getumbrel / umbrel-apps

The official app repository of the Umbrel App Store. Submit apps and updates here. Learn how → https://github.com/getumbrel/umbrel-apps#readme
https://apps.umbrel.com

[FIX] [BUG] Update lnbits docker-compose.yml (#1033) #1037

Closed Ghooosstt closed 2 months ago

Ghooosstt commented 2 months ago

Add PROXY_TRUST_UPSTREAM: "true" in lnbits/docker-compose.yml to make lnbits work in clearnet using nginx reverse proxy with SSL certificate.

Ghooosstt commented 2 months ago

I have tested the update on umbrelOS 1.0.4 on my Raspberry Pi 5.

nmfretz commented 2 months ago

Hey @Ghooosstt nice work finding the PROXY_TRUST_UPSTREAM environment variable for the app_proxy and troubleshooting 👌.

We've looked into this exact issue before https://github.com/getumbrel/umbrel-apps/pull/102#issuecomment-1207184997, but have decided that we cannot have lnbits blindly trusting the upstream as a default setting for the app, as it makes it trivial to spoof certain potentially important HTTP headers. PROXY_TRUST_UPSTREAM="true" is only safe when running Umbrel's app proxy behind a trusted proxy that sanitizes header values, not when exposing the Umbrel app proxy directly, which is the common use case.

Solution

While we can't have this set as default for everyone, there is a way that you can set this variable and have it persist across app updates:

You can create a .env.app_proxy config file in the lnbits directory with PROXY_TRUST_UPSTREAM=true. This file will persist across app updates so you only need to set it once.

For lnbits the file should live at ~/umbrel/app-data/lnbits/.env.app_proxy. As of umbrelOS 1.1 you can access the terminal from the Settings page > Advanced settings > Terminal > umbrelOS and run your commands there to add the .env.app_proxy file. After saving the file you'll need to restart lnbits by right-clicking on the app and restarting.

I'm going to close this PR, but feel free to tag me to continue the conversation.

Ghooosstt commented 2 months ago

Hi @nmfretz thank you for your reply.

If I understand correctly, using my nginx reverse proxy I can use this option without worries, but without reverse proxy we cannot set this option by default because if a user exposes lnbits directly on the clear web this option has an impact on lnbits security?

Thanks for the explanation. Cheerz!

Ghoost

nmfretz commented 2 months ago

@Ghooosstt, yes that is exactly right!
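
The trust model confirmed in this exchange, as an added example that is not part of the thread and is not Umbrel's app proxy code: a simplified Python model of how a proxy handles X-Forwarded-* headers with and without an upstream-trust switch. The thread does not say which headers PROXY_TRUST_UPSTREAM affects, so the X-Forwarded-* set, the function names, the addresses and the `trusted_proxies` allowlist are assumptions made for illustration.

```python
import ipaddress


def headers_for_backend(inbound, peer_ip, scheme, host,
                        trust_upstream, trusted_proxies=()):
    """Hypothetical model of a proxy's X-Forwarded-* handling.

    trust_upstream=True keeps inbound X-Forwarded-* values; False replaces
    them with what this proxy saw on the socket. trusted_proxies (CIDR
    strings) optionally limits that trust to known peer addresses.
    """
    out = {k.lower(): v for k, v in inbound.items()}
    peer = ipaddress.ip_address(peer_ip)
    peer_ok = not trusted_proxies or any(
        peer in ipaddress.ip_network(net) for net in trusted_proxies)
    if trust_upstream and peer_ok:
        prior = out.get("x-forwarded-for")
        out["x-forwarded-for"] = f"{prior}, {peer_ip}" if prior else peer_ip
        out.setdefault("x-forwarded-proto", scheme)
        out.setdefault("x-forwarded-host", host)
    else:
        out["x-forwarded-for"] = peer_ip
        out["x-forwarded-proto"] = scheme
        out["x-forwarded-host"] = host
    return out


def client_ip_seen_by_app(headers):
    """What an app that reads the first X-Forwarded-For entry would record."""
    return headers["x-forwarded-for"].split(",")[0].strip()


# Constructed sample data (documentation and private address ranges).
CLIENT = "203.0.113.50"      # real remote client
FRONT_PROXY = "10.0.0.2"     # sanitizing nginx in front of the app proxy
FORGED = {"X-Forwarded-For": "127.0.0.1", "X-Forwarded-Proto": "https"}
SANITIZED = {"X-Forwarded-For": CLIENT, "X-Forwarded-Proto": "https"}


def scenarios():
    def seen(inbound, peer, **kw):
        return client_ip_seen_by_app(
            headers_for_backend(inbound, peer, "http", "umbrel.local", **kw))
    return {
        # Exposed directly with trust on: the client-supplied value reaches the app.
        "direct_trust_on": seen(FORGED, CLIENT, trust_upstream=True),
        # Same request with trust off: overwritten with the socket peer.
        "direct_trust_off": seen(FORGED, CLIENT, trust_upstream=False),
        # Behind the sanitizing front proxy with trust on: real client kept.
        "behind_proxy": seen(SANITIZED, FRONT_PROXY, trust_upstream=True),
        # Trust pinned to the front proxy's subnet: direct request overwritten.
        "direct_pinned": seen(FORGED, CLIENT, trust_upstream=True,
                              trusted_proxies=("10.0.0.0/24",)),
    }
```

Only the `direct_trust_on` case records an address the client chose; the other three record the real client, which is why the setting is acceptable behind a sanitizing proxy but not as a default.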