check .well-known presence upstream

this is required for apps like nextcloud which have caldav/cardav routes
remove bogus internal route
2020-04-15 16:56:41 -07:00 · 2020-04-14 23:11:44 -07:00 · 2020-04-11 18:45:39 -07:00 · 2020-04-11 17:11:55 -07:00 · 2020-04-11 14:21:05 -07:00 · 2020-04-10 09:49:06 -07:00
7 changed files with 47 additions and 13 deletions
@@ -1899,3 +1899,16 @@
 * graphs: sort disk contents by usage
 * backups: show apps that are not automatically backed up in backup view
 * turn: deny local address peers https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/
+
+[5.1.3]
+* Fix crash with misconfigured reverse proxy
+* Fix issue where invitation links are not working anymore
+
+[5.1.4]
+* Add support for custom .well-known documents to be served
+* Add ECDHE-RSA-AES128-SHA256 to cipher list
+* Fix GPG signature verification
+
+[5.1.5]
+* Check for .well-known routes upstream as fallback. This broke nextcloud's caldav/carddav
+
@@ -56,6 +56,7 @@ mkdir -p "${BOX_DATA_DIR}/profileicons"
 mkdir -p "${BOX_DATA_DIR}/certs"
 mkdir -p "${BOX_DATA_DIR}/acme" # acme keys
 mkdir -p "${BOX_DATA_DIR}/mail/dkim"
+mkdir -p "${BOX_DATA_DIR}/well-known" # .well-known documents

 # ensure backups folder exists and is writeable
 mkdir -p /var/backups
@@ -49,6 +49,6 @@ exports = module.exports = {

    FOOTER: '&copy; 2020  &nbsp;  [Cloudron](https://cloudron.io) &nbsp; &nbsp; &nbsp;  [Forum <i class="fa fa-comments"></i>](https://forum.cloudron.io)',

-    VERSION: process.env.BOX_ENV === 'cloudron' ? fs.readFileSync(path.join(__dirname, '../VERSION'), 'utf8').trim() : '4.2.0-test'
+    VERSION: process.env.BOX_ENV === 'cloudron' ? fs.readFileSync(path.join(__dirname, '../VERSION'), 'utf8').trim() : '5.1.1-test'
 };

@@ -65,7 +65,7 @@ server {
    # https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#25-use-forward-secrecy
    # ciphers according to https://ssl-config.mozilla.org/#server=nginx&version=1.14.0&config=intermediate&openssl=1.1.1&guideline=5.4
    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers off;

    ssl_dhparam /home/yellowtent/boxdata/dhparams.pem;
@@ -135,8 +135,21 @@ server {
        # internal means this is for internal routing and cannot be accessed as URL from browser
        internal;
    }
-    location /appstatus.html {
-        internal;
+
+    location @wellknown-upstream {
+<% if ( endpoint === 'admin' ) { %>
+        proxy_pass http://127.0.0.1:3000;
+<% } else if ( endpoint === 'app' ) { %>
+        proxy_pass http://127.0.0.1:<%= port %>;
+<% } else if ( endpoint === 'redirect' ) { %>
+        return 302 https://<%= redirectTo %>$request_uri;
+<% } %>
+    }
+
+    # user defined .well-known resources
+    location ~ ^/.well-known/(.*)$ {
+        root /home/yellowtent/boxdata/well-known/$host;
+        try_files /$1 @wellknown-upstream;
    }

    location / {
@@ -645,11 +645,12 @@ function exec(req, res, next) {

    if (safe.query(req.resource, 'manifest.addons.docker') && req.user.role !== users.ROLE_OWNER) return next(new HttpError(403, '"owner" role is requied to exec app with docker addon'));

+    // in a badly configured reverse proxy, we might be here without an upgrade
+    if (req.headers['upgrade'] !== 'tcp') return next(new HttpError(404, 'exec requires TCP upgrade'));
+
    apps.exec(req.resource, { cmd: cmd, rows: rows, columns: columns, tty: tty }, function (error, duplexStream) {
        if (error) return next(BoxError.toHttpError(error));

-        if (req.headers['upgrade'] !== 'tcp') return next(new HttpError(404, 'exec requires TCP upgrade'));
-
        req.clearTimeout();
        res.sendUpgradeHandshake();

@@ -683,6 +684,9 @@ function execWebSocket(req, res, next) {

    var tty = req.query.tty === 'true' ? true : false;

