
NGX reverse-proxying LomoAgentWin: cannot log in through the HTTPS domain #4

Closed
Zerorigin opened this issue Oct 18, 2022 · 9 comments

Comments

Zerorigin commented Oct 18, 2022

version: https://github.com/lomorage/LomoAgentWin/releases/tag/2022-04-19.22-31-44.0.080b5fa
LomoAgentWin is using the default port.

    location / {
        client_max_body_size 0;
        proxy_pass http://IP:Port;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

Another problem: after reverse-proxying, Android also cannot connect through the reverse-proxied HTTPS domain. Does Android use raw TCP/IP rather than HTTP/HTTPS?

Zerorigin (Author) commented

Take a look at this: https://aisnote.com/2022/10/19/windows-%e4%b8%8a%e9%80%9a%e8%bf%87-apache-%e5%8f%8d%e5%90%91%e4%bb%a3%e7%90%86%e6%94%af%e6%8c%81-lomorage%e7%9a%84-https-%e8%bf%9c%e7%a8%8b%e8%ae%bf%e9%97%ae/

Found the cause: the part of LomoAgentWin that handles cross-origin requests may be slightly misconfigured. After I removed the strict cross-origin requirements on nginx, the reverse-proxied web page can log in.
But the Android app still cannot log in via https://domain:8000/

aisnote (Collaborator) commented Oct 19, 2022

Try changing domain to ip 👀

Zerorigin (Author) commented

> Try changing domain to ip 👀

Tried it: on the LAN, Android can connect directly to LomoAgentWin using LomoAgentWin's IP:Port,
but through nginx it doesn't work.

Zerorigin (Author) commented

Is it because the Android app doesn't yet support encrypted HTTPS transport?

Zerorigin (Author) commented

> Try changing domain to ip 👀

Thanks for the guidance. I didn't read the earlier link carefully and didn't notice that external access has to be configured first on the settings page; I assumed setting it on the account page would be enough to log in from outside.
Following the link's Android app setup guide, external access does work after configuration.

Zerorigin (Author) commented Oct 19, 2022

Here are some reverse-proxy notes for whoever comes later.
The location / block needs this directive to prevent cross-origin problems that make login fail:

        add_header Access-Control-Allow-Credentials true;

Also, once the reverse proxy is configured correctly, I suggest adding the location block below to block the response from /system and prevent the username from being exposed.
An exposed username plus a weak password is easy for someone with bad intentions to exploit; be careful about privacy leaks.

    location /system {
        # default_type text/html;
        # return 200 "Hello, Lomorage! (https://lomorage.com/)";
        return 301 https://lomorage.com/;
    }

OK, I've been slapped in the face: it can't be blocked, otherwise the app can't fetch the server information and crashes on launch. I can only hope the developers fix this soon.

Finally, after configuring the nginx reverse proxy with HTTPS encryption, you must first configure external access on the settings page of the Android/iOS app before you can use the external link to reach the server on the user login screen.
I strongly recommend configuring the encrypted link correctly and not allowing certificate checks to be skipped; skipping them makes man-in-the-middle attacks easy (as above, watch out for privacy leaks).
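Added example (not from this thread or the Lomorage project): the `add_header Access-Control-Allow-Credentials true;` directive above only works together with an explicit `Access-Control-Allow-Origin`, because browsers reject a credentialed response whose allowed origin is `*`. The Python below models that rule: it builds the header set a reverse proxy should emit for a credentialed request from an allow-listed origin, and checks an arbitrary header set for the combinations that make login silently fail. The origin values are constructed placeholders.

```python
from typing import Dict, Iterable, List, Optional

def cors_headers(request_origin: Optional[str], allowed_origins: Iterable[str]) -> Dict[str, str]:
    """Response headers for a credentialed (cookie/session) cross-origin request.

    The browser requires the allowed origin to be spelled out when
    Access-Control-Allow-Credentials is true, so the request's Origin is
    echoed back only if it is on the allow-list. Vary: Origin stops a cache
    from serving one origin's headers to a different origin.
    """
    allowed = set(allowed_origins)
    if request_origin is None or request_origin not in allowed:
        return {}  # no CORS headers at all: the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }

def validate_cors(headers: Dict[str, str]) -> List[str]:
    """Return the list of problems in a CORS header set (empty means OK)."""
    problems = []
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    origin = headers.get("Access-Control-Allow-Origin")
    if creds and origin == "*":
        problems.append("Allow-Credentials: true with Allow-Origin: * is rejected by browsers")
    if creds and origin is None:
        problems.append("Allow-Credentials: true without any Allow-Origin header")
    if origin and origin != "*" and "Origin" not in headers.get("Vary", ""):
        problems.append("origin-specific Allow-Origin should be accompanied by Vary: Origin")
    return problems

if __name__ == "__main__":
    # Constructed origins: the web UI origin that is allowed, and one that is not.
    allowed = {"https://photos.example"}
    print(cors_headers("https://photos.example", allowed))
    print(cors_headers("https://other.example", allowed))        # {}
    print(validate_cors({"Access-Control-Allow-Origin": "*",
                         "Access-Control-Allow-Credentials": "true"}))
```

When nginx is the component adding these headers, the equivalent of `cors_headers` is an `add_header Access-Control-Allow-Origin` carrying the specific origin the web UI is served from, never `*`, next to the `Allow-Credentials` line from the note above.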

aisnote closed this as completed Oct 19, 2022
fuji246 commented Oct 28, 2022

@Zerorigin The /system API returns user information only when accessed from an IP on the same subnet. Since you use nginx as the proxy, the access comes from 127.0.0.1, so it should be fine; you can try opening it in a browser on the machine itself.

curl http://127.0.0.1:8000/system
{"OS":"linux","Arch":"arm64","APIVersion":"1.1","LomodVersion":"2022-10-16.12-46-42.0.aa72b47","UUID":"4318e34f-e9d2-4dd4-b1e7-f1f500cbac3f","AllowRegistration":false,"SystemStatus":1,"OSStatus":{"Uptime":"","CPU":{"Count":0},"Memory":{"TotalInMB":0,"UsedInMB":0,"FreeInMB":0,"CachedInMB":0},"Disk":{"Status":"","ErrorCode":0,"FreeSizeInMB":0},"Network":{"Status":"","PublicAddrs":null,"ListenIPs":null},"TimeZone":{"Name":"","Offset":0}},"UserStatus":{},"LastBackup":null,"WebpPreview":true,"PublicAddr":[],"ListenIPs":[],"OSDiskFreeSize":0,"NetworkStatus":"","DiskStatus":"","TimezoneName":"","TimezoneOffset":0,"UserDisks":[]}

Zerorigin (Author) commented Oct 29, 2022

> @Zerorigin The /system API returns user information only when accessed from an IP on the same subnet. Since you use nginx as the proxy, the access comes from 127.0.0.1, so it should be fine; you can try opening it in a browser on the machine itself.

OK, but the machine running my reverse proxy isn't the LomoAgentWin host; it's another machine on the same network, so I can't reverse-proxy through 127.0.0.1:8000.
Still, this behaviour is interesting and should resolve my concern. I tested it: accessing this endpoint locally via 127.0.0.1:8000 indeed returns no user information, but using the LAN IP it does. It looks like LomoAgent doesn't try to get the real visitor IP from the X-Forwarded-For request header in order to hide the user information.
