[BUG] Using Nginx $arg_token to get URL parameter as an "Access Key"
vbrowser opened this issue · 3 comments
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
I have set $arg_token in the default.conf file as I've used this method of access before. I realized soon after that backend calls were being blocked by Nginx due to the $arg_token. It appeared to be the websocket that was impacted, from my visibility, but there might be more that I am unaware of?
server {
    #auth_basic "Login";
    #auth_basic_user_file /etc/nginx/.htpasswd;
    listen 3000 default_server;
    listen [::]:3000 default_server;
    set $valid_token "test-1234";
    location /public/ {
        alias /kclient/public/;
        try_files $uri $uri/ =404;
    }
    location /manifest.json {
        alias /kclient/public/manifest.json;
        try_files $uri =404;
    }
    location /favicon.ico {
        alias /kclient/public/favicon.ico;
        try_files $uri =404;
    }
    location /audio/socket.io/socket.io.js {
        alias /kclient/node_modules/socket.io/client-dist/socket.io.js;
        try_files $uri =404;
    }
    location /audio/socket.io/ {
        alias /kclient/node_modules/socket.io/dist/;
        try_files $uri =404;
        index socket.js;
    }
    location / {
        # Extract the token from the query parameter
        set $token $arg_token;
        # Validate the token
        if ($token != $valid_token) {
            return 403;
        }
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Cookie "";
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
        add_header 'Cross-Origin-Opener-Policy' 'same-origin';
        add_header 'Cross-Origin-Resource-Policy' 'same-site';
        proxy_pass http://127.0.0.1:6900;
        proxy_buffering off;
    }
    location SUBFOLDERwebsockify {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Cookie "";
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
        add_header 'Cross-Origin-Opener-Policy' 'same-origin';
        add_header 'Cross-Origin-Resource-Policy' 'same-site';
        proxy_pass http://127.0.0.1:6901;
        proxy_buffering off;
    }
}
server {
    #auth_basic "Login";
    #auth_basic_user_file /etc/nginx/.htpasswd;
    listen 3001 ssl;
    listen [::]:3001 ssl;
    ssl_certificate /config/ssl/cert.pem;
    ssl_certificate_key /config/ssl/cert.key;
    set $valid_token "test-1234";
    location /public/ {
        alias /kclient/public/;
        try_files $uri $uri/ =404;
    }
    location /manifest.json {
        alias /kclient/public/manifest.json;
        try_files $uri =404;
    }
    location /favicon.ico {
        alias /kclient/public/favicon.ico;
        try_files $uri =404;
    }
    location /audio/socket.io/socket.io.js {
        alias /kclient/node_modules/socket.io/client-dist/socket.io.js;
        try_files $uri =404;
    }
    location /audio/socket.io/ {
        alias /kclient/node_modules/socket.io/dist/;
        try_files $uri /socket.js;
        index socket.js;
    }
    location / {
        # Extract the token from the query parameter
        set $token $arg_token;
        # Validate the token
        if ($token != $valid_token) {
            return 403;
        }
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Cookie "";
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
        add_header 'Cross-Origin-Opener-Policy' 'same-origin';
        add_header 'Cross-Origin-Resource-Policy' 'same-site';
        proxy_pass http://127.0.0.1:6900;
        proxy_buffering off;
    }
    location SUBFOLDERwebsockify {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Cookie "";
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
        add_header 'Cross-Origin-Opener-Policy' 'same-origin';
        add_header 'Cross-Origin-Resource-Policy' 'same-site';
        proxy_pass http://127.0.0.1:6901;
        proxy_buffering off;
    }
}
I want to use webtop through an HTML iframe but limit access via a pre-populated URL parameter. This allows me to create a programmatic approach. However, I can't figure out how to get around the $arg_token creating issues with backend communications. Below are some of the access errors I am receiving:
Failed to load resource: the server responded with a status of 403 ()    chrome-error://chromewebdata/:1
Failed to load resource: the server responded with a status of 403 ()    manager.js:108
It also looks like the following resources fail to load, but I can't find them on the container:
https://localhost/vnc/index.html?autoconnect=1&resize=remote&clipboard_up=true&clipboard_down=true&clipboard_seamless=true&show_control_bar=true
https://localhost/files
Expected Behavior
I expect to give the URL https://localhost/?token=test-1234 and for the requesting user to be given access to the application in its entirety.
Steps To Reproduce
- In my Dockerfile I have deleted the old default.conf and replaced it with a new one.
- Copy the above default.conf into a new file.
- RUN rm -f /defaults/default.conf
- COPY default.conf /defaults/default.conf
Environment
- OS: Windows 11
- How docker service was installed: Docker Desktop
CPU architecture
x86-64
Docker creation
docker run -d --name=webtop -e PUID=1000 -e PGID=1000 -e TZ=Etc/UTC -p 3000:3000 -p 443:443 -e CUSTOM_HTTPS_PORT=443 --restart unless-stopped webtop
Container logs
Logs are normal compared to a vanilla webtop launch, no errors are present.
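The follow-up 403s in the report come from requests that never carry the query string: the scripts, the websockify upgrade and paths such as /files are fetched by the page after the initial navigation, without ?token=, so the `if ($token != $valid_token)` gate in `location /` rejects them. One way to keep the pre-populated URL as the entry point while letting those follow-up requests through is to exchange the token for a cookie on the first request and then accept either source. The config below is an added example, not the container's default.conf and not code from the issue author; it keeps the issue's token value test-1234 and port layout, uses a cookie name (webtop_token) that is my assumption, elides the static and header directives that stay as posted, and relies on `map` blocks being placed at http level (outside `server`), which holds when default.conf is included from the http block.

```nginx
# Added example: query-string token exchanged for a cookie, so that requests
# issued after the first navigation (scripts, websockify upgrade, /files) pass.
# test-1234 is the value from the issue; webtop_token is an assumed cookie name.

# 1 if ?token= carries the secret, 0 otherwise.
map $arg_token $query_token_ok {
    default     0;
    "test-1234" 1;
}

# 1 if the webtop_token cookie carries the secret, 0 otherwise.
map $cookie_webtop_token $cookie_token_ok {
    default     0;
    "test-1234" 1;
}

# Accept the request if either source matched (exact match, no regex).
map "$query_token_ok$cookie_token_ok" $token_ok {
    default 1;
    "00"    0;
}

# Cookie is issued only on requests that authenticated via the query string.
# add_header sends nothing when the value is empty, so other responses are untouched.
# SameSite=None; Secure is required for a cross-site iframe and needs the TLS
# server block; for same-site embedding SameSite=Lax is the tighter choice.
map $query_token_ok $token_cookie {
    default "";
    1       "webtop_token=test-1234; Path=/; HttpOnly; Secure; SameSite=None";
}

server {
    listen 3001 ssl;
    listen [::]:3001 ssl;
    ssl_certificate     /config/ssl/cert.pem;
    ssl_certificate_key /config/ssl/cert.key;

    # /public/, /manifest.json, /favicon.ico and /audio/socket.io/ locations
    # stay exactly as in the issue's default.conf.

    location / {
        # return inside if is rewrite-phase only, so it is safe here.
        if ($token_ok != 1) {
            return 403;
        }
        add_header Set-Cookie $token_cookie;

        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Proto $scheme;
        # Stripping Cookie upstream (as the issue already does) keeps the
        # access-token cookie from ever reaching the desktop backend.
        proxy_set_header Cookie "";
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        # CORS / COEP / COOP / CORP add_header lines from the issue go here.
        proxy_pass http://127.0.0.1:6900;
        proxy_buffering off;
    }

    # The WebSocket handshake is a separate request with no ?token=, so it
    # needs the same gate; by this point only the cookie can satisfy it.
    location SUBFOLDERwebsockify {
        if ($token_ok != 1) {
            return 403;
        }
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Cookie "";
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_pass http://127.0.0.1:6901;
        proxy_buffering off;
    }
}
```

Two caveats a practitioner should keep in mind with this pattern: the token still appears in the first request's URL, so it lands in browser history, Referer headers and the access log unless `log_format` is adjusted, and a static secret in the config is a shared credential with no expiry, so rotate it by reloading nginx and keep the map values out of the image (for example via an `include` of a file mounted at runtime).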
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.
This issue is locked due to inactivity