When Cockpit is not configured any origins, it uses the host and protocol of the
incoming request to set the allowed origin for WebSocket connections. By
ensuring that the original host/protocol is passed on to Cockpit from the
browser, we can eliminate the need for configuring a pre-determined list of
origins. Passing the host and protocol from the browser is done by setting
ProxyPreserveHost and using https:// for proxying.
For a cross-site request, Origin: and Host: entries won't match and '403
Forbidden' is thrown. So, this approach is still safe.
Tests:
- Without the patch, access Cockpit using IP address and it fails. Apply the
patch. Cockpit setup should run. Origins= directive in the configuration file
/etc/cockpit/cockpit.conf should get removed. Accessing with IP address and
logging in succeeds.
- Freshly setup a container with the patch and access Cockpit using IP address.
This works and login succeeds.
- Test on stable and testing containers.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Cockpit uses WebSockets which won't work without HTTPS. For .onion domains, we
are not explicitly redirecting to HTTPS since TLS is not necessary. Ensure that
Cockpit continues to work with .onion domains by explicitly redirecting to
HTTPS.
Tests:
- Without the patch, on a normal/Onion domain run curl -kv
http://{DOMAIN}/_cockpit/. Redirection does not happen.
- With the patch, on a normal/Onion domain run curl -kv
http://{DOMAIN}/_cockpit/. Redirection happen to https:// occurs.
- Redirection is a with HTTP status code 302, the temporary redirection code.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
