporary or not, but I literally force-pushed the same unchanged amended commit again; and two times the build system failed, now it succeeded. |
Author
|
After a bit of fighting with my local setup, I managed to test my changes and can confirm it works as intended. I tested
So there are no invalid or undesireable states. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Fixes #4471
With a proxy host, when the upstream server itself includes an HTTP header for HSTS (e.g. Nextcloud), it is currently kept. When enabling HSTS in NPM, it adds another one, so there will be two of those (which is invalid, and HSTS will not work at all), and (haven't explicitly checked, but I'd imagine) when HSTS is disabledin NPM, it'll actually be enabled due to the upstream header. So, when an upstream server sends an HSTS header, the setting within NPM is actually kinda reversed (HSTS on when setting is off, HSTS invalid/off when setting is on). This is not desireable and unexpected.
I fixed that by adding a directive to the proxy host template that removes any pre-existing HSTS headers; afterwards, if enabled, NPM will add its own.
Type of Change
AI Usage
NOTE: I have not yet tested this change itself; I verified it works when adding that to the custom nginx options in the proxy host settings (which did what I expected and wanted). I will later test these changes to the template.