nginx: obscure internal rewrite URLs #991

alxndrsn · 2025-04-28T05:57:36Z

TODO

consider if this change is helpful
if not, modify tests to test existing behaviour

Noted while working on #984:

Current setting proxy_redirect off prevents nginx from converting URLs like http://enketo:8005/v1 to external URLs.

This is not a feature that's required. Reverting to the default proxy_redirect config will:

simplify config
prevent some future leaking of internal docker URLs

See: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect

What has been done to verify that this works as intended?

added new passing tests: build
revert the proxy_redirect directive changes and checked the new tests now fail: build
reinstate the changes which fix the tests

Why is this the best possible solution? Were any other approaches considered?

This rule's meaning is subtle.

The change introduces inconsistency, in that redirects are only rewritten if they match the location block in which the proxy_pass is defined.

However, it doesn't seem like preserving internal URLs would ever by desirable, so reducing the occasions they can occur is probably helpful.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

No effect.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

No.

Before submitting this PR, please make sure you have:

branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

This reverts commit 456de9c.

matthew-white · 2025-05-02T21:47:29Z

Just FYI, we're currently thinking that we should wait for .2 to try to merge this PR. We're hoping to start regression testing early next week. Let me know if that doesn't sound right!

matthew-white · 2025-06-06T02:52:39Z

@alxndrsn, we're planning to start regression testing next Tuesday or Wednesday, so I wanted to check about the status of this PR. It's ready for review, right? Looking at the diff count of +138 -2 made me think that it's a big change, but actually only 2 lines of source changed. The rest is tests. That makes me think that there may be time to get it reviewed in time for .2.

Who would work best to review this PR? Sadiq?

Could you clarify whether the following is still a TODO?

consider if this change is helpful

It sounds like you think this change would be helpful, right? Or is that still an open question?

alxndrsn and others added 15 commits April 28, 2025 05:55

nginx: add test for proxy_redirect config

e97c01a

fix test title

3584a30

add temporary logging

7db2e75

Merge branch 'next' into test-redirect-rewrites

79fc597

add missing v1

faa7d1f

assert backend received

93035e0

use https

fb6148b

parseInt()

b1e13e7

log request

91e6d03

assert correct request path

7bdb075

remove proxy_redirect rule

df9f4a6

remove correct proxy_redirect rule

66cabba

try another test pass

f46b0d7

add tests for enketo

a1a396b

fix enekto tesdt

2992fd0

alxndrsn changed the title ~~nginx: add test for proxy_redirect config~~ nginx: set proxy_redirect to default Apr 28, 2025

remove rule

ebb9c9b

alxndrsn changed the title ~~nginx: set proxy_redirect to default~~ nginx: obscure internal rewrite URLs Apr 28, 2025

alxndrsn added 12 commits April 28, 2025 09:06

wip: remove rewrite rule to see if test than passes

8c9260b

test more paths

5e50f67

tabulate tests

e523f29

add dodgy tests which _should_ be failing

57bf820

upate tests; remove rewrite to see what it affects

0a22c36

remove unexpected test example

aaa3e64

add explicit default

4060945

update test name

2fea713

revert to existing

74d68be

try fix

8a46440

update tests

c6a1db6

assert correct location for requests

e0703c6

fix tests

fe63051

alxndrsn mentioned this pull request Apr 28, 2025

nginx: simplify enketo passthrough rewrites #992

Merged

2 tasks

alxndrsn added 2 commits April 28, 2025 09:59

revert proxy_redirect changes

456de9c

Revert "revert proxy_redirect changes"

239ca47

This reverts commit 456de9c.

alxndrsn marked this pull request as ready for review April 28, 2025 10:13

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

nginx: obscure internal rewrite URLs #991

nginx: obscure internal rewrite URLs #991

Uh oh!

alxndrsn commented Apr 28, 2025 •

edited

Loading

Uh oh!

matthew-white commented May 2, 2025

Uh oh!

matthew-white commented Jun 6, 2025 •

edited

Loading

Uh oh!

Uh oh!

nginx: obscure internal rewrite URLs #991

Are you sure you want to change the base?

nginx: obscure internal rewrite URLs #991

Uh oh!

Conversation

alxndrsn commented Apr 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

TODO

What has been done to verify that this works as intended?

Why is this the best possible solution? Were any other approaches considered?

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Does this change require updates to documentation? If so, please file an issue here and include the link below.

Before submitting this PR, please make sure you have:

Uh oh!

matthew-white commented May 2, 2025

Uh oh!

matthew-white commented Jun 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

alxndrsn commented Apr 28, 2025 •

edited

Loading

matthew-white commented Jun 6, 2025 •

edited

Loading