Phosphor Web-ui: Server unreachable

Phosphor Web-ui: Server unreachable

[AKASH G J]

[-- Attachment #1: Type: text/plain, Size: 410 bytes --]

Hi Team,

I added phosphor-webui into the Linux image and set up client side of the
web interface. In the client side of web interface I could able to give the
IP address, username and password. After entering all those details, it is
showing "server unreachable". But I could able to ping the server board and
ssh into the system. Please someone help to resolve the problem.



Thanks and Regards,

Akash G J

[-- Attachment #2: Type: text/html, Size: 557 bytes --]

Re: Phosphor Web-ui: Server unreachable

[Ed Tanous]

On 07/30/2018 05:04 AM, AKASH G J wrote:
> Hi Team,
> 
> I added phosphor-webui into the Linux image and set up client side of 
> the web interface. In the client side of web interface I could able to 
> give the IP address, username and password. After entering all those 
> details, it is showing "server unreachable". But I could able to ping 
> the server board and ssh into the system. Please someone help to resolve 
> the problem.
> 
> 
> 
> Thanks and Regards,
> 
> Akash G J

We need some basic information to help you troubleshoot.  You might also 
find faster responses on irc;  Most of the people involved in the web 
infrastructure are online there.

1. What platform are you using?
2. If not one of the upstream platforms, which web server is your 
platform using?  (probably one of phosphor-rest, bmcweb, or 
phosphor-rest+nginx)
3. When you open up the debugger window in your chosen browser (usually 
the F12 key) then go to the network tab and attempt to log in, what do 
you see?  You should see an attempt to get to the /login url, with some 
kind of error code (maybe 401, maybe 500, maybe something else).  We'll 
need that to help troubleshoot.
4. Is there anything else strange about your setup that you might think 
would contribute to your issue?
5. Are you hosting phosphor-webui from a different machine from the BMC. 
  Depending on what server you are using, there are likely security 
settings preventing cross site scripting that are blocking you.

Re: Phosphor Web-ui: Server unreachable

[AKASH G J]

[-- Attachment #1: Type: text/plain, Size: 2238 bytes --]

Hi Ed,

Sorry for the late reply. I was on leave for last week.

I am hosting phosphor-webui on a different machine and trying to connect
the BMC board using its IP address. I am using bmcweb platform. When I
tried to login, the following message appeared in browser console.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
remote resource at https://<BMC-IP>/login. (Reason: CORS request did not
succeed).
<unavailable> activity-stream.bundle.js:3170:9
CSI/tbsd_ cb=gapi.loaded_0:458:127
CSI/_tbnd cb=gapi.loaded_0:458:127
CSI/tbsd_ cb=gapi.loaded_0:458:127
CSI/_tbnd cb=gapi.loaded_0:458:127



Thanks and Regards,

Akash

On Mon, Jul 30, 2018 at 11:06 PM, Ed Tanous <ed.tanous@intel.com> wrote:

> On 07/30/2018 05:04 AM, AKASH G J wrote:
>
>> Hi Team,
>>
>> I added phosphor-webui into the Linux image and set up client side of the
>> web interface. In the client side of web interface I could able to give the
>> IP address, username and password. After entering all those details, it is
>> showing "server unreachable". But I could able to ping the server board and
>> ssh into the system. Please someone help to resolve the problem.
>>
>>
>>
>> Thanks and Regards,
>>
>> Akash G J
>>
>
> We need some basic information to help you troubleshoot.  You might also
> find faster responses on irc;  Most of the people involved in the web
> infrastructure are online there.
>
> 1. What platform are you using?
> 2. If not one of the upstream platforms, which web server is your platform
> using?  (probably one of phosphor-rest, bmcweb, or phosphor-rest+nginx)
> 3. When you open up the debugger window in your chosen browser (usually
> the F12 key) then go to the network tab and attempt to log in, what do you
> see?  You should see an attempt to get to the /login url, with some kind of
> error code (maybe 401, maybe 500, maybe something else).  We'll need that
> to help troubleshoot.
> 4. Is there anything else strange about your setup that you might think
> would contribute to your issue?
> 5. Are you hosting phosphor-webui from a different machine from the BMC.
> Depending on what server you are using, there are likely security settings
> preventing cross site scripting that are blocking you.
>

[-- Attachment #2: Type: text/html, Size: 2923 bytes --]

RE: Phosphor Web-ui: Server unreachable

[Tanous, Ed]

[-- Attachment #1: Type: text/plain, Size: 3599 bytes --]

This a security measure in bmcweb to prevent cross site scripting.  If you’re running phosphor-webui from another machine, you’re essentially running cross site scripting as a development measure, which is exactly what the BMC sees, and the browser squashes the request as a suspected XSS attack.

