dec0dOS / zero-ui

ZeroUI - ZeroTier Controller Web UI - is a web user interface for a self-hosted ZeroTier network controller.
GNU General Public License v3.0

bug: Log Out option is redundant when using DISABLE_AUTH #80

Closed drtech981 closed 2 years ago

drtech981 commented 2 years ago

When using DISABLE_AUTH, the log out button should be disabled / greyed out. Accidentally clicking on logout breaks my reverse proxy, I have to manually restart NGINx.

9p4 commented 2 years ago

Author of feature here. What does your NGINX config look like? I am not seeing this issue with Apache.

drtech981 commented 2 years ago

@9p4 I am using NGINX Proxy Manager, so the config is not available as such. However, if you still want it:

```nginx
server {
  set $forward_scheme http;
  set $server         "10.0.0.148";
  set $port           8006;
  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name zeroui.drtech981.cc;
  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-2/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-2/privkey.pem;
  # Asset Caching
  include conf.d/include/assets.conf;
  # Block Exploits
  include conf.d/include/block-exploits.conf;
```
9p4 commented 2 years ago

Tracked the issue down to here:

https://nginxproxymanager.com/faq/#when-adding-username-and-password-access-control-to-a-proxy-host-i-can-no-longer-login-into-the-app

> Having an Access Control List (ACL) with username and password requires the browser to always send this username and password in the Authorization header on each request. If your proxied app also requires authentication (like Nginx Proxy Manager itself), most likely the app will also use the Authorization header to transmit this information, as this is the standardized header meant for this kind of information. However having multiples of the same headers is not allowed in the internet standard and almost all apps do not support multiple values in the Authorization header. Hence one of the two logins will be broken. This can only be fixed by either removing one of the logins or by changing the app to use other non-standard headers for authorization.

The issue is that ZeroUI is sending an Authorization header which overrides Nginx's Authorization header. This would cause the app to not work (401), but I don't know why your Nginx is crashing...

I'll see if I can fix this :)
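The header collision described above, simulated as an added example (not ZeroUI's or Nginx Proxy Manager's code): a Basic-auth ACL at the proxy and a Bearer-token check in the app both read the single `Authorization` header, so whichever credential the browser sends, one of the two checks fails; moving the app's token to a separate header (`X-ZeroUI-Token` here is a hypothetical name) or running with DISABLE_AUTH avoids the collision. All credentials are constructed sample values.

```python
import base64
from typing import Dict, Optional, Tuple

# Constructed sample values, not real credentials.
ACL_USERS = {"admin": "s3cret"}           # proxy ACL (Basic auth) user database
APP_TOKEN = "constructed-bearer-token"    # token the app's front end sends

def proxy_acl(headers: Dict[str, str]) -> Tuple[int, Optional[Dict[str, str]]]:
    """Simulate the reverse proxy's Basic-auth ACL: 401, or 200 plus forwarded headers."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return 401, None              # a Bearer value is rejected by the proxy
    try:
        user, _, pw = base64.b64decode(param, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, None
    if ACL_USERS.get(user) != pw:
        return 401, None
    return 200, dict(headers)         # request headers are passed upstream unchanged

def app_auth(headers: Dict[str, str], token_header: str, disable_auth: bool) -> int:
    """Simulate the app's token check; token_header is the header the app reads."""
    if disable_auth:
        return 200
    scheme, _, token = headers.get(token_header, "").partition(" ")
    return 200 if scheme.lower() == "bearer" and token == APP_TOKEN else 401

def request(browser_headers: Dict[str, str], token_header: str = "Authorization",
            disable_auth: bool = False) -> int:
    """Browser -> proxy ACL -> app, returning the status the browser finally sees."""
    status, forwarded = proxy_acl(browser_headers)
    if status != 200:
        return status
    return app_auth(forwarded, token_header, disable_auth)

def basic(user: str, pw: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def scenarios() -> Dict[str, int]:
    acl = basic("admin", "s3cret")
    bearer = "Bearer " + APP_TOKEN
    return {
        # Browser sends the ACL credential: proxy passes, app sees "Basic ..." -> 401
        "basic_only_same_header": request({"Authorization": acl}),
        # Browser sends the app token instead: proxy sees "Bearer ..." -> 401
        "bearer_only_same_header": request({"Authorization": bearer}),
        # App reads a hypothetical separate header: both checks pass -> 200
        "separate_header": request({"Authorization": acl, "X-ZeroUI-Token": bearer},
                                   token_header="X-ZeroUI-Token"),
        # DISABLE_AUTH: only the proxy ACL is consulted -> 200
        "disable_auth": request({"Authorization": acl}, disable_auth=True),
    }
```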

drtech981 commented 2 years ago

In retrospect, I believe that the issue might have been due to caching, which I forgot to disable/clear.

I started with a fresh install, and I haven't been able to reproduce the error again.

But, as @9p4 noted, Authorization headers may be causing some issue which I haven't encountered yet, so it's up to you, the holy developers, how to handle this 😅.