Reverse Proxy HTTPS and Basic Authentication to Theia for use on iPadPro #9397
Replies: 8 comments
-
@marcdumais-work @geropl @32leaves @AlexTugarev maybe you have some insights? I don't have enough exp with nginx to answer.
-
@maximsachs Firstly, you cannot do Anyway, for the first part(http) it should simply be like this:
The above will redirect (301) all http connections to your site to https.
And lastly remove below code from your nginx.conf
Here's a simple gist which I basically use (except the basic_auth, I use Cloudflare Access for authentication)
-
I too get the spinning wheel using SSL/Basic Auth with nginx as reverse proxy and Safari 13.0.2.
-
I can acknowledge this problem, too. Both iOS and Safari Browsers cannot show Theia with activated basic authentication in the reverse proxy. I am using a Kubernetes Ingress based on nginx.
-
Me too, Theia with nginx auth is OK on macOS and Win, but something is wrong with iPadOS and iOS.
-
In the end, I dealt with the problem, but the wss location is not with basic auth:
server {
}
}
-
I am also using the above mentioned solution of https for everything except the websocket. Additionally, now after an update of the Theia plugins, PDF files for example would no longer be shown inside the browser. I identified the issue to be due to the mini-browser plugin. By default it uses a host pattern of "{{uuid}}.mini-browser.{{hostname}}". This of course does not work with the reverse proxy, first because the uuid is a different subdomain every time, and secondly even without it a second SSL certificate would be required for the mini-browser domain. What worked for me is setting the following environment variable before running Theia, and then the existing reverse proxy config continues to work just fine:
-
Note that while it works to set Theia's webviews use the same mechanism.
-
Description
Hello,
I'm trying to set up all my tools to be completely browser based for a mobile and secure office experience, while using a light device to interact with everything. In my case specifically I am using an iPadPro with iPadOS beta to make use of the extended browser capabilities.
So far I have got most things working, the last hang up unfortunately is the Theia-IDE. Theia is working great, also on the iPad, however when trying to make things more secure things stop working.
With https and http-basic authentication, Chrome on my desktop is able to access theia fine, but on the iPadPro, the spinning loading icon appears and then just spins forever, instead of loading the workspace etc.
Here's what I found out so far:
Reproduction Steps
I used this guide https://www.theia-ide.org/doc/composing_applications to build Theia on my computer at home which is running Ubuntu 16.04 LTS Desktop. Running Theia locally works like a charm. When I am on the road, I use OpenVPN to connect home, which then allows me to access the different browser based tools. However that is not good enough, so using Let's Encrypt I have set up certificates to switch all tools to use https.
Since I couldn't find any internal https support for Theia I followed the advice from other issues to set up a reverse proxy using NGINX.
This is however still not sufficient in my opinion, as an attacker, as long as they are in the local network, could easily access my entire computer through the terminal that Theia provides. Therefore I wanted to add http basic authentication to the reverse proxy. This would mean an attacker would have to bypass the VPN, or have direct physical access to the local network, then would have to intercept the https traffic to be able to get the username and password, which is hard because my local network is configured to use its own DNS server which is secured itself. So in my opinion that is sufficiently secure against a casual attacker, or accidental access by friends on my local network.
This is my NGINX configuration. (Theia is running on localhost with port 8126):
/etc/nginx/nginx.conf:
And /etc/nginx/sites-enabled/default:
The configuration above works well on my normal computer with Chrome (also Ubuntu 16.04). It is supposed to use https for any request (an http request should automatically be changing to https), and additionally send the http basic authentication with each request. Then they are supposed to be forwarded internally to the Theia server running on localhost.
The Problem
While Chrome on Ubuntu has no issues, the iPadPro doesn't seem to like this set up. When connecting it prompts for the login credentials for basic authentication, which are entered and if correct proceeds to load the website. It is getting the server itself, however then it is stuck on the Theia loading icon, which is spinning forever. After some trial and error with different settings, I think the problem is something to do with the connection upgrade for the websocket connection. If I understand correctly, the websocket is what gets the actual files and such from the current workspace open in Theia. It would make sense that if everything but the websocket is accessible, that the website partially loads and is then stuck on the loading icon, because it gets some error when trying to get data from the websocket. From some googling I found that Apple apparently made some harsh choices to improve security with http-basic authentication, which is not allowed in Safari unless it's going over an https connection. I have a feeling that the problem lies somewhere there, that the websocket is not correctly upgraded to a secure connection, which results in Safari on the iPad not including the correct http-basic authentication, which then results in unauthenticated error on the reverse proxy. I am not sure if this is a problem of my configuration, or if the Theia frontend for some reason is sending requests that are not upgraded to https or maybe another cause.
For testing I also tried to disable the http-basic authentication in the reverse proxy, however still using SSL. That works just fine to load and use Theia on the iPad, but with http-basic auth it doesn't work anymore.
Any help would be greatly appreciated. I tried to make this as detailed as possible. Thank you all very much.
Is my reverse proxy configuration correct?
Diagnostics:
Nginx access log:
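The setup described in the question (HTTP redirected to HTTPS, basic auth on every request, WebSocket upgrade forwarded to Theia on localhost port 8126), written out as an added example; it is not any participant's configuration from this thread. The hostname, certificate paths, htpasswd path and the `/services` WebSocket path are assumptions, and the commented-out block shows the shape of the "wss location without basic auth" workaround next to the fully authenticated form.

```nginx
# Added example. Goes inside the http {} context (e.g. a sites-enabled file).
# theia.example.lan and all file paths below are placeholders.

# Send "Connection: upgrade" upstream only when the client asked to upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name theia.example.lan;
    # Plain HTTP is only ever answered with a redirect, so neither the
    # basic-auth header nor Theia traffic is served unencrypted.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name theia.example.lan;

    ssl_certificate     /etc/letsencrypt/live/theia.example.lan/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/theia.example.lan/privkey.pem;

    # Declared at server level so every location inherits it, including the
    # WebSocket handshake, which is an ordinary GET until it is upgraded.
    auth_basic           "Theia";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:8126;
        proxy_http_version 1.1;                  # Upgrade needs HTTP/1.1
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
        proxy_set_header   Host       $host;
        proxy_read_timeout 1h;                   # keep idle IDE sockets open
    }

    # Workaround shape from the thread: WebSocket location exempt from auth.
    # "/services" is an assumed path. Left commented out because it makes the
    # channel behind the IDE and its terminal reachable without credentials
    # by anyone who can reach the proxy.
    # location /services {
    #     auth_basic off;
    #     proxy_pass http://127.0.0.1:8126;
    # }
}
```

If the exemption is enabled anyway, the access log for that location is the place to confirm that only expected client addresses open the socket.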