The easiest way to make this work for testing is to go to this file:
https://github.com/openbmc/bmcweb/blob/master/include/security_headers_middleware.hpp

and comment out lines 42-44, which set headers to prevent the bmc squashing the request.

It’s been a while since I’ve developed like that, but you likely also need to add a couple headers as well
req.addHeader(“Access-Control-Allow-Origin”, “*”);
req.addHeader(“Access-Control-Allow-Methods”, “GET, POST, PUT, PATCH”);

I know you’re not the first person to hit this unexpectedly.  If you get a header recipe that allows development, it would be great if you could codify it into an option called BMC_INSECURE_ALLOW_XSS, add it to the build configuration, and put it up for a gerrit review;  I’m fairly certain it would help others.

-Ed

From: AKASH G J [mailto:akashgj91@gmail.com]
Sent: Tuesday, August 7, 2018 3:13 AM
To: Tanous, Ed <ed.tanous@intel.com>
Cc: openbmc@lists.ozlabs.org
Subject: Re: Phosphor Web-ui: Server unreachable

Hi Ed,

Sorry for the late reply. I was on leave for last week.

I am hosting phosphor-webui on a different machine and trying to connect the BMC board using its IP address. I am using bmcweb platform. When I tried to login, the following message appeared in browser console.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://<BMC-IP>/login<https://%3cBMC-IP%3e/login>. (Reason: CORS request did not succeed).
<unavailable> activity-stream.bundle.js:3170:9
CSI/tbsd_ cb=gapi.loaded_0:458:127
CSI/_tbnd cb=gapi.loaded_0:458:127
CSI/tbsd_ cb=gapi.loaded_0:458:127
CSI/_tbnd cb=gapi.loaded_0:458:127



Thanks and Regards,

Akash

On Mon, Jul 30, 2018 at 11:06 PM, Ed Tanous <ed.tanous@intel.com<mailto:ed.tanous@intel.com>> wrote:
On 07/30/2018 05:04 AM, AKASH G J wrote:
Hi Team,

I added phosphor-webui into the Linux image and set up client side of the web interface. In the client side of web interface I could able to give the IP address, username and password. After entering all those details, it is showing "server unreachable". But I could able to ping the server board and ssh into the system. Please someone help to resolve the problem.



Thanks and Regards,

Akash G J

We need some basic information to help you troubleshoot.  You might also find faster responses on irc;  Most of the people involved in the web infrastructure are online there.

1. What platform are you using?
2. If not one of the upstream platforms, which web server is your platform using?  (probably one of phosphor-rest, bmcweb, or phosphor-rest+nginx)
3. When you open up the debugger window in your chosen browser (usually the F12 key) then go to the network tab and attempt to log in, what do you see?  You should see an attempt to get to the /login url, with some kind of error code (maybe 401, maybe 500, maybe something else).  We'll need that to help troubleshoot.
4. Is there anything else strange about your setup that you might think would contribute to your issue?
5. Are you hosting phosphor-webui from a different machine from the BMC.  Depending on what server you are using, there are likely security settings preventing cross site scripting that are blocking you.


[-- Attachment #2: Type: text/html, Size: 9363 bytes --]

Re: Phosphor Web-ui: Server unreachable

[AKASH G J]

[-- Attachment #1: Type: text/plain, Size: 8635 bytes --]

Hi Ed,

I made the changes suggested by you. But in building the system, I am
getting some configuration error. Please find the following log data.

Log data follows:
| DEBUG: Executing shell function do_configure
|
CMAKE_MODULE_PATH=/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/git/cmake
| -- The CXX compiler identification is GNU 7.3.0
| -- The C compiler identification is GNU 7.3.0
| -- Check for working CXX compiler:
/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot-native/usr/bin/arm-openbmc-linux-gnueabi/arm-openbmc-linux-gnueabi-g++
| -- Check for working CXX compiler:
/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot-native/usr/bin/arm-openbmc-linux-gnueabi/arm-openbmc-linux-gnueabi-g++
-- works
| -- Detecting CXX compiler ABI info
| -- Detecting CXX compiler ABI info - done
| -- Detecting CXX compile features
| -- Detecting CXX compile features - done
| -- Check for working C compiler:
/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot-native/usr/bin/arm-openbmc-linux-gnueabi/arm-openbmc-linux-gnueabi-gcc
| -- Check for working C compiler:
/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot-native/usr/bin/arm-openbmc-linux-gnueabi/arm-openbmc-linux-gnueabi-gcc
-- works
| -- Detecting C compiler ABI info
| -- Detecting C compiler ABI info - done
| -- Detecting C compile features
| -- Detecting C compile features - done
| -- Boost version: 1.64.0
| -- Found OpenSSL:
/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/usr/lib/libcrypto.so
(found version "1.0.2n")
| OPENSSL_INCLUDE_DIR
/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/usr/include
| CMAKE_BUILD_TYPE=
| -- Found ZLIB:
/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/usr/lib/libz.so
(found version "1.2.11")
| -- Performing Test PAM_MESSAGE_CONST
| -- Performing Test PAM_MESSAGE_CONST - Success
| -- Found PAM:
/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/lib/libpam.so;/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/usr/lib/libdl.so
| -- Configuring done
| CMake Error in CMakeLists.txt:
|

