HemmeligOrg / Hemmelig.app

Keep your sensitive information out of chat logs, emails, and more with encrypted secrets.
https://hemmelig.app
MIT License

Restricting to specific IP Address not working behind Traefik proxy #267

Closed SajidK25 closed 6 months ago

SajidK25 commented 6 months ago

Description

Hi, @bjarneo, greetings! I have deployed Hemmelig.app to my VPS behind a Traefik proxy. Everything is working well so far except the Restrict IP feature. When I generated a secret using that feature, the secret could not be opened, even though no error message was shown. The browser console showed an error: Uncaught (in promise) SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON

Screenshots

(Screenshot: Secret not showing)

(Screenshot: browser console error)

Additional information

I run Hemmelig with Docker Compose behind Traefik.

services:
    hemmelig:
        image: hemmeligapp/hemmelig:v5.19.4 # https://github.com/HemmeligOrg/Hemmelig.app/tags
        container_name: hemmeligapp
        hostname: hemmelig
        init: true
        volumes:
            - ./data/hemmelig/:/var/tmp/hemmelig/upload/files
            - ./database/:/home/node/hemmelig/database/
        environment:
            - SECRET_LOCAL_HOSTNAME=0.0.0.0 # The local hostname for the fastify instance
            - SECRET_PORT=3000 # The port number for the fastify instance
            - SECRET_HOST=!changeme! # Used for i.e. set cors/cookies to your domain name
            - SECRET_ROOT_USER=groot # User as the root admin user
            - SECRET_ROOT_PASSWORD=iamroot # The admin user password (change this after signed in)
            - SECRET_ROOT_EMAIL=groot@hemmelig.app # The email for the admin user
            - SECRET_FILE_SIZE=4 # Set the total allowed upload file size in mb
            - SECRET_FORCED_LANGUAGE=en # Set the default language for the application
            - SECRET_JWT_SECRET=!changeme! # Override this for the secret signin JWT tokens for log in
            - SECRET_MAX_TEXT_SIZE=256 # The max text size for the secret. Is set in kb. i.e. 256 for 256kb
        labels:
            traefik.docker.network: "traefik-net"
            traefik.enable: "true"
            traefik.http.routers.hm.entrypoints: "https"
            traefik.http.routers.hm.middlewares: "default@file"
            traefik.http.routers.hm.rule: "Host(`${PROJECT_DOMAIN}`)"
            traefik.http.routers.hm.tls.certresolver: "letsEncrypt"
            traefik.http.routers.hm.tls.options: "modern@file"
            traefik.http.routers.hm.tls: "true"
            traefik.http.services.hm.loadbalancer.server.port: 3000
            traefik.http.services.hm.loadbalancer.sticky.cookie.httpOnly: "true"
            traefik.http.services.hm.loadbalancer.sticky.cookie.secure: "true"
        networks:
            - traefik-net
        ports:
            - '3002:3000'
        restart: always
        stop_grace_period: 1m
        healthcheck:
            test: 'wget -O /dev/null localhost:3000 || exit 1'
            timeout: 5s
            retries: 1
networks:
  traefik-net:
    external: true 

My Traefik header configuration:

    default:
      chain:
        middlewares:
          - default-security-headers
          - hemmelig
          - error-pages
          - gzip

    default-security-headers:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        frameDeny: true
        referrerPolicy: "strict-origin-when-cross-origin"
        sslRedirect: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 63072000

    hemmelig:
      headers:
        referrerPolicy: "no-referrer"
        browserXSSFilter: true
        contentTypeNosniff: true
        customFrameOptionsValue: "SAMEORIGIN"
        customRequestHeaders:
          X-Forwarded-Proto: https
          forwardedHeaders:
            insecure: true
          proxyProtocol:
            insecure: true

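The console error in the description means the front end called JSON.parse on a body that begins with `<!DOCTYPE`: an HTML document came back where the app's JSON was expected, and the uncaught rejection prevented any error box from rendering. One plausible reading (an assumption, not a confirmed diagnosis) is that something in the proxy chain above, such as the `error-pages` middleware, replaced the API's error response with an HTML page. The following is an added example, not Hemmelig's own client code, showing how a client can parse such a response defensively so the failure becomes a visible error instead of a silent one. The sample responses are constructed.

```javascript
// Added example (not Hemmelig's own client code): parse an API response
// defensively so that a proxy that rewrites error responses into HTML
// surfaces as a visible error instead of an uncaught "Unexpected token '<'".

function parseApiResponse(status, contentType, body) {
  // Decide what to show the user from the raw pieces of an HTTP response.
  const isJson = /^application\/json\b/i.test(contentType || '');
  if (!isJson) {
    // HTML (or anything else) where JSON was expected: most often a proxy
    // or error-page middleware answered instead of the API.
    const looksLikeHtml = /^\s*</.test(body);
    return {
      ok: false,
      data: null,
      error: looksLikeHtml
        ? `Expected JSON but received an HTML document (HTTP ${status}); a proxy may have rewritten the API response`
        : `Expected JSON but received ${contentType || 'no content type'} (HTTP ${status})`,
    };
  }
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return { ok: false, data: null, error: `Malformed JSON body (HTTP ${status}): ${e.message}` };
  }
  if (status >= 400) {
    // The API's own error object (for example an IP-restriction refusal) is passed through.
    return { ok: false, data, error: (data && data.error) || `HTTP ${status}` };
  }
  return { ok: true, data, error: null };
}

// Constructed sample responses (not captured from a real deployment).
const SAMPLES = {
  secretOk: { status: 200, contentType: 'application/json; charset=utf-8', body: '{"secret":"hello"}' },
  ipRefusedJson: { status: 403, contentType: 'application/json', body: '{"error":"This secret is restricted to another IP address"}' },
  ipRefusedHtml: { status: 403, contentType: 'text/html; charset=utf-8', body: '<!DOCTYPE html><html><body><h1>403</h1></body></html>' },
};

function classify(name) {
  const s = SAMPLES[name];
  return parseApiResponse(s.status, s.contentType, s.body);
}

// Usage: in a fetch() handler, read response.status, response.headers.get('content-type')
// and await response.text(), then pass them here and render result.error in the error box.
for (const name of Object.keys(SAMPLES)) {
  const r = classify(name);
  console.log(name, '->', r.ok ? 'ok' : `error box: ${r.error}`);
}
```

The `ipRefusedHtml` case is the one this issue describes: the status is still an error, but the body is a page rather than the JSON the UI expects, so checking the Content-Type before parsing is what turns a blank screen into a message the user can act on.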
bjarneo commented 6 months ago

Most likely this is a bug with your setup, not the application itself.

bjarneo commented 6 months ago

How about having a look at the docker logs for the container? What is the error message there?

SajidK25 commented 6 months ago

@bjarneo thanks for the reply. There is no error in the docker logs for the Hemmelig container. (Screenshot: docker logs from 2024-02-04)

Here is the whoami output:

Hostname: 65f15d368a8f
IP: 127.0.0.1
IP: 192.168.32.6
RemoteAddr: 192.168.32.2:39620
GET / HTTP/1.1
Host: whoami.domain
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,fr;q=0.8,hi;q=0.7,bn;q=0.6
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: Client_Public_IP
X-Forwarded-Host: whoami.domain
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: d9c59586ddc7
X-Real-Ip: Client_Public_IP

SajidK25 commented 6 months ago

The Restrict IP feature is working perfectly. However, when I try to access the secret from a different IP, an error box should be raised. That error box is not showing anywhere across the deployment.

bjarneo commented 6 months ago

I am not helping people who take donations and credit for a product they copied and changed the text and logo of.

It is also custom modified.

Even though this code is under the MIT license, it does not mean I do tech support in cases like this.