New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove custom port from CSRF cookie suffix #4741
Conversation
This pull request has been mentioned on OctoPrint Community Forum. There might be relevant details there: https://community.octoprint.org/t/csrf-reverse-proxy-configuration-issue-or-bug/50066/13 |
Should the fix not be to go the other way around - rather than get the port wrong in both places, OctoPrint should get the correct port? It should match what is actually happening, which is you using the UI from port 12345, not 443. |
Yes.. but no? The current CSRF methodology of OctoPrint is really setting the cookie name via schema, it's just aliasing the port. For instance, This could be handled with an overhaul to force setting a So: Yes, if we want the reverse proxy page to "look better." But no if we want the same functionality as today, ease of setup via not requiring users with custom ports to set custom configurations in |
OK, it didn't take that long to test in the end... I setup haproxy with a self-signed cert, on port 3000 for https, and everything works as expected. So I would be inclined to say there is still something wrong with your nginx configuration, and so I'll hop back to the community forums to have a poke at what might be the issue there. For reference, the haproxy config I used: haproxy.cfg
|
Interesting, I wonder why you're getting a different result. I guess what I'm saying is that the function I changed isn't leveraged by any part of the system other than the CSRF cookie name. The only reason I can think of to even have pre-defined cookie names like this would be to separate HTTP from HTTPS, but if that's the case, there's no reason to use a port in the cookie name at all. It could just be changed to "_SHTTP" and "_SHTTPS" to remove the complexity altogether. The proxy port in headers and/or cookies have no impact on the proxy itself (including file downloads) since the only place it's used is with CSRF (at least that I see calling that function). In any event, if there's a cleaner way to do this, it works for me. I'm just not finding it with nginx. |
@cp2004 Trying to figure out what's different about your setup and mine, and I noticed EDIT: I have confirmed the above function does return 443 for me, and the resulting |
@cp2004 Thank you for the direction, I have figured this out, and it is I traced the calls back to the use of
With success. I will close this PR, resolve my issue, and make a request in the forum for an update on https://community.octoprint.org/t/reverse-proxy-configuration-examples/1107 to include this specificity in the Thanks again! |
This pull request has been mentioned on OctoPrint Community Forum. There might be relevant details there: https://community.octoprint.org/t/reverse-proxy-configuration-examples/1107/47 |
That's great that you've managed to sort it out - and we've learnt something about how nginx works with https ports then I guess. I'll have to play around with nginx closer (I tend to always use haproxy as that's what's included with OctoPi) to see if it has any other slight quirks. |
to a large audience (ideally all users of OctoPrint)
made sure your changes don't interfere with current development by
talking it through with the maintainers, e.g. through a
Brainstorming ticket
devel
branch if it's a completelynew feature, or
maintenance
if it's a bug fix or improvement ofexisting functionality for the current stable version (no PRs
against
master
or anything else please)(no PRs from your version of
master
,maintenance
, ordevel
please), e.g.
dev/my_new_feature
orfix/my_bugfix
no dead code, ideally only one commit - rebase and squash your PR
if necessary!
.less
source files, not the.css
files (those are generatedwith
lessc
)have added unit tests
nothing broke
AUTHORS.md
file :)What does this PR do and why is it necessary?
Addresses: #4740 by utilizing 443 or 80 as the port for the CSRF cookie name even if a custom port is being used.
How was it tested? How can it be tested by the reviewer?
The best method is to set up an NGINX proxy outside of OctoPi running on
https://octoprint.domain.com:12345
and confirm thathttps://octoprint.domain.com:12345/reverse_proxy_test/
is all green. You will see 443 as the port (to align to the server port from OctoPi). Without this fix, logins will fail with a 400, with it, they will succeed regardless of if you are running a standard port, non-standard port, going throughhaproxy
, or direct.Any background context you want to provide?
#4740 has a link to the forum post with a full description and debugging of this issue.
What are the relevant tickets if any?
#4740
Screenshots (if appropriate)
N/A
Further notes
N/A