[BUG] Using Nginx $arg_token to get URL parameter as an "Access Key" #259

Open
1 task done
vbrowser opened this issue Sep 13, 2024 · 2 comments

Comments

@vbrowser

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have set $arg_token in the default.conf file, as I've used this method of access before. I realized soon after that backend calls were being blocked by Nginx due to the $arg_token check. From what I could see, it appeared to be the websocket that was impacted, but there might be more that I am unaware of?

server {
  #auth_basic               "Login";
  #auth_basic_user_file     /etc/nginx/.htpasswd;
  listen 3000 default_server;
  listen [::]:3000 default_server;

  set $valid_token "test-1234";

  location /public/ {
    alias /kclient/public/; 
    try_files $uri $uri/ =404;
  }

  location /manifest.json {
    alias /kclient/public/manifest.json;
    try_files $uri =404;
  }

  location /favicon.ico {
    alias /kclient/public/favicon.ico;
    try_files $uri =404;
  }

  location /audio/socket.io/socket.io.js {
    alias /kclient/node_modules/socket.io/client-dist/socket.io.js;
    try_files $uri =404;
  }

  location /audio/socket.io/ {
    alias /kclient/node_modules/socket.io/dist/;
    try_files $uri =404;
    index socket.js;
  }
  
  location / {
    # Extract the token from the query parameter
    set $token $arg_token;

    # Validate the token
    if ($token != $valid_token) {
      return 403;
    }
    proxy_http_version      1.1;
    proxy_set_header        Host $host;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "upgrade";
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_set_header        Cookie "";
    proxy_read_timeout      3600s;
    proxy_send_timeout      3600s;
    add_header              'Access-Control-Allow-Origin' '*' always;
    add_header              'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header              'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
    add_header              'Access-Control-Allow-Credentials' 'true';
    add_header              'Cross-Origin-Embedder-Policy' 'require-corp';
    add_header              'Cross-Origin-Opener-Policy' 'same-origin';
    add_header              'Cross-Origin-Resource-Policy' 'same-site';
    proxy_pass               http://127.0.0.1:6900;
    proxy_buffering          off;
  }

  location SUBFOLDERwebsockify {
    proxy_http_version      1.1;
    proxy_set_header        Host $host;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "upgrade";
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_set_header        Cookie "";
    proxy_read_timeout      3600s;
    proxy_send_timeout      3600s;
    add_header              'Access-Control-Allow-Origin' '*' always;
    add_header              'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header              'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
    add_header              'Access-Control-Allow-Credentials' 'true';
    add_header              'Cross-Origin-Embedder-Policy' 'require-corp';
    add_header              'Cross-Origin-Opener-Policy' 'same-origin';
    add_header              'Cross-Origin-Resource-Policy' 'same-site';
    proxy_pass               http://127.0.0.1:6901;
    proxy_buffering          off;
  }
}

server {
  #auth_basic               "Login";
  #auth_basic_user_file     /etc/nginx/.htpasswd;
  listen 3001 ssl;
  listen [::]:3001 ssl;
  ssl_certificate           /config/ssl/cert.pem;
  ssl_certificate_key       /config/ssl/cert.key;

  set $valid_token "test-1234";

  location /public/ {
    alias /kclient/public/; 
    try_files $uri $uri/ =404;
  }

  location /manifest.json {
    alias /kclient/public/manifest.json;
    try_files $uri =404;
  }

  location /favicon.ico {
    alias /kclient/public/favicon.ico;
    try_files $uri =404;
  }

  location /audio/socket.io/socket.io.js {
    alias /kclient/node_modules/socket.io/client-dist/socket.io.js;
    try_files $uri =404;
  }

  location /audio/socket.io/ {
    alias /kclient/node_modules/socket.io/dist/;
    try_files $uri /socket.js;
    index socket.js;
  }
  location / {
    # Extract the token from the query parameter
    set $token $arg_token;

    # Validate the token
    if ($token != $valid_token) {
      return 403;
    }
    proxy_http_version      1.1;
    proxy_set_header        Host $host;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "upgrade";
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_set_header        Cookie "";
    proxy_read_timeout      3600s;
    proxy_send_timeout      3600s;
    add_header              'Access-Control-Allow-Origin' '*' always;
    add_header              'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header              'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
    add_header              'Access-Control-Allow-Credentials' 'true';
    add_header              'Cross-Origin-Embedder-Policy' 'require-corp';
    add_header              'Cross-Origin-Opener-Policy' 'same-origin';
    add_header              'Cross-Origin-Resource-Policy' 'same-site';
    proxy_pass               http://127.0.0.1:6900;
    proxy_buffering          off;
  }

  location SUBFOLDERwebsockify {
    proxy_http_version      1.1;
    proxy_set_header        Host $host;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "upgrade";
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_set_header        Cookie "";
    proxy_read_timeout      3600s;
    proxy_send_timeout      3600s;
    add_header              'Access-Control-Allow-Origin' '*' always;
    add_header              'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header              'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
    add_header              'Access-Control-Allow-Credentials' 'true';
    add_header              'Cross-Origin-Embedder-Policy' 'require-corp';
    add_header              'Cross-Origin-Opener-Policy' 'same-origin';
    add_header              'Cross-Origin-Resource-Policy' 'same-site';
    proxy_pass               http://127.0.0.1:6901;
    proxy_buffering          off;
  }
}

I want to use webtop through an HTML iframe but limit access via a pre-populated URL parameter. This allows me to create a programmatic approach. However, I can't figure out how to get around the $arg_token check creating issues with backend communications. Below are some of the access errors I am receiving:

Failed to load resource: the server responded with a status of 403 ()Understand this error
chrome-error://chromewebdata/:1
Failed to load resource: the server responded with a status of 403 ()Understand this error
manager.js:108

It also looks like the following resources fail to load, but I can't find them on the container:

https://localhost/vnc/index.html?autoconnect=1&resize=remote&clipboard_up=true&clipboard_down=true&clipboard_seamless=true&show_control_bar=true

https://localhost/files

Expected Behavior

I expect to give the URL https://localhost/?token=test-1234 and for the requesting user to be given access to the application in its entirety.

Steps To Reproduce

  1. In my dockerfile I have deleted the old default.conf and replaced it with a new one.
  2. Copy the above default.conf into a new file.
  3. RUN rm -f /defaults/default.conf
  4. COPY default.conf /defaults/default.conf

Environment

- OS: Windows 11
- How docker service was installed: Docker Desktop

CPU architecture

x86-64

Docker creation

docker run -d --name=webtop -e PUID=1000 -e PGID=1000 -e TZ=Etc/UTC -p 3000:3000 -p 443:443 -e CUSTOM_HTTPS_PORT=443 --restart unless-stopped webtop

Container logs

Logs are normal compared to a vanilla webtop launch, no errors are present.
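The 403s in the report follow directly from where the check sits: `if ($arg_token != $valid_token)` runs on every request matched by `location /`, and the page's own subresources (`/vnc/index.html?autoconnect=1...`, `manager.js`, the `/files` call) are fetched by the browser without `?token=`, so each of them fails the comparison. The websocket location, on the other hand, carries no check at all. One way to keep a URL-parameter bootstrap while letting the rest of the application load is to accept the token from the URL only on the first navigation, hand the browser an HttpOnly cookie, and then accept either the URL token or the cookie on every later request, including the WebSocket handshake. The configuration below is an added example written for this issue; it is not the author's config and not webtop's shipped default.conf. It assumes the site config is included inside nginx's `http {}` block (so `map` is permitted there), and the cookie name `webtop_token`, the variable names, and the token value are placeholders. The static `/public/`, `/manifest.json`, `/favicon.ico` and socket.io locations from the issue are unchanged and omitted for brevity.

```nginx
# 1 when the first navigation carries ?token=<secret>.
# A "~" regex is used because plain map string keys are compared case-insensitively.
map $arg_token $url_token_ok {
    default          0;
    "~^test-1234$"   1;
}

# 1 when a later request (scripts, /vnc/index.html, /files, the websocket
# handshake) carries the session cookie set below.
map $cookie_webtop_token $cookie_token_ok {
    default          0;
    "~^test-1234$"   1;
}

# Cookie value to emit: only on the request that presented a valid URL token.
# nginx drops an add_header whose value is empty, so no if-block is needed
# (add_header inside "if" would also discard the location's other add_header lines).
# "Secure" requires the TLS listener; drop it for the plain port 3000 server.
map $url_token_ok $set_session_cookie {
    default "";
    1       "webtop_token=test-1234; Path=/; HttpOnly; Secure; SameSite=Strict";
}

server {
  listen 3001 ssl;
  listen [::]:3001 ssl;
  ssl_certificate           /config/ssl/cert.pem;
  ssl_certificate_key       /config/ssl/cert.key;

  # ... static locations exactly as in the issue's config ...

  location / {
    # Deny only when neither the URL token nor the cookie is valid.
    set $auth "$url_token_ok$cookie_token_ok";
    if ($auth = "00") {
      return 403;
    }
    add_header Set-Cookie $set_session_cookie always;

    proxy_http_version      1.1;
    proxy_set_header        Host $host;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "upgrade";
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    # nginx has already read $cookie_webtop_token above; the cookie is still
    # stripped before the request reaches the backend, as in the original config.
    proxy_set_header        Cookie "";
    proxy_read_timeout      3600s;
    proxy_send_timeout      3600s;
    proxy_pass              http://127.0.0.1:6900;
    proxy_buffering         off;
  }

  location SUBFOLDERwebsockify {
    # The issue's config left this endpoint unguarded. The browser sends the
    # cookie on the WebSocket handshake, so the same check applies here.
    set $auth "$url_token_ok$cookie_token_ok";
    if ($auth = "00") {
      return 403;
    }
    proxy_http_version      1.1;
    proxy_set_header        Host $host;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "upgrade";
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_set_header        Cookie "";
    proxy_read_timeout      3600s;
    proxy_send_timeout      3600s;
    proxy_pass              http://127.0.0.1:6901;
    proxy_buffering         off;
  }
}
```

With this in place, `https://localhost/?token=test-1234` sets the cookie on the first response, and every subsequent fetch from the page passes the `$cookie_token_ok` branch without needing the parameter. Two things worth keeping in mind: the token still travels in the URL on the first request (so it lands in browser history and access logs), and a single static shared secret in the config is only as strong as whoever can read that file or the iframe's `src`, so rotate it and keep it out of logs where possible.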

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@LinuxServer-CI
Contributor

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.