* Imported target "boost-dbus" includes non-existent path| |
"/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/boost-dbus/1.0+gitAUTOINC+70f79f4d66-r0/recipe-sysroot/usr/include/dbus-1.0"*
|
|   in its INTERFACE_INCLUDE_DIRECTORIES.  Possible reasons include:
|
|   * The path was deleted, renamed, or moved to another location.
|
|   * An install or uninstall procedure did not complete successfully.
|
|   * The installation package was faulty and references files it does not
|   provide.
|
|
|
| CMake Error in CMakeLists.txt:
|

* Imported target "boost-dbus" includes non-existent path| |
"/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/boost-dbus/1.0+gitAUTOINC+70f79f4d66-r0/recipe-sysroot/usr/include/dbus-1.0"*
|
|   in its INTERFACE_INCLUDE_DIRECTORIES.  Possible reasons include:
|
|   * The path was deleted, renamed, or moved to another location.
|
|   * An install or uninstall procedure did not complete successfully.
|
|   * The installation package was faulty and references files it does not
|   provide.
|
|
|
| -- Generating done
| CMake Warning:
|   Manually-specified variables were not used by the project:
|
|     CMAKE_INSTALL_BINDIR
|     CMAKE_INSTALL_DATAROOTDIR
|     CMAKE_INSTALL_INCLUDEDIR
|     CMAKE_INSTALL_LIBDIR
|     CMAKE_INSTALL_LIBEXECDIR
|     CMAKE_INSTALL_LOCALSTATEDIR
|     CMAKE_INSTALL_SBINDIR
|     CMAKE_INSTALL_SHAREDSTATEDIR
|     CMAKE_INSTALL_SYSCONFDIR
|
|
| -- Build files have been written to:
/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/build
| WARNING: exit code 1 from a shell command.
| ERROR: Function failed: do_configure (log file is located at
/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/temp/log.do_configure.17054)



Thanks and Regards,

Akash G J

On Tue, Aug 7, 2018 at 7:54 PM, Tanous, Ed <ed.tanous@intel.com> wrote:

> This a security measure in bmcweb to prevent cross site scripting.  If
> you’re running phosphor-webui from another machine, you’re essentially
> running cross site scripting as a development measure, which is exactly
> what the BMC sees, and the browser squashes the request as a suspected XSS
> attack.
>
>
>
> The easiest way to make this work for testing is to go to this file:
>
> https://github.com/openbmc/bmcweb/blob/master/include/
> security_headers_middleware.hpp
>
>
>
> and comment out lines 42-44, which set headers to prevent the bmc
> squashing the request.
>
>
>
> It’s been a while since I’ve developed like that, but you likely also need
> to add a couple headers as well
>
> req.addHeader(“Access-Control-Allow-Origin”, “*”);
>
> req.addHeader(“Access-Control-Allow-Methods”, “GET, POST, PUT, PATCH”);
>
>
>
> I know you’re not the first person to hit this unexpectedly.  If you get a
> header recipe that allows development, it would be great if you could
> codify it into an option called BMC_INSECURE_ALLOW_XSS, add it to the build
> configuration, and put it up for a gerrit review;  I’m fairly certain it
> would help others.
>
>
>
> -Ed
>
>
>
> *From:* AKASH G J [mailto:akashgj91@gmail.com]
> *Sent:* Tuesday, August 7, 2018 3:13 AM
> *To:* Tanous, Ed <ed.tanous@intel.com>
> *Cc:* openbmc@lists.ozlabs.org
> *Subject:* Re: Phosphor Web-ui: Server unreachable
>
>
>
> Hi Ed,
>
>
>
> Sorry for the late reply. I was on leave for last week.
>
>
>
> I am hosting phosphor-webui on a different machine and trying to connect
> the BMC board using its IP address. I am using bmcweb platform. When I
> tried to login, the following message appeared in browser console.
>
>
>
> Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
> remote resource at https://<BMC-IP>/login. (Reason: CORS request did not
> succeed).
> <unavailable> activity-stream.bundle.js:3170:9
> CSI/tbsd_ cb=gapi.loaded_0:458:127
> CSI/_tbnd cb=gapi.loaded_0:458:127
> CSI/tbsd_ cb=gapi.loaded_0:458:127
> CSI/_tbnd cb=gapi.loaded_0:458:127
>
>
>
>
>
>
>
> Thanks and Regards,
>
>
>
> Akash
>
>
>
> On Mon, Jul 30, 2018 at 11:06 PM, Ed Tanous <ed.tanous@intel.com> wrote:
>
> On 07/30/2018 05:04 AM, AKASH G J wrote:
>
> Hi Team,
>
> I added phosphor-webui into the Linux image and set up client side of the
> web interface. In the client side of web interface I could able to give the
> IP address, username and password. After entering all those details, it is
> showing "server unreachable". But I could able to ping the server board and
> ssh into the system. Please someone help to resolve the problem.
>
>
>
> Thanks and Regards,
>
> Akash G J
>
>
>
> We need some basic information to help you troubleshoot.  You might also
> find faster responses on irc;  Most of the people involved in the web
> infrastructure are online there.
>
> 1. What platform are you using?
> 2. If not one of the upstream platforms, which web server is your platform
> using?  (probably one of phosphor-rest, bmcweb, or phosphor-rest+nginx)
> 3. When you open up the debugger window in your chosen browser (usually
> the F12 key) then go to the network tab and attempt to log in, what do you
> see?  You should see an attempt to get to the /login url, with some kind of
> error code (maybe 401, maybe 500, maybe something else).  We'll need that
> to help troubleshoot.
> 4. Is there anything else strange about your setup that you might think
> would contribute to your issue?
> 5. Are you hosting phosphor-webui from a different machine from the BMC.
> Depending on what server you are using, there are likely security settings
> preventing cross site scripting that are blocking you.
>
>
>

