Sunil Mohan Adapa c163601b6c
cockpit: Reconfigure to allow any origin
When Cockpit is not configured with any origins, it uses the host and protocol of
the incoming request to set the allowed origin for WebSocket connections. By
ensuring that the original host/protocol is passed on to Cockpit from the
browser, we can eliminate the need for configuring a pre-determined list of
origins. Passing the host and protocol from the browser is done by setting
ProxyPreserveHost and using https:// for proxying.

For a cross-site request, Origin: and Host: entries won't match and '403
Forbidden' is thrown. So, this approach is still safe.

Tests:

- Without the patch, accessing Cockpit using an IP address fails. Apply the
patch. Cockpit setup should run. The Origins= directive in the configuration
file /etc/cockpit/cockpit.conf should get removed. Accessing with an IP address
and logging in succeeds.

- Freshly set up a container with the patch and access Cockpit using an IP
address. This works and login succeeds.

- Test on stable and testing containers.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-07-15 20:37:04 -04:00
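The origin rule the commit message relies on, as an added model that is not code from Cockpit or FreedomBox: it simulates Apache's ProxyPass with and without ProxyPreserveHost, then applies the check the message describes (with no Origins= configured, the allowed origin is the protocol plus Host of the request that reaches Cockpit; a configured list is matched literally). The 192.0.2.10 address, the box.example and evil.example names and the pre-patch Origins= list are constructed sample values.

```python
"""Model of Cockpit's WebSocket Origin check behind an Apache reverse proxy.

Added illustration, not code from Cockpit or FreedomBox. It models only the
behaviour the commit message describes: when no Origins= list is configured,
Cockpit accepts a WebSocket only if its Origin header matches the protocol and
Host of the request that actually reached it, so the proxy must pass the
browser's Host through (ProxyPreserveHost On). Hostnames and addresses below
are constructed sample values.
"""
from dataclasses import dataclass, field

# Backend address from the Apache configuration (ProxyPass https://localhost:9090/...)
COCKPIT_BACKEND = "localhost:9090"


@dataclass
class Request:
    """Only the headers that matter for the origin check are modelled."""
    headers: dict = field(default_factory=dict)

    def get(self, name):
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def apache_proxy(browser_request, preserve_host):
    """Model ProxyPass to https://localhost:9090 with or without ProxyPreserveHost.

    Without ProxyPreserveHost, Apache replaces Host with the backend's host:port.
    The browser's Origin header is forwarded unchanged either way, and because
    the ProxyPass target is https://, Cockpit always sees a TLS connection.
    """
    forwarded = dict(browser_request.headers)
    if not preserve_host:
        forwarded["Host"] = COCKPIT_BACKEND
    return Request(forwarded), "https"


def derived_origin(request, scheme):
    """The single allowed origin when Origins= is not configured."""
    return f"{scheme}://{request.get('Host')}"


def check_origin(request, scheme, configured_origins=None):
    """Return the status Cockpit answers the WebSocket handshake with.

    configured_origins models the Origins= directive in cockpit.conf;
    None models the unconfigured case this commit switches to.
    """
    origin = request.get("Origin")
    if origin is None:
        return 403
    if configured_origins is not None:
        allowed = set(configured_origins)
    else:
        allowed = {derived_origin(request, scheme)}
    return 101 if origin in allowed else 403


def handshake(page_origin, host, preserve_host=True, configured_origins=None):
    """Simulate a page at page_origin opening wss://<host>/_cockpit/cockpit/socket.

    The browser sets Host from the WebSocket URL and Origin from the page.
    """
    browser = Request({"Host": host, "Origin": page_origin,
                       "Upgrade": "websocket"})
    at_cockpit, scheme = apache_proxy(browser, preserve_host)
    return check_origin(at_cockpit, scheme, configured_origins)


def scenarios():
    """The cases from the commit message, as (description, status) pairs."""
    ip = "192.0.2.10"                    # constructed address the box is reached by
    old_list = ["https://box.example"]   # constructed pre-patch Origins= list
    return {
        # Pre-patch: a fixed Origins= list that does not include the IP address.
        "fixed list, access by IP": handshake(f"https://{ip}", ip,
                                              configured_origins=old_list),
        # Post-patch: origin derived from the preserved Host header.
        "derived, access by IP": handshake(f"https://{ip}", ip),
        # Post-patch but ProxyPreserveHost Off: Cockpit sees Host localhost:9090.
        "derived, Host not preserved": handshake(f"https://{ip}", ip,
                                                 preserve_host=False),
        # A cross-site page tries to open the socket: Origin != Host.
        "derived, cross-site page": handshake("https://evil.example", ip),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:30s} -> {status}")
```

Run it directly to print the four outcomes. The "Host not preserved" case is why the configuration sets ProxyPreserveHost On in both Location blocks: without it Cockpit derives https://localhost:9090 and every browser request, same-site included, is answered with 403. The check is only as strong as the browser-supplied Origin header, which a non-browser client can set freely, so it is a cross-site protection and not a substitute for the login that follows.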


##
## On all sites, provide cockpit on the path: /_cockpit/
##
## Requires the following Apache modules to be enabled:
## mod_headers
## mod_proxy
## mod_proxy_http
## mod_proxy_wstunnel
## mod_rewrite (for the HTTPS redirect below)
## mod_ssl (for the SSLProxy* directives on the hop to Cockpit)
##
<Location /_cockpit/>
    # Redirect to HTTPS in case of not already using it. This can happen since
    # we don't redirect for .onion domains.
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
    # Proxy over https:// and keep the browser's Host header, so that Cockpit
    # derives its allowed WebSocket origin from the request's own host and
    # protocol instead of needing a fixed Origins= list in cockpit.conf.
    ProxyPass https://localhost:9090/_cockpit/
    ProxyPreserveHost On
</Location>
<Location /_cockpit/cockpit/socket>
    ProxyPass wss://localhost:9090/_cockpit/socket
    ProxyPreserveHost On
</Location>
<ProxyMatch "^(https|wss)://localhost:9090/_cockpit/.*">
    # Cockpit's certificate is not verified on this hop. That is tolerable
    # only because the backend is reached over the loopback interface; do not
    # reuse this block for a backend reached over the network.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerName off
</ProxyMatch>