Rocket.chat.reactnative: Rocket.Chat default user-agent "okhttp"

Created on 15 Oct 2019  路  14Comments  路  Source: RocketChat/Rocket.Chat.ReactNative

  • Your Rocket.Chat Experimental app version: 1.20.1
  • Your Rocket.Chat server version: 2.1.0
  • Device (or Simulator) you're running with: Lenovo K6 (K33a48) - Android 7.0

We have:

  • nginx-1.16.1
  • nginx with ssl enabled
  • nginx listen on a port different to 443
  • nginx that serves rocket.chat on a path different than "/"

So compared to "open.rocket.chat" it would be:
https://open.rocket.chat:20000/something

How looks our nginx config relevant part:

        location /something {
                proxy_pass http://127.0.0.1:3000;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forward-Proto http;
                proxy_set_header X-Nginx-Proxy true;
                proxy_redirect off;
        }
  • The install has been dome manually ( no docker/snap/etc )
  • Server OS: Gentoo Linux x86_64

NOTE:
This issue happened with the rocket.chat-4.0.0 app update and with the rocket.chat-experimental-1.20.1.
It works if we restore rocket.chat-3.5.1

photo_2019-10-15_14-32-26

馃悰 bug

All 14 comments

This is what we are able to see from the nginx log:

"GET /something/api/info HTTP/2.0" 403 251 "-" "okhttp/3.12.1" "-"

However a curl from my shell on that path gives me 200:

$ curl -I -X GET https://myhost:myport/something/api/info/
HTTP/1.1 200 OK

I'm sorry for the spam but it was a server-side issue. There was a block for the user agent "okhttp", this is the reason because it failed with the app and went fine with curl.

Since "okhttp" is a common user agent, sometimes blocked, can the app make the request with a more custom user-agent that refer to rocket.chat?

Hi @asarubbo , can you give me your username on https://open.rocket.chat?

Hi @asarubbo , can you give me your username on https://open.rocket.chat?

Hi, I'm @agostino on open.rocket.chat

A summary after a discussion on open.rocket.chat with @djorkaeffalexandre.

Atm the ReactNative app uses "okhttp" as user-agent:

"GET /something/api/info HTTP/2.0" 403 251 "-" "okhttp/3.12.1" "-"

This user-agent refers to the library and sometimes can result as a bad user-agent because it is used to make scans over the web.
I'd suggest to use a custom user-agent that also can help to identify the client on the server logs.
Atm, the Kotlin version has:

RC Mobile; Android 7.0; v3.5.1 (2075)

where "3.5.1" is the version of the app I'm running.

Thanks.

Hi,
I have noticed exactly the same behavior

I have a rocket chat server v 2.1.0 (on docker)
behing an nginx reverse proxy (normally it's well configured as per the documentation)
From Rocket Chat 4.0.0 (on a Xiaomi phone android 8.1.0) : KO Same error as mentionned above : "Oops! The URL you entered is invalid. Check it and try again, please!"
From the web interface, access and communication are OK
From another phone that has "RC Mobile; Android 7.0; v3.5.0 (2074)" --> application working fine access and communication are OK
From the Rocket Chat Experimental 1.20.1 --> KO Same error as mentionned above

in the nginx logs, i searched for okhttp and i only found these two lines, both containing some GET /avatar/username and a 200 response
(no signs of 403 responses)

I checked websocket, i guess it's fine, here are a few screenshots if it helps
image
image
image

reverse proxy config tested :

############ START FILE

HTTPS Server

server {
    listen 443 ssl http2;
server_name myservername1;

error_log /var/log/nginx/rocketchat_error.log;

    ssl_certificate /etc/nginx/cert/myservername1.crt;
    ssl_certificate_key /etc/nginx/cert/myservername1.key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 180m;

    location / {
    proxy_pass http://myservername1:3000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}
############ END OF FILE

Hi @gdantkat , you know if you block okhttp user-agent?

From the logs, there has been some 200 response to a GET request so i am guessing not
I haven't done somethingn to explicitely block it, but dunno if there's something implicitely blocking that user-agent.

Btw i am on the rc chat my username is @ant_r

Hi @gdantkat , you know if you block okhttp user-agent?

Since the response is 200, it shouldn't be blocked.

The bug was closed but the relative pr was not merged...

@asarubbo Hi, now we changed our User-Agent! You can block okhttp on your proxy! :)

Would you mind to make a minor release to have a way to use the fix? Ty

@asarubbo it was launched on Rocket.Chat 4.0.2 and we'll make an Experimental Release soon, I'll alert you here! Thx.

Ok, it works..I just was focused only on Experimental :D

Was this page helpful?
0 / 5 - 0 ratings

Related issues

diegolmello picture diegolmello  路  4Comments

MatthiasHertel picture MatthiasHertel  路  4Comments

Prateek93a picture Prateek93a  路  6Comments

venkatasubramanis picture venkatasubramanis  路  5Comments

cygnusm picture cygnusm  路  4Comments