From 1b120c277c6d974908d29a16134b3f0e3998305a Mon Sep 17 00:00:00 2001 From: root Date: Thu, 29 Jan 2026 18:28:58 +0200 Subject: [PATCH] Fix ingress: redirect to include token; fix ttyd base path; bump 0.3.2 --- moltbot_assistant/nginx.conf.tpl | 21 +++++++++++---------- moltbot_assistant/run.sh | 9 +++++---- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/moltbot_assistant/nginx.conf.tpl b/moltbot_assistant/nginx.conf.tpl index d831a5a..f5578aa 100644 --- a/moltbot_assistant/nginx.conf.tpl +++ b/moltbot_assistant/nginx.conf.tpl @@ -16,12 +16,6 @@ http { sendfile on; keepalive_timeout 65; - # Inject gateway token server-side. Token is substituted into this template at runtime. - map $args $args_with_token { - "" "token=__GATEWAY_TOKEN__"; - default "$args&token=__GATEWAY_TOKEN__"; - } - server { listen 8099; @@ -32,18 +26,25 @@ http { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; } - # Everything else -> Clawdbot gateway UI (websocket capable) + # Gateway UI + # Ensure the browser URL includes token=... (Clawdbot UI expects it client-side). location / { - proxy_pass http://127.0.0.1:18789$uri?$args_with_token; + if ($arg_token = "") { + return 302 $scheme://$host$request_uri?token=__GATEWAY_TOKEN__; + } + + proxy_pass http://127.0.0.1:18789; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; } } diff --git a/moltbot_assistant/run.sh b/moltbot_assistant/run.sh index 401c1f1..8dc48f0 100644 --- a/moltbot_assistant/run.sh +++ b/moltbot_assistant/run.sh @@ -266,7 +266,8 @@ if [ "$ENABLE_TERMINAL" = "true" ]; then # -p: port # bind localhost only; exposed to HA via ingress reverse proxy # ttyd is writable by default; use -R for read-only. (Some builds don't support -W) - ttyd -i 127.0.0.1 -p 7681 bash & + # -b sets the base path so it works behind Ingress (/terminal/) + ttyd -i 127.0.0.1 -p 7681 -b /terminal bash & TTYD_PID=$! else echo "Terminal disabled (enable_terminal=false)" @@ -276,6 +277,8 @@ fi # Token is injected server-side; never put it in the browser URL. # Render nginx config from template with the gateway token. +# NOTE: This intentionally exposes the token in the browser URL via a redirect. +# This matches Clawdbot Control UI's current expectations. GW_TOKEN="$GW_TOKEN" python3 - <<'PY' import os from pathlib import Path @@ -283,9 +286,7 @@ from pathlib import Path tpl = Path('/etc/nginx/nginx.conf.tpl').read_text() token = os.environ.get('GW_TOKEN','') if not token: - # Keep nginx running, but gateway UI will remain inaccessible. - # This avoids breaking the add-on UI completely if token is unset. - print('WARN: gateway_token is empty; ingress proxy will not be able to authenticate to gateway UI.') + print('WARN: gateway_token is empty; ingress UI will redirect with an empty token and Control UI will not authenticate.') conf = tpl.replace('__GATEWAY_TOKEN__', token) Path('/etc/nginx/nginx.conf').write_text(conf)