wireapp · jschaul · May 31, 2022 · May 30, 2022
@@ -0,0 +1,3 @@
+charts/{cannon,nginz}: values listed in
+`nginx_conf.randomport_allowlisted_origins` must be full hostnames. Hostnames
+listed here will be allowlisted with and without TLS.
@@ -132,7 +132,7 @@ http {
     # Allow additional origins at random ports. This is useful for testing with an HTTP proxy.
     # It should not be used in production.
     {{ range $origin := .Values.nginx_conf.randomport_allowlisted_origins }}
-      "~^https://{{ $origin }}.{{ $.Values.nginx_conf.external_env_domain}}(:[0-9]{2,5})?$" "$http_origin";
+      "~^https?://{{ $origin }}(:[0-9]{2,5})?$" "$http_origin";
     {{ end }}
    }
 

@@ -39,15 +39,16 @@ nginx_conf:
     # * https://wearezeta.atlassian.net/browse/FS-444
     ciphers: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
 
-  # -- The origins from which we allow CORS requests. These are combined with 'external_env_domain' to form a full url
+  # The origins from which we allow CORS requests. These are combined with
+  # 'external_env_domain' to form a full url
   allowlisted_origins:
     - webapp
     - teams
     - account
-  # -- The origins from which we allow CORS requests at random ports. This is
+  # The origins from which we allow CORS requests at random ports. This is
   # useful for testing with HTTP proxies and should not be used in production.
-  # The list entries are combined with 'external_env_domain' to form a full url
-  # regex that matches for all ports.
+  # The list entries must be full hostnames (they are **not** combined with
+  # 'external_env_domain'). http and https URLs are allow listed.
   randomport_allowlisted_origins: [] # default is empty by intention
   upstreams:
     cannon:

@@ -132,7 +132,7 @@ http {
     # Allow additional origins at random ports. This is useful for testing with an HTTP proxy.
     # It should not be used in production.
     {{ range $origin := .Values.nginx_conf.randomport_allowlisted_origins }}
-      "~^https://{{ $origin }}.{{ $.Values.nginx_conf.external_env_domain}}(:[0-9]{2,5})?$" "$http_origin";
+      "~^https?://{{ $origin }}(:[0-9]{2,5})?$" "$http_origin";
     {{ end }}
    }
 

@@ -51,15 +51,16 @@ nginx_conf:
   - /conversations/([^/]*)/call/state
   - /search/top
   - /search/common
-  # -- The origins from which we allow CORS requests. These are combined with 'external_env_domain' to form a full url
+  # The origins from which we allow CORS requests. These are combined with
+  # 'external_env_domain' to form a full url
   allowlisted_origins:
     - webapp
     - teams
     - account
-  # -- The origins from which we allow CORS requests at random ports. This is
+  # The origins from which we allow CORS requests at random ports. This is
   # useful for testing with HTTP proxies and should not be used in production.
-  # The list entries are combined with 'external_env_domain' to form a full url
-  # regex that matches for all ports.
+  # The list entries must be full hostnames (they are **not** combined with
+  # 'external_env_domain'). http and https URLs are allow listed.
   randomport_allowlisted_origins: [] # default is empty by intention
   # Add 'cannon' to 'ignored_upstreams' if you wish to make use of separate
   # network traffic to cannon-with-its-own-nginz