Closed Ghooosstt closed 2 months ago
I have tested the update on umbrelOS 1.0.4 on my Raspberry Pi 5.
Hey @Ghooosstt nice work finding the PROXY_TRUST_UPSTREAM environment variable for the app_proxy and troubleshooting 👌.
We've looked into this exact issue before https://github.com/getumbrel/umbrel-apps/pull/102#issuecomment-1207184997, but have decided that we cannot have lnbits blindly trusting the upstream as a default setting for the app, as it makes it trivial to spoof certain potentially important HTTP headers. PROXY_TRUST_UPSTREAM="true" is only safe when running Umbrel's app proxy behind a trusted proxy that sanitizes header values, not when exposing the Umbrel app proxy directly, which is the common use case.
While we can't have this set as default for everyone, there is a way that you can set this variable and have it persist across app updates:
You can create a .env.app_proxy config file in the lnbits directory with PROXY_TRUST_UPSTREAM=true. This file will persist across app updates so you only need to set it once.
For lnbits the file should live at ~/umbrel/app-data/lnbits/.env.app_proxy. As of umbrelOS 1.1 you can access the terminal from the Settings page > Advanced settings > Terminal > umbrelOS and run your commands there to add the .env.app_proxy file. After saving the file you'll need to restart lnbits by right-clicking on the app and restarting.
I'm going to close this PR, but feel free to tag me to continue the conversation.
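Added example, not part of the thread and not Umbrel's app_proxy code: a generic model of the trust decision described in the comment above, showing what an app ends up seeing when a proxy does or does not trust forwarding headers from the previous hop. The X-Forwarded-* header set, the leftmost-entry convention in `appView`, the function names and all addresses and hostnames are assumptions constructed for illustration.

```javascript
// Generic model of a proxy's "trust upstream" switch (hypothetical names,
// not Umbrel's app_proxy code).
const FORWARDED = ["x-forwarded-for", "x-forwarded-proto", "x-forwarded-host"];

// incoming: headers as received from the previous hop.
// conn: facts this proxy observed itself (peer address, scheme, Host).
function forwardedHeaders(incoming, conn, trustUpstream) {
  const out = {};
  for (const [name, value] of Object.entries(incoming)) out[name.toLowerCase()] = value;
  if (!trustUpstream) {
    // Untrusted hop: discard its claims and assert only what we observed.
    for (const name of FORWARDED) delete out[name];
    out["x-forwarded-for"] = conn.peer;
    out["x-forwarded-proto"] = conn.proto;
    out["x-forwarded-host"] = conn.host;
    return out;
  }
  // Trusted hop: keep its claims, fill in only what is missing.
  const prior = out["x-forwarded-for"];
  out["x-forwarded-for"] = prior ? `${prior}, ${conn.peer}` : conn.peer;
  out["x-forwarded-proto"] = out["x-forwarded-proto"] || conn.proto;
  out["x-forwarded-host"] = out["x-forwarded-host"] || conn.host;
  return out;
}

// Assumed app behaviour: client = leftmost X-Forwarded-For entry.
function appView(headers) {
  return {
    client: headers["x-forwarded-for"].split(",")[0].trim(),
    proto: headers["x-forwarded-proto"],
  };
}

// Constructed sample requests (documentation address ranges).
function scenarios() {
  const direct = { peer: "203.0.113.7", proto: "http", host: "umbrel.local" };
  const claimed = { "X-Forwarded-For": "10.0.0.1", "X-Forwarded-Proto": "https" };
  const viaNginx = { peer: "172.18.0.1", proto: "http", host: "umbrel.local" };
  const fromNginx = { "X-Forwarded-For": "198.51.100.20", "X-Forwarded-Proto": "https",
                      "X-Forwarded-Host": "lnbits.example.com" };
  return {
    directTrusting: appView(forwardedHeaders(claimed, direct, true)),
    directStrict: appView(forwardedHeaders(claimed, direct, false)),
    behindSanitizer: appView(forwardedHeaders(fromNginx, viaNginx, true)),
    behindSanitizerStrict: appView(forwardedHeaders(fromNginx, viaNginx, false)),
  };
}

console.log(scenarios());
```

In the `directTrusting` case the app accepts a client address and scheme that the requester chose, while `behindSanitizer` yields the real values only because the upstream hop rewrote the headers first.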
Hi @nmfretz thank you for your reply.
If I understand correctly, using my nginx reverse proxy I can use this option without worries, but without reverse proxy we cannot set this option by default because if a user exposes lnbits directly on the clear web this option has an impact on lnbits security?
Thanks for the explanation. Cheerz!
Ghoost
@Ghooosstt, yes that is exactly right!
Add PROXY_TRUST_UPSTREAM: "true" in lnbits/docker-compose.yml to make lnbits work in clearnet using nginx reverse proxy with SSL certificate.