HTTP->HTTPS redirection assumes the request contains a host header #232

Closed
belavicm opened this issue Apr 28, 2020 · 6 comments · Fixed by #295

@belavicm

Error description

JupyterLab and the HTTP to HTTPS proxy work fine, but I'm getting this error.
Log from /var/log/messages:

Apr 28 03:20:33 jupyter jupyterhub[2015]: 03:20:33.871 [ConfigProxy] #033[31merror#033[39m: Uncaught Exception: Cannot read property 'split' of undefined
Apr 28 03:20:33 jupyter jupyterhub[2015]: 03:20:33.871 [ConfigProxy] #033[31merror#033[39m: TypeError: Cannot read property 'split' of undefined
Apr 28 03:20:33 jupyter jupyterhub[2015]:    at Server.<anonymous> (/usr/lib/node_modules/configurable-http-proxy/bin/configurable-http-proxy:382:35)
Apr 28 03:20:33 jupyter jupyterhub[2015]:    at Server.emit (events.js:198:13)
Apr 28 03:20:33 jupyter jupyterhub[2015]:    at parserOnIncoming (_http_server.js:691:12)
Apr 28 03:20:33 jupyter jupyterhub[2015]:    at HTTPParser.parserOnHeadersComplete (_http_common.js:111:17)

Systemctl:

$ systemctl status jupyterhub
● jupyterhub.service - Jupyterhub
   Loaded: loaded (/usr/lib/systemd/system/jupyterhub.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-04-27 20:20:05 CEST; 12h ago
 Main PID: 2015 (jupyterhub)
    Tasks: 25 (limit: 23844)
   Memory: 104.5M
   CGroup: /system.slice/jupyterhub.service
           ├─2015 /usr/bin/python3.6 /usr/local/bin/jupyterhub -f /etc/jupyterhub/jupyterhub_config.py
           ├─2025 node /usr/bin/configurable-http-proxy --redirect-port 80 --ip jupyter.example.com --port 443 --api-ip localhost --api-port 8001 --error-target http://192.168.103.202:8443/h>
           └─2037 python3 /root/jupyterhub_services/cull_idle_servers.py --timeout=8640

Personal set up

  • OS:
    Linux 4.18.0-147.8.1.el8_1.x86_64
    CentOS Linux release 8.1.1911 (Core)
  • Version:
    jupyterhub 1.1.0
    configurable-http-proxy 4.2.1
  • Configuration:
    /etc/jupyterhub/jupyterhub_config.py
    c.JupyterHub.cleanup_proxy = False
    c.JupyterHub.cleanup_servers = False
    c.ConfigurableHTTPProxy.command = ['configurable-http-proxy', '--redirect-port', '80']
    c.ConfigurableHTTPProxy.api_url = 'http://localhost:8001'
    c.JupyterHub.hub_ip = "192.168.103.202"
    c.JupyterHub.hub_port = 8443
    c.JupyterHub.bind_url = 'https://jupyter.example.com:443'
    c.JupyterHub.ssl_cert = '/etc/jupyterhub/jupyter.crt'
    c.JupyterHub.ssl_key = '/etc/jupyterhub/jupyter.key'
    c.Spawner.default_url = '/lab'

@consideRatio
Member

The error seems to come from the following line:

    // Redirect HTTP to HTTPS on the proxy's port
    if (options.redirectPort && listen.port !== 80) {
      var http = require("http");
      var redirectPort = (options.redirectTo ? options.redirectTo : listen.port);
      var server = http
        .createServer(function(req, res) {
          var host = req.headers.host.split(":")[0];

My conclusion is that we are assuming that the incoming request will have a host header, but it doesn't, and then it errors like this.

@consideRatio consideRatio changed the title Uncaught Exception: Cannot read property 'split' of undefined HTTP->HTTPS redirection assumes the request contains a host header May 29, 2020
@consideRatio
Member

consideRatio commented May 29, 2020

This is about redirection from HTTP to HTTPS, and HTTPS will require a hostname I think - because certificates are valid for hostnames I think...

Focusing on this project, there is room to check for this and provide a better error message, something along the lines of "attempted to redirect to https, but the http request didn't contain a host header, so does it really make sense?". But hmmm, I'm not sure what makes sense to do in this case... @minrk do you have ideas?

Hmmm... I figure the assumption that we require a hostname header is wrong, because I figure HTTPS should work without a hostname but instead just using an IP, or? Maybe not? I'm not sure.

@manics
Member

manics commented May 29, 2020

HTTP 1.1 requires a Host header, HTTP 1.0 doesn't (though I didn't think any browsers still used HTTP 1.0!). If you've only got one domain hosted on an IP you don't need a host header since the certificate verification is done on the client side, and the client knows what address it connected to. If you've got multiple virtualhosts the server must support Server Name Indication and the client must send the host so the server knows which certificate to return; if it doesn't, the server normally returns a default certificate.

@consideRatio
Member

@manics ❤️! Do you have a suggested course of action?

@manics
Member

manics commented May 29, 2020

Let's check whether the host header is sent or not first. I'm surprised that HTTP 1.0 is being used!

  • if it is set then the bug is that the host header isn't being passed on to configurable http proxy
  • if it's not set then the only option I can think of is to add a configuration parameter that sets the host

@belavicm would you mind reproducing the bug with the network tab of your browser's development console/tools, and show us the request headers?

@belavicm
Author

belavicm commented Jun 3, 2020

I can't reproduce the bug because my browser is not a problem (using HTTP 1.1). Maybe the problem is with one of the monitoring services (Zabbix, Wazuh, Puppet, etc.)?
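
Added example (not part of the thread and not configurable-http-proxy's own code): a redirect handler that tolerates a missing Host header, validates a present one before echoing it into `Location`, and answers 400 otherwise. `planRedirect`, `createRedirectServer` and the `fallbackHost` option are hypothetical names; `fallbackHost` stands in for the "configuration parameter that sets the host" idea raised above.

```javascript
// Added example; not configurable-http-proxy's code.
// `fallbackHost` is a hypothetical option (the "configuration parameter that
// sets the host" idea from the thread).

// Hostname, IPv4 address or bracketed IPv6 literal, with an optional port.
const HOST_RE = /^(\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.-]+)(?::\d{1,5})?$/;

// Decide how to answer a plain-HTTP request: { status: 301, location } or { status: 400 }.
function planRedirect(req, httpsPort, fallbackHost) {
  // HTTP/1.0 clients may send no Host header, so req.headers.host can be undefined.
  const raw = req.headers.host === undefined ? fallbackHost : req.headers.host;
  if (typeof raw !== "string") return { status: 400 };
  const m = HOST_RE.exec(raw.trim());
  if (!m) return { status: 400 }; // Host is client-controlled: reject anything odd
  const host = m[1].toLowerCase();
  const port = httpsPort === 443 ? "" : ":" + httpsPort;
  // Only origin-form targets ("/path") are safe to append after the host.
  const path = typeof req.url === "string" && req.url.startsWith("/") ? req.url : "/";
  return { status: 301, location: "https://" + host + port + path };
}

function createRedirectServer(httpsPort, fallbackHost) {
  const http = require("http"); // loaded lazily, like the excerpt quoted in the thread
  return http.createServer(function (req, res) {
    const plan = planRedirect(req, httpsPort, fallbackHost);
    if (plan.status === 301) {
      res.writeHead(301, { Location: plan.location });
      res.end();
    } else {
      res.writeHead(400, { "Content-Type": "text/plain" });
      res.end("HTTPS-only server: the request carried no usable Host header\n");
    }
  });
}

// Constructed sample requests (only the fields planRedirect reads).
const samples = [
  { url: "/hub/login", headers: { host: "jupyter.example.com:80" } },
  { url: "/", headers: {} }, // HTTP/1.0-style probe without Host
  { url: "/lab", headers: { host: "[::1]:80" } }, // IPv6 literal with port
];
function demo() {
  return samples.map(function (r) { return planRedirect(r, 443); });
}
console.log(demo());
```

The handler never throws on a request without Host, so a single header-less probe cannot surface as an uncaught exception in the redirect listener.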
