Using a Web Application on a fortigate via jump issues a CORS error and does not work

[Atroskelis]

Expected behavior:

Web App on fortigate mgmt should open mgmt

Current behavior:

Errors in console :

Access to manifest at 'https://:6060/web/launch/.?path=%2Ffavicon%2Fsite.webmanifest' (redirected from 'https://.:6060/favicon/site.webmanifest')

from origin 'https://.:6060' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

It seems that it tries from firewall.teleport.example.com to access something teleport.example.com

Bug details:

• Teleport version - 15.4.9
• Recreation steps
• Debug logs

I've tried using many variants of rewrite but nothing works

    headers:
    - "Origin: https://<frw>.<hq-teleport>" # Teleport application subdomain prepended with "https://"
    - "Host: <frw>.<hq-teleport>" # Teleport application subdomain itself
    redirect:
    - "<frw>.<hq-teleport>:6060"

Any feedback is appreciated.

[webvictim]

Your Origin and Host headers should reference the Teleport version of the URL (https://firewall.teleport.example.com and firewall.teleport.example.com respectively) while the redirect line should reference the underlying app URL, e.g. firewall.internal or similar.

You also don't need a port on the redirect.

[Atroskelis]

Hello,

It seems no matter what i put in the headers, it doesnt seem to make a difference.

I've also tried this, and removed the redirect.

    - name: "client-frw"
      uri: "https://172.16.31.1/"
      public_addr: "client-frw.teleport.hq.ro"
      insecure_skip_verify: true
      rewrite:
        headers:
        - "Origin: https://client-frw.teleport.hq.ro" # Teleport application subdomain prepended with "https://"
        - "Host: client-frw.teleport.hq.ro" # Teleport application subdomain itself

The CORS error is still there

[Atroskelis]

Maybe it is relevant, as i have little knowledge about this, but we also had difficulty using a proxypass for fortigates as the return content was always with the IP of the fortigate and not with the IP of the host doing the proxypass

[webvictim]

It's almost definitely related. Unfortunately Teleport doesn't implement body rewrites on content that passes through it, and some systems are just built in a way that makes them quite incompatible with reverse proxying. It seems like Fortigate's web UI is one of these systems.