[-- Attachment #2: Type: text/html, Size: 13759 bytes --]

RE: Phosphor Web-ui: Server unreachable

[Tanous, Ed]

[-- Attachment #1: Type: text/plain, Size: 9034 bytes --]

That looks like you’re trying to build a version of bmcweb from a couple months ago (SHA1 f4c4dcf438) which still requires boost-dbus.  Can you try building off the latest?

https://github.com/openbmc/openbmc/blob/master/meta-phosphor/common/recipes-phosphor/interfaces/bmcweb.bb

It should get rid of the problem below.

-Ed

From: AKASH G J [mailto:akashgj91@gmail.com]
Sent: Tuesday, August 7, 2018 10:25 PM
To: Tanous, Ed <ed.tanous@intel.com>
Cc: openbmc@lists.ozlabs.org
Subject: Re: Phosphor Web-ui: Server unreachable

Hi Ed,

I made the changes suggested by you. But in building the system, I am getting some configuration error. Please find the following log data.

Log data follows:
| DEBUG: Executing shell function do_configure
| CMAKE_MODULE_PATH=/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/git/cmake
| -- The CXX compiler identification is GNU 7.3.0
| -- The C compiler identification is GNU 7.3.0
| -- Check for working CXX compiler: /home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot-native/usr/bin/arm-openbmc-linux-gnueabi/arm-openbmc-linux-gnueabi-g++
| -- Check for working CXX compiler: /home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot-native/usr/bin/arm-openbmc-linux-gnueabi/arm-openbmc-linux-gnueabi-g++ -- works
| -- Detecting CXX compiler ABI info
| -- Detecting CXX compiler ABI info - done
| -- Detecting CXX compile features
| -- Detecting CXX compile features - done
| -- Check for working C compiler: /home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot-native/usr/bin/arm-openbmc-linux-gnueabi/arm-openbmc-linux-gnueabi-gcc
| -- Check for working C compiler: /home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot-native/usr/bin/arm-openbmc-linux-gnueabi/arm-openbmc-linux-gnueabi-gcc -- works
| -- Detecting C compiler ABI info
| -- Detecting C compiler ABI info - done
| -- Detecting C compile features
| -- Detecting C compile features - done
| -- Boost version: 1.64.0
| -- Found OpenSSL: /home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/usr/lib/libcrypto.so (found version "1.0.2n")
| OPENSSL_INCLUDE_DIR /home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/usr/include
| CMAKE_BUILD_TYPE=
| -- Found ZLIB: /home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/usr/lib/libz.so (found version "1.2.11")
| -- Performing Test PAM_MESSAGE_CONST
| -- Performing Test PAM_MESSAGE_CONST - Success
| -- Found PAM: /home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/lib/libpam.so;/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/usr/lib/libdl.so
| -- Configuring done
| CMake Error in CMakeLists.txt:
|   Imported target "boost-dbus" includes non-existent path
|
|     "/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/boost-dbus/1.0+gitAUTOINC+70f79f4d66-r0/recipe-sysroot/usr/include/dbus-1.0"
|
|   in its INTERFACE_INCLUDE_DIRECTORIES.  Possible reasons include:
|
|   * The path was deleted, renamed, or moved to another location.
|
|   * An install or uninstall procedure did not complete successfully.
|
|   * The installation package was faulty and references files it does not
|   provide.
|
|
|
| CMake Error in CMakeLists.txt:
|   Imported target "boost-dbus" includes non-existent path
|
|     "/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/boost-dbus/1.0+gitAUTOINC+70f79f4d66-r0/recipe-sysroot/usr/include/dbus-1.0"
|
|   in its INTERFACE_INCLUDE_DIRECTORIES.  Possible reasons include:
|
|   * The path was deleted, renamed, or moved to another location.
|
|   * An install or uninstall procedure did not complete successfully.
|
|   * The installation package was faulty and references files it does not
|   provide.
|
|
|
| -- Generating done
| CMake Warning:
|   Manually-specified variables were not used by the project:
|
|     CMAKE_INSTALL_BINDIR
|     CMAKE_INSTALL_DATAROOTDIR
|     CMAKE_INSTALL_INCLUDEDIR
|     CMAKE_INSTALL_LIBDIR
|     CMAKE_INSTALL_LIBEXECDIR
|     CMAKE_INSTALL_LOCALSTATEDIR
|     CMAKE_INSTALL_SBINDIR
|     CMAKE_INSTALL_SHAREDSTATEDIR
|     CMAKE_INSTALL_SYSCONFDIR
|
|
| -- Build files have been written to: /home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/build
| WARNING: exit code 1 from a shell command.
| ERROR: Function failed: do_configure (log file is located at /home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/temp/log.do_configure.17054)



