Authorization issues with Ruby apps for servers without domain names #2970

Closed
wtripp180901 opened this issue Aug 16, 2023 · 9 comments · Fixed by #2998
Labels
bug Existing functionality not working as expected

@wtripp180901
Contributor

We have been upgrading from OnDemand 2 to 3 and found that trying to access the dashboard would give a 403 error.
The error.log file in the user's /var/log/ondemand-nginx directory contained:
ERROR "[ActionDispatch::HostAuthorization::DefaultResponseApp] Blocked host: <our IP address>

This was fixed by specifying our IP as the servername in the ood_portal.yml file, but it is documented that leaving this as the default null value should allow IP connections https://osc.github.io/ood-documentation/latest/reference/files/ood-portal-yml.html

On investigation of the error message, we found that we could connect via IP by injecting
config.hosts = nil
into /var/www/ood/apps/sys/dashboard/config/environments/production.rb and /var/www/ood/apps/sys/myjobs/config/environments/production.rb and the error message would no longer appear

The line replaced in both files was originally
config.hosts = ENV['ALLOWED_HOSTS'].nil? ? nil : ENV['ALLOWED_HOSTS'].split(',')
We can't find where this environment variable comes from

Is this a bug or is there something wrong with our config? Thank you

@osc-bot osc-bot added this to the Backlog milestone Aug 16, 2023
@johrstrom
Contributor

> This was fixed by specifying our IP as the servername in the ood_portal.yml file, but it is documented that leaving this as the default null value should allow IP connections https://osc.github.io/ood-documentation/latest/reference/files/ood-portal-yml.html
>
> Is this a bug or is there something wrong with our config? Thank you

ALLOWED_HOSTS is populated from a combination of servername and server_aliases - I think both apply to hostnames. You should be able to see a SetEnv OOD_ALLOWED_HOSTS <host list> directive in the ood-portal.conf for the same (that's how we set it and pass it to the PUN).

I wonder what this value is for you when you don't have servername set? I suspect you just found a bug where it's set to nothing, like SetEnv OOD_ALLOWED_HOSTS, and then is evaluated on the other side as not nil because it's an empty string.

@johrstrom
Contributor

I suspect this is always evaluated to true because allowed_hosts is at least an empty array which would be true here.

<%- if @allowed_hosts -%>
SetEnv OOD_ALLOWED_HOSTS "<%= @allowed_hosts.join(',') %>"

@johrstrom johrstrom modified the milestones: Backlog, 3.0 Aug 16, 2023
@johrstrom johrstrom added the bug Existing functionality not working as expected label Aug 16, 2023
@wtripp180901
Contributor Author

OOD_ALLOWED_HOSTS gets set to the hostname of our server

@johrstrom
Contributor

Thanks, I see where it's being set. Seems like we need to add IPs to this list.
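
The two behaviours discussed above, as an added Ruby example that is not Open OnDemand's code: an empty array passes the quoted ERB guard and an empty string passes the quoted `nil?` check, while an allow list holding only a hostname rejects a request addressed by IP. `View`, `STRICT_GUARD`, `hosts_strict`, `host_allowed?` and the sample host values are assumptions made for illustration; `host_allowed?` is a simplified exact-match model, not Rails' host authorization.

```ruby
require 'erb'

# Guard as quoted in the thread, with the closing end added so it renders.
QUOTED_GUARD = <<~'TEMPLATE'
  <%- if @allowed_hosts -%>
  SetEnv OOD_ALLOWED_HOSTS "<%= @allowed_hosts.join(',') %>"
  <%- end -%>
TEMPLATE

# Hypothetical stricter guard: emit nothing for nil or an empty list.
STRICT_GUARD = QUOTED_GUARD.sub('if @allowed_hosts', 'unless Array(@allowed_hosts).empty?')

# Minimal stand-in for the generator's view object (hypothetical).
View = Struct.new(:allowed_hosts) do
  def render(template)
    @allowed_hosts = allowed_hosts
    ERB.new(template, trim_mode: '-').result(binding)
  end
end

# The production.rb expression from the thread: only nil disables the list.
def hosts_as_quoted(value)
  value.nil? ? nil : value.split(',')
end

# Hypothetical stricter parse: unset, empty, or blank entries mean "no list".
def hosts_strict(value)
  hosts = value.to_s.split(',').map(&:strip).reject(&:empty?)
  hosts.empty? ? nil : hosts
end

# Simplified exact-match model of the host check (not Rails' implementation).
# Expects the output of hosts_strict: nil, or a non-empty list.
def host_allowed?(hosts, host_header)
  return true if hosts.nil?
  hosts.include?(host_header.sub(/:\d+\z/, '')) # compare without the port
end

if __FILE__ == $PROGRAM_NAME
  p View.new([]).render(QUOTED_GUARD)  # directive with an empty value
  p View.new([]).render(STRICT_GUARD)  # nothing emitted
  p hosts_as_quoted('')                # [] rather than nil
  list = hosts_strict('ondemand.example.org')   # constructed hostname
  p host_allowed?(list, '192.0.2.10')           # constructed IP
  p host_allowed?(hosts_strict('ondemand.example.org,192.0.2.10'), '192.0.2.10:443')
end
```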

@johrstrom
Contributor

I have a patch incoming for this. Do you need IPv6 addresses too?

@wtripp180901
Contributor Author

IPv4 should be fine for now, thanks.

@flybirdkh
Contributor

I'm having the same issue, and how did I fix it

@johrstrom
Contributor

It looks like the patch made it into the 3.1 series. Are you running 3.1.9?

@flybirdkh
Contributor

flybirdkh commented Nov 6, 2024

The access issue was solved by using the ood-portal-generator/lib/ood_portal_generator/view.rb file of the master branch.
Versions 1.8-3.0 of the reverse proxy seem to be a bit problematic; currently I am experiencing RStudio being unable to access the file upload and download functions in File and Help. The features mentioned above are no problem with version 1.7, and there is no problem with using domain names as well.
