Update to 1.23.9 How to set an environment variable UPTIME_KUMA_WS_ORIGIN_CHECK #4210
Comments
|
Add docker run -d --restart=always -p 3001:3001 -e UPTIME_KUMA_WS_ORIGIN_CHECK="bypass" -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1 |
|
But I am curious, how could it be affected by this in details? Because for my instance, my SSL cert is provided by Cloudflare. It is still working without bypass: https://status.kuma.pet |
|
That fixed it, thank you very much. That command you gave me, for newbies like me who was just introduced to your project, would be great to have in the release notes. I was not aware of how to pass those variables using the command line. I thought I needed to edit a config file and change the option to "bypass" |
|
So my install for the SSL I followed a tutorial. Installed Apache and used certbot for a Let's Encrypt SSL. |
|
Could you have a look if you have these paramerters enabled? louislam/uptime-kuma-wiki#73 (The same issue was raised last week in #4168, but @luchris did not respond if this addressed the issue [and therefore should be added to the wiki]) |
|
Encountered the same issue today when updating to the latest version of Uptime Kuma. Faced a WebSocket connection problem, but after incorporating the following into my Docker Compose file: |
|
Actually, using If anyone encountered this, can you check your log and show me the error here? Should be similar to this: I want to see why the hostname do not match. @BabyYodaOne Appreciated! Will try to reproduce this with Apache reverse proxy |
|
Never mind, I am able to reproduce it now. compose.yaml version: "3.8"
services:
uptime-kuma:
image: louislam/uptime-kuma:1
volumes:
- ./data:/app/data
restart: unless-stopped
apache:
restart: unless-stopped
image: php:8.2-apache-bullseye
ports:
- 80:80
volumes:
- ./sites-enabled:/etc/apache2/sites-enabled
command: |
sh -c 'a2enmod rewrite proxy_http && apache2-foreground'
networks: {}./sites-enabled/uptime-kuma.conf <VirtualHost *:80>
ServerName instance-tokyo-arm
ProxyPass / http://uptime-kuma:3001/
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "ws://uptime-kuma:3001/$1" [P,L]
</VirtualHost>Error: It seems that the Let's see how to handle this smoothly. |
|
Ah, so the better solution would be using <VirtualHost *:80>
ServerName instance-tokyo-arm
# ADD THIS
ProxyPreserveHost on
ProxyPass / http://uptime-kuma:3001/
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "ws://uptime-kuma:3001/$1" [P,L]
</VirtualHost>Added a caution message in the changelog https://github.com/louislam/uptime-kuma/releases/tag/1.23.9 |
chakflying
changed the title
|
Maybe I was too confident and underestimated it (again). The breaking change impact of this security fix is very big, since it is not just affecting Apache only. It is affecting across many reverse proxy apps.
|
|
It is a pretty big security risk if someone is running no-auth mode. Personally I think passing through the host header is a pretty reasonable thing for a reverse proxy to do, and the config change is not difficult (just 1 line), there should be no need to revert. |
|
Anyone got this to work with IIS? I can set UPTIME_KUMA_WS_ORIGIN_CHECK to bypass but I cannot seem to get rewrite to work. |
|
Assuming you are talking about this specific reverse proxy websocket connection issue, according to this answer, there is a specific setting for preserving the host header. Have you tried setting this setting? |
Thanks, that worked. |
|
Sorry, I'm still confused. Where is the file I need to set the UPTIME_KUMA_WS_ORIGIN_CHECK variable? I have searched the installed uptime-kima directory/subdirectories with grep to find if it already exists and got a null response. Apologies if it's so obvious I missed it. (It's a plain, not a Docker install). |
|
@brainsys I am now working on 1.23.10 which should not cause this breaking change anymore. You can stick back to 1.23.8 first. |
|
Anyone know if this breaks cloudflare tunnels formerly argo tunnels ? |
It is OK, my intance is using Cloudflare Tunnel: https://status.kuma.pet/dashboard |
Great Updating now (Good to know CF is used to test updates) |
Is this working as intended for you? My setup will block the connection using the CF tunnel linked to it. It's unusually not blocking the status page itself, which is set to default. But when I try to open the manager, it gets the websocket error. |
Works for me no issues |
|
1.23.10 has been released, it should cause no issue now. If you added |
|
Closing as #4216 was merged and 1.23.10 released |
don't work .. |
|
@opvexe |
🛡️ Security Policy
📝 Describe your problem
Hi,
I have updated to 1.23.9 and as listed in the warning banner, it broke my SSL domain origin. I used your docker install method and updated using your default values. I don't know where or which file contains the environment variable to change to bypass.
Could you please point me to the file name and location so I can change the variable to bypass?
Thank you for your help.
Additional verification of the HTTP Origin header has been added to the socket.io connection handler. By default, if the Origin header is present, it would be checked against the Host header. Connection would be denied if the hostnames do not match, which would indicate that the request is cross-origin. Connection would be allowed if the Origin header is not present.
Users can override this behaviour by setting environment variable UPTIME_KUMA_WS_ORIGIN_CHECK=bypass.
(What is the file name and location to make this change? Using the Docker default values and method)
📝 Error Message(s) or Log
No response
🐻 Uptime-Kuma Version
1.23.9
💻 Operating System and Arch
Ubunut 22
🌐 Browser
Firefox
🐋 Docker Version
No response
🟩 NodeJS Version
No response
The text was updated successfully, but these errors were encountered: