From 7a07caa46847d15f51f693060e84098dc4fd18a5 Mon Sep 17 00:00:00 2001
From: Wiebe Cazemier
Date: Thu, 6 Feb 2025 12:25:17 +0100
Subject: [PATCH] Allow GUIv2 WASM to be downloaded without auth in all security profiles
Before, only this would work:
* In unsecured: http and https
* In weak: not at all
* In secured: only http
This would break loading custom WASMs on VRM, which are downloaded over the HttpProxyOverSshTunnels over plain-text HTTP.
---
 .../recipes-httpd/nginx/files/http-explanation.site | 2 +-
 meta-venus/recipes-httpd/nginx/files/http.site | 13 +++++++++----
 meta-venus/recipes-httpd/nginx/files/https.site | 13 +++++++++----
 3 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/meta-venus/recipes-httpd/nginx/files/http-explanation.site b/meta-venus/recipes-httpd/nginx/files/http-explanation.site
index 8afdbf672..1562a55aa 100644
--- a/meta-venus/recipes-httpd/nginx/files/http-explanation.site
+++ b/meta-venus/recipes-httpd/nginx/files/http-explanation.site
@@ -17,7 +17,7 @@ server {
 # This is needed because the wasm is downloaded as XHR. The proxying system
 # VRM uses, which also ends up here, has stricter rules and doesn't just
 # return 'origin', so add them here.
- location /gui-beta/venus-gui-v2 {
+ location ~ /gui-(v2|beta)/venus-gui-v2 {
 root /var/www/venus/;
 gzip_static always;
diff --git a/meta-venus/recipes-httpd/nginx/files/http.site b/meta-venus/recipes-httpd/nginx/files/http.site
index 687c87891..f2653c2f8 100644
--- a/meta-venus/recipes-httpd/nginx/files/http.site
+++ b/meta-venus/recipes-httpd/nginx/files/http.site
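Review bot: The new pattern in http-explanation.site, `location ~ /gui-(v2|beta)/venus-gui-v2 {`, is an unanchored regex, so it matches any URI that contains that substring rather than only URIs that begin with it. The same pattern is added in the http.site and https.site hunks, where the block also carries `auth_request off;`, so there the looseness of the match decides which requests skip authentication. Anchoring it keeps the exemption to the intended paths: `location ~ ^/gui-(v2|beta)/venus-gui-v2 {`. Regex locations are also chosen ahead of ordinary prefix locations, so it is worth confirming that no other location in these files was meant to handle such URIs. The location body continues past the end of the hunk.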
@@ -54,10 +54,15 @@ server {
 proxy_set_header Host $host;
 }
- # This is needed because the wasm is downloaded as XHR. The proxying system
- # VRM uses, which also ends up here, has stricter rules and doesn't just
- # return 'origin', so add them here.
- location /gui {
+ # The normal auth+cookie flow when opening /gui-v2 needs to function, also
+ # to make the websocket works, but the wasm(-related) asset files need to
+ # be available without cookie, for the HttpProxyOverSshTunnels (VRM).
+ location ~ /gui-(v2|beta)/venus-gui-v2 {
+ auth_request off;
+
+ # This is needed because the wasm is downloaded as XHR. The proxying system
+ # VRM uses, which also ends up here, has stricter rules and doesn't just
+ # return 'origin', so add them here.
 add_header Cache-Control "no-cache";
 add_header Access-Control-Allow-Origin "$http_origin";
 add_header Access-Control-Allow-Credentials true;
diff --git a/meta-venus/recipes-httpd/nginx/files/https.site b/meta-venus/recipes-httpd/nginx/files/https.site
index 5a3d9bc64..275c74f6c 100644
--- a/meta-venus/recipes-httpd/nginx/files/https.site
+++ b/meta-venus/recipes-httpd/nginx/files/https.site
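Review bot: In http.site the block that now has `auth_request off;` still pairs `add_header Access-Control-Allow-Origin "$http_origin";` with `Access-Control-Allow-Credentials true`, so any origin the client names is echoed back and allowed credentialed cross-origin reads. Because these assets are meant to load without a cookie, the credentials header looks unnecessary on this location; whether the VRM XHR sends credentials is not visible here, so confirm before dropping it. If it has to stay, limit the echoed value to the expected origins through a `map` and add `add_header Vary Origin;`. The https.site hunk has the same lines. The location body continues outside the hunk.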
@@ -56,10 +56,15 @@ server {
 proxy_set_header Host $host;
 }
- # This is needed because the wasm is downloaded as XHR. The proxying system
- # VRM uses, which also ends up here, has stricter rules and doesn't just
- # return 'origin', so add them here.
- location /gui {
+ # The normal auth+cookie flow when opening /gui-v2 needs to function, also
+ # to make the websocket works, but the wasm(-related) asset files need to
+ # be available without cookie, for the HttpProxyOverSshTunnels (VRM).
+ location ~ /gui-(v2|beta)/venus-gui-v2 {
+ auth_request off;
+
+ # This is needed because the wasm is downloaded as XHR. The proxying system
+ # VRM uses, which also ends up here, has stricter rules and doesn't just
+ # return 'origin', so add them here.
 add_header Cache-Control "no-cache";
 add_header Access-Control-Allow-Origin "$http_origin";
 add_header Access-Control-Allow-Credentials true;
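Review bot: The location block added to https.site is a line-for-line copy of the one added to http.site, so the rule deciding which paths skip `auth_request` now lives in two places that can drift apart. Moving the block into one snippet pulled in by both files, e.g. `include <shared-gui-assets-snippet>;` (placeholder name), would keep the HTTP and HTTPS exemptions identical. The added comment's "to make the websocket works" should read "to make the websocket work". The location body continues outside the hunk.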