I am using node-red and have it set up where abc.domain sends to you to a login page where you authenticate then redirects you to /ui using the node-red-contrib-users where I have the base url path set to /. That works fine. However I found a hole in the security. If you go to abc.domain/ui you bypass the login and go straight into the ui. I experimented with nginx sub-filters and was only able to lock out all requests to /ui. My settings.js are:
httpAdminRoot: 'admin',
ui: { path: "/ui" },
Here is Nginx code:
#proxy for node-red @ port :1880
server {
server_name abc.domain;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
location / {
#subfilter
sub_filter_types text/css text/javascript;
sub_filter ui /;
sub_filter_once on;
proxy_pass http://127.0.0.1:1880;
#Defines the HTTP protocol version for proxying
#by default it it set to 1.0.
#For Websockets and keepalive connections you need to use the version 1.1
proxy_http_version 1.1;
#Sets conditions under which the response will not be taken from a cache.
proxy_cache_bypass $http_upgrade;
#These header fields are required if your application is using Websockets
proxy_set_header Upgrade $http_upgrade;
#These header fields are required if your application is using Websockets
proxy_set_header Connection "upgrade";
#The $host variable in the following order of precedence contains:
#hostname from the request line, or hostname from the Host request header field
#or the server name matching a request.
proxy_set_header Host $host;
#Forwards the real visitor remote IP address to the proxied server
proxy_set_header X-Real-IP $remote_addr;
#A list containing the IP addresses of every server the client has been proxied through
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#When used inside an HTTPS server block, each HTTP response from the proxied server is rewritten to HTTPS.
proxy_set_header X-Forwarded-Proto $scheme;
#Defines the original host requested by the client.
proxy_set_header X-Forwarded-Host $host;
#Defines the original port requested by the client.
proxy_set_header X-Forwarded-Port $server_port;
#Defines sub_filter to accept compressed response.
proxy_set_header Accept-Encoding "";
}
}
The problem is I can filter out the /ui but then then the redirect from node-red--contrib-users is blocked as well.
Mick