HemmeligOrg / Hemmelig.app

Keep your sensitive information out of chat logs, emails, and more with encrypted secrets.
https://hemmelig.app
MIT License

[OTHER] Serving Hemmelig behind reverse proxy with subpath #239

Closed guillaumearnx closed 7 months ago

guillaumearnx commented 9 months ago

What would you like to share?

Hello, I'm trying to serve my Hemmelig instance behind a reverse proxy with a root path in my FQDN. E.g. share.tld.com for a website and share.tld.com/secret for Hemmelig. Is it possible without modifying the source code? Here is my nginx vhost:

server {
  location /secret/ {
    proxy_pass http://share.tld.com:3000;
    #add_header X-Content-Type-Options "nosniff" always;
    sub_filter_types *;
    sub_filter '="/assets/' '="/secret/assets/';
    sub_filter '="/fonts/' '="/secret/fonts/';
    sub_filter '="/api/' '="/secret/api/';
    sub_filter '="/locales/' '="/secret/locales/';
    sub_filter 'icons/' 'secret/icons/';
    sub_filter_once off;
  }

  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_max_temp_file_size 0;
  proxy_connect_timeout 600s;
  proxy_send_timeout 600s;
  proxy_read_timeout 600s;
  send_timeout 600s;
}

This gave me that error: [image]

Any idea? Thanks a lot, and very good project by the way ❤️

Additional information

Hemmelig: last version
Host: Ubuntu 22.04
nginx version: nginx/1.22.0 (Ubuntu)

bjarneo commented 9 months ago

Interesting. Maybe it is possible if relative URLs are used by the frontend. If not, it should be possible to add a config for this, and then use the config everywhere (frontend and backend).

However, by default you do have to do the rewrites. Wouldn't this be better to use? https://www.nginx.com/blog/creating-nginx-rewrite-rules/

Would this be sufficient? (have not tested): rewrite ^/$ /secret last;

guillaumearnx commented 9 months ago

Not working, always this MIME error. I don't think we can fix it without modifying the way the app is built.

bjarneo commented 9 months ago

Oh, it is possible without rewriting the app, but you would have to set the correct MIME type for the paths / routes.

I do not think I would add support for this as that would add complexity that is really not something that would be used by most.

guillaumearnx commented 9 months ago

Yeah, I understand. I will make some tests and keep you informed.

Have a good day.
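A prefix-stripping variant of the vhost from the first post, as an added example that is not from this thread or the Hemmelig project and has not been tested against Hemmelig. It assumes the backend serves the app at its root on share.tld.com:3000 as in the original config; `listen 80` is an assumed value.

```nginx
server {
  listen 80;                      # assumed; the original post shows no listen directive
  server_name share.tld.com;

  location /secret/ {
    # A URI part on proxy_pass (the trailing "/") makes nginx replace the
    # matched "/secret/" prefix with "/", so the backend receives /assets/...,
    # /api/... instead of /secret/assets/..., /secret/api/...
    proxy_pass http://share.tld.com:3000/;

    # proxy_set_header is inherited from the server level only when the
    # location defines none of its own, so every header is declared here.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # sub_filter cannot rewrite compressed bodies; ask the backend for plain ones.
    proxy_set_header Accept-Encoding   "";

    # Rewrite rules from the original post: they re-add the prefix to
    # root-absolute URLs in responses so the browser requests them under /secret/.
    sub_filter_types *;
    sub_filter_once off;
    sub_filter '="/assets/'  '="/secret/assets/';
    sub_filter '="/fonts/'   '="/secret/fonts/';
    sub_filter '="/api/'     '="/secret/api/';
    sub_filter '="/locales/' '="/secret/locales/';
    sub_filter 'icons/'      'secret/icons/';
  }
}
```

URLs that the frontend builds in JavaScript without the `="/` pattern are not covered by these `sub_filter` rules. Comparing the `Content-Type` response header of an asset URL requested under `/secret/` with the same asset requested directly from the backend shows whether the proxy is returning the asset or an HTML page.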