+    // in a badly configured reverse proxy, we might be here without an upgrade
+    if (req.headers['upgrade'] !== 'websocket') return next(new HttpError(404, 'exec requires websocket'));
+
    apps.exec(req.resource, { cmd: cmd, rows: rows, columns: columns, tty: tty }, function (error, duplexStream) {
        if (error) return next(BoxError.toHttpError(error));

@@ -64,13 +64,16 @@ function gpgVerify(file, sig, callback) {
    debug(`gpgVerify: ${cmd}`);

    child_process.exec(cmd, { encoding: 'utf8' }, function (error, stdout, stderr) {
-        if (error) return callback(new BoxError(BoxError.NOT_SIGNED, `The signature in ${path.basename(sig)} could not verified`));
+        if (error) {
+            debug(`gpgVerify: command failed. error: ${error}\n stdout: ${stdout}\n stderr: ${stderr}`);
+            return callback(new BoxError(BoxError.NOT_SIGNED, `The signature in ${path.basename(sig)} could not verified (command failed)`));
+        }

-        if (stdout.indexOf('[GNUPG:] VALIDSIG 0EADB19CDDA23CD0FE71E3470A372F8703C493CC')) return callback();
+        if (stdout.indexOf('[GNUPG:] VALIDSIG 0EADB19CDDA23CD0FE71E3470A372F8703C493CC') !== -1) return callback();

        debug(`gpgVerify: verification of ${sig} failed: ${stdout}\n${stderr}`);

-        return callback(new BoxError(BoxError.NOT_SIGNED, `The signature in ${path.basename(sig)} could not verified`));
+        return callback(new BoxError(BoxError.NOT_SIGNED, `The signature in ${path.basename(sig)} could not verified (bad sig)`));
    });
 }

@@ -584,13 +584,13 @@ function createInvite(user, callback) {

    if (user.source) return callback(new BoxError(BoxError.CONFLICT, 'User is from an external directory'));

-    let resetToken = hat(256);
-    user.resetToken = resetToken;
+    const resetToken = hat(256), resetTokenCreationTime = new Date();

-    userdb.update(user.id, { resetToken }, function (error) {
+    userdb.update(user.id, { resetToken, resetTokenCreationTime }, function (error) {
        if (error) return callback(error);

-        callback(null, { resetToken: user.resetToken, inviteLink: inviteLink(user) });
+        user.resetToken = resetToken;
+        callback(null, { resetToken, inviteLink: inviteLink(user) });
    });
 }
Author	SHA1	Message	Date
Girish Ramakrishnan	7eafa661fe	check .well-known presence upstream this is required for apps like nextcloud which have caldav/cardav routes	2020-04-15 16:56:41 -07:00
Girish Ramakrishnan	2fe323e587	remove bogus internal route	2020-04-14 23:11:44 -07:00
Girish Ramakrishnan	4e608d04dc	5.1.4 changes	2020-04-11 18:45:39 -07:00
Girish Ramakrishnan	531d314e25	Show error message if gpg failed	2020-04-11 17:11:55 -07:00
Girish Ramakrishnan	1ab23d2902	fix indexOf value comparison	2020-04-11 14:21:05 -07:00
Girish Ramakrishnan	b3496e1354	Add ECDHE-RSA-AES128-SHA256 to cipher list one of our users had the site reverse proxied. it broke after the 5.1 cipher change and they nailed it down to using this cipher. https://security.stackexchange.com/questions/72926/is-tls-ecdhe-rsa-with-aes-128-cbc-sha256-a-safe-cipher-suite-to-use says this is safe The following prints the cipher suite: log_format combined2 '$remote_addr - [$time_local] ' '$ssl_protocol/$ssl_cipher ' '"$request" $status $body_bytes_sent $request_time ' '"$http_referer" "$host" "$http_user_agent"';	2020-04-10 09:49:06 -07:00
Girish Ramakrishnan	2efa0aaca4	serve custom well-known documents via nginx	2020-04-09 00:15:56 -07:00
Girish Ramakrishnan	ef9aeb0772	Bump default version for tests	2020-04-08 14:24:58 -07:00
Girish Ramakrishnan	924a0136eb	5.1.3 changes	2020-04-08 13:52:53 -07:00
Girish Ramakrishnan	c382fc375e	Set the resetTokenCreationTime in invitation links	2020-04-08 13:11:24 -07:00
Girish Ramakrishnan	2544acddfa	Fix crash with misconfigured reverse proxy https://forum.cloudron.io/topic/2288/mastodon-terminal-not-starting	2020-04-08 09:43:43 -07:00