timvisee / send

:mailbox_with_mail: Simple, private file sharing. Mirror of https://gitlab.com/timvisee/send
https://send.vis.ee
Mozilla Public License 2.0

basic authentication with nginx #72

Open sakoula opened 2 years ago

sakoula commented 2 years ago

Hi There,

I am trying to install send on a docker host behind an nginx proxy with basic authentication.

Upload works just fine over basic auth, but when I try to use the link

https://send.xxx.xx/download/aa7eb17b6ecad900/#1H8YgkdfhmUq1dd6ebnMcg

it pops up the authentication window and then I always get the "link expired" page. This behaviour is consistent across all browsers. By looking at the network tab in the browser I can see that some of the requested resources, such as app.webmanifest, get an HTTP 401 code. So it seems that somehow the browser requests some resources without passing the authentication header?

Is this a known issue? Is there a standard way to deploy send behind a proxy with basic auth? I can provide more details but I was just wondering if I am missing something basic (e.g. explicitly tell nginx to pass a specific header).

Thanks!

timvisee commented 2 years ago

So it seems that somehow the browser requests some resources without passing the authentication header?

I'm not sure.

Is this a known issue? Is there a standard way to deploy send behind a proxy with basic auth?

It is not. I have never deployed Send with BasicAuth myself, though there have been others who did, with success. I don't have much experience with BasicAuth either; it may be worth checking what headers affect it.

Please note that when uploading a file, it is done so over a websocket rather than a regular HTTP request. That might need special attention.

DavyLandman commented 2 years ago

I've been debugging this, and it looks like the XHR requests don't use the credentials of the browser? That means that the calls to the API fail, and that is what is causing the downloads to fail.


I've been reading a bit, and it seems like it might be resolved by setting the withCredentials property on the xhr, but I don't know how to test that currently.

martin-braun commented 2 years ago

@timvisee I think it would make sense to provide a way to configure credentials in the server configuration that need to be entered, for home use. I'd like to host Send for my partner and me, and I wish to prevent strangers from using it on my server.

ben-64 commented 1 year ago

I face exactly the same problem. Due to basic authentication and reverse proxy, all links are expired, but the real reason is the authentication problem.

AlassaneWone commented 7 months ago

I don't know if this is relevant or helpful, but I just implemented Send with basic authentication on my Apache server.

I created users and passwords using this command (-c creates the file, so if you want to add more users later, leave it out):

htpasswd -c /etc/apache2/.htpasswd <username>

I also added this bit of configuration to the VirtualHost so that everyone can access downloads via links, but only authenticated users can access the upload page.

        # Apache 2.4 syntax; the 2.2-era Order/Allow/Satisfy directives
        # only work with mod_access_compat loaded.
        # Only the upload page at "/" requires a login.
        <LocationMatch "^/$">
                AuthType Basic
                AuthName "Send"
                AuthUserFile /etc/apache2/.htpasswd
                Require valid-user
        </LocationMatch>

        # Download links stay reachable without credentials.
        <LocationMatch "^/download/">
                Require all granted
        </LocationMatch>

However, there's still an issue I couldn't figure out how to resolve. Accessing the download page and clicking on the 'Send' logo (top left of the page) takes an unauthenticated user to the upload page without requiring a username or password.

Feel free to notify me if you discover a better solution, security issues, or anything that could be improved.

nickelswitte commented 2 months ago

Has anyone here found a solution that works with Nginx Proxy Manager?

martin-braun commented 2 months ago

@nickelswitte Can't help with that, but I'd like to mention that I switched to psitransfer which provides a simple password protection layer in the GUI itself that prevents strangers from uploading files to your server.
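An nginx configuration for the setup the original question and AlassaneWone's Apache snippet describe, added here as an example; it is not from the Send project or from anyone in this thread. It puts uploading behind Basic auth while leaving download links public. Two details it accounts for: the Apache snippet above gates only the HTML page at `/`, not the upload endpoint itself, so anyone who knows the API path can still upload; and the 401 on `app.webmanifest` that the reporter saw is expected, because browsers fetch a web app manifest without credentials unless the `<link rel="manifest">` tag carries `crossorigin="use-credentials"`, so the manifest and the other static assets are simply left public here. The route names (`/api/ws` for the upload websocket; `/api/metadata/`, `/api/download/`, `/api/exists/` and `/api/info/` for the download side), the asset extensions and the upstream address `127.0.0.1:1443` are assumptions to check against `server/routes` in the Send version being deployed.

```nginx
# Added example, not the Send project's own configuration.
# Assumptions (verify against your Send version's server/routes):
#   - upload goes over a websocket at /api/ws
#   - downloads use /download/<id> plus /api/{metadata,download,exists,info}/<id>
#   - Send listens on 127.0.0.1:1443
server {
    listen 443 ssl;
    server_name send.example.com;          # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted

    client_max_body_size 0;                # let Send enforce its own size limit
    proxy_http_version 1.1;

    # Public: download page, the API calls it makes, static assets and the
    # manifest (the manifest is requested without credentials anyway).
    location ~ "^/(download/|api/(metadata|download|exists|info)/)" {
        proxy_pass http://127.0.0.1:1443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location ~ "^/(app\.webmanifest|.*\.(js|css|png|svg|ico|woff2?))$" {
        proxy_pass http://127.0.0.1:1443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Upload websocket: this is the endpoint that actually needs protecting.
    # Exact-match locations win over the regex ones above.
    location = /api/ws {
        auth_basic "Send";
        auth_basic_user_file /etc/nginx/send.htpasswd;
        proxy_pass http://127.0.0.1:1443;
        # proxy_set_header is not inherited once a location defines its own,
        # so the forwarding headers are repeated alongside the Upgrade headers.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 3600s;          # long uploads must not hit the 60s idle default
    }

    # Everything else (upload page, owner-side API such as delete/password):
    # Basic auth.
    location / {
        auth_basic "Send";
        auth_basic_user_file /etc/nginx/send.htpasswd;
        proxy_pass http://127.0.0.1:1443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The password file is created the same way as for Apache (`htpasswd -c /etc/nginx/send.htpasswd <username>`, from apache2-utils or httpd-tools). Because the websocket handshake at `/api/ws` is the gated request, the client-side navigation AlassaneWone describes (reaching the upload UI from a download page by clicking the logo) stops mattering: the page renders, but the upload fails without credentials. Browsers do not show a login prompt for a 401 on a websocket handshake, so users should open `/` first to get the prompt and have the browser cache the credentials; the Nginx Proxy Manager question maps onto the same idea, with the `auth_basic` lines attached to the host's default location and the `/download/`, `/api/...` and asset paths added as unauthenticated custom locations.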