Insecure forms and proxy servers? - google-chrome

I have a web application written in Apache Tomcat 8.5 that is proxied behind NGINX. i.e. I am using NGINX to offload SSL and serve static images etc. The app has been working reliably for years.
Now, the Chrome 87 update is causing a warning "The information that you’re about to submit is not secure" on every form submission. I've gone through the code with a fine-toothed comb and I can't figure out what could be triggering it.
The user gets to NGINX on https and the certificate is valid. NGINX forwards the request to Tomcat on port 8080. See config below.
The forms are submitted on the tomcat server as HTTP. But NGINX should prevent the browser from knowing that. It's https as far as the browser knows...
All tags are written as relative links or implied to be the same URL. e.g.
<form action="/login/login.do" method="post"> or <form method="post">.
Can anyone please point out something to look for? Am I missing a header or something?
Thanks in advance
from NGINX conf.d/site.conf:
location ~ \.(do|jsp)$ {
proxy_pass http://127.0.0.1:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}

Seems like there was a change in Chrome 87 to give warnings for mixed forms, so that is probably why those errors are appearing.
Perhaps there are some stray absolute links within your application which are still http, and are not being automatically converted when proxied by nginx?
If you are sure all your content is served over https, you can try enabling this header Content-Security-Policy: upgrade-insecure-requests (more info here) to force browsers to upgrade insecure connections automatically.

Had a similar issue, and in my case was the response from my app server being a redirect to a different scheme (http) than the one used by the client (https).
If it's your case as well, adding this to your location definition should do the trick. Assuming your app/app server respects this header, then it should respond with the proper scheme (https) on the Location header.
proxy_set_header X-Forwarded-Proto $scheme;
For completeness, excerpt for X-Forwarded-Proto from MDN docs:
The X-Forwarded-Proto (XFP) header is a de-facto standard header for identifying the protocol (HTTP or HTTPS) that a client used to connect to your proxy or load balancer.

Related

Is someone also getting this error in Chrome 87.0.4280.88?

"The information you’re about to submit is not secure
Because the site is using a connection that’s not completely secure, your information will be visible to others."
We have started receiving this error today. I thought that this is a certificate problem, but it's secure
[]
Also there no warnings and errors in console page
What do you advise to do?
Same problem from today on chrome 87.0.4280.88.
Cert is ok and all assets are loaded over https.
My login forms are triggering this warning message, the form action url is relative so it's supposed to be sent over https too, don't know why this message is triggered...
Maybe try with absolute https action url.
[edit]
Check this tread -> https://support.google.com/chrome/thread/88331714?hl=en
For me it was the scheme on the location header when redirecting after successful login that was misconfigured on the reverse proxy, the app was sending back on http.
Fixed by adding these headers on reverse proxy conf on Nginx :
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443;
Make sur that your app is aware of these headers too.
For example in a symfony app -> https://symfony.com/doc/current/deployment/proxies.html
This problem disappeared. I think they solved this problem, and now we don't have it)

Setting custom Request Headers through nginx ingress controller

I have a kubernetes cluster using nginx controller to proxy requests to the backend. There is an LB in the front.
LB <-> Nginx Ingress <-> WLS in K8s
When I terminate the SSL at the LB, and the backend sends a redirect it will send the redirect with location that starts with http. However, WebLogic recognizes WL-PROXY-SSL request header to send a https redirect.
I am trying to set the request header on the Nginx Ingress controller for a specific URL patterns only.
Tried using
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header WL-PROXY-SSL: "true";
It didn't work.
Even tried ....
more_set_headers "WL-PROXY-SSL: true";
nginx.org/location-snippets: |
proxy_set_header "WL-PROXY-SSL: true";
Also tried the custom-headers module but it sets for all resources. While I see the entry in the nginx.conf, it is not taking effect even with global custom-headers configMap also.
Is there any good example of adding this header to the request ?
Thanks in advance.

