Fix ingress: redirect to include token; fix ttyd base path; bump 0.3.2
This commit is contained in:
@@ -16,12 +16,6 @@ http {
|
|||||||
sendfile on;
|
sendfile on;
|
||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
|
|
||||||
# Inject gateway token server-side. Token is substituted into this template at runtime.
|
|
||||||
map $args $args_with_token {
|
|
||||||
"" "token=__GATEWAY_TOKEN__";
|
|
||||||
default "$args&token=__GATEWAY_TOKEN__";
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 8099;
|
listen 8099;
|
||||||
|
|
||||||
@@ -32,18 +26,25 @@ http {
|
|||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "upgrade";
|
proxy_set_header Connection "upgrade";
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Everything else -> Clawdbot gateway UI (websocket capable)
|
# Gateway UI
|
||||||
|
# Ensure the browser URL includes token=... (Clawdbot UI expects it client-side).
|
||||||
location / {
|
location / {
|
||||||
proxy_pass http://127.0.0.1:18789$uri?$args_with_token;
|
if ($arg_token = "") {
|
||||||
|
return 302 $scheme://$host$request_uri?token=__GATEWAY_TOKEN__;
|
||||||
|
}
|
||||||
|
|
||||||
|
proxy_pass http://127.0.0.1:18789;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "upgrade";
|
proxy_set_header Connection "upgrade";
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -266,7 +266,8 @@ if [ "$ENABLE_TERMINAL" = "true" ]; then
|
|||||||
# -p: port
|
# -p: port
|
||||||
# bind localhost only; exposed to HA via ingress reverse proxy
|
# bind localhost only; exposed to HA via ingress reverse proxy
|
||||||
# ttyd is writable by default; use -R for read-only. (Some builds don't support -W)
|
# ttyd is writable by default; use -R for read-only. (Some builds don't support -W)
|
||||||
ttyd -i 127.0.0.1 -p 7681 bash &
|
# -b sets the base path so it works behind Ingress (/terminal/)
|
||||||
|
ttyd -i 127.0.0.1 -p 7681 -b /terminal bash &
|
||||||
TTYD_PID=$!
|
TTYD_PID=$!
|
||||||
else
|
else
|
||||||
echo "Terminal disabled (enable_terminal=false)"
|
echo "Terminal disabled (enable_terminal=false)"
|
||||||
@@ -276,6 +277,8 @@ fi
|
|||||||
# Token is injected server-side; never put it in the browser URL.
|
# Token is injected server-side; never put it in the browser URL.
|
||||||
|
|
||||||
# Render nginx config from template with the gateway token.
|
# Render nginx config from template with the gateway token.
|
||||||
|
# NOTE: This intentionally exposes the token in the browser URL via a redirect.
|
||||||
|
# This matches Clawdbot Control UI's current expectations.
|
||||||
GW_TOKEN="$GW_TOKEN" python3 - <<'PY'
|
GW_TOKEN="$GW_TOKEN" python3 - <<'PY'
|
||||||
import os
|
import os
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
@@ -283,9 +286,7 @@ from pathlib import Path
|
|||||||
tpl = Path('/etc/nginx/nginx.conf.tpl').read_text()
|
tpl = Path('/etc/nginx/nginx.conf.tpl').read_text()
|
||||||
token = os.environ.get('GW_TOKEN','')
|
token = os.environ.get('GW_TOKEN','')
|
||||||
if not token:
|
if not token:
|
||||||
# Keep nginx running, but gateway UI will remain inaccessible.
|
print('WARN: gateway_token is empty; ingress UI will redirect with an empty token and Control UI will not authenticate.')
|
||||||
# This avoids breaking the add-on UI completely if token is unset.
|
|
||||||
print('WARN: gateway_token is empty; ingress proxy will not be able to authenticate to gateway UI.')
|
|
||||||
|
|
||||||
conf = tpl.replace('__GATEWAY_TOKEN__', token)
|
conf = tpl.replace('__GATEWAY_TOKEN__', token)
|
||||||
Path('/etc/nginx/nginx.conf').write_text(conf)
|
Path('/etc/nginx/nginx.conf').write_text(conf)
|
||||||
|
|||||||
Reference in New Issue
Block a user