bug: absolute URL prevent the use of a reverse proxy with a different path in front of the stats #294
Comments
@netchild Hi, sorry for the late reply.
The below doc says that https://github.com/vozlt/nginx-module-vts?tab=readme-ov-file#to-customize-after-the-module-installed
The FreeBSD port doesn't install the template. I have to dig into the sources and give it a try. Nevertheless, having a relative path instead of an absolute path would reduce the need to modify it and have it simply work out of the box in more cases.
Indeed, we tested to exchange nginx.conf
If it is applicable for your use case when the above configuration is used, it probably should protect the endpoint. But it is unnecessary
I don't understand why you have /format/json in the nginx config. The relative path should resolve to /status/./format/json which should resolve to /status/format/json, so this location part should not be needed in the nginx config. Real world example of what I try:
So the /status goes to the oauth2 proxy, which accesses https://localhost/vstatus after successful auth. The browser only has access to /status, as such it shall retrieve /status/xxx. What the oauth2 proxy fetches is /vstatus/xxx. Any reference inside xxx should ideally be relative, so that the browser generates the URL /status/xyz when it sees "./xyz" or "xyz" instead of "/vstatus/xyz". While your module only knows about /vstatus, the browser can only access /status. The oauth2 proxy accesses /vstatus, but doesn't rewrite URLs in JavaScript. I cannot instruct nginx to rewrite URLs from /vstatus to /status, as the oauth proxy makes the internal request to this URL (which is allowed from localhost). As such the most practical solution is to let the browser construct the real path to access on its own. A relative path solves this.
Hi,
I want to protect access to the vts stats. So at the official URL (let's assume "/vts") nginx proxies to an oauth2 proxy which does the authentication, and then passes the request to "/realvts" on the same nginx (it has access rules to allow only the internal access on the same machine). "/realvts" is configured with the vhost_traffic_status_display.
If I access with a browser /vts, the oauth2 proxy is doing its job, gives me the content of /realvts, but then the browser tries to access /realvts/format/json instead of /vts/format/json. This is because the html source has

```
var vtsStatusURI = "/realvts//format/json",
```

instead of using a relative url (untested:

```
var vtsStatusURI = "./format/json",
```

or maybe

```
var vtsStatusURI = "format/json",
```

). So:
This doesn't work, as the browser on a remote system is not allowed to access /realvts.
Bye,
Alexander.
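
Added example (not part of the original issue or of the module's code): how a browser resolves the three `vtsStatusURI` candidates from the post above when the status page is reached at `/vts` or at `/vts/`. The host name and all helper names, including the hypothetical `statusUriFromLocation` variant, are assumptions made for illustration, and the page is assumed to be loaded from the display location itself.

```javascript
// Constructed origin; only the path handling matters here.
const ORIGIN = "https://stats.example.test";

// Resolve `ref` the way a browser does for a page loaded from `pageUrl`.
function resolvedPath(ref, pageUrl) {
  return new URL(ref, pageUrl).pathname;
}

// True when the resolved request stays under the public, authenticated prefix.
function staysUnderPrefix(ref, pageUrl, publicPrefix) {
  const path = resolvedPath(ref, pageUrl);
  return path === publicPrefix || path.startsWith(publicPrefix + "/");
}

// Hypothetical alternative: derive the URI from the path the browser actually
// requested, so the result does not depend on a trailing slash.
function statusUriFromLocation(pathname) {
  return pathname.replace(/\/+$/, "") + "/format/json";
}

// Resolve every candidate against both spellings of the public page URL.
function report(publicPrefix) {
  const refs = ["/realvts//format/json", "./format/json", "format/json"];
  const pages = [ORIGIN + publicPrefix, ORIGIN + publicPrefix + "/"];
  const rows = [];
  for (const page of pages) {
    for (const ref of refs) {
      rows.push({
        page,
        ref,
        path: resolvedPath(ref, page),
        ok: staysUnderPrefix(ref, page, publicPrefix),
      });
    }
  }
  return rows;
}

for (const row of report("/vts")) {
  console.log(`${row.page}  ${row.ref}  ->  ${row.path}  ${row.ok ? "ok" : "outside /vts"}`);
}
```

The relative forms stay under the public prefix only when the page URL ends in a slash; the absolute form always points at the internal location.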