Path support for saving HAAS URL on the initial setup screen
I have HASS set up with an NGINX reverse proxy that works properly with a URL like this: https://haas.domain.com/secretpath/
Basically, NGINX converts that secretpath to an HttpOnly Secure cookie that is returned with the response.
Since HASS doesn't support https://haas.domain.com/path/ installations, the very next request will be made directly to https://haas.domain.com/, but since the cookie is provided by the browser, NGINX will forward the request correctly to the reverse proxy.
That works great in the browser, so you only need to open https://haas.domain.com/secretpath/ once, and after that the cookie helps to keep HASS secure.
The only problem is that when I want to use the Android application, the path section is trimmed by the saveUrl method, and it would be great if the path section were also reconstructed by the Builder. If the path is provided as part of the URL, then this setup would work correctly.
The benefit of this setup is to mitigate the attacks that happen because the subdomain is exposed by public DNS; all my public services typically face DoS attacks from time to time. Hiding HAAS will help greatly from a security perspective.
```kotlin
override suspend fun saveUrl(url: String, isInternal: Boolean?) {
    val trimUrl = if (url == "") null else try {
        val httpUrl = url.toHttpUrl()
        // Only scheme, host and port are copied; the path of the entered URL is dropped here.
        HttpUrl.Builder()
            .scheme(httpUrl.scheme)
            .host(httpUrl.host)
            .port(httpUrl.port)
            .toString()
    } catch (e: IllegalArgumentException) {
        throw MalformedHttpUrlException(
            e.message
        )
    }
    localStorage.putString(if (isInternal ?: isInternal()) PREF_LOCAL_URL else PREF_REMOTE_URL, trimUrl)
}
```
Current NGINX PoC configuration looks like this:
```nginx
# https server section below
server {
    # ....
    set $secretKey shhtKeepItLow;
    location ~* ^/([^/]*)/? {
        set $secret $1;
        set $authenticated 0;
        if ($secret = $secretKey) {
            set $authenticated 1;
        }
        if ($http_cookie ~* "shhtKeepItLow=1") {
            set $authenticated 1;
        }
        if ($authenticated = 0) {
            return 404;
        }
        rewrite /shhtKeepItLow/(.*) /$1 break;
        proxy_pass http://192.168.0.2:8123; # my local HAAS instance
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        add_header Set-Cookie "shhtKeepItLow=1; Path=/; HttpOnly; Secure";
    }
    # ....
}
```
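Added example (not part of the original issue and not the app's own code): a stand-alone sketch of the URL normalisation that keeps the path, using OkHttp's `HttpUrl`, while still dropping query, fragment and any user info. The function name `normalizeServerUrl` and the sample inputs are hypothetical; the storage call and the app's `MalformedHttpUrlException` are left out.

```kotlin
import okhttp3.HttpUrl
import okhttp3.HttpUrl.Companion.toHttpUrl

// Hypothetical helper, not the app's code: same trimming as saveUrl above,
// except that the path component of the entered URL is preserved.
fun normalizeServerUrl(url: String): String? {
    if (url.isEmpty()) return null

    // Throws IllegalArgumentException if the input is not a valid http/https URL.
    val httpUrl = url.toHttpUrl()

    return HttpUrl.Builder()
        .scheme(httpUrl.scheme)
        .host(httpUrl.host)
        .port(httpUrl.port)
        // encodedPath always starts with "/" and is copied without re-encoding.
        .encodedPath(httpUrl.encodedPath)
        // Query, fragment, username and password are intentionally not copied.
        .build()
        .toString()
}

fun main() {
    // Constructed sample inputs for illustration.
    val samples = listOf(
        "https://haas.domain.com/secretpath/",
        "https://haas.domain.com/secretpath/?x=1#frag",
        "https://user:pw@haas.domain.com:8123",
        ""
    )
    for (s in samples) {
        println("'$s' -> ${normalizeServerUrl(s)}")
    }

    // Malformed input is rejected rather than silently stored.
    try {
        normalizeServerUrl("not a url")
    } catch (e: IllegalArgumentException) {
        println("rejected: ${e.message}")
    }
}
```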
Top GitHub Comments
Can we have that merged?
Another +1 here too!