janeczku / calibre-web

:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database
GNU General Public License v3.0

Cloudflare Logouts #2381

Closed arctichomelab closed 2 years ago

arctichomelab commented 2 years ago

Describe the bug/problem

Checked the wiki and issues.

I'm running into a similar issue as #1466, but without the tolino. My issue relates to regular use of the webui.

Since 6.12 (last usable release for me), the session seems to reset on navigating to a new page and forces login again.

I have my setup as follows:

Public > Cloudflare WAF > Nginx reverse proxy > Calibre-web

I believe this may be due to the application seeing multiple IPs and not trusting the session.

To Reproduce

Steps to reproduce the behavior: This is a global issue, create your setup as above and compare 6.12 to the latest release.

Logfile


[2022-04-22 13:53:45,142]  INFO {cps:140} Starting Calibre Web...
[2022-04-22 13:53:45,366]  INFO {cps.server:205} Starting Gevent server on [::]:8083
[2022-04-22 13:53:54,482] DEBUG {cps.ub:80} Login and store session : 0f1e779136caa75511990b85159a4fb401fea3ef5eb41143c9559f3ea7580af006ba44327088f2233f514e522477b70adfaa3d8335f7e595dad4750038867048
[2022-04-22 13:53:54,484] DEBUG {cps.ub:82} Found stored session: 0f1e779136caa75511990b85159a4fb401fea3ef5eb41143c9559f3ea7580af006ba44327088f2233f514e522477b70adfaa3d8335f7e595dad4750038867048
[2022-04-22 13:53:54,487] DEBUG {cps.web:1550} You are now logged in as: 'xxxxxx'
[2022-04-22 13:53:57,069] DEBUG {cps.updater:324} Stable version: {'version': '0.6.18'}
[2022-04-22 13:54:22,003] DEBUG {cps.updater:324} Stable version: {'version': '0.6.18'}
[2022-04-22 13:54:48,020] DEBUG {cps.ub:82} Found stored session: 0f1e779136caa75511990b85159a4fb401fea3ef5eb41143c9559f3ea7580af006ba44327088f2233f514e522477b70adfaa3d8335f7e595dad4750038867048
[2022-04-22 13:54:48,022] DEBUG {cps.ub:82} Found stored session: 0f1e779136caa75511990b85159a4fb401fea3ef5eb41143c9559f3ea7580af006ba44327088f2233f514e522477b70adfaa3d8335f7e595dad4750038867048
[2022-04-22 13:54:48,022] DEBUG {cps.web:1550} You are now logged in as: 'xxxxxx'
[2022-04-22 13:54:51,469] DEBUG {cps.updater:324} Stable version: {'version': '0.6.18'}
[2022-04-22 13:55:14,032] DEBUG {cps.updater:324} Stable version: {'version': '0.6.18'}
[2022-04-22 13:55:31,245] DEBUG {cps.updater:324} Stable version: {'version': '0.6.18'}
[2022-04-22 13:55:33,782] DEBUG {cps.updater:324} Stable version: {'version': '0.6.18'}
[...]
[2022-04-22 13:56:58,487] DEBUG {cps.ub:82} Found stored session: 0f1e779136caa75511990b85159a4fb401fea3ef5eb41143c9559f3ea7580af006ba44327088f2233f514e522477b70adfaa3d8335f7e595dad4750038867048
[2022-04-22 13:56:58,488] DEBUG {cps.ub:82} Found stored session: 0f1e779136caa75511990b85159a4fb401fea3ef5eb41143c9559f3ea7580af006ba44327088f2233f514e522477b70adfaa3d8335f7e595dad4750038867048
[2022-04-22 13:56:58,488] DEBUG {cps.web:1550} You are now logged in as: 'xxxx'
[2022-04-22 13:57:00,218] DEBUG {cps.updater:324} Stable version: {'version': '0.6.18'}

Expected behavior

I expect to be able to browse normally and not be logged out randomly.

Environment


Additional context

None

OzzieIsaacs commented 2 years ago

I believe this may be due to the application seeing multiple IPs and not trusting the session.

Correct.

In the same issue (https://github.com/janeczku/calibre-web/issues/1466#issuecomment-1000231549) a solution was suggested. I'm not sure about this, therefore it's not changed yet. The side effect in my opinion would be that every user could only get logged in on one device, and as soon as you open Calibre-Web on another computer you would get logged out on the last computer. I'm using a web service which behaves like this and I find it very annoying.

arctichomelab commented 2 years ago

Honestly, I'm not sure how one would go about this. As I mentioned in that post, I'm not a software person at all - I do have a strong red-team/IT Security background though.

I personally see a few options here:

  1. Remove Cloudflare/WAF from the equation
    • I really don't like this idea as a lot of security issues can be mitigated here and it's an easy pane of glass to manage access
  2. Add a switch/security section either as a config or UI to allow users to control what they wish
    • One could set the defaults to what they are now, and allow further tightening/loosening of said controls

yeraycito commented 2 years ago

If you use Cloudflare/WAF, Nginx is unnecessary. Cloudflare always uses the same IPs to access your server, you just have to filter them in your router-firewall. You can see them here: https://www.cloudflare.com/ips/

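The mechanism the two comments above are circling, as an added example that is not code from this thread or from Calibre-Web: Calibre-Web builds on Flask-Login, whose "strong" session protection hashes the client address and User-Agent into a session identifier and logs the user out when that identifier no longer matches the one stored at login (the 128-hex-character keys in the log above are the shape of such a SHA-512 digest). The model below assumes that behaviour and assumes a proxy chain in which nginx forwards only the address of its own peer, so the app sees a different Cloudflare edge on each request; the trust list, the nginx address 10.0.0.5 and all request data are constructed for the example. It contrasts binding the session to the first X-Forwarded-For value (unstable behind Cloudflare and forgeable by anyone who reaches the app directly) with honouring forwarding headers only when the TCP peer is in the published Cloudflare ranges, which is the same trust boundary yeraycito describes at the firewall.

```python
import hashlib
import ipaddress

# Constructed trust list for this example. The two Cloudflare prefixes are the first
# entries of the list published at https://www.cloudflare.com/ips/ when this was written;
# fetch the current list rather than hard-coding it. 10.0.0.5 is an assumed address for
# the nginx reverse proxy in the reporter's chain.
TRUSTED_PROXIES = [
    ipaddress.ip_network("173.245.48.0/20"),
    ipaddress.ip_network("103.21.244.0/22"),
    ipaddress.ip_network("10.0.0.5/32"),
]


def is_trusted_proxy(addr, trusted=TRUSTED_PROXIES):
    """True if addr belongs to one of the proxies we operate or have deliberately allow-listed."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def naive_first_hop_addr(remote_addr, headers):
    """Bind the session to the first X-Forwarded-For value, falling back to the TCP peer.

    This mirrors the common pattern of honouring the header unconditionally. It is forgeable
    by anyone who can reach the app directly, and when the upstream proxy forwards only the
    address it saw, the value is a Cloudflare edge that changes from request to request.
    """
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_addr_from_headers(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Bind the session to the real visitor address, but only trust forwarding headers
    when the TCP peer is a known proxy."""
    if not is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    # Cloudflare sets CF-Connecting-IP to the visitor's address on every request it proxies.
    cf_ip = headers.get("CF-Connecting-IP")
    if cf_ip:
        return cf_ip.strip()
    # Fallback for other proxies: each hop appends the peer it saw to X-Forwarded-For, so walk
    # from the right and return the first hop that is not one of our own proxies.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, trusted):
            return hop
    return remote_addr


def session_identifier(addr, user_agent):
    """Modelled on Flask-Login's session identifier: SHA-512 over "<address>|<user-agent>"."""
    return hashlib.sha512(f"{addr}|{user_agent}".encode("utf-8")).hexdigest()


def session_survives(binding, stored_identifier, request, user_agent):
    """'Strong' session protection: the identifier recomputed for this request must match the
    one stored at login; otherwise the user is logged out."""
    return session_identifier(binding(**request), user_agent) == stored_identifier


# Constructed requests as the app sees them: one browser, two Cloudflare edge nodes, relayed by
# an nginx that forwards only the address of its own peer (the edge) in X-Forwarded-For.
UA = "Mozilla/5.0 (constructed example)"
VISITOR = "203.0.113.7"  # documentation range, stands in for the real visitor
REQ_EDGE_A = {"remote_addr": "10.0.0.5",
              "headers": {"CF-Connecting-IP": VISITOR, "X-Forwarded-For": "173.245.48.10"}}
REQ_EDGE_B = {"remote_addr": "10.0.0.5",
              "headers": {"CF-Connecting-IP": VISITOR, "X-Forwarded-For": "103.21.244.20"}}
# A client that bypasses the proxies and forges both headers to claim the visitor's address.
REQ_SPOOF = {"remote_addr": "198.51.100.9",
             "headers": {"CF-Connecting-IP": VISITOR, "X-Forwarded-For": VISITOR}}


if __name__ == "__main__":
    for name, binding in (("first X-Forwarded-For hop", naive_first_hop_addr),
                          ("trusted-proxy aware", client_addr_from_headers)):
        stored = session_identifier(binding(**REQ_EDGE_A), UA)
        print(f"{name}: second request keeps session = "
              f"{session_survives(binding, stored, REQ_EDGE_B, UA)}; "
              f"spoofed request binds to {binding(**REQ_SPOOF)}")
```

With the first-hop binding the identifier changes between the two edges and the second request is logged out, while the forged request is accepted as the visitor; with the trusted-proxy binding the session is stable across edges and the forged request stays bound to its own peer address. The same boundary can be enforced in front of the app instead, with nginx's real_ip module (`set_real_ip_from` for each Cloudflare range and `real_ip_header CF-Connecting-IP;`), so that the backend never sees an edge address at all; either way the trust list has to be refreshed from Cloudflare's published ranges, not frozen in a config.
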
arctichomelab commented 2 years ago

Fixed with:

https://github.com/janeczku/calibre-web/issues/2422#issuecomment-1174411840