Pass through proxy headers from upstream proxies
Edit by @mtlynch
TinyPilot’s nginx config apparently drops proxy headers like X-Forwarded-Proto if the user is connecting to TinyPilot through an upstream proxy. @LukeLambert’s proposed fix modifies the nginx config to forward these headers.
Like many, I use a reverse proxy in front of most web services to terminate TLS, provide SSO, and authorize requests (aka Zero Trust). The TinyPilot Nginx config can easily allow for this setup with a few tweaks copied from the nginx-proxy project. It also greatly simplifies the config.
Note: I’m not sure which headers are needed for the /janus/ws location. I haven’t observed my TinyPilot using that endpoint.
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
    default $http_x_forwarded_proto;
    '' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
    default $http_x_forwarded_port;
    '' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
    default upgrade;
    '' close;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name tinypilot;
    root /opt/tinypilot;
    index index.html;
    proxy_buffers 16 16k;
    proxy_buffer_size 16k;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $proxy_connection;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
    proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
    proxy_http_version 1.1;
    location /state {
        proxy_pass http://ustreamer;
    }
    location /stream {
        postpone_output 0;
        proxy_buffering off;
        proxy_ignore_headers X-Accel-Buffering;
        proxy_pass http://ustreamer;
    }
    location /snapshot {
        proxy_pass http://ustreamer;
    }
    location /janus/ws {
        proxy_pass http://janus-ws;
        proxy_set_header X-Scheme $proxy_x_forwarded_proto;
    }
    location / {
        proxy_pass http://tinypilot;
    }
    location ~* ^/.+\.(html|js|js.map|css|woff|woff2)$ {
        root "/opt/tinypilot/app/static";
        # We cache assets to prevent the browser from making redundant
        # requests to the same files while loading the page. (Observed on
        # Chrome 91.) We don’t want caching otherwise, though, in order to
        # avoid stale files after users update their device. Note, that in
        # addition to `max-age`, the browser’s caching behaviour is relative
        # to the `Last-Modified` header, so we make that seem recent.
        add_header Last-Modified $date_gmt;
        add_header Cache-Control 'public, max-age=10s';
    }
    location ~* ^/.+\.(jpg|jpeg|png|ico)$ {
        root "/opt/tinypilot/app/static";
    }
}
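The maps in the config above forward whatever X-Forwarded-Proto, X-Forwarded-Port and X-Forwarded-For values arrive, whoever the connecting peer is. The following trust-gated variant is an added example, not part of the issue or of TinyPilot's own config: it accepts those headers only from listed proxy addresses and otherwise falls back to what nginx itself observed. The `geo` entries (including the placeholder address 192.0.2.10) and the names `$from_trusted_proxy`, `$fwd_port` and `$proxy_x_forwarded_for` are assumptions introduced for illustration.

```nginx
# http-context fragment (added example). 192.0.2.10 is a placeholder for the
# upstream reverse proxy's address; it does not come from the issue.
geo $from_trusted_proxy {
    default     0;
    127.0.0.1   1;  # keep only if a tunnel agent runs on this host
    192.0.2.10  1;  # placeholder: upstream reverse proxy
}

# Accept X-Forwarded-Proto only from a trusted peer and only if it names a
# known scheme; everything else falls back to the scheme nginx observed.
map "$from_trusted_proxy:$http_x_forwarded_proto" $proxy_x_forwarded_proto {
    default    $scheme;
    "1:http"   http;
    "1:https"  https;
}

# Same for X-Forwarded-Port: a numeric value from a trusted peer, else the
# port the client actually connected to.
map "$from_trusted_proxy:$http_x_forwarded_port" $proxy_x_forwarded_port {
    default                     $server_port;
    "~^1:(?<fwd_port>[0-9]+)$"  $fwd_port;
}

# Append to X-Forwarded-For only when the peer is trusted; otherwise discard
# the client-supplied chain and start a new one from the peer address.
map $from_trusted_proxy $proxy_x_forwarded_for {
    default  $remote_addr;
    1        $proxy_add_x_forwarded_for;
}

server {
    listen 80 default_server;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
    proxy_set_header X-Forwarded-Port  $proxy_x_forwarded_port;
    # remaining directives and locations as in the config above
}
```

Check the merged file with `nginx -t` before reloading.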
Top GitHub Comments
I tried the config with a few reverse proxies and they all worked.
ngrok
You’ll need a free ngrok authtoken. Open the HTTPS address printed in the terminal. Warning: This is publicly accessible.
Cloudflare Tunnel
In the teams dashboard, under Access > Tunnels, click Create a tunnel and follow the prompts. Open the HTTPS address of the subdomain you created. Warning: This is publicly accessible.
Caddy
Open http://localhost:8080.
Caddy HTTPS
Open https://localhost:8443 and ignore the security warnings.
Ah, okay.
Can you make this a PR into the ansible-role-tinypilot repo?
https://github.com/tiny-pilot/ansible-role-tinypilot/blob/14cc40e7e53260628be09597799533e080bfc7f9/tasks/nginx.yml