Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
I have set $arg_token in the default.conf file, as I've used this method of access before. Soon after, I realized that backend calls were being blocked by Nginx because of the $arg_token check. From what I can see, the websocket is what's affected, but there might be more that I am unaware of.
# Plain-HTTP listener on port 3000 (no `ssl` on the listen lines). The token
# check in `location /` reads the token from the query string, so on this
# listener the token is sent unencrypted.
server {
# Server-wide HTTP basic auth is commented out; the only access check left in
# this block is the `if` inside `location /`.
#auth_basic "Login";
#auth_basic_user_file /etc/nginx/.htpasswd;
listen 3000 default_server;
listen [::]:3000 default_server;
# Expected token: a static shared secret hard-coded in the config, so it is
# readable by anyone who can read this file.
set $valid_token "test-1234";
# The static locations below contain no token check: they are served to any
# client, with or without `?token=`.
location /public/ {
alias /kclient/public/;
try_files $uri $uri/ =404;
}
location /manifest.json {
alias /kclient/public/manifest.json;
try_files $uri =404;
}
location /favicon.ico {
alias /kclient/public/favicon.ico;
try_files $uri =404;
}
location /audio/socket.io/socket.io.js {
alias /kclient/node_modules/socket.io/client-dist/socket.io.js;
try_files $uri =404;
}
location /audio/socket.io/ {
alias /kclient/node_modules/socket.io/dist/;
# NOTE(review): the TLS server block uses `try_files $uri /socket.js;` here
# instead of `=404` — confirm which fallback is intended.
try_files $uri =404;
index socket.js;
}
location / {
# Extract the token from the query parameter
# ($arg_token is nginx's built-in variable for the `token` query-string argument).
set $token $arg_token;
# Validate the token. The comparison runs for every request that falls through
# to this location, not only the first page load, so any follow-up request
# without `?token=` is answered 403; the /vnc/index.html?autoconnect=1&... and
# /files URLs reported as failing carry no `token` argument.
# NOTE(review): a secret in the query string is part of the request line and
# of the URL, so it typically ends up in access logs (nginx's predefined
# `combined` format records the request line), browser history and Referer
# headers. Exchanging the token once for a session cookie, or using
# auth_basic / auth_request, avoids requiring it on every URL.
if ($token != $valid_token) {
return 403;
}
proxy_http_version 1.1;
proxy_set_header Host $host;
# Upgrade/Connection are set on every proxied request so WebSocket handshakes
# pass through to the upstream.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# An empty value means the client's Cookie header is not passed upstream.
proxy_set_header Cookie "";
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
# Only this first header carries `always`; the add_header lines after it are
# emitted only for the success/redirect status codes nginx adds headers to,
# so the 403 above carries Access-Control-Allow-Origin but not the rest.
# NOTE(review): browsers refuse credentialed cross-origin responses when
# Allow-Origin is `*`, so `*` plus Allow-Credentials 'true' is contradictory;
# name the embedding origin explicitly if credentials are really needed.
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
add_header 'Access-Control-Allow-Credentials' 'true';
# NOTE(review): the report describes embedding this in an iframe; check these
# cross-origin isolation headers against the embedding page's origin.
add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
add_header 'Cross-Origin-Opener-Policy' 'same-origin';
add_header 'Cross-Origin-Resource-Policy' 'same-site';
proxy_pass http://127.0.0.1:6900;
proxy_buffering off;
}
# NOTE(review): `SUBFOLDER` looks like a template placeholder substituted
# before nginx loads this file — confirm. This location contains no token
# check, so requests matching it are proxied to 127.0.0.1:6901 without the
# `?token=` gate applied in `location /`. If the token is meant to protect the
# whole application, the same check (or server-level auth) is needed here too.
location SUBFOLDERwebsockify {
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# An empty value means the client's Cookie header is not passed upstream.
proxy_set_header Cookie "";
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
# Same CORS set as `location /`: wildcard origin together with
# Allow-Credentials 'true', and only the first header marked `always`.
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
add_header 'Cross-Origin-Opener-Policy' 'same-origin';
add_header 'Cross-Origin-Resource-Policy' 'same-site';
proxy_pass http://127.0.0.1:6901;
proxy_buffering off;
