digitalfondue / lavagna

Lavagna: issue tracker/project management tool
http://lavagna.io
GNU General Public License v3.0

websocket 403 if use caddy for reverse proxy #128

Closed hdhog closed 3 years ago

hdhog commented 4 years ago

Caddy config

kb kb.example.com {
    tls admin@example.com {
        ca https://ca.example.com/acme/acme/directory
    }

    proxy / http://127.0.0.1:8080 {
        insecure_skip_verify
        websocket
        transparent
    }

    log /var/log/caddy/access.kb.log {
        rotate_size 10
        rotate_age 10
        rotate_keep 10
        rotate_compress
    }

    errors /var/log/caddy/errors.kb.log {
        rotate_size 10
        rotate_age 10
        rotate_keep 10
        rotate_compress
    }
}

Lavagna running in official docker container.

Browser console image

traffic info

image

Response headers

HTTP/1.1 403 Forbidden
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Date: Mon, 20 Jan 2020 08:49:30 GMT
Expires: 0
Host: localhost
Pragma: no-cache
Server: Jetty(9.4.24.v20191120)
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Body-Type-Options: nosniff
X-Csrf-Token: b7ed263d-2010-4538-90a3-10ed5dd8a44f
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Content-Length: 20
Content-Type: text/plain; charset=utf-8

Request headers

Host: kb.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 13
Origin: https://kb.example.com
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: v0LLYSAvZ3IaWrBDH82Fxw==
DNT: 1
Connection: keep-alive, Upgrade
Cookie: LAVAGNA_SESSION_ID=node0cbqy9r5dhff91927w9tl69qo81.node0
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

SitoCH commented 4 years ago

Unfortunately we don't know much about Caddy. You can search other issues for the configuration of Apache or NGINX; maybe it'll help you.

joegyoung commented 4 years ago

I had the same problem with Apache. It took several days of fiddling. I had an open issue right before yours even. Here is what I remember adding to my Apache config.

    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set  Origin "http://project.<domain>"
    RequestHeader set Access-Control-Allow-Origin: "https://project.<domain>"
    Header always set Access-Control-Allow-Origin "*"

Lavagna does a CORS-like check and then denies the connection.

EDIT: I included my full Apache config in my closed issue.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

sup39 commented 5 months ago

I had the same problem but resolved it by removing the Origin header sent to upstream, as SitoCH mentioned in https://github.com/digitalfondue/lavagna/issues/123#issuecomment-557836783:

example.com {
  reverse_proxy 127.0.0.1:8080 {
    header_up -Origin
  }
}
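
Added example (not Lavagna's code and not from any commenter): a generic same-origin check at the WebSocket handshake, of the kind the comments above describe, run over constructed upgrade requests as a backend would receive them from a proxy. The function names and sample requests are hypothetical, and it assumes a request with no Origin header is accepted, which is consistent with the `header_up -Origin` workaround; it shows that forwarding the public scheme and host keeps the check effective, while deleting Origin also admits a handshake started from a different site.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _norm(scheme, host, port):
    scheme = scheme.lower()
    return (scheme, host.lower(), int(port or DEFAULT_PORTS.get(scheme, 0)))

def backend_origin(headers, trust_forwarded):
    """Origin the backend believes it is served from (hypothetical helper)."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, hostport, port = "http", h["host"], None  # proxy-to-backend hop is plain HTTP
    if trust_forwarded:  # only safe when these headers can come from the proxy alone
        scheme = h.get("x-forwarded-proto", scheme)
        hostport = h.get("x-forwarded-host", hostport)
        port = h.get("x-forwarded-port")
    u = urlsplit("//" + hostport)
    return _norm(scheme, u.hostname, port or u.port)

def handshake_status(headers, trust_forwarded=True):
    """101 if the upgrade request passes the same-origin check, else 403."""
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" not in h:  # assumption: a missing Origin is accepted
        return 101
    o = urlsplit(h["origin"])
    if not o.scheme or not o.hostname:  # e.g. the opaque origin "null"
        return 403
    sent = _norm(o.scheme, o.hostname, o.port)
    return 101 if sent == backend_origin(headers, trust_forwarded) else 403

def strip_origin(headers):
    """What a proxy rule that deletes Origin hands to the backend."""
    return {k: v for k, v in headers.items() if k.lower() != "origin"}

# Constructed upgrade requests as the backend receives them.
REWRITTEN_HOST = {"Host": "127.0.0.1:8080", "Origin": "https://kb.example.com"}
FORWARDED = {"Host": "kb.example.com", "X-Forwarded-Proto": "https",
             "Origin": "https://kb.example.com"}
CROSS_SITE = dict(FORWARDED, Origin="https://other.example")

if __name__ == "__main__":
    for name, req in [("rewritten host", REWRITTEN_HOST), ("forwarded", FORWARDED),
                      ("cross-site", CROSS_SITE),
                      ("cross-site, Origin stripped", strip_origin(CROSS_SITE))]:
        print(f"{name:28} -> {handshake_status(req)}")
```

The same comparison fails when the backend ignores the forwarded headers, so both halves matter: the proxy must send them and the backend must be configured to trust them from the proxy only.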