NET::ERR_CERT_AUTHORITY_INVALID in Chrome not incognito and Firefox locally with valid certs on nginx

A couple of weeks ago we implemented the SameSite cookie policy to our cookies. If I want to develop locally, I needed a certificate to get the cookies.
We're running a Node express server and that is reversed proxied to an nginx configuration where we add the cert.
# Server configuration
#
server {
listen 443;
server_name test-local.ad.ourdomain.com;
ssl_certificate /home/myname/.certs/ourcert.crt;
ssl_certificate_key /home/myname/.certs/ourkey.rsa;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:9090;
proxy_read_timeout 90;
proxy_redirect http://localhost:9090 https://test-local.ad.ourdomain.com;
}
}
Now to the wierd part. We updated to Chrome 80 today, and all of a sudden I got an HSTS issue. I was unable to access site even if I wanted to (no opt in possibility). I tried to clear that inside chrome://internals/#hsts, and that worked. However, I still get NET::ERR_CERT_AUTHORITY_INVALID but I now have the opt in alternative.
Accessing it from Chrome Incognito mode works like a charm, no issues there. Same with Firefox, no issues there either. It says Certificate is Valid, green and pretty. Checked here as well: https://www.sslshopper.com/certificate-decoder.html and its 100% green.
I'm running Ubuntu 19.10 using Regolith.
My colleagues are using same cert, also Chrome 80, but they're running Mac, no issues there in Chrome.
Any idea? I tried to clear Browser settings, no change.
I have some great news!
We're using the same cert on our cloud dev environments (however, they are in pfx form). Locally I run Linux as mentioned, and I had to convert the pfx to a RSA file and a CRT file.
I entered our dev domain on this site: https://whatsmychaincert.com/ and it downloaded a *.chain.crt file. Together with my old crt file, and this command:
cat example.com.crt example.com.chain.crt > example.com.chained.crt
In Nginx I then referenced the .chained.crt file.
Now Chrome accepts my local, secure webpage.
We had the same issue and fixed it following petur 's solution.

NGINX, proxy_pass and SPA routing in HTML5 mode

I have NGINX set up as a reverse proxy for a virtual network of docker containers running itself as a container. One of these containers serves an Angular 4 based SPA with client-side routing in HTML5 mode.
The application is mapped to location / on NGINX, so that http://server/ brings you to the SPA home screen.
server {
listen 80;
...
location / {
proxy_pass http://spa-server/;
}
location /other/ {
proxy_pass http://other/;
}
...
}
The Angular router changes the URL to http://server/home or other routes when navigating within the SPA.
However, when I try to access these URLs directly, a 404 is returned. This error originates from the spa-server, because it obviously does not have any content for these routes.
The examples I found for configuring NGINX to support this scenario always assume that the SPA's static content is served directly from NGINX and thus try_files is a viable option.
How is it possible to forward any unknown URLs to the SPA so that it can handle them itself?
The solution that works for me is to add the directives proxy_intercept_errors and error_page to the location / in NGINX:
server {
listen 80;
...
location / {
proxy_pass http://spa-server/;
proxy_intercept_errors on;
error_page 404 = /index.html;
}
location /other/ {
proxy_pass http://other/;
}
...
}
Now, NGINX will return the /index.html i.e. the SPA from the spa-server whenever an unknown URL is requested. Still, the URL is available to Angular and the router will immediately resolve it within the SPA.
Of course, now the SPA is responsible for handling "real" 404s. Fortunately, this is not a problem and a good practice within the SPA anyway.
UPDATE: Thanks to #dan

Fiware - How to integrate Keyrock IdM, Wilma PEP Proxy and Orion Context Broker?

