Lissy93 / dashy

🚀 A self-hostable personal dashboard built for you. Includes status-checking, widgets, themes, icon packs, a UI editor and tons more!
https://dashy.to
MIT License

[BUG] Pages unable to pull remote server config. #1695

Open tuxpowered opened 1 day ago

tuxpowered commented 1 day ago

Environment

Self-Hosted (Docker)

System

docker

Version

current

Describe the problem

Trying to add a page from a remote Dashy install; unfortunately it errors out with the dialog:

> Dashy has failed to load correctly due to a configuration error.
>
> Ensure that
> - The configuration file can be found at the specified location
> - There are no CORS rules preventing client-side access
> - The YAML is valid, parsable and matches the schema
>
> Error Details
> Unable to load config from 'https://username:password@dashy.DOMAIN.COM/conf.yml'
>
> Next Steps
> - Check the browser console for more details ([see how](https://github.com/Lissy93/dashy/blob/master/docs/troubleshooting.md#how-to-open-browser-console))
> - View the [Troubleshooting Guide](https://github.com/Lissy93/dashy/blob/master/docs/troubleshooting.md) and [Docs](https://dashy.to/docs/)
> - If you've verified the config is present, accessible and valid, and cannot find the solution in the troubleshooting, docs or GitHub issues, then [open a ticket on GitHub](https://github.com/Lissy93/dashy/issues/new/choose)
> - Click 'Ignore Critical Errors' below to not show this warning again

Looking at the browser console, I get this error, however....

```
Access to XMLHttpRequest at 'https://username:password@dashy.DOMAIN.COM/conf.yml' from origin 'http://172.31.10.227:8004' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
CoolConsole.js:11
```

The remote Dashy is protected by HTTP Basic auth handled by Nginx Proxy Manager (NPM). When I tried passing the credentials in the URL `https://username:password@dashy.DOMAIN.COM/conf.yml` from an unauthenticated browser, it works fine, no problem.

```
* Host dashy.DOMAIN.COM:443 was resolved.
* IPv6: (none)
* IPv4: X.X.X.X
*   Trying X.X.X.X:443...
* Connected to dashy.DOMAIN.COM (X.X.X.X) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=dashy.DOMAIN.COM
*  start date: Sep  9 16:34:20 2024 GMT
*  expire date: Dec  8 16:34:19 2024 GMT
*  subjectAltName: host "dashy.DOMAIN.COM" matched cert's "dashy.DOMAIN.COM"
*  issuer: C=US; O=Let's Encrypt; CN=E6
*  SSL certificate verify ok.
* using HTTP/2
* Server auth using Basic with user 'username'
* [HTTP/2] [1] OPENED stream for https://username:password@dashy.DOMAIN.COM/conf.yml
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: dashy.DOMAIN.COM]
* [HTTP/2] [1] [:path: /conf.yml]
* [HTTP/2] [1] [authorization: Basic BASICAUTHHASH]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /conf.yml HTTP/2
> Host: dashy.DOMAIN.COM
> Authorization: Basic BASICAUTHHASH
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< server: openresty
< date: Fri, 20 Sep 2024 18:02:32 GMT
< content-type: text/yaml; charset=UTF-8
< content-length: 11886
< x-powered-by: Express
< accept-ranges: bytes
< cache-control: public, max-age=0
< last-modified: Fri, 20 Sep 2024 17:15:59 GMT
< etag: W/"2e6e-192106ef165"
< x-served-by: dashy.DOMAIN.COM
<
appConfig:
  theme: lissy
...
```

The above curl was run from the local docker server running dashy.

Additional info

No response


tuxpowered commented 1 day ago

I did a random test using the endpoint https://snippet.host/tvcw/raw used in the documentation and the same errors happen.

So I am thinking there is nothing wrong with the proxy settings, and this is a dashy issue.

hockwill commented 23 hours ago

The error message from the browser console says it did not fetch the remote resource at all as the page that was requesting the resource and the resource are from different origins. Browsers check the Access-Control-Allow-Origin header before requesting content.

While using https you need proper configuration of CORS.
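
An added example, not part of the thread and not Dashy's code: a simplified version of the checks a browser applies to a preflight (`OPTIONS`) response, which curl never performs. Only the origin comes from the console error above; the request shape (a GET carrying an `Authorization` header) and the three sample responses are constructed assumptions.

```javascript
// Added example (not Dashy code): simplified CORS-preflight check after the Fetch standard.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const split = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);

// req: { origin, method, headers: [names], withCredentials }
// res: the OPTIONS response, { status, headers: { 'lower-case-name': value } }
function checkPreflight(req, res) {
  const h = res.headers;
  const fail = (reason) => ({ ok: false, reason });
  const allowOrigin = h['access-control-allow-origin'];
  if (!allowOrigin) return fail('no Access-Control-Allow-Origin header');
  if (allowOrigin === '*' ? req.withCredentials : allowOrigin !== req.origin) {
    return fail('Access-Control-Allow-Origin does not match the origin');
  }
  if (req.withCredentials && h['access-control-allow-credentials'] !== 'true') {
    return fail('Access-Control-Allow-Credentials is not "true"');
  }
  if (res.status < 200 || res.status > 299) return fail('preflight status is not 2xx');
  const wildcard = !req.withCredentials; // "*" only counts without credentials
  const methods = split(h['access-control-allow-methods']);
  if (!SAFE_METHODS.has(req.method) && !methods.includes(req.method)
      && !(wildcard && methods.includes('*'))) {
    return fail(`method ${req.method} not allowed`);
  }
  const allowed = split(h['access-control-allow-headers']).map((s) => s.toLowerCase());
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    if (SAFE_HEADERS.has(name)) continue;
    // Authorization is never covered by "*"; it has to be listed by name.
    const viaStar = wildcard && name !== 'authorization' && allowed.includes('*');
    if (!allowed.includes(name) && !viaStar) return fail(`header ${name} not allowed`);
  }
  return { ok: true, reason: 'preflight passes' };
}

// Assumed request: the origin from the console error, GET with an Authorization header.
const request = { origin: 'http://172.31.10.227:8004', method: 'GET',
  headers: ['Authorization'], withCredentials: false };
// Constructed OPTIONS responses (not captured from the reporter's proxy).
const samples = {
  authBeforeCors: { status: 401, headers: { 'www-authenticate': 'Basic realm="constructed"' } },
  starHeaders: { status: 204, headers: { 'access-control-allow-origin': request.origin,
    'access-control-allow-headers': '*' } },
  explicit: { status: 204, headers: { 'access-control-allow-origin': request.origin,
    'access-control-allow-headers': 'Authorization' } },
};
for (const [name, res] of Object.entries(samples)) {
  console.log(name, checkPreflight(request, res));
}
```

Browsers send the preflight without credentials, so the `authBeforeCors` sample models a proxy that answers `OPTIONS` with an auth challenge before any CORS headers are attached.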