JS API v3 - Incorrect https to http routing

Geisson shared this question 15 days ago
In Progress

When integrating Yellowfin using the JS API, we had a problem with https being directed to http, which generated a "strict-origin-when-cross-origin" block by the browser.

How to simulate:

In the HTML below we can see that it has a JavaScript tag that will download the code necessary to render the dashboard. When I added the URL, I specified the https protocol: "https://<<my-domain>>/JsAPI/v3?dashUUID=<<uuid>>&token=<<token>>".


<html>
  <body>
    <script src="https://<<my-domain>>/JsAPI/v3?dashUUID=<<uuid>>&token=<<token>>&showToolbar=true"></script>
  </body>
</html>

When the browser downloads the JavaScript, inside its body it has a variable called "apiURL" where the generated URL has "http" instead of "https". This URL is generated by Yellowfin, and as I am running Yellowfin in "HTTPS" it is expected that the URL dynamically generated by it will also be HTTPS.
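
Added example (not part of the original post and not Yellowfin code): a check that takes the URL the loader script was fetched from and the script body it returned, and reports whether the embedded "apiURL" drops from https to http or points at a different host. The assignment format matched by the regex, the host bi.example.test, the /JsAPI path in the samples and the function names are assumptions made for illustration.

```javascript
// Added diagnostic, not Yellowfin code. ASSUMPTION: the loader embeds the
// URL as an assignment such as `apiURL = "..."` or `apiURL: "..."`.
function findApiUrls(scriptText) {
  const re = /\bapiURL\b["']?\s*[:=]\s*(["'])(.*?)\1/g;
  const urls = [];
  let m;
  while ((m = re.exec(scriptText)) !== null) urls.push(m[2]);
  return urls;
}

// Compare every apiURL with the URL the loader itself was fetched from.
function checkLoader(loaderUrl, scriptText) {
  const loader = new URL(loaderUrl);
  return findApiUrls(scriptText).map((raw) => {
    let api;
    try {
      api = new URL(raw, loader); // relative values resolve against the loader
    } catch {
      return { apiURL: raw, verdict: "unparseable" };
    }
    // An https page may not call an http endpoint: browsers block it as mixed content.
    if (loader.protocol === "https:" && api.protocol === "http:") {
      return { apiURL: raw, verdict: "scheme-downgrade" };
    }
    // The backend's own host name came through instead of the public one.
    if (api.host !== loader.host) {
      return { apiURL: raw, verdict: "host-mismatch" };
    }
    return { apiURL: raw, verdict: "ok" };
  });
}

// Constructed samples (hypothetical host bi.example.test, placeholder UUID/token).
const LOADER_URL = "https://bi.example.test/JsAPI/v3?dashUUID=UUID&token=TOKEN";
const BODY_AS_REPORTED = 'var apiURL = "http://bi.example.test/JsAPI";';
const BODY_EXPECTED = 'var apiURL = "https://bi.example.test/JsAPI";';
const BODY_BACKEND_HOST = '{ apiURL: "https://yellowfin:8080/JsAPI" }';

for (const body of [BODY_AS_REPORTED, BODY_EXPECTED, BODY_BACKEND_HOST]) {
  console.log(checkLoader(LOADER_URL, body));
}
```

Run it with Node against the saved response body of the loader request to confirm which value the server actually emitted before changing proxy or Yellowfin settings.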

Replies (11)

photo
1

Hi Geisson,

Thanks for contacting Yellowfin with your question.

Can I ask you to confirm that you've set your external base URL and the allowed origins domains in Yellowfin, via the Admin Console -> Configuration -> General Settings?

[image]

Kind regards,

Chris

photo
1

Yes, both configurations were made by changing the external url to "https://<my-domain>" and adding the allowed origins to "https://<<my-site>>".

photo
1

Hi Geisson,

Thanks for coming back to me.

Please could you send over a screenshot similar to the one I've created just so I can see what you've got.

Please could you also send a screenshot of the link embed screen that is generated when you browse to a report, click on share and then click embed:

[image]

If that also has HTTPS in it then it should be working but if not then that gives us other avenues to explore.

Thanks!

Kind regards,

Chris

photo
1

Here is the image with the settings

[image]

Below is the example image of the embed link

[image]


As you can see, the embed link is correct. The problem is when this link is executed. As this is a script, in its call it returns a code and within the code returned by this link there is an invalid http link as shown in the next image.

[image]

photo
1

Hi Geisson,

Thanks for confirming. I see where you mean, it's in the specific embed dashboard script that's returned and you're right in that it doesn't seem to fill that variable from the external base URL as I tried changing it and it doesn't update.

Are you using a proxy server between Yellowfin and the hosting site?

SSL also needs to be configured on Yellowfin with a valid certificate, please let me know if that's already set up.

Finally, can I ask exactly which version of Yellowfin have you got running? The info.jsp found at https://yourYFurl/info.jsp would suffice.

Kind regards,

Chris

photo
1

Hi Geisson,

Can I ask one last thing, as you're using a token for the embed, I assume that comes from your SSO solution. Does the user you're logging in with belong to the default org?

Kind regards,

Chris

photo
1

Hi Chris,

We are using a proxy that, when activated, directs to Yellowfin. We are specifically using Traefik.

Installation information follows:

Application Version: 9.10.0.1
java.version: 11.0.13
os.name: Linux
os.arch: amd64
os.version: 5.15.0-200.131.27.el9uek.x86_64

Regarding the token and access settings, we already tested it in an environment without a valid SSL certificate running over http and everything worked normally. We had the error reported after configuring an SSL certificate and adding it to HTTPS.

photo
1

Hi Geisson,

I think I'm going to ask someone on our consultant team to take a look here as it's been working using HTTP for you and you seem to have Yellowfin configured correctly for using the JS API v3 and HTTPS. There could be something with your network stack that needs looking at.

Were you able to confirm that the user credentials passed through are logging in to the default org? The allowed origins may need to be configured for client orgs if it's not already done.

Kind regards,

Chris

photo
1

Hi Chris,
I have already checked all the settings mentioned above regarding the network and the user having access to the default organization and they are all configured correctly.

For testing purposes, we disabled http to https routing and everything worked normally in this new structure.

photo
1

Hello Chris, how are you?

Any feedback regarding the reported problem?

photo
1

Hi Geisson,

I'm good thanks! I hope your week is going well :)

So regarding the issue, I added support for SSL in my 9.10.0.1 environment and the apiURL updated accordingly. I've also asked the account manager just to make the Brazilian Yellowfin reseller aware of your situation as well.

[image]

Furthermore, on our end someone has a possibly similar setup to you, using a reverse proxy configuration which maps https requests to http on the server side. Does this apply to you or have you got https enabled in Yellowfin as well via modifications made to the web.xml and server.xml files?

The alternative is you might have your proxy, Traefik, forwarding https requests to Yellowfin over http, in which case, this Community post from the Traefik forums may help with forwarding those requests. https://community.traefik.io/t/http-to-https-redirect-does-not-enforce-the-client-to-create-a-new-connection/15103

Let me know.

Kind regards,

Chris

photo
1

Hi Chris,

We are using a Docker environment to run Yellowfin in production. I believe the configuration you tested should be native Yellowfin. When reading the topic you mentioned, we understand that the problem mentioned does not occur in our structure because https routing works correctly.

When analyzing the situation with our infrastructure, we believe that the problem may not be related to the reverse proxy. Would it be possible for you to tell us what logic Yellowfin uses to generate the value of the "apiURL" variable? When we add the "URL da base da instância externa" configuration, shouldn't we be using the value of this configuration in the variable as shown in the image below?


[image]