I read all the documentation of Keyrock and Wilma and I watched all the videos in the FIWARE Academy, but I still do not get success in this integration. I am searching for this since a few days ago, but without success. I think the FIWARE documentation could have tutorials, hands on...
I have a VM with Orion Context Broker and a container with Keyrock IdM and Wilma PEP Proxy. I am trying to generate an access token to grant access for an application, but I still did not get it. Besides, I would like to know how can I securely exchange messages between the Orion Context Broker and some IoT devices. Indeed, it is complicated to think about IoT devices having to access a screen and put their credentials to authenticate and to be authorized like the Keyrock IdM examples show. What do you sugest?
Seeing the answer of #albertinisg here, I found a bash script for token request. I changed it to use with my local instances and it worked.
After registering my application at FIWARE Portal (more information here), I had to make a POST request to http://idm:8000/oauth2/token (idm is my local instance of Keyrock). With this valid token, I can access the content in Orion.
import requests, json, getpass
TOKEN_URL = "http://idm:5000/v2.0/tokens"
USER = raw_input("Username: ")
PASSWORD = getpass.getpass("Password: ")
PAYLOAD = "{\"auth\": {\"passwordCredentials\": {\"username\":\""+USER+"\", \"password\":\""+PASSWORD+"\"}}}"
HEADERS = {'content-type': 'application/json'}
RESP = requests.post(TOKEN_URL, data=PAYLOAD, headers=HEADERS)
PEP Proxy (Wilma) configuration (config.js):
config.app_host = 'my_orion_ip'; //change to your Orion address
config.app_port = '1026'; //change to your Orion port
config.username = 'pep_proxy_credential_obtained_at_portal';
config.password = 'password_obtained_at_portal';
With the valid token and the PEP Proxy (Wilma) server running with this configuration, it is possible to control the access to Orion doing a request to PEP Proxy address. The PEP Proxy will redirect this request to IdM (Keyrock) so that IdM can verify the user/device credentials. If the credentials are valid, the user/device will receive a valid token and now PEP Proxy can allow the access to Orion.
For HTTPS communication, I configured a Nginx server to act like a reverse proxy (.conf file):
server {
listen 443;
server_name orion;
ssl on;
ssl_certificate /etc/nginx/ssl/orion.crt;
ssl_certificate_key /etc/nginx/ssl/orion.key;
...
...
location / {
#root orion:1026; #/var/www/yourdomain.com;
#index index.php index.html index.htm;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://orion:1026;
proxy_read_timeout 90;
proxy_redirect http://orion:1026 https://orion;
}
}
I made a simple tutorial about the integration of FIWARE Orion, Wilma and Keyrock: https://www.slideshare.net/daltoncezane/integrating-fiware-orion-keyrock-and-wilma
I hope this answer can help someone else.
Regarding Orion, it depends on the interface to be secured, either the service API (i.e. the listening REST server that Orion runs typically at port 1026), the notification API or both:
Regarding service API:
Authentication & authorization: it can be implemented through PEP.
The following documentation introduces two PEP alternative
implementations. However, note that PEP doesn't work standalone, as it
also needs the IDM and Access Control to work. I understand that #Alvaro
can explain this topic in detail (with regards to Wilma PEP). It is out
of my knowledge.
Encryption: it can be implemented by a proxy acting as HTTPS-to-HTTP
bridge (e.g. ngnix) or by Orion itself using the -https CLI
parameter (which works in combination with -key and -cert). This
section of the documentation elaborates on it.
Regarding notification API:
Authentication & authorization: the current implementation of
custom notifications (see "Custom notifications" section in the NGSIv2 specification) allows you to include custom HTTP headers that
could be used for authentication (e.g. the X-Auth-Token header needed
by a PEP instance protecting your endpoint). Note that
this is currently done in an static way, i.e. Orion is not able
to interact directly with IDM/AccessControl to set the X-Auth-Token
value dynamically after expiration, etc. However, it would be possible to develop a
process able to do this and set the proper header (if you are interested
in this I'd recommend to check "How to add a custom header in outgoing notifications with Orion?" post).
Encryption: it can be implemented relaying in Rush component. This
section of the documentation elaborates on it.
UPDATE: since verion 1.7.0, Orion implements native HTTPS notifications (i.e. without needing Rush).
The following presentation shows you step by step how to create a FIWARE-Based IoT Platform and to secure it using a PEP Proxy, Keystone and Keypass.
https://docs.google.com/presentation/d/18LaWZSK4h2wncPF6hNAwK5MToLvJesR3XLrzsqrsmrw/edit?usp=sharing
I hope this helps
thanks