Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[2.5/2.6] Nginx config issus resulting in CORS and other headers not working as expetced. #15436

Closed
defnull opened this issue Jul 23, 2022 · 0 comments
Closed

[2.5/2.6] Nginx config issus resulting in CORS and other headers not working as expetced. #15436

defnull opened this issue Jul 23, 2022 · 0 comments
Assignees
@schrd
Labels
module: client priority: normal
Milestone
Release 2.6

Comments

@defnull
Copy link
Contributor

defnull commented Jul 23, 2022
edited

Describe the bug
When $bbb_loadbalancer_node has a value, then some headers are missing (problem A) and at other places, the expected CORS headers are not set (problem B).

Problem A) Nginx if blocks work in strange and sometimes very counter-intuitive ways, and add_header is especially unsafe to use in if-blocks. An add_header directive in an if or location block will cancel all add_header directives defined outside of the block. As a result the P3P header (IE workaround) for locations defined in web.nginx is missing if $bbb_loadbalancer_node is set. There might be more issues in other places, but this is the one I found.

Problem B): Support for $bbb_loadbalancer_node was not implemented in notes.nginx. Etherpad sends a blanket Access-Control-Allow-Origin: * but the CORS spec does not allow to send credentials in that case. An explicit origin is needed. As a result, the new "Move notes to whiteboard" feature won't work in a cluster using $bbb_loadbalancer_node. Browsers will perform the (expensive) request but then deny access to the result because of bad CORS headers.

A solution would be to unconditionally set add_header Access-Control-Allow-Origin $bbb_loadbalancer_node always; and add_header Access-Control-Allow-Credentials true always; without the guarding if-block. add_header does nothing if the value is empty, and the Access-Control-Allow-Credentials has no effect if Access-Control-Allow-Origin is not present, so this should work for all setups equally well. To get pads working, an additional proxy_hide_header Access-Control-Allow-Origin; is needed because otherwise there would be two headers.

I also noticed that web.nginx has a location /bigbluebutton block nested in another location /bigbluebutton block. Why?

While we are at it: Pads won't load in Safari due to their strict third-party cookie policy if the html5clieht and etherpad run on different domains. This is a different issue, but another place where $bbb_loadbalancer_node mode breaks.

Expected behavior
A cluster using a single front-end domain using $bbb_loadbalancer_node should work as documented.

Actual behavior
$bbb_loadbalancer_node has issues, resulting in breaking features.

BBB version:
2.5 and 2.6-alpha2

Additional context
Add any other context about the problem here.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@schrd schrd

Labels
module: client priority: normal
Projects
None yet
Milestone
Release 2.6
Development

No branches or pull requests
3 participants
@defnull @schrd @antobinary