Thanks and Regards,

Akash G J

On Tue, Aug 7, 2018 at 7:54 PM, Tanous, Ed <ed.tanous@intel.com<mailto:ed.tanous@intel.com>> wrote:
This a security measure in bmcweb to prevent cross site scripting.  If you’re running phosphor-webui from another machine, you’re essentially running cross site scripting as a development measure, which is exactly what the BMC sees, and the browser squashes the request as a suspected XSS attack.

The easiest way to make this work for testing is to go to this file:
https://github.com/openbmc/bmcweb/blob/master/include/security_headers_middleware.hpp

and comment out lines 42-44, which set headers to prevent the bmc squashing the request.

It’s been a while since I’ve developed like that, but you likely also need to add a couple headers as well
req.addHeader(“Access-Control-Allow-Origin”, “*”);
req.addHeader(“Access-Control-Allow-Methods”, “GET, POST, PUT, PATCH”);

I know you’re not the first person to hit this unexpectedly.  If you get a header recipe that allows development, it would be great if you could codify it into an option called BMC_INSECURE_ALLOW_XSS, add it to the build configuration, and put it up for a gerrit review;  I’m fairly certain it would help others.

-Ed

From: AKASH G J [mailto:akashgj91@gmail.com<mailto:akashgj91@gmail.com>]
Sent: Tuesday, August 7, 2018 3:13 AM
To: Tanous, Ed <ed.tanous@intel.com<mailto:ed.tanous@intel.com>>
Cc: openbmc@lists.ozlabs.org<mailto:openbmc@lists.ozlabs.org>
Subject: Re: Phosphor Web-ui: Server unreachable

Hi Ed,

Sorry for the late reply. I was on leave for last week.

I am hosting phosphor-webui on a different machine and trying to connect the BMC board using its IP address. I am using bmcweb platform. When I tried to login, the following message appeared in browser console.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://<BMC-IP>/login<https://%3cBMC-IP%3e/login>. (Reason: CORS request did not succeed).
<unavailable> activity-stream.bundle.js:3170:9
CSI/tbsd_ cb=gapi.loaded_0:458:127
CSI/_tbnd cb=gapi.loaded_0:458:127
CSI/tbsd_ cb=gapi.loaded_0:458:127
CSI/_tbnd cb=gapi.loaded_0:458:127



Thanks and Regards,

Akash

On Mon, Jul 30, 2018 at 11:06 PM, Ed Tanous <ed.tanous@intel.com<mailto:ed.tanous@intel.com>> wrote:
On 07/30/2018 05:04 AM, AKASH G J wrote:
Hi Team,

I added phosphor-webui into the Linux image and set up client side of the web interface. In the client side of web interface I could able to give the IP address, username and password. After entering all those details, it is showing "server unreachable". But I could able to ping the server board and ssh into the system. Please someone help to resolve the problem.



Thanks and Regards,

Akash G J

We need some basic information to help you troubleshoot.  You might also find faster responses on irc;  Most of the people involved in the web infrastructure are online there.

