Switch to nginx as reverse proxy for geckodriver.

Since geckodriver also checks the Origin header, using a reverse proxy does not disable CSRF protection. e.g. the following request will be rejected: curl -v -H 'Origin:http://example.org/' -H 'Host:geckodriver' -H 'Content-Type:application/json' -d '{"capabilities":{}}' localhost:4444/session While the following request (without the Origin header) will succeed: curl -v -H 'Host:geckodriver' -H 'Content-Type:application/json' -d '{"capabilities":{}}' localhost:4444/session See also: mozilla/geckodriver#1935
blueimp · Sep 24, 2021 · 0a3d94d · 0a3d94d
1 parent a3c7a83
commit 0a3d94d
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 18 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -13,8 +13,8 @@ RUN export DEBIAN_FRONTEND=noninteractive \
     libdbus-glib-1-2 \
     # Bzip2 to extract the Firefox tarball:
     bzip2 \
-    # Reverse proxy for geckodriver, which only allows local connections:
-    tinyproxy-bin \
+    # Reverse proxy for geckodriver:
+    nginx \
   && DL='https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64' \
   && curl -sL "$DL" | tar -xj -C /opt \
   && ln -s /opt/firefox/firefox /usr/local/bin/ \
@@ -37,15 +37,21 @@ RUN BASE_URL=https://github.com/mozilla/geckodriver/releases/download \
   && curl -sL "$BASE_URL/$VERSION/geckodriver-$VERSION-linux64.tar.gz" | \
     tar -xz -C /usr/local/bin
 
-COPY tinyproxy.conf /etc/tinyproxy/
+# Configure nginx to run in a container context:
+RUN ln -sf /dev/stdout /var/log/nginx/access.log
+RUN ln -sf /dev/stderr /var/log/nginx/error.log
+RUN cd /var/lib/nginx && mkdir body proxy fastcgi uwsgi scgi
+RUN touch /run/nginx.pid && chown -R webdriver:webdriver /run/nginx.pid
+
+COPY nginx.conf /etc/nginx/
 COPY reverse-proxy.sh /usr/local/bin/reverse-proxy
 
 USER webdriver
 
 ENTRYPOINT ["entrypoint", "reverse-proxy", "geckodriver"]
 
-# Bind geckodriver to port 4445:
-CMD ["--port", "4445"]
+# Bind geckodriver to port 5555:
+CMD ["--port", "5555"]
 
-# Expose tinyproxy on port 4444, forwarding to geckodriver on port 4445:
+# Expose nginx on port 4444, forwarding to geckodriver on port 5555:
 EXPOSE 4444
diff --git a/nginx.conf b/nginx.conf
@@ -0,0 +1,14 @@
+daemon off;
+worker_processes 1;
+events {
+  worker_connections 1024;
+}
+http {
+  server {
+    listen 4444;
+    location / {
+      proxy_http_version 1.1;
+      proxy_pass http://127.0.0.1:5555;
+    }
+  }
+}
diff --git a/reverse-proxy.sh b/reverse-proxy.sh
@@ -1,7 +1,2 @@
 #!/bin/sh
-
-# Start tinyproxy:
-tinyproxy -d &
-
-# Execute the given command:
-exec "$@"
+nginx & exec "$@"
diff --git a/tinyproxy.conf b/tinyproxy.conf