-
-
Notifications
You must be signed in to change notification settings - Fork 704
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
webui: Implement support for reverse proxies #2343
base: master
Are you sure you want to change the base?
Conversation
67c5a54
to
c6d52da
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## nightly #2343 +/- ##
==========================================
- Coverage 6.50% 6.50% -0.01%
==========================================
Files 85 85
Lines 18382 18406 +24
Branches 8348 8355 +7
==========================================
+ Hits 1196 1197 +1
+ Misses 16136 16081 -55
- Partials 1050 1128 +78
Flags with carried forward coverage won't be shown. Click here to find out more.
|
7e2b222
to
eaca72d
Compare
src/confighttp.cpp
Outdated
if (!config::nvhttp.web_ui_address.empty()) { | ||
BOOST_LOG(info) << "Configuration UI available at ["sv << config::nvhttp.web_ui_address << "]"sv; | ||
} | ||
BOOST_LOG(info) << "Configuration UI available at [https://localhost:"sv << port << "]"sv; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe make an array of the addresses it's available at, and only have one log message?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Related to this, I have some reservations about the PR related to privacy: users may not want their reverse proxy address to be exposed when sending logs.
In my case, I use a reverse proxy for all my home services with the intention not to expose anything outside of my LAN, but I'm forced to use a DNS AAAA record, as my ISP uses DNS spoofing to block A records that refer to a private network space. I use the reverse proxy for multiple services, but none are exposed to the external network, and I'd prefer not to be leaking the address online unnecessarily.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point... I think it's safe to only log the localhost address.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Backed out the logging, but keep in mind that the proxy address will be exposed by open_url()
& resolve_command_str()
invocations.
src/entry_handler.cpp
Outdated
|
||
if (!config::nvhttp.web_ui_address.empty()) { | ||
// Don't append internal TCP port as port is mapped by reverse proxy | ||
url = config::nvhttp.web_ui_address; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would we want to use the reverse proxy address from the server itself?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You mean via the link handler as used by the tray icon on the host? At least in my case, yes. The main benefit of using the reverse proxy for Sunshine in particular is so that I can use my own valid SSL cert that's managed on a different machine than the Sunshine host. Having the tray icon open the self-signed site means I need to deal with the SSL warnings each time, which cancels out most of the benefit of using the proxy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you think this should be optional? In the event of an internet outage, people won't be able to open ui via the tray icon.
Or fallback to the localhost address if the proxy address is unreachable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've implemented the latter suggestion as it seems to make the best sense and keep things simpler.
2a70c10
to
bce31e3
Compare
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0); // ignore self-signed cert | ||
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); // ignore self-signed cert |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These lines will let the function detect a proxied or other address that is still using a self-signed cert. For example, you can test functionality without a reverse proxy by setting the url to https://sunshinehost:47990
.
It might be OK to leave this here, but if we want to enforce valid SSL checking, I can remove the lines and perhaps add a note that a valid SSL cert will be required to the docs.
23758c0
to
3a49fef
Compare
<!-- Web UI Address --> | ||
<div class="mb-3"> | ||
<label for="web_ui_address" class="form-label">{{ $t('config.web_ui_address') }}</label> | ||
<input type="text" class="form-control" id="web_ui_address" placeholder="https://localhost:47990" v-model="config.web_ui_address" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should I change the placeholder to a reverse proxy example? If yes, is https://example.com:80/sunshine
appropriate here (and elsewhere)? I'm asking because the External IP
entry is using an example IP range, so I assume users won't get confused that the placeholder is only an example and not the actual default when unset.
* Add "web_ui_address" option to UI Network tab. * Add tray icon link handling, with proxy connectivity check to decide which link to open. * Add reverse proxy suggestion to Setup document as a hint to circumvent self-signed SSL warnings.
3a49fef
to
4c6f5b8
Compare
Description
Screenshot
Issues Fixed or Closed
Resolves #1034
N.B.: this PR doesn't implement the stated proposal in title of #1034 (insecure http support in Sunshine), but instead enhances the url handler to use a proxied address if set by the user, and add some basic documentation on reverse proxying. A reverse proxy should typically proxy the secure
https://<host>:47990
address, and self-signed certs shouldn't cause issues (if using Nginx Proxy Manager, at the very least).Type of Change
.github/...
)Checklist
Branch Updates
LizardByte requires that branches be up-to-date before merging. This means that after any PR is merged, this branch
must be updated before it can be merged. You must also
Allow edits from maintainers.