1. What platform are you using?
2. If not one of the upstream platforms, which web server is your platform using?  (probably one of phosphor-rest, bmcweb, or phosphor-rest+nginx)
3. When you open up the debugger window in your chosen browser (usually the F12 key) then go to the network tab and attempt to log in, what do you see?  You should see an attempt to get to the /login url, with some kind of error code (maybe 401, maybe 500, maybe something else).  We'll need that to help troubleshoot.
4. Is there anything else strange about your setup that you might think would contribute to your issue?
5. Are you hosting phosphor-webui from a different machine from the BMC.  Depending on what server you are using, there are likely security settings preventing cross site scripting that are blocking you.



[-- Attachment #2: Type: text/html, Size: 20928 bytes --]

Re: Phosphor Web-ui: Server unreachable

[AKASH G J]

[-- Attachment #1: Type: text/plain, Size: 11331 bytes --]

Adding the lines

req.addHeader(“Access-Control-Allow-Origin”, “*”);

req.addHeader(“Access-Control-Allow-Methods”, “GET, POST, PUT, PATCH”); to
the file https://github.com/openbmc/bmcweb/blob/master/include/
security_headers_middleware.hpp gives error in compilation of bmcweb. The
following are some error messages I got.


|
/home/akash/Pictures/openbmcNew/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+55c7b7a2e5-r0/git/include/security_headers_middleware.hpp:44:20:
error: stray '\200' in program
|      req.addHeader(“Access-Control-Allow-Origin”, “*”);


|
/home/akash/Pictures/openbmcNew/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+55c7b7a2e5-r0/git/include/security_headers_middleware.hpp:45:9:
error: 'struct crow::Request' has no member named 'addHeader'
|      req.addHeader(“Access-Control-Allow-Methods”, “GET, POST, PUT,
PATCH”);


|
/home/akash/Pictures/openbmcNew/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+55c7b7a2e5-r0/git/include/security_headers_middleware.hpp:45:43:
error: 'Methods' was not declared in this scope
|      req.addHeader(“Access-Control-Allow-Methods”, “GET, POST, PUT,
PATCH”);
|                                            ^~~~~~~
|
/home/akash/Pictures/openbmcNew/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+55c7b7a2e5-r0/git/include/security_headers_middleware.hpp:45:58:
error: 'GET' was not declared in this scope
|      req.addHeader(“Access-Control-Allow-Methods”, “GET, POST, PUT,
PATCH”);



Thanks and Regards,


Akash G J


On Wed, Aug 8, 2018 at 8:43 PM, Tanous, Ed <ed.tanous@intel.com> wrote:

