CloudFront redirect to cheddargetter.tenderapp.com
Hello,
After reading the public support discussion around "Custom SSL Certificate" (13299), we've implemented a CloudFront distribution for support.getcheddar.com.
In most cases it works as expected, but when logging in (using SSO), the site is redirected to cheddargetter.tenderapp.com rather than staying at support.getcheddar.com. Is this something you've encountered before? We are forwarding cookies and query strings (see attached image).
The support.getcheddar.com CNAME does not yet point to the CloudFront distribution.
To test it, one can add the following lines to their /etc/hosts file.
# AWS Cloudfront test
52.85.101.49 support.getcheddar.com support.cheddargetter.com
Also, here is example output of curl following the redirect.
Marks-Mac-Pro:~ msbaltz$ curl -L --head http://support.getcheddar.com/kb?sso=Bp1jwAmH6zDdstuDBGv-ZZ0JZN9ZVsuENIqYe6cOjLE8JpZLR4NSrlxANXPNKo0gdFJu1ytx3OLt7gIQOFUQX-u0lHRsS3wHFWA39KXLKYuLjWNIjdxzsRcPugHDPyHs_lIDU1wLHcp4ZLHj0gNpVQ%3D
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Tue, 29 May 2018 16:48:16 GMT
Content-Type: text/html
Content-Length: 183
Connection: keep-alive
Location: https://support.getcheddar.com/kb?sso=Bp1jwAmH6zDdstuDBGv-ZZ0JZN9ZVsuENIqYe6cOjLE8JpZLR4NSrlxANXPNKo0gdFJu1ytx3OLt7gIQOFUQX-u0lHRsS3wHFWA39KXLKYuLjWNIjdxzsRcPugHDPyHs_lIDU1wLHcp4ZLHj0gNpVQ%3D
X-Cache: Redirect from cloudfront
Via: 1.1 f65bda8bf2dccd41d20af73214f75094.cloudfront.net (CloudFront)
X-Amz-Cf-Id: asR6Z3XkLIo8Yk72OySJ9Bj2BThRVDuVFrMrwzVS9Bh7izrsJqlcgg==
HTTP/2 302
content-type: text/html; charset=utf-8
location: https://cheddargetter.tenderapp.com/kb
server: nginx/1.8.1
date: Tue, 29 May 2018 16:48:16 GMT
x-ua-compatible: IE=Edge,chrome=1
cache-control: no-cache
set-cookie: _tender19_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFVEkiJTk2ZjM4YjNmZjFmMGUwMTk3ODEwODZhMzIwYzRjYWQ1BjsAVEkiDHVzZXJfaWQGOwBGaQM8EkBJIg9jcm9zc19zaXRlBjsARlQ%3D--38690830d0a30a91e30f13a0ccac3374dcc60110; path=/; HttpOnly; SameSite=Lax
set-cookie: sso_multipass=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly; SameSite=Lax
x-request-id: b6fda71e9b0340ed7edad47879d9edd0
x-runtime: 0.063093
x-rack-cache: miss
content-security-policy: default-src https: http: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://*.tawk.to *.tawk.to nrpc.olark.com hooks.slack.com; img-src 'self' http: https: data:; report-uri https://help.tenderapp.com/csp_report
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: allowall
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
x-cache: Miss from cloudfront
via: 1.1 188b1ed2d0788bf81a654d83fd67a543.cloudfront.net (CloudFront)
x-amz-cf-id: D52cCZ1maEWuJn2DkmaRzdmAKNegc5-PlusJLV3MImadZ5dQ-aqvcA==
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Tue, 29 May 2018 16:48:17 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
P3P: CP="ALL DSP COR CUR ADM DEV OUR IND UNI"
X-UA-Compatible: IE=Edge,chrome=1
ETag: "bb6263334bafe6e2fb06ec8cbbbc511a"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: anon_token=0b22f3ba5; path=/; expires=Wed, 29-May-2019 16:48:17 GMT; HttpOnly; SameSite=Lax
Set-Cookie: _tender19_session=BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiJWQxMzNmMDM1OTRmNDhjYThlMjE1YjM4OWE2YjM0Y2NmBjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiRWI0YjFmMDA5NjdjOTBkZjhjNDgyYTYzZWYyMTVlYWVjZWFmOTJiOWQ3ZTlmZTg5ZmQ2ODUzOTRhZTc1MWYzZWUGOwBG--fe6e5d8e298361ff6ea00aa4e710ce61d2c703e5; path=/; HttpOnly; SameSite=Lax
X-Request-Id: a4ab31f08acb61d34144fd20e6d19e5c
X-Runtime: 0.118958
X-Rack-Cache: miss
Content-Security-Policy: default-src https: http: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://*.tawk.to *.tawk.to nrpc.olark.com hooks.slack.com; img-src 'self' http: https: data:; report-uri https://help.tenderapp.com/csp_report
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: allowall
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Thank you for your assistance!
