
Error on open/click tracker with another host #2415

Closed
vlacour97 opened this issue Apr 18, 2023 · 12 comments · Fixed by #2766
Comments

@vlacour97

Describe the bug

My Postal HTTP server is served by postal.xxxxxxx.com and I configured click.xxxxxxx.com and click.yyyyyyy.com as tracker domains. When I access click.xxxxxxx.com or click.yyyyyyy.com I get an error on the Ruby on Rails server like [35] [2023-04-18T20:00:37.992] ERROR -- : [ActionDispatch::HostAuthorization::DefaultResponseApp] Blocked host: click.xxxxxx.com and no response in my browser.

To Reproduce

  1. Set http.host in postal.yml
  2. Initialize the server
  3. Add a tracker domain with a different host than http.host in postal.yml
  4. Open this host in the browser

Expected behaviour

This error is due to config.hosts << Postal.config.web.host in config/application.rb.
When application.rb configures one host, other hosts are rejected.
More information: https://guides.rubyonrails.org/configuring.html

How to work around this problem?

Currently I have set my http.host to .xxxxxxxx.com, and click.xxxxxxxx.com is accepted but click.yyyyyyy.com is not.

Proposal to fix it

  • Don't use config.hosts, or use the /.*/ regex as the value (I'm not sure this is a good solution)
  • Authorise multiple hosts in http.host(s) in postal.yml
@vlacour97 vlacour97 added the bug label Apr 18, 2023
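Worked example, added here and not part of Postal or Rails: a small Ruby model of the check that config.hosts performs on the Host header (exact match, a leading-dot entry matching the domain and its subdomains, or a Regexp, with the port ignored), plus an allowlist built from http.host together with a hypothetical tracking_hosts list, which is what the "authorise multiple hosts" proposal amounts to. The matching rules approximate ActionDispatch::HostAuthorization and are not its code; the placeholder domain names are the issue's; the tracking_hosts key and the helper functions are assumptions.

```ruby
# Added example (not Postal's or Rails' own code). Models how a Rails-style
# host allowlist decides whether a request's Host header is permitted, and
# shows a multi-host allowlist for tracking domains. Matching rules
# approximate ActionDispatch::HostAuthorization: exact string match
# (case-insensitive), a leading "." allows the domain and its subdomains,
# a Regexp is matched directly, and any :port suffix is ignored.

def host_pattern(entry)
  case entry
  when Regexp
    entry
  when String
    if entry.start_with?(".")
      # ".example.com" allows example.com and every subdomain of it
      /\A(.+\.)?#{Regexp.escape(entry[1..-1])}\z/i
    else
      /\A#{Regexp.escape(entry)}\z/i
    end
  else
    raise ArgumentError, "unsupported host entry: #{entry.inspect}"
  end
end

# True when the Host header matches at least one allowlist entry.
def host_allowed?(host_header, allowed_hosts)
  return false if host_header.nil? || host_header.empty?
  host = host_header.sub(/:\d+\z/, "") # drop the port before matching
  allowed_hosts.any? { |entry| host_pattern(entry).match?(host) }
end

# Builds the allowlist from a config hash shaped like the proposal:
# the web UI host plus an (assumed) list of tracker domains.
def allowed_hosts_from_config(config)
  hosts = [config.fetch("host")]
  hosts.concat(Array(config["tracking_hosts"])) # "tracking_hosts" is a hypothetical key
  hosts
end

def check(config, host_header)
  host_allowed?(host_header, allowed_hosts_from_config(config))
end

# Constructed configurations using the issue's placeholder domains.
SINGLE_HOST_CONFIG = { "host" => "postal.xxxxxxx.com" }
MULTI_HOST_CONFIG = {
  "host" => "postal.xxxxxxx.com",
  "tracking_hosts" => ["click.xxxxxxx.com", "click.yyyyyyy.com"],
}

if __FILE__ == $PROGRAM_NAME
  request_host = "click.xxxxxxx.com" # Host header of the proxied request in the issue
  puts "single host config: #{check(SINGLE_HOST_CONFIG, request_host)}"          # false (Blocked host)
  puts "multi host config:  #{check(MULTI_HOST_CONFIG, request_host)}"           # true
  puts "leading-dot entry:  #{host_allowed?('click.yyyyyyy.com', ['.xxxxxxx.com'])}" # false
  puts "catch-all regex:    #{host_allowed?('anything.example', [/.*/])}"        # true: no protection left
end
```

Running it reproduces the observations in the issue: with only http.host allowed, click.xxxxxxx.com is blocked; with .xxxxxxx.com, click.xxxxxxx.com passes but click.yyyyyyy.com does not; an explicit per-domain allowlist passes both. The /.*/ entry passes any Host value at all, which is why the first proposal gives up the protection config.hosts exists to provide (rejecting requests whose Host header does not belong to the deployment before they reach the application), while listing each tracking domain keeps it.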
@willpower232
Collaborator

Have you definitely configured the X-Postal-Track-Host: 1 header for the proxied request?

I'm not fully sure how it works but I think if the header is set correctly then the middleware should trigger before the config.hosts line

config.middleware.use Postal::TrackingMiddleware
config.logger = Postal.logger_for(:rails)
config.hosts << Postal.config.web.host

@vlacour97
Author

vlacour97 commented Apr 20, 2023

The header is correctly configured and tested with this docker image brndnmtthws/nginx-echo-headers behind my reverse proxy

GET / HTTP/1.1
Host: click.xxxxxxx.com
sec-ch-ua: "Chromium";v="112", "Google Chrome";v="112", "Not:A-Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,pt;q=0.6
Cookie: ajs_anonymous_id=d33fdf6c-df50-4f77-a723-68519aa850b6
X-Postal-Track-Host: 1
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-For: XXX.XXX.XXX.XXX

The problem comes from Postal.

When I configure .xxxxxxx.com in the http.host config it works for click.xxxxxxx.com.

@willpower232
Collaborator

Thanks for confirming. It looks like @adamcooke added the hosts line as part of the recent upgrade to Ruby and Rails, so this is a very recent breakage.

957b784#diff-c1fd91cb1911a0512578b99f657554526f3e1421decdb9e908712beab57e10f9

@PeterXQChen

Is there a temporary fix in the meantime until a proper fix is released?

@rbustos

rbustos commented Jun 22, 2023

This is absolutely a critical one. It appears on 2.1.4.

I can confirm what @vlacour97 found.

@griffinhosting

Please release a fix for this. Open/click webhooks are critical for many users.

@rbustos

rbustos commented Jun 28, 2023

@griffinhosting: Roll back to 2.1.2 meanwhile.

@dronerdk

Same issue here. Please fix.

@marvinhinz

I have the same issue. The proposed fix looks simple; is a release planned in the near future?

@HugoDL

HugoDL commented Sep 4, 2023

I've been trying to run the web server on AWS ECS, but my Target Group is receiving this 403 and I'm not able to allow it in the Production.rb file.

Running version 2.1.4

@Pacerino

Pacerino commented Nov 2, 2023

Are there any updates on this issue? Got Postal up and running but I'm experiencing the same issue...

@lfdominguez

Hi, this bug is already fixed in a long-waiting, already-tested PR, but I don't know why it is not being taken into account. (#2568)


10 participants