> That looks like you’re trying to build a version of bmcweb from a couple
> months ago (SHA1 f4c4dcf438) which still requires boost-dbus.  Can you
> try building off the latest?
>
>
>
> https://github.com/openbmc/openbmc/blob/master/meta-
> phosphor/common/recipes-phosphor/interfaces/bmcweb.bb
>
>
>
> It should get rid of the problem below.
>
>
>
> -Ed
>
>
>
> *From:* AKASH G J [mailto:akashgj91@gmail.com]
> *Sent:* Tuesday, August 7, 2018 10:25 PM
>
> *To:* Tanous, Ed <ed.tanous@intel.com>
> *Cc:* openbmc@lists.ozlabs.org
> *Subject:* Re: Phosphor Web-ui: Server unreachable
>
>
>
> Hi Ed,
>
>
>
> I made the changes suggested by you. But in building the system, I am
> getting some configuration error. Please find the following log data.
>
>
>
> Log data follows:
> | DEBUG: Executing shell function do_configure
> | CMAKE_MODULE_PATH=/home/akash/Pictures/openbmc/build/tmp/
> work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+gitAUTOINC+
> f4c4dcf438-r0/git/cmake
> | -- The CXX compiler identification is GNU 7.3.0
> | -- The C compiler identification is GNU 7.3.0
> | -- Check for working CXX compiler: /home/akash/Pictures/openbmc/
> build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+
> gitAUTOINC+f4c4dcf438-r0/recipe-sysroot-native/usr/bin/
> arm-openbmc-linux-gnueabi/arm-openbmc-linux-gnueabi-g++
> | -- Check for working CXX compiler: /home/akash/Pictures/openbmc/
> build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+
> gitAUTOINC+f4c4dcf438-r0/recipe-sysroot-native/usr/bin/
> arm-openbmc-linux-gnueabi/arm-openbmc-linux-gnueabi-g++ -- works
> | -- Detecting CXX compiler ABI info
> | -- Detecting CXX compiler ABI info - done
> | -- Detecting CXX compile features
> | -- Detecting CXX compile features - done
> | -- Check for working C compiler: /home/akash/Pictures/openbmc/
> build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+
> gitAUTOINC+f4c4dcf438-r0/recipe-sysroot-native/usr/bin/
> arm-openbmc-linux-gnueabi/arm-openbmc-linux-gnueabi-gcc
> | -- Check for working C compiler: /home/akash/Pictures/openbmc/
> build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+
> gitAUTOINC+f4c4dcf438-r0/recipe-sysroot-native/usr/bin/
> arm-openbmc-linux-gnueabi/arm-openbmc-linux-gnueabi-gcc -- works
> | -- Detecting C compiler ABI info
> | -- Detecting C compiler ABI info - done
> | -- Detecting C compile features
> | -- Detecting C compile features - done
> | -- Boost version: 1.64.0
> | -- Found OpenSSL: /home/akash/Pictures/openbmc/
> build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+
> gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/usr/lib/libcrypto.so (found
> version "1.0.2n")
> | OPENSSL_INCLUDE_DIR /home/akash/Pictures/openbmc/
> build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+
> gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/usr/include
> | CMAKE_BUILD_TYPE=
> | -- Found ZLIB: /home/akash/Pictures/openbmc/
> build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+
> gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/usr/lib/libz.so (found version
> "1.2.11")
> | -- Performing Test PAM_MESSAGE_CONST
> | -- Performing Test PAM_MESSAGE_CONST - Success
> | -- Found PAM: /home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-
> linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/
> recipe-sysroot/lib/libpam.so;/home/akash/Pictures/openbmc/
> build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+
> gitAUTOINC+f4c4dcf438-r0/recipe-sysroot/usr/lib/libdl.so
> | -- Configuring done
> | CMake Error in CMakeLists.txt:
> |
>
> * Imported target "boost-dbus" includes non-existent path | |
> "/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/boost-dbus/1.0+gitAUTOINC+70f79f4d66-r0/recipe-sysroot/usr/include/dbus-1.0"*
> |
> |   in its INTERFACE_INCLUDE_DIRECTORIES.  Possible reasons include:
> |
> |   * The path was deleted, renamed, or moved to another location.
> |
> |   * An install or uninstall procedure did not complete successfully.
> |
> |   * The installation package was faulty and references files it does not
> |   provide.
> |
> |
> |
> | CMake Error in CMakeLists.txt:
> |
>
> * Imported target "boost-dbus" includes non-existent path | |
> "/home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-linux-gnueabi/boost-dbus/1.0+gitAUTOINC+70f79f4d66-r0/recipe-sysroot/usr/include/dbus-1.0"*
> |
> |   in its INTERFACE_INCLUDE_DIRECTORIES.  Possible reasons include:
> |
> |   * The path was deleted, renamed, or moved to another location.
> |
> |   * An install or uninstall procedure did not complete successfully.
> |
> |   * The installation package was faulty and references files it does not
> |   provide.
> |
> |
> |
> | -- Generating done
> | CMake Warning:
> |   Manually-specified variables were not used by the project:
> |
> |     CMAKE_INSTALL_BINDIR
> |     CMAKE_INSTALL_DATAROOTDIR
> |     CMAKE_INSTALL_INCLUDEDIR
> |     CMAKE_INSTALL_LIBDIR
> |     CMAKE_INSTALL_LIBEXECDIR
> |     CMAKE_INSTALL_LOCALSTATEDIR
> |     CMAKE_INSTALL_SBINDIR
> |     CMAKE_INSTALL_SHAREDSTATEDIR
> |     CMAKE_INSTALL_SYSCONFDIR
> |
> |
> | -- Build files have been written to: /home/akash/Pictures/openbmc/
> build/tmp/work/armv6-openbmc-linux-gnueabi/bmcweb/1.0+
> gitAUTOINC+f4c4dcf438-r0/build
> | WARNING: exit code 1 from a shell command.
