frondeus / fvtt-syrin-control

Syrinscape Online Control plugin for FoundryVTT
MIT License

Question/Help --- CORS #32

Closed karpana closed 2 years ago

karpana commented 2 years ago

TL;DR Does the CORS-anywhere service/app need to be 'presented' to Foundry server within the same domain that's running a foundry instance? Or can I run it on a different server/device?

Backgrounder: I run my foundry setup on a self-hosted Raspberry Pi 4. This physical server is running 4 separate copies of the foundry Server, each running a different campaign. This setup is required to allow my players to access their character sheets, journal notes, etc. at any time, without any involvement from me. To facilitate the "distinction" of these 4 servers, each is served up behind a reverse proxy, with each having its own FQDN, e.g. campaign1.domain.net, campaign2.domain.net, etc.

While I have Syrinscape working fine in all 4 campaigns using the CSV model, it's quite the pain to keep on top of the updates coming from Syrinscape, and I'm wanting to move to CORS-anywhere.

What I can't figure out is where CORS-anywhere should be "presented" from a foundry perspective. Can I have a single CORS-anywhere instance running on a different host/server for all the instances to share? Do I have to run this single instance on the server hosting my 4 foundry VTT instances? Or do I need to have 4 copies of the CORS-anywhere stack running inside my host? Does the cors-anywhere instance need to be on my reverse proxy?

frondeus commented 2 years ago

As far as I know, you can run one CORS server on your RP4 and put it behind a reverse proxy under a unique name like cors.domain.net.

There are two things to consider:

  1. SyrinControl is a plugin used only by GM, and it is running on the GM browser only. That means you can run the CORS server on your local machine and point the SyrinControl to the localhost address. This is my setup:
    https://localhost:8443/cors/https://syrinscape.com/online/frontend-api/

    When my campaign is hosted on xyz.eu.forge-vtt.com/game

Then you are 100% sure that only you can use CORS. It's the best option for security, but it's inconvenient because every time you change the PC, you need to install and set up CORS.

It also means it has to be available to your browser, either by making it public to the whole world or your intranet or local network.

  2. CORS can be dangerous, especially if you are going to host it on a publicly available machine. a) One could use your server as a proxy for an attack. b) By default, CORS allows routing requests from any domain to any URL address. I suggest limiting it so it can only be used from campaign.domain.net AND by hardwiring that only the Syrinscape Online Frontend API can be the target. I would even consider doing an IP allowlist.

By doing so, you make sure that no one can use CORS to, for example, attack your internal network.

karpana commented 2 years ago

so to clarify ... the https://localhost:8443/cors/https://syrinscape.com/online/frontend-api/ URL is not the URL from the context of the server (in my case, RPI in my own network), but rather the URL from the context of the GM's PC?

frondeus commented 2 years ago

Yes, that is correct. AFAIK all FoundryVTT modules are running on the browser side instead of the server side. Otherwise, CORS wouldn't be a problem because CORS is a browser feature and does not exist on the server side.

frondeus commented 2 years ago

@karpana - Is this issue solved?

karpana commented 2 years ago

Officially no.
But the issues are on my side with trying to get cors to work.

This ticket/question can be closed

frondeus commented 2 years ago

Since the CORS issue is out of my jurisdiction I would recommend writing a comment here: https://forum.syrinscape.com/t/syrincontrol-wip-foundryvtt-module-integration/13274 to show Syrinscape Team how important it is.