weizhouapache commented on pull request #898:
URL: 
https://github.com/apache/cloudstack-primate/pull/898#issuecomment-759745054


   > I tried this with two management servers from the PCextreme cloud.
   > 
   > server {
   >     listen       80;
   >     server_name  localhost;
   >     location / {
   >         root   /usr/share/nginx/html;
   >         index  index.html;
   >     }
   >     location /api/ams {
   >         # http://127.0.0.1:8080 should be replaced your CloudStack management
   >         # Server's actual URI
   >         proxy_pass   https://api.XXXXX.eu/ams3;
   >     }
   >     location /api/haa {
   >         # http://127.0.0.1:8080 should be replaced your CloudStack management
   >         # Server's actual URI
   >         proxy_pass   https://api.XXXXX.eu/zone01_haa01;
   >     }
   > }
   > {
   >   "servers": [
   >     {
   >       "name": "Amsterdam",
   >       "apiBase": "/api/ams"
   >     },
   >     {
   >       "name": "Haarlem",
   >       "apiBase": "/api/haa"
   >     }
   >   ],
   > I see the requests go to the proper management server, but my Firefox console complains that the _sessionkey_ cookie expires right away.
   > 
   > The calls which I see:
   > 
   > 172.17.0.1 - - [13/Jan/2021:13:18:15 +0000] "POST /api/haa/ HTTP/1.1" 200 323 "http://localhost:8181/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0" "-"
   > 172.17.0.1 - - [13/Jan/2021:13:18:15 +0000] "GET /api/haa/?listall=true&command=listZones&response=json HTTP/1.1" 401 126 "http://localhost:8181/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0" "-"
   > 172.17.0.1 - - [13/Jan/2021:13:18:15 +0000] "GET /api/haa/?username=admin&command=listUsers&response=json HTTP/1.1" 401 126 "http://localhost:8181/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0" "-"
   > 172.17.0.1 - - [13/Jan/2021:13:18:15 +0000] "GET /api/haa/?command=listApis&response=json HTTP/1.1" 401 125 "http://localhost:8181/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0" "-"
   > So some calls work, but others get back a _401 Unauthorized_. Still unclear to me what is breaking it here.
   > 
   > Both API endpoints are up at the management servers:
   > 
   > wido@wido-laptop:~$ curl -I http://localhost:8181/api/ams
   > HTTP/1.1 401 Unauthorized
   > Server: nginx/1.19.6
   > Date: Wed, 13 Jan 2021 13:22:08 GMT
   > Content-Type: text/xml;charset=utf-8
   > Content-Length: 211
   > Connection: keep-alive
   > X-Content-Type-Options: nosniff
   > X-XSS-Protection: 1;mode=block
   > content-security-policy: 1
   > content-security-policy: default-src=none
   > content-security-policy: script-src=self
   > content-security-policy: connect-src=self
   > content-security-policy: img-src=self
   > content-security-policy: style-src=self
   > X-Xss-Protection: 1; mode=block
   > 
   > wido@wido-laptop:~$ curl -I http://localhost:8181/api/haa
   > HTTP/1.1 401 Unauthorized
   > Server: nginx/1.19.6
   > Date: Wed, 13 Jan 2021 13:22:11 GMT
   > Content-Type: text/xml;charset=utf-8
   > Content-Length: 211
   > Connection: keep-alive
   > X-Content-Type-Options: nosniff
   > X-XSS-Protection: 1;mode=block
   > content-security-policy: 1
   > content-security-policy: default-src=none
   > content-security-policy: script-src=self
   > content-security-policy: connect-src=self
   > content-security-policy: img-src=self
   > content-security-policy: style-src=self
   > X-Xss-Protection: 1; mode=block
   > X-Xss-Protection: 1; mode=block
   > 
   > wido@wido-laptop:~$ 
   > I also checked the management server logs:
   > 
   > 2021-01-13 14:26:34,987 DEBUG [c.c.a.ApiServlet] (qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) ===START===  92.XXX.170.138 -- POST  
   > 2021-01-13 14:26:34,988 DEBUG [c.c.a.ApiServlet] (qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) Session cookie is marked secure!
   > 2021-01-13 14:26:34,993 DEBUG [c.c.u.AccountManagerImpl] (qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) Attempting to log in user: admin in domain 1
   > 2021-01-13 14:26:34,995 DEBUG [o.a.c.s.a.PBKDF2UserAuthenticator] (qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) Retrieving user: admin
   > 2021-01-13 14:26:35,316 DEBUG [c.c.u.AccountManagerImpl] (qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) CIDRs from which account 'Acct[ae43e7cb-abe2-11ea-8f22-d8252d74bd58-admin]' is allowed to perform API calls: 0.0.0.0/0,::/0
   > 2021-01-13 14:26:35,316 DEBUG [c.c.u.AccountManagerImpl] (qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) User: admin in domain 1 has successfully logged in
   > 2021-01-13 14:26:35,329 INFO  [c.c.a.ApiServer] (qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) Current user logged in under UTC timezone
   > 2021-01-13 14:26:35,329 INFO  [c.c.a.ApiServer] (qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) Timezone offset from UTC is: 0.0
   > 2021-01-13 14:26:35,333 DEBUG [c.c.a.ApiServlet] (qtp979294118-71298:ctx-a4c4892a) (logid:a706fe0b) ===END===  92.XXX.170.138 -- POST  
   > 2021-01-13 14:26:35,387 DEBUG [c.c.a.ApiServlet] (qtp979294118-64148:ctx-2355cc41) (logid:343a1d0e) ===START===  92.XXX.170.138 -- GET  listall=true&command=listZones&response=json
   > 2021-01-13 14:26:35,387 DEBUG [c.c.a.ApiServer] (qtp979294118-64148:ctx-2355cc41 ctx-c0c8312c) (logid:343a1d0e) Expired session, missing signature, or missing apiKey -- ignoring request. Signature: null, apiKey: null
   > 2021-01-13 14:26:35,389 DEBUG [c.c.a.ApiServlet] (qtp979294118-64148:ctx-2355cc41 ctx-c0c8312c) (logid:343a1d0e) ===END===  92.xxx.170.138 -- GET  listall=true&command=listZones&response=json
   > Notice how these values are **null**:
   > 
   > * apiKey
   > * signature
   
   @wido this is a good way to avoid CORS. Thanks for sharing.
   To set cookies of other domains, you need to enable 3rd-party cookies on the server side:
   `Set-Cookie: SameSite=None; Secure`
   
   If you use nginx, add `proxy_cookie_path / "/; Secure; SameSite=None;";`
   It also means both server and client side must be secure (https).
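   The following is an added example, not code from cloudstack-primate or from either participant in this thread. It emulates in Python what the nginx directive `proxy_cookie_path / "/; Secure; SameSite=None;"` does to an upstream `Set-Cookie` header, and then checks the rewritten cookie against the rules browsers apply before storing it: `SameSite=None` is only honoured together with `Secure`, and a `Secure` cookie is not stored by a page served over plain `http://` (which is the situation when the UI runs at `http://localhost:8181` and the management server logs "Session cookie is marked secure!"). The cookie name `sessionkey` comes from the thread; the header values and the `ATTR_NAMES` table are constructed for the example.

```python
"""Set-Cookie rewriting and sanity checks for a reverse-proxied CloudStack UI.

Added, stand-alone example; not code from cloudstack-primate or from the
thread. It emulates the nginx directive
    proxy_cookie_path / "/; Secure; SameSite=None;"
and flags attribute combinations a browser will refuse to store or send.
The sample header values below are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Canonical spelling of attributes we may emit (lookup is case-insensitive).
ATTR_NAMES = {
    "path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
    "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite",
}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def rewrite_set_cookie(header: str) -> str:
    """Apply the same change as nginx `proxy_cookie_path / "/; Secure; SameSite=None;"`.

    Path is forced to "/", Secure is added and SameSite is set to None; other
    attributes (HttpOnly, Expires, ...) are kept. Unlike nginx's plain string
    substitution, an attribute that is already present is overwritten rather
    than duplicated.
    """
    name, value, attrs = parse_set_cookie(header)
    attrs["path"] = "/"
    attrs["secure"] = ""
    attrs["samesite"] = "None"
    out = [f"{name}={value}"]
    for key, val in attrs.items():
        canonical = ATTR_NAMES.get(key, key)
        out.append(canonical if val == "" else f"{canonical}={val}")
    return "; ".join(out)


def cookie_problems(header: str, page_is_https: bool) -> List[str]:
    """Return the reasons a browser would drop or not send this cookie.

    `page_is_https` says whether the page receiving the response (the UI
    origin, e.g. http://localhost:8181 in the thread) is served over TLS.
    """
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    problems: List[str] = []
    if samesite == "none" and not secure:
        problems.append(f"{name}: SameSite=None without Secure is rejected by current browsers")
    if secure and not page_is_https:
        problems.append(f"{name}: Secure cookie delivered to an http:// page is not stored "
                        "(some browsers exempt http://localhost)")
    if not samesite:
        problems.append(f"{name}: no SameSite attribute; Chromium defaults to Lax, so the "
                        "cookie is not sent on cross-site requests")
    return problems


if __name__ == "__main__":
    # Constructed sample: what an upstream might send back after a login POST.
    upstream = "sessionkey=abc123; Path=/client; HttpOnly"
    proxied = rewrite_set_cookie(upstream)
    print("upstream:", upstream)
    print("proxied: ", proxied)
    for page_https in (True, False):
        print(f"page over {'https' if page_https else 'http'}:",
              cookie_problems(proxied, page_https) or "ok")
```

   Running the script shows the rewritten header passing the checks when the UI is served over https and failing them over plain http, which is the "both server and client side must be secure" condition from the comment above; `cookie_problems` can also be pointed at the raw `Set-Cookie` value copied from the browser's network tab to see which rule a dropped cookie violates.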