> | ERROR: Function failed: do_configure (log file is located at
> /home/akash/Pictures/openbmc/build/tmp/work/armv6-openbmc-
> linux-gnueabi/bmcweb/1.0+gitAUTOINC+f4c4dcf438-r0/temp/
> log.do_configure.17054)
>
>
>
>
>
>
>
> Thanks and Regards,
>
>
>
> Akash G J
>
>
>
> On Tue, Aug 7, 2018 at 7:54 PM, Tanous, Ed <ed.tanous@intel.com> wrote:
>
> This a security measure in bmcweb to prevent cross site scripting.  If
> you’re running phosphor-webui from another machine, you’re essentially
> running cross site scripting as a development measure, which is exactly
> what the BMC sees, and the browser squashes the request as a suspected XSS
> attack.
>
>
>
> The easiest way to make this work for testing is to go to this file:
>
> https://github.com/openbmc/bmcweb/blob/master/include/
> security_headers_middleware.hpp
>
>
>
> and comment out lines 42-44, which set headers to prevent the bmc
> squashing the request.
>
>
>
> It’s been a while since I’ve developed like that, but you likely also need
> to add a couple headers as well
>
> req.addHeader(“Access-Control-Allow-Origin”, “*”);
>
> req.addHeader(“Access-Control-Allow-Methods”, “GET, POST, PUT, PATCH”);
>
>
>
> I know you’re not the first person to hit this unexpectedly.  If you get a
> header recipe that allows development, it would be great if you could
> codify it into an option called BMC_INSECURE_ALLOW_XSS, add it to the build
> configuration, and put it up for a gerrit review;  I’m fairly certain it
> would help others.
>
>
>
> -Ed
>
>
>
> *From:* AKASH G J [mailto:akashgj91@gmail.com]
> *Sent:* Tuesday, August 7, 2018 3:13 AM
> *To:* Tanous, Ed <ed.tanous@intel.com>
> *Cc:* openbmc@lists.ozlabs.org
> *Subject:* Re: Phosphor Web-ui: Server unreachable
>
>
>
> Hi Ed,
>
>
>
> Sorry for the late reply. I was on leave for last week.
>
>
>
> I am hosting phosphor-webui on a different machine and trying to connect
> the BMC board using its IP address. I am using bmcweb platform. When I
> tried to login, the following message appeared in browser console.
>
>
>
> Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
> remote resource at https://<BMC-IP>/login. (Reason: CORS request did not
> succeed).
> <unavailable> activity-stream.bundle.js:3170:9
> CSI/tbsd_ cb=gapi.loaded_0:458:127
> CSI/_tbnd cb=gapi.loaded_0:458:127
> CSI/tbsd_ cb=gapi.loaded_0:458:127
> CSI/_tbnd cb=gapi.loaded_0:458:127
>
>
>
>
>
>
>
> Thanks and Regards,
>
>
>
> Akash
>
>
>
> On Mon, Jul 30, 2018 at 11:06 PM, Ed Tanous <ed.tanous@intel.com> wrote:
>
> On 07/30/2018 05:04 AM, AKASH G J wrote:
>
> Hi Team,
>
> I added phosphor-webui into the Linux image and set up client side of the
> web interface. In the client side of web interface I could able to give the
> IP address, username and password. After entering all those details, it is
> showing "server unreachable". But I could able to ping the server board and
> ssh into the system. Please someone help to resolve the problem.
>
>
>
> Thanks and Regards,
>
> Akash G J
>
>
>
> We need some basic information to help you troubleshoot.  You might also
> find faster responses on irc;  Most of the people involved in the web
> infrastructure are online there.
>
> 1. What platform are you using?
> 2. If not one of the upstream platforms, which web server is your platform
> using?  (probably one of phosphor-rest, bmcweb, or phosphor-rest+nginx)
> 3. When you open up the debugger window in your chosen browser (usually
> the F12 key) then go to the network tab and attempt to log in, what do you
> see?  You should see an attempt to get to the /login url, with some kind of
> error code (maybe 401, maybe 500, maybe something else).  We'll need that
> to help troubleshoot.
> 4. Is there anything else strange about your setup that you might think
> would contribute to your issue?
> 5. Are you hosting phosphor-webui from a different machine from the BMC.
> Depending on what server you are using, there are likely security settings
> preventing cross site scripting that are blocking you.
>
>
>
>
>

[-- Attachment #2: Type: text/html, Size: 21656 bytes --]

Re: Phosphor Web-ui: Server unreachable

[Ed Tanous]

> gives error in compilation of bmcweb. The following are some error 
> messages I got.

I had a minor transcription typo in what I said in my email, and it 
looks like chrome must've increased their security threshold since the 
last time I tried this.  I've done this the right way, and added these 
headers (and a couple other things) under the 
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION option flag.  To develop this way.

Check out this code review.
https://gerrit.openbmc-project.xyz/#/c/openbmc/bmcweb/+/11887

and add this to the bottom of bmcweb.bb

EXTRA_OECMAKE += "-DBMCWEB_INSECURE_DISABLE_XSS_PREVENTION=ON"

This can also be done in a bmcweb.bbappend file if you want to check it 
into some kind of development meta layer.

That should build you a copy of bmcweb into your system image with the 
XSS protections disabled, and the correct header responses for 
developing phosphor-webui this way.  I tried locally on my machine, 
using the "npm run-script server" and it seemed to work correctly, 
although I didn't poke too hard at it, so there may still be bugs here 
or there.

If this works for you, it would be great if you could add your comments 
to the code review above.