http_sec_fetch with http_referrer fallback

2026-04-03 16:51:24 -07:00 · 2026-01-28 02:13:04 +00:00
parent fed621f690
commit 2bd80d19db
7 changed files with 69 additions and 9 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -137,7 +137,7 @@ ENV LANG=C.UTF-8
 RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap fping \
    nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake ca-certificates \
    sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 envsubst \
-    nginx supercronic shadow su-exec && \
+    nginx supercronic shadow su-exec jq && \
    rm -Rf /var/cache/apk/*  && \
    rm -Rf /etc/nginx && \
    addgroup -g ${NETALERTX_GID} ${NETALERTX_GROUP} && \
--- a/2
+++ b/2
@@ -134,7 +134,7 @@ ENV LANG=C.UTF-8
 RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap fping \
    nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake ca-certificates \
    sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 envsubst \
-    nginx supercronic shadow su-exec && \
+    nginx supercronic shadow su-exec jq && \
    rm -Rf /var/cache/apk/*  && \
    rm -Rf /etc/nginx && \
    addgroup -g ${NETALERTX_GID} ${NETALERTX_GROUP} && \
--- a/Dockerfile.debian
+++ b/Dockerfile.debian
@@ -134,6 +134,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    mtr \
    procps \
    gosu \
    jq \
    && wget -qO /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg \
    && echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list \
    && apt-get update \
--- a/back/app.conf
+++ b/back/app.conf
@@ -16,7 +16,7 @@
 #
 # Scan multiple interfaces (eth1 and eth0):
 # SCAN_SUBNETS    = [ '192.168.1.0/24 --interface=eth1', '192.168.1.0/24 --interface=eth0' ]
-
+BACKEND_API_URL='/server'
 DISCOVER_PLUGINS=True
 SCAN_SUBNETS=['--localnet']
 TIMEZONE='Europe/Berlin'
@@ -100,6 +100,8 @@ MQTT_PASSWORD='passw0rd'
 MQTT_QOS=0
 MQTT_DELAY_SEC=2
 GRAPHQL_PORT=20212
 #-------------------IMPORTANT INFO-------------------#
 #   This file is ingested by a python script, so if  #
--- a/front/js/api.js
+++ b/front/js/api.js
@@ -4,11 +4,8 @@ function getApiBase()
    if(apiBase == "")
    {
-        const protocol = window.location.protocol.replace(':', '');
+        // Default to the same-origin proxy bridge
-        const host = window.location.hostname;
+        apiBase = "/server";
        const port = getSetting("GRAPHQL_PORT");
        apiBase = `${protocol}://${host}:${port}`;
    }
    // Remove trailing slash for consistency
--- a/install/production-filesystem/services/config/nginx/netalertx.conf.template
+++ b/install/production-filesystem/services/config/nginx/netalertx.conf.template
@@ -94,6 +94,19 @@ http {
 	access_log /tmp/log/nginx-access.log main;
    # Map 1: The Legacy Logic (Referer Match)
    map "$http_referer|$http_host" $sec_legacy {
        "~^https?://(?<ref_host>[^/:]+)(?::\d+)?/.*\|\k<ref_host>(?::\d+)?$" "TRUSTED";
        default "UNTRUSTED";
    }
    # Map 2: Strict Same-Origin Enforcement
    map $http_sec_fetch_site $is_trusted {
        "same-origin" "TRUSTED";
        ""            $sec_legacy; # Fallback only if header is missing
        default       "UNTRUSTED"; # Blocks 'same-site' and 'cross-site'
    }
 	# Virtual host config
    server {
        listen ${LISTEN_ADDR}:${PORT} default_server;
@@ -102,6 +115,30 @@ http {
        index index.php;
        add_header X-Forwarded-Prefix "/app" always;
        location /server/ {
            # 1. Enforcement
            if ($is_trusted != "TRUSTED") {
                return 403;
            }
            # 2. Path Rewriting & Proxy
            rewrite ^/server/(.*)$ /$1 break;
            proxy_pass http://127.0.0.1:${BACKEND_PORT};
            # 3. Performance & SSE (Per #1440)
            proxy_buffering off;
            proxy_cache off;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            client_max_body_size 50m;
 			proxy_read_timeout 3600s;
            # 4. Standard Proxy Headers
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        location ~* \.php$ {
            # Set Cache-Control header to prevent caching on the first load
--- a/install/production-filesystem/services/start-nginx.sh
+++ b/install/production-filesystem/services/start-nginx.sh
@@ -42,9 +42,32 @@ if [ "$(id -u)" -eq 0 ]; then
    NGINX_USER_DIRECTIVE="user root;"
 fi
 # ------------------------------------------------------------------
 # BACKEND_PORT RESOLUTION
 # ------------------------------------------------------------------
 # Priority 1: APP_CONF_OVERRIDE (parsed via jq)
 # Priority 2: GRAPHQL_PORT env var
 # Priority 3: Default 20212
 # Default
 export BACKEND_PORT=20212
 # Check env var
 if [ -n "${GRAPHQL_PORT:-}" ]; then
    export BACKEND_PORT="${GRAPHQL_PORT}"
 fi
 # Check override (highest priority)
 if [ -n "${APP_CONF_OVERRIDE:-}" ]; then
    override_port=$(echo "${APP_CONF_OVERRIDE}" | jq -r '.GRAPHQL_PORT // empty')
    if [ -n "${override_port}" ]; then
        export BACKEND_PORT="${override_port}"
    fi
 fi
 # Shell check doesn't recognize envsubst variables
 # shellcheck disable=SC2016
-if envsubst '${LISTEN_ADDR} ${PORT} ${NGINX_USER_DIRECTIVE}' < "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${TEMP_CONFIG_FILE}" 2>/dev/null; then
+if envsubst '${LISTEN_ADDR} ${PORT} ${NGINX_USER_DIRECTIVE} ${BACKEND_PORT}' < "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${TEMP_CONFIG_FILE}" 2>/dev/null; then
 	mv "${TEMP_CONFIG_FILE}" "${SYSTEM_SERVICES_ACTIVE_CONFIG_FILE}"
 else
 	echo "Note: Unable to write to ${SYSTEM_SERVICES_ACTIVE_CONFIG_FILE}. Using default configuration."