<p>Tender: Discussion (feed updated 2018-06-04T19:00:35Z)</p>
<p>CloudFront redirect to cheddargetter.tenderapp.com</p>
<p>Published: 2018-05-30T14:38:00Z (updated 2018-05-31T22:10:19Z)</p>
<div><p>Hello,</p>
<p>After reading the public support discussion around "Custom SSL Certificate" (13299), we've implemented a CloudFront distribution for support.getcheddar.com.</p>
<p>In most cases it works as expected, but when logging in (using SSO), the site is redirected to cheddargetter.tenderapp.com rather than staying at support.getcheddar.com. Is this something you've encountered before? We are forwarding cookies and query strings (see attached image).</p>
<p>The support.getcheddar.com CNAME does not yet point to the CloudFront distribution.</p>
<p>To test it, one can add the following lines to their /etc/hosts file.</p>
<pre><code># AWS Cloudfront test
52.85.101.49 support.getcheddar.com support.cheddargetter.com</code></pre>
<p>Also, here is example output of curl following the redirect.</p>
<p>Marks-Mac-Pro:~ msbaltz$ curl -L --head <a href="http://support.getcheddar.com/kb?sso=Bp1jwAmH6zDdstuDBGv-ZZ0JZN9ZVsuENIqYe6cOjLE8JpZLR4NSrlxANXPNKo0gdFJu1ytx3OLt7gIQOFUQX-u0lHRsS3wHFWA39KXLKYuLjWNIjdxzsRcPugHDPyHs_lIDU1wLHcp4ZLHj0gNpVQ%3D">http://support.getcheddar.com/kb?sso=Bp1jwAmH6zDdstuDBGv-ZZ0JZN9ZVs...</a><br>
HTTP/1.1 301 Moved Permanently<br>
Server: CloudFront<br>
Date: Tue, 29 May 2018 16:48:16 GMT<br>
Content-Type: text/html<br>
Content-Length: 183<br>
Connection: keep-alive<br>
Location: <a href="https://support.getcheddar.com/kb?sso=Bp1jwAmH6zDdstuDBGv-ZZ0JZN9ZVsuENIqYe6cOjLE8JpZLR4NSrlxANXPNKo0gdFJu1ytx3OLt7gIQOFUQX-u0lHRsS3wHFWA39KXLKYuLjWNIjdxzsRcPugHDPyHs_lIDU1wLHcp4ZLHj0gNpVQ%3D">https://support.getcheddar.com/kb?sso=Bp1jwAmH6zDdstuDBGv-ZZ0JZN9ZV...</a><br>
X-Cache: Redirect from cloudfront<br>
Via: 1.1 f65bda8bf2dccd41d20af73214f75094.cloudfront.net (CloudFront)<br>
X-Amz-Cf-Id: asR6Z3XkLIo8Yk72OySJ9Bj2BThRVDuVFrMrwzVS9Bh7izrsJqlcgg==</p>
<p>HTTP/2 302<br>
content-type: text/html; charset=utf-8<br>
location: <a href="https://cheddargetter.tenderapp.com/kb">https://cheddargetter.tenderapp.com/kb</a><br>
server: nginx/1.8.1<br>
date: Tue, 29 May 2018 16:48:16 GMT<br>
x-ua-compatible: IE=Edge,chrome=1<br>
cache-control: no-cache<br>
set-cookie: _tender19_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFVEkiJTk2ZjM4YjNmZjFmMGUwMTk3ODEwODZhMzIwYzRjYWQ1BjsAVEkiDHVzZXJfaWQGOwBGaQM8EkBJIg9jcm9zc19zaXRlBjsARlQ%3D--38690830d0a30a91e30f13a0ccac3374dcc60110; path=/; HttpOnly; SameSite=Lax<br>
set-cookie: sso_multipass=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly; SameSite=Lax<br>
x-request-id: b6fda71e9b0340ed7edad47879d9edd0<br>
x-runtime: 0.063093<br>
x-rack-cache: miss<br>
content-security-policy: default-src https: http: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://*.tawk.to *.tawk.to nrpc.olark.com hooks.slack.com; img-src 'self' http: https: data:; report-uri <a href="https://help.tenderapp.com/csp_report">https://help.tenderapp.com/csp_report</a><br>
strict-transport-security: max-age=31536000; includeSubDomains<br>
x-content-type-options: nosniff<br>
x-download-options: noopen<br>
x-frame-options: allowall<br>
x-permitted-cross-domain-policies: none<br>
x-xss-protection: 1; mode=block<br>
x-cache: Miss from cloudfront<br>
via: 1.1 188b1ed2d0788bf81a654d83fd67a543.cloudfront.net (CloudFront)<br>
x-amz-cf-id: D52cCZ1maEWuJn2DkmaRzdmAKNegc5-PlusJLV3MImadZ5dQ-aqvcA==</p>
<p>HTTP/1.1 200 OK<br>
Server: nginx/1.8.1<br>
Date: Tue, 29 May 2018 16:48:17 GMT<br>
Content-Type: text/html; charset=utf-8<br>
Connection: keep-alive<br>
P3P: CP="ALL DSP COR CUR ADM DEV OUR IND UNI"<br>
X-UA-Compatible: IE=Edge,chrome=1<br>
ETag: "bb6263334bafe6e2fb06ec8cbbbc511a"<br>
Cache-Control: max-age=0, private, must-revalidate<br>
Set-Cookie: anon_token=0b22f3ba5; path=/; expires=Wed, 29-May-2019 16:48:17 GMT; HttpOnly; SameSite=Lax<br>
Set-Cookie: _tender19_session=BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiJWQxMzNmMDM1OTRmNDhjYThlMjE1YjM4OWE2YjM0Y2NmBjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiRWI0YjFmMDA5NjdjOTBkZjhjNDgyYTYzZWYyMTVlYWVjZWFmOTJiOWQ3ZTlmZTg5ZmQ2ODUzOTRhZTc1MWYzZWUGOwBG--fe6e5d8e298361ff6ea00aa4e710ce61d2c703e5; path=/; HttpOnly; SameSite=Lax<br>
X-Request-Id: a4ab31f08acb61d34144fd20e6d19e5c<br>
X-Runtime: 0.118958<br>
X-Rack-Cache: miss<br>
Content-Security-Policy: default-src https: http: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://*.tawk.to *.tawk.to nrpc.olark.com hooks.slack.com; img-src 'self' http: https: data:; report-uri <a href="https://help.tenderapp.com/csp_report">https://help.tenderapp.com/csp_report</a><br>
Strict-Transport-Security: max-age=31536000; includeSubDomains<br>
X-Content-Type-Options: nosniff<br>
X-Download-Options: noopen<br>
X-Frame-Options: allowall<br>
X-Permitted-Cross-Domain-Policies: none<br>
X-XSS-Protection: 1; mode=block</p>
<p>Thank you for your assistance!</p>
<h2><a name="mark-" class="anchor" href="#mark-"></a>Mark</h2>
<p>Mark Baltzegar<br>
<a href="mailto:markb@getcheddar.com">markb@getcheddar.com</a><br>
(812) 361-3815</p></div>
<p>Author: Mark Baltzegar</p>
<p>Published: 2018-05-31T14:09:58Z (updated 2018-05-31T22:10:19Z)</p>
<div><p>Notice in the second hop that the tender cookie has been set. This feels like the redirect is occurring on the Tender end and is a consequence of the SSO.</p>
<p>Please acknowledge.</p></div>
<p>Author: Mark Baltzegar</p>
<p>Published: 2018-05-31T22:10:58Z</p>
<div><p>Do you have a redirect string encoded in the SSO?</p></div>
<p>Author: Courtenay</p>
<p>Published: 2018-06-01T16:05:33Z</p>
<div><p>Hi Courtenay,</p>
<p>Thank you for investigating this.</p>
<p>I have confirmed that we are <em>not</em> including the "to" field as outlined here:</p>
<p><a href="https://help.tenderapp.com/kb/customizing-your-tender-site/share-your-own-sites-authentication-with-tender">https://help.tenderapp.com/kb/customizing-your-tender-site/share-your-own-sites-authentication-with-tender</a></p>
<p>Here are two examples of the information encoded in the SSO:</p>
<p>{"email":"marc@getcheddar.com","expires":"Fri, 01 Jun 2018 11:54:37 -0400","name":"Marc Guyer","product":"Unit Test Product (UNIT_TEST)"}</p>
<p>{"email":"markb@getcheddar.com","expires":"Tue, 22 May 2018 18:38:56 -0400","name":"Mark Baltzegar"}</p>
<p>I have also confirmed that the issue only occurs when the sso query string is present.</p></div>
<p>Author: Mark Baltzegar</p>
<p>Published: 2018-06-01T17:45:08Z</p>
<div><p>I've made some changes, try now! :)</p></div>
<p>Author: Courtenay</p>
<p>Published: 2018-06-01T18:25:29Z</p>
<div><p>Hi Courtenay,</p>
<p>I saw a new alert message that the Multipass token was expired. However, I'm still having the issue.</p>
<p>While logged in (with a fresh browser), clicking the "View Knowledge Base" button here still exhibits the issue:</p>
<p><a href="https://www.getcheddar.com/support">https://www.getcheddar.com/support</a></p></div>
<p>Author: Mark Baltzegar</p>
<p>Published: 2018-06-01T21:36:33Z</p>
<div><p>The issue before was that Tender wasn’t set to allow your site to use custom/arbitrary SSL, which is just a flag I set on your site. This should have fixed the issue. Do you know what hostname cloudflare is sending? And when it redirects, is it the same URL as before? I added an extra URL parameter for some redirects that has extra debugging info in it.</p></div>
<p>Author: Courtenay</p>
<p>Published: 2018-06-02T05:30:38Z</p>
<div><p>I was able to look at some logs and reproduce - it looks like CloudFront isn't sending the right host header, compared to what we normally expect and receive.</p>
<p>Tender is receiving <code>cheddargetter.tenderapp.com</code> as the hostname, which will always retain and override for the request. What you want to do is send <code>support.getcheddar.com</code> as the hostname. I know there are a few possible headers and ways to do this. I THINK the way to do it is outlined here - <a href="https://serversforhackers.com/c/cloudfront-and-your-app">https://serversforhackers.com/c/cloudfront-and-your-app</a> - by adding 'host' to the forwarded headers whitelist</p></div>
<p>Author: Courtenay</p>
<p>Published: 2018-06-04T15:40:40Z</p>
<div><p>It looks like the CloudFront interface has changed since that article. I tried adding a custom host, but was unsuccessful. I've attached a screenshot of the message from AWS and the relevant section from their documentation.</p>
<p>Is there another custom header that Tender could read from for this purpose?</p>
<p>Thanks again for your help!</p>
<p>Mark</p></div>
<p>Author: Mark Baltzegar</p>
<p>Published: 2018-06-04T18:28:58Z</p>
<div><p>I <em>THINK</em> this is the solution, but I'm setting up my own CloudFront distribution right now to try and figure it out: "whitelist headers" in the cache section</p>
<p><a href="https://aws.amazon.com/premiumsupport/knowledge-center/configure-cloudfront-to-forward-headers/">https://aws.amazon.com/premiumsupport/knowledge-center/configure-cl...</a></p>
<p>If this doesn't work, you might also try the X-Forwarded-Host header.</p></div>
<p>Author: Courtenay</p>
<p>Published: 2018-06-04T18:41:03Z</p>
<div><p>Awesome! Whitelisting the cache headers appears to have worked. We'll continue to test on our end.</p>
<p>Thank you!!</p>
<p>Mark</p></div>
<p>Author: Mark Baltzegar</p>
<p>Published: 2018-06-04T18:48:12Z</p>
<div><p>OK great, I'll stop smashing my head on this awful AWS UI :) Let me know if there's anything else I can help with.</p></div>
<p>Author: Courtenay</p>
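<p>The symptom diagnosed in this thread, a redirect hop whose Location leaves the custom domain because the origin was handed its own hostname instead of the viewer's Host, can be checked mechanically from a <code>curl -L --head</code> dump. This is an added example, not code from the thread, Tender or AWS; the function names are hypothetical and <code>SAMPLE</code> is a constructed, shortened dump in the shape of the one in the first post.</p>

```python
from urllib.parse import urlsplit

# Constructed sample: trimmed `curl -L --head` output shaped like the dump in
# the first post (hostnames are the thread's; the sso token is a placeholder).
SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Location: https://support.getcheddar.com/kb?sso=TOKEN
X-Cache: Redirect from cloudfront

HTTP/2 302
location: https://cheddargetter.tenderapp.com/kb
server: nginx/1.8.1
x-cache: Miss from cloudfront

HTTP/1.1 200 OK
Server: nginx/1.8.1
"""

def parse_hops(dump):
    """Split a header dump into one dict per response: status and lower-cased headers."""
    hops = []
    for block in dump.replace("\r\n", "\n").split("\n\n"):
        lines = [line for line in block.splitlines() if line.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue
        hop = {"status": int(lines[0].split()[1]), "headers": {}}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:  # repeated headers (e.g. set-cookie) keep only the last value
                hop["headers"][name.strip().lower()] = value.strip()
        hops.append(hop)
    return hops

def off_domain_redirects(dump, allowed_hosts):
    """Return (hop_number, status, location_host, server) for redirects leaving allowed_hosts."""
    findings = []
    for i, hop in enumerate(parse_hops(dump), start=1):
        location = hop["headers"].get("location")
        if not (300 <= hop["status"] < 400 and location):
            continue
        host = (urlsplit(location).hostname or "").lower()  # relative Location -> ""
        if host and host not in allowed_hosts:
            findings.append((i, hop["status"], host, hop["headers"].get("server", "")))
    return findings

if __name__ == "__main__":
    for finding in off_domain_redirects(SAMPLE, {"support.getcheddar.com"}):
        print("redirect leaves custom domain:", finding)
```

<p>The <code>server</code> value on the flagged hop shows whether the redirect was generated by the CDN itself or by the origin behind it, which is the distinction the thread turns on.</p>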