Allow GUIv2 WASM to be downloaded without auth in all security profiles

Before, only this would work: * In unsecured: http and https * In weak: not at all * In secured: only http This would break loading custom WASMs on VRM, which are downloaded over the HttpProxyOverSshTunnels over plain-text HTTP.
victronenergy · Feb 10, 2025 · 7a07caa · 7a07caa
1 parent 320188e
commit 7a07caa
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 9 deletions.
diff --git a/meta-venus/recipes-httpd/nginx/files/http-explanation.site b/meta-venus/recipes-httpd/nginx/files/http-explanation.site
@@ -17,7 +17,7 @@ server {
     # This is needed because the wasm is downloaded as XHR. The proxying system
     # VRM uses, which also ends up here, has stricter rules and doesn't just
     # return 'origin', so add them here.
-    location /gui-beta/venus-gui-v2 {
+    location ~ /gui-(v2|beta)/venus-gui-v2 {
         root /var/www/venus/;
 
         gzip_static always;

diff --git a/meta-venus/recipes-httpd/nginx/files/http.site b/meta-venus/recipes-httpd/nginx/files/http.site
@@ -54,10 +54,15 @@ server {
         proxy_set_header Host $host;
     }
 
-    # This is needed because the wasm is downloaded as XHR. The proxying system
-    # VRM uses, which also ends up here, has stricter rules and doesn't just
-    # return 'origin', so add them here.
-    location /gui {
+    # The normal auth+cookie flow when opening /gui-v2 needs to function, also
+    # to make the websocket works, but the wasm(-related) asset files need to
+    # be available without cookie, for the HttpProxyOverSshTunnels (VRM).
+    location ~ /gui-(v2|beta)/venus-gui-v2 {
+        auth_request off;
+
+        # This is needed because the wasm is downloaded as XHR. The proxying system
+        # VRM uses, which also ends up here, has stricter rules and doesn't just
+        # return 'origin', so add them here.
         add_header Cache-Control "no-cache";
         add_header Access-Control-Allow-Origin "$http_origin";
         add_header Access-Control-Allow-Credentials true;

diff --git a/meta-venus/recipes-httpd/nginx/files/https.site b/meta-venus/recipes-httpd/nginx/files/https.site
@@ -56,10 +56,15 @@ server {
         proxy_set_header Host $host;
     }
 
-    # This is needed because the wasm is downloaded as XHR. The proxying system
-    # VRM uses, which also ends up here, has stricter rules and doesn't just
-    # return 'origin', so add them here.
-    location /gui {
+    # The normal auth+cookie flow when opening /gui-v2 needs to function, also
+    # to make the websocket works, but the wasm(-related) asset files need to
+    # be available without cookie, for the HttpProxyOverSshTunnels (VRM).
+    location ~ /gui-(v2|beta)/venus-gui-v2 {
+        auth_request off;
+
+        # This is needed because the wasm is downloaded as XHR. The proxying system
+        # VRM uses, which also ends up here, has stricter rules and doesn't just
+        # return 'origin', so add them here.
         add_header Cache-Control "no-cache";
         add_header Access-Control-Allow-Origin "$http_origin";
         add_header Access-Control-Allow-Credentials true;