preflight | preflight helps you verify scripts and executables to mitigate chain of supply attacks such as the r | Security library

We are installing Anthos on VMWare platform and now we have an error in the Admin Cluster deployment procedure of the Seesaw Loadbalancer in HA.

The Deploy of two Seesaw VMs has been created with success, but when checking the health check we get the following error 403:

I have swagger (docker: swaggerapi/swagger-ui) running on swagger.mydomain.com with two definitions for api servers running on a.mydomain.com and b.mydomain.com

Both a and b are flask (python) servers. a.mydomain.com had CORS set up for a while now due to serving a webapp on a fourth subdomain. This works fine both on that subdomain, as well as in swagger. Now I did the same CORS setup for b.mydomain.com, however without success.

The setup on both servers looks like this:

I think I understand CORS pretty well, but I'm still a bit puzzled about the browser's behavior when it comes to the preflight requests.

Let's say the browser issues this preflight request:

I'm trying to connect Spring Security to my project. Created the Security Config class

We have a test environment on a public site. There we use --disable-web-security flag on chrome for the testers to bypass CORS errors for public service calls during manual test phase. And also we have localhost requests on the agent machine. However today with Chrome 98 update we started struggling with the network requests targeting localhost.

The error we get is for the localhost requests from a public site:
Access to XMLHttpRequest at 'https://localhost:3030/static/first.qjson' from origin 'https://....com' has been blocked by CORS policy: Request had no target IP address space, yet the resource is in address space `local`.

The site on localhost is configured to return Access-Control-Allow-* CORS headers including "Access-Control-Allow-Private-Network: true".

And also I do not see any preflight request. Just one GET request with CORS error on it.

We suspect this might be a side effect caused when you disable web security by --disable-web-security. It might be preventing obtaining of the target IP address space. Our assumption is based on the CORS preflight section on https://wicg.github.io/private-network-access/

3.1.2. CORS preflight
The HTTP fetch algorithm should be adjusted to ensure that a preflight is triggered for all private network requests initiated from secure contexts.

The main issue here is again that the response’s IP address space is not known until a connection is obtained in HTTP-network fetch, which is layered under CORS-preflight fetch.

So does anyone know any workaround for Private Network Access with --disable-web-security flag ? Or maybe we are missing something. Thanks for the help.

updated:

To reproduce the issue is very simple with a few steps:

1. Install it on your Ubuntu server by running the following command:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/posthog/posthog/HEAD/bin/deploy-hobby)"

1. During the auto installation process, you will be prompted to enter the domain for your Posthog site, so enter one and wait for the process to finish.

2. Visit the domain you entered and it is accessbile.

3. Now reboot your VPS and visit the domain again it is down forever. Not accessbile even if you use your vps ip address.

I've tried this auto-installation and reboot thing three times on the same vps and ended up with the same result. I've also tried it on another vps by a new hosting provider, yet still the same issue. Fresh installation and the site will be down right after your reboot your vps!

The following is the error log I got from the Caddy container, which is generated after the vps reboot:

{"level":"error","ts":1642534398.9394724,"logger":"http.log.error","msg":"dial tcp 172.18.0.4:8000: connect: connection refused","request":{"remote_addr":"67.198.228.123:35424","proto":"HTTP/2.0","method":"GET","host":"","uri":"/preflight","headers":{"Sec-Ch-Ua":["" Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96""],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"],"Sec-Fetch-Site":["cross-site"],"Accept-Language":["en-US,en;q=0.9"],"Accept-Encoding":["gzip, deflate, br"],"Cookie":["phtoolbar=yes; csrftoken=gsVfpdF56rbYgQQdwywH45zi83i386oe5KZZef3mIE00bumaQCG3i4OM35bdJIxQ; ph_sTMFPsFhdP1Ssg_posthog=%7B%22distinct_id%22%3A%22FpLgrw74q9qcclLSJ1bOrzsiPJmZtHdKswxemTFy9LG%22%7D"],"Cache-Control":["max-age=0"],"Sec-Ch-Ua-Mobile":["?0"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Dest":["document"],"Sec-Ch-Ua-Platform":[""macOS""],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","proto_mutual":true,"server_name":""}},"duration":0.008754516,"status":502,"err_id":"gicbjv2m4","err_trace":"reverseproxy.statusError (reverseproxy.go:886)"} {"level":"error","ts":1642534401.5881941,"logger":"http.log.error","msg":"dial tcp 172.18.0.4:8000: connect: connection refused","request":{"remote_addr":"67.198.228.123:35424","proto":"HTTP/2.0","method":"GET","host":"","uri":"/preflight","headers":{"Cache-Control":["max-age=0"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":[""macOS""],"Sec-Fetch-User":["?1"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"],"Sec-Ch-Ua":["" Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96""],"Sec-Fetch-Mode":["navigate"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Sec-Fetch-Site":["cross-site"],"Sec-Fetch-Dest":["document"],"Accept-Language":["en-US,en;q=0.9"],"Cookie":["phtoolbar=yes; csrftoken=gsVfpdF56rbYgQQdwywH45zi83i386oe5KZZef3mIE00bumaQCG3i4OM35bdJIxQ; ph_sTMFPsFhdP1Ssg_posthog=%7B%22distinct_id%22%3A%22FpLgrw74q9qcclLSJ1bOrzsiPJmZtHdKswxemTFy9LG%22%7D"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","proto_mutual":true,"server_name":""}},"duration":0.001907749,"status":502,"err_id":"27e15xwsj","err_trace":"reverseproxy.statusError (reverseproxy.go:886)"}

By the way, this is their documentaion page FYI: https://posthog.com/docs/self-host/deploy/hobby

Original question:

I've installed Posthog with their so-called hobby installation script on my vps and at first it was working fine. But right after I rebooted ubuntu and visited my self-hosted posthog site again, it would not load and just showed a blank page. It seems that something went wrong after I rebooted my vps. I've checked all the services required by Posthog with the command docker ps, and everything is up and running(check the screenshot attached).

I've been trying to figure it out for 4 days yet with no luck. I am new to docker and kubernetes so I do not know what causes the problem and what I should do. Please shed some light on this and help me :(

I have a React application based on Typescript which is hosted on my PC. I use Spring gateway to forward requests to another microservice. GET requests are working fine but for POST requests I get:

Access to XMLHttpRequest at 'http://1.1.1.1:8080/api/support/tickets/create' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I'm hitting this Spring Cloud Gateway issue: https://github.com/spring-cloud/spring-cloud-gateway/issues/229

Spring cloud configuration:

I've googled few days and haven't found any decisions. I've tried to update k8s from 1.19.0 to 1.19.6 In Ubuntu-20. (cluster manually installed k81 - master and k82 - worker node)

I have this code running in the browser