}
}
# TLS listener on port 3001, using the certificate and key under /config/ssl/.
# It applies the same query-string token check in `location /` as the
# plain-HTTP server block.
server {
# Server-wide HTTP basic auth is commented out; the only access check left in
# this block is the `if` inside `location /`.
#auth_basic "Login";
#auth_basic_user_file /etc/nginx/.htpasswd;
listen 3001 ssl;
listen [::]:3001 ssl;
ssl_certificate /config/ssl/cert.pem;
ssl_certificate_key /config/ssl/cert.key;
# Expected token: a static shared secret hard-coded in the config, so it is
# readable by anyone who can read this file.
set $valid_token "test-1234";
# The static locations below contain no token check: they are served to any
# client, with or without `?token=`.
location /public/ {
alias /kclient/public/;
try_files $uri $uri/ =404;
}
location /manifest.json {
alias /kclient/public/manifest.json;
try_files $uri =404;
}
location /favicon.ico {
alias /kclient/public/favicon.ico;
try_files $uri =404;
}
location /audio/socket.io/socket.io.js {
alias /kclient/node_modules/socket.io/client-dist/socket.io.js;
try_files $uri =404;
}
location /audio/socket.io/ {
alias /kclient/node_modules/socket.io/dist/;
# NOTE(review): the port-3000 server block uses `try_files $uri =404;` here
# instead of falling back to /socket.js — confirm which is intended.
try_files $uri /socket.js;
index socket.js;
}
location / {
# Extract the token from the query parameter
# ($arg_token is nginx's built-in variable for the `token` query-string argument).
set $token $arg_token;
# Validate the token. The comparison runs for every request that falls through
# to this location, not only the first page load, so any follow-up request
# without `?token=` is answered 403; the /vnc/index.html?autoconnect=1&... and
# /files URLs reported as failing carry no `token` argument.
# NOTE(review): TLS protects the token in transit, but a secret in the query
# string still typically ends up in access logs (nginx's predefined `combined`
# format records the request line), browser history and Referer headers.
# Exchanging the token once for a session cookie, or using auth_basic /
# auth_request, avoids requiring it on every URL.
if ($token != $valid_token) {
return 403;
}
proxy_http_version 1.1;
proxy_set_header Host $host;
# Upgrade/Connection are set on every proxied request so WebSocket handshakes
# pass through to the upstream.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# An empty value means the client's Cookie header is not passed upstream.
proxy_set_header Cookie "";
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
# Only this first header carries `always`; the add_header lines after it are
# emitted only for the success/redirect status codes nginx adds headers to,
# so the 403 above carries Access-Control-Allow-Origin but not the rest.
# NOTE(review): browsers refuse credentialed cross-origin responses when
# Allow-Origin is `*`, so `*` plus Allow-Credentials 'true' is contradictory;
# name the embedding origin explicitly if credentials are really needed.
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
add_header 'Access-Control-Allow-Credentials' 'true';
# NOTE(review): the report describes embedding this in an iframe; check these
# cross-origin isolation headers against the embedding page's origin.
add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
add_header 'Cross-Origin-Opener-Policy' 'same-origin';
add_header 'Cross-Origin-Resource-Policy' 'same-site';
proxy_pass http://127.0.0.1:6900;
proxy_buffering off;
}
# NOTE(review): `SUBFOLDER` looks like a template placeholder substituted
# before nginx loads this file — confirm. This location contains no token
# check, so requests matching it are proxied to 127.0.0.1:6901 without the
# `?token=` gate applied in `location /`. If the token is meant to protect the
# whole application, the same check (or server-level auth) is needed here too.
location SUBFOLDERwebsockify {
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# An empty value means the client's Cookie header is not passed upstream.
proxy_set_header Cookie "";
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
# Same CORS set as `location /`: wildcard origin together with
# Allow-Credentials 'true', and only the first header marked `always`.
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
add_header 'Cross-Origin-Opener-Policy' 'same-origin';
add_header 'Cross-Origin-Resource-Policy' 'same-site';
proxy_pass http://127.0.0.1:6901;
proxy_buffering off;
}
}
I want to use webtop through an HTML iframe but limit access via a pre-populated URL parameter. This allows me to take a programmatic approach. However, I can't figure out how to stop the $arg_token check from breaking backend communications. Below are some of the access errors I am receiving:
Failed to load resource: the server responded with a status of 403 ()Understand this error
chrome-error://chromewebdata/:1
Failed to load resource: the server responded with a status of 403 ()Understand this error
manager.js:108
It also looks like the following resources fail to load, but I can't find them on the container:
https://localhost/vnc/index.html?autoconnect=1&resize=remote&clipboard_up=true&clipboard_down=true&clipboard_seamless=true&show_control_bar=true
https://localhost/files
Expected Behavior
I expect to give the URL https://localhost/?token=test-1234 and for the requesting user to be given access to the application in its entirety.
Steps To Reproduce
- In my dockerfile I have deleted the old default.conf and replaced it with a new one.
- Copy the above default.conf into a new file.
- RUN rm -f /defaults/default.conf
- COPY default.conf /defaults/default.conf
Environment
- OS: Windows 11
- How docker service was installed: Docker Desktop
CPU architecture
x86-64
Docker creation
docker run -d --name=webtop -e PUID=1000 -e PGID=1000 -e TZ=Etc/UTC -p 3000:3000 -p 443:443 -e CUSTOM_HTTPS_PORT=443 --restart unless-stopped webtop
Container logs
Logs are normal compared to a vanilla webtop launch; no errors are present.