
chore(helm): Fix setting X-Scope-OrgID header for ws #16400

Open: wants to merge 4 commits into base: main
Conversation

bcskda

@bcskda bcskda commented Feb 21, 2025

What this PR does / why we need it: helm nginx config: fix setting X-Scope-OrgID from basic auth for websocket endpoints

Which issue(s) this PR fixes: probably related #9756

Special notes for your reviewer:

Current production/helm/loki chart includes the gateway component (nginx proxy). In multi-tenant mode with auth_enabled it uses HTTP basic auth to determine the tenant (by username). After authentication it sets the X-Scope-OrgID header with proxy_set_header directive in http{} scope.

Per the proxy_set_header documentation, "These directives are inherited from the previous configuration level if and only if there are no proxy_set_header directives defined on the current level", which is the case: the nested location{} blocks for websocket endpoints use the directive to enable websocket connection upgrade. So, in nested locations the http block-scoped proxy_set_header directive is ignored.

This leads to two issues:

  1. Valid requests to websocket endpoints that include valid basic auth don't get the X-Scope-OrgID header populated, which leads to 401 errors, as observed earlier in the linked issue;
  2. Requests by tenant X that include their valid basic auth may include a client-provided X-Scope-OrgID header that is neither sanitized nor overridden by proxy_set_header, which might allow tenant X to access another tenant's logs in some configurations.
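An added illustration of the inheritance rule described above (example config written for this page, not the chart's own nginx template): the upstream name and address, listen ports, the tail endpoint path and the htpasswd path are assumed. The first server block has the failing shape, the second the corrected one.

```nginx
# Added example, not the Loki helm chart's gateway config.
# Assumed: upstream "querier", ports 8080/8081, the /loki/api/v1/tail
# path, and the htpasswd file location.
http {
    upstream querier {
        server querier.loki.svc:3100;
    }

    # BROKEN: tenant header is only set at server level.
    server {
        listen 8080;
        auth_basic "Loki";
        auth_basic_user_file /etc/nginx/secrets/.htpasswd;

        # Tenant is the authenticated basic-auth username. proxy_set_header
        # replaces whatever X-Scope-OrgID the client sent.
        proxy_set_header X-Scope-OrgID $remote_user;

        location / {
            # No proxy_set_header here, so the server-level one is inherited.
            proxy_pass http://querier;
        }

        location /loki/api/v1/tail {
            # Any proxy_set_header at this level stops inheritance from the
            # server level, so X-Scope-OrgID is NOT set for this location:
            # the request reaches Loki without a tenant (401), or with the
            # client's own unvalidated X-Scope-OrgID value.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_pass http://querier;
        }
    }

    # FIXED: repeat the tenant header wherever proxy_set_header is redefined.
    server {
        listen 8081;
        auth_basic "Loki";
        auth_basic_user_file /etc/nginx/secrets/.htpasswd;

        proxy_set_header X-Scope-OrgID $remote_user;

        location / {
            proxy_pass http://querier;
        }

        location /loki/api/v1/tail {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            # Re-declared here so it is set alongside the upgrade headers and
            # still overrides any client-supplied value.
            proxy_set_header X-Scope-OrgID $remote_user;
            proxy_pass http://querier;
        }
    }
}
```

To verify a deployed gateway, send an authenticated request to the websocket endpoint that also carries a bogus X-Scope-OrgID header and confirm on the Loki side (request logs) that the tenant seen is the basic-auth username, not the client-supplied value; `nginx -T` is also useful for checking which proxy_set_header lines are in effect per location after templating.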

Checklist

  • Reviewed the CONTRIBUTING.md guide (required)
  • Documentation added
  • Tests updated
  • Title matches the required conventional commits format, see here
    • Note that Promtail is considered to be feature complete, and future development for logs collection will be in Grafana Alloy. As such, feat PRs are unlikely to be accepted unless a case can be made for the feature actually being a bug fix to existing behavior.
  • Changes that require user attention or interaction to upgrade are documented in docs/sources/setup/upgrade/_index.md
  • If the change is deprecating or removing a configuration option, update the deprecated-config.yaml and deleted-config.yaml files respectively in the tools/deprecated-config-checker directory. Example PR

@bcskda bcskda requested a review from a team as a code owner February 21, 2025 18:42
@CLAassistant

CLAassistant commented Feb 21, 2025

CLA assistant check
All committers have signed the CLA.

Contributor

@cyriltovena cyriltovena left a comment


LGTM

@cyriltovena cyriltovena enabled auto-merge (squash) February 25, 2025 14:31