HFS will not load under reverse proxy

Question

HFS will not load under reverse proxy

Opened this issue 5 months ago · 12 comments

BEFORE

Are you using a reverse-proxy, like nginx?
- Check if your problem is caused by your proxy, try without it.

To Reproduce
Steps to reproduce the behavior:

Load HFS
Load Nginx
Load page under reverse proxy

Describe the bug
When loading the hfs page under reverse proxy it gets stuck on "Wait for loading or use basic interface"
Expected behavior
The page loads correctly under the reverse proxy.

Screenshots

Environment (please complete the following information):

OS: Windows
HFS Version 0.53.0
Browser Firefox

Additional context
Nginx runs as https.

Answer 1 · 2024-09-18T19:32:44.000Z

I can indeed reproduce the same issue with trying to get this to work with nginx. I have followed the documentation and configuration examples as per https://github.com/rejetto/hfs/wiki/Reverse-proxy and issue remains the same.

The nginx error log reports tons of upstream timed out and barely any resource loads. No errors seen in hfs.

Answer 2 · 2024-09-18T19:37:24.000Z

I was just able to figure out why... Just few minutes as I posted above. In the local console I was able to see this:

20:34:56 plugin antibrute: delaying x.x.x.x for 5
20:35:01 plugin antibrute: delaying x.x.x.x for 10
20:35:01 plugin antibrute: delaying x.x.x.x for 25
20:35:45 plugin antibrute: delaying x.x.x.x for 2
20:35:46 plugin antibrute: delaying x.x.x.x for 25

This is my public IP and I was already delayed/blocked after accessing the site the first time. After disabling the plugin HFS does work just fine behind a reverse proxy.

Answer 3 · 2024-09-18T19:51:10.000Z

20:35:46 plugin antibrute: delaying x.x.x.x for 25
This is my public IP and I was already delayed/blocked after accessing the site the first time. After disabling the plugin HFS does work just fine behind a reverse proxy.

antibrute plugin only acts when you make repeated login attempts, otherwise does nothing

Answer 4 · 2024-09-18T19:53:04.000Z

antibrute plugin only acts when you make repeated login attempts, otherwise does nothing

I'd have expected this as well. But somehow it still seem to break reverse proxy ability without even submitting any login form (I don't have any admin accounts created and solely use localhost)

Answer 5 · 2024-09-18T19:53:55.000Z

When loading the hfs page under reverse proxy it gets stuck on "Wait for loading or use basic interface"

Sorry for the late reply, I've lost track of this.
The problem can happen if you didn't configure the proxy correctly.
Did you follow this guide? https://github.com/rejetto/hfs/wiki/Reverse-proxy

Answer 6 · 2024-09-18T20:04:35.000Z

antibrute plugin only acts when you make repeated login attempts, otherwise does nothing

I'd have expected this as well. But somehow it still seem to break reverse proxy ability without even submitting any login form (I don't have any admin accounts created and solely use localhost)

hmmm,
this can be triggered also by credentials passed with http-basic-authentication (like passwords inside URLs)

Answer 7 · 2024-09-18T20:06:30.000Z

That's a good point. I have indeed configured HTTP Basic Auth on reverse proxy-level, before any traffic goes through HFS. That would make sense.

And due to some caching or whatsoever, it might try to access CSS, JS, etc resources and exceed threshold, ending up in blocking the IP.

Answer 8 · 2024-09-18T20:07:08.000Z

consider that a lot of people is using hfs behind nginx without this problem, and antibrute is enabled by default.
if it doesn't work for you, there must be something peculiar

Answer 9 · 2024-09-18T20:08:50.000Z

That's a good point. I have indeed configured HTTP Basic Auth on reverse proxy-level, before any traffic goes through HFS. That would make sense.

ok, so maybe you should add a line in nginx to override the content of "authentication". Make it empty, or delete it, if you don't need this feature in HFS.

HFS supports this kind of authentication.

Answer 10 · 2024-09-18T20:19:18.000Z

HFS supports this kind of authentication.

Is there any way disabling HTTP BASIC Auth? I really would like to have nginx do the authentication. Also because I'm using HFS unauthenticated in my internal network.

Answer 11 · 2024-09-18T20:21:36.000Z

there's no such option at the moment, but you can solve the way i wrote.
you don't want to send this authentication to HFS, do you?
try adding this in the nginx configuration for hfs
proxy_set_header authentication "";
so that nginx gets it, but doesn't forward it to hfs.

Answer 12 · 2024-09-18T20:25:39.000Z

Aaah, sorry. Misunderstood your idea. Sorry! Brilliant one!

I just tested it, and this one does the trick with antibrute enabled:

proxy_set_header Authorization "";