Mark
--
Mark Baltzegar
[email blocked]
(812) 361-3815
Screen_Shot_2018-05-30_at_10.35.11_AM.png
Discussions are closed to public comments.
If you need help with Tender please
start a new discussion.
Keyboard shortcuts
Generic
| ? | Show this help |
|---|---|
| ESC | Blurs the current field |
Comment Form
| r | Focus the comment reply box |
|---|---|
| ^ + ↩ | Submit the comment |
You can use Command ⌘ instead of Control ^ on Mac
1 Posted by Mark Baltzegar on 31 May, 2018 02:09 PM
Notice in the second hop that the tender cookie has been set. This feels like the redirect is occurring on the Tender end and is a consequence of the SSO.
Please acknowledge.
Support Staff 2 Posted by Courtenay on 31 May, 2018 10:10 PM
do you have a redirect string encoded in the SSO?
3 Posted by Mark Baltzegar on 01 Jun, 2018 04:05 PM
Hi Courtenay,
Thank you for investigating this.
I have confirmed that we are *not* including the "to" field as outlined here:
https://help.tenderapp.com/kb/customizing-your-tender-site/share-your-own-sites-authentication-with-tender
Here are two examples of the information encoded in the SSO:
{"email":"[email blocked]","expires":"Fri, 01 Jun 2018 11:54:37 -0400","name":"Marc Guyer","product":"Unit Test Product (UNIT_TEST)"}
{"email":"[email blocked]","expires":"Tue, 22 May 2018 18:38:56 -0400","name":"Mark Baltzegar"}
I have also confirmed that the issue only occurs when the sso query string is present.
Support Staff 4 Posted by Courtenay on 01 Jun, 2018 05:45 PM
I've made some changes, try now! :)
5 Posted by Mark Baltzegar on 01 Jun, 2018 06:25 PM
Hi Courtenay,
I saw a new alert message that the Multipass token was expired. However, I'm still having the issue.
While logged in (with a fresh browser), clicking the "View Knowledge Base" button here still exhibits the issue:
https://www.getcheddar.com/support
Support Staff 6 Posted by Courtenay on 01 Jun, 2018 09:36 PM
the issue before was that tender wasn’t set to allow your site to use custom/arbitrary ssl; which is just a flag i set on your site. this should have fixed the issue. do you know what hostname cloudflare is sending? and when it redirects, is it the same url as before? i added an extra url parameter for some redirects that has extra debugging info in it.
Support Staff 7 Posted by Courtenay on 02 Jun, 2018 05:30 AM
I was able to look at some logs and reproduce - it looks like cloudfront isn't sending the right host header, compared to what we normally expect and receive.
Tender is receiving
cheddargetter.tenderapp.comas the hostname, which will always retain and override for the request. What you want to do is sendsupport.getcheddar.comas the hostname. I know there are a few possible headers and ways to do this.. i THINK the way to do it is outlined here - https://serversforhackers.com/c/cloudfront-and-your-app - by adding 'host' to the forwarded headers whitelist8 Posted by Mark Baltzegar on 04 Jun, 2018 03:40 PM
It looks like the CloudFront interface has changed since that article. I tried adding a custom host, but was unsuccessful. I've attached a screenshot of the message from AWS and the relevant section from their documentation.
Is there another custom header that Tender could read from for this purpose?
Thanks again for your help!
Mark
Support Staff 9 Posted by Courtenay on 04 Jun, 2018 06:28 PM
I THINK this is the solution, but I'm setting up my own cloudfront distribution right now to try and figure it out: "whitelist headers" in the cache section
https://aws.amazon.com/premiumsupport/knowledge-center/configure-cl...
if this doesn't work, you might also try X-Forwarded-Host header
10 Posted by Mark Baltzegar on 04 Jun, 2018 06:41 PM
Awesome! Whitelisting the cache headers appears to have worked. We'll continue to test on our end.
Thank you!!
Mark
Support Staff 11 Posted by Courtenay on 04 Jun, 2018 06:48 PM
OK great, I'll stop smashing my head on this awful aws UI :) Let me know if there's anything else I can help with.
Courtenay closed this discussion on 04 Jun, 2018 06:48 PM.