Pin xmlsec version + improve SAML flow (#4054)

* Pin xmlsec version

* testing

* test nginx conf change

* Pass through more

* Cleanup + remove DOMAIN across the board

backend/requirements/ee.txt

@@ -1,3 +1,4 @@
 cohere==5.6.1
 posthog==3.7.4
 python3-saml==1.15.0
+xmlsec==1.3.14

deployment/data/nginx/app.conf.template

@@ -4,6 +4,24 @@ log_format custom_main '$remote_addr - $remote_user [$time_local] "$request" '
                 '"$http_user_agent" "$http_x_forwarded_for" '
                 'rt=$request_time';
 
+# Map X-Forwarded-Proto or fallback to $scheme
+map $http_x_forwarded_proto $forwarded_proto {
+    default $http_x_forwarded_proto;
+    ""      $scheme;
+}
+
+# Map X-Forwarded-Host or fallback to $host
+map $http_x_forwarded_host $forwarded_host {
+    default $http_x_forwarded_host;
+    ""      $host;
+}
+
+# Map X-Forwarded-Port or fallback to server port
+map $http_x_forwarded_port $forwarded_port {
+    default $http_x_forwarded_port;
+    ""      $server_port;
+}
+
 upstream api_server {
     # fail_timeout=0 means we always retry an upstream even if it failed
     # to return a good HTTP response
@@ -21,8 +39,7 @@ upstream web_server {
 }
 
 server {
-    listen 80;
+    listen 80 default_server;
-    server_name ${DOMAIN};
 
     client_max_body_size 5G;    # Maximum upload size
 
@@ -36,8 +53,9 @@ server {
         # misc headers
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $forwarded_proto;
-        proxy_set_header X-Forwarded-Host $host; 
+        proxy_set_header X-Forwarded-Host $forwarded_host; 
+        proxy_set_header X-Forwarded-Port $forwarded_port;
         proxy_set_header Host $host;
 
         # need to use 1.1 to support chunked transfers
@@ -54,8 +72,9 @@ server {
         # misc headers
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $forwarded_proto;
-        proxy_set_header X-Forwarded-Host $host; 
+        proxy_set_header X-Forwarded-Host $forwarded_host; 
+        proxy_set_header X-Forwarded-Port $forwarded_port;
         proxy_set_header Host $host;
 
         proxy_http_version 1.1;
@@ -72,14 +91,25 @@ server {
 }
 
 server {
-    listen 443 ssl;
+    listen 443 ssl default_server;
-    server_name ${DOMAIN};
 
     client_max_body_size 5G;    # Maximum upload size
     
     location / {
+        # misc headers
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        # don't use forwarded schema, host, or port here - this is the entry point
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host; 
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header Host $host;
+
         proxy_http_version 1.1;
         proxy_buffering off;
+        # we don't want nginx trying to do something clever with
+        # redirects, we set the Host: header above already.
+        proxy_redirect off;
         proxy_pass http://localhost:80;
     }
 

deployment/data/nginx/app.conf.template.dev

@@ -21,8 +21,7 @@ upstream web_server {
 }
 
 server {
-    listen 80;
+    listen 80 default_server;
-    server_name ${DOMAIN};
 
     client_max_body_size 5G;    # Maximum upload size    
 
@@ -38,6 +37,7 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
         proxy_set_header Host $host;
 
         # need to use 1.1 to support chunked transfers
@@ -56,6 +56,7 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
         proxy_set_header Host $host;
 
         proxy_http_version 1.1;

deployment/data/nginx/app.conf.template.no-letsencrypt

@@ -4,6 +4,24 @@ log_format custom_main '$remote_addr - $remote_user [$time_local] "$request" '
                 '"$http_user_agent" "$http_x_forwarded_for" '
                 'rt=$request_time';
 
+# Map X-Forwarded-Proto or fallback to $scheme
+map $http_x_forwarded_proto $forwarded_proto {
+    default $http_x_forwarded_proto;
+    ""      $scheme;
+}
+
+# Map X-Forwarded-Host or fallback to $host
+map $http_x_forwarded_host $forwarded_host {
+    default $http_x_forwarded_host;
+    ""      $host;
+}
+
+# Map X-Forwarded-Port or fallback to server port
+map $http_x_forwarded_port $forwarded_port {
+    default $http_x_forwarded_port;
+    ""      $server_port;
+}
+
 upstream api_server {
     # fail_timeout=0 means we always retry an upstream even if it failed
     # to return a good HTTP response
@@ -21,8 +39,7 @@ upstream web_server {
 }
 
 server {
-    listen 80;
+    listen 80 default_server;
-    server_name ${DOMAIN};
 
     client_max_body_size 5G;    # Maximum upload size
 
@@ -36,8 +53,9 @@ server {
         # misc headers
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $forwarded_proto;
-        proxy_set_header X-Forwarded-Host $host; 
+        proxy_set_header X-Forwarded-Host $forwarded_host; 
+        proxy_set_header X-Forwarded-Port $forwarded_port;
         proxy_set_header Host $host;
 
         # need to use 1.1 to support chunked transfers
@@ -54,8 +72,9 @@ server {
         # misc headers
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $forwarded_proto;
-        proxy_set_header X-Forwarded-Host $host; 
+        proxy_set_header X-Forwarded-Host $forwarded_host; 
+        proxy_set_header X-Forwarded-Port $forwarded_port;
         proxy_set_header Host $host;
 
         proxy_http_version 1.1;
@@ -68,14 +87,25 @@ server {
 }
 
 server {
-    listen 443 ssl;
+    listen 443 ssl default_server;
-    server_name ${DOMAIN};
 
     client_max_body_size 5G;    # Maximum upload size
     
     location / {
+        # misc headers
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        # don't use forwarded schema, host, or port here - this is the entry point
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host; 
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header Host $host;
+
         proxy_http_version 1.1;
         proxy_buffering off;
+        # we don't want nginx trying to do something clever with
+        # redirects, we set the Host: header above already.
+        proxy_redirect off;
         proxy_pass http://localhost:80;
     }
 

deployment/data/nginx/run-nginx.sh

@@ -1,5 +1,5 @@
 # fill in the template
-envsubst '$DOMAIN $SSL_CERT_FILE_NAME $SSL_CERT_KEY_FILE_NAME' < "/etc/nginx/conf.d/$1" > /etc/nginx/conf.d/app.conf
+envsubst '$SSL_CERT_FILE_NAME $SSL_CERT_KEY_FILE_NAME' < "/etc/nginx/conf.d/$1" > /etc/nginx/conf.d/app.conf
 
 # wait for the api_server to be ready
 echo "Waiting for API server to boot up; this may take a minute or two..."