
basic authentication with nginx about send HOT 5 OPEN

timvisee commented on August 17, 2024
basic authentication with nginx

from send.

Comments (5)

timvisee commented on August 17, 2024

> So it seems that somehow the browser requests some resources without passing the authentication header?

I'm not sure.

> Is this a known issue? Is there a standard way to deploy send behind a proxy with basic auth?

It is not. I never deployed Send with BasicAuth myself, though there have been others who did, with success. I don't have much experience with BasicAuth either; it may be worth checking what headers affect it.

Please note that when uploading a file, it is done so over a websocket rather than a regular HTTP request. That might need special attention.

DavyLandman commented on August 17, 2024

I've been debugging this, it looks like the XHR requests don't use the credentials of the browser? That means that the calls to the API fail, and that is what is causing the downloads to fail.


I've been reading a bit, and it seems like it might be resolved by setting the withCredentials property on the xhr, but I don't know how to test that currently.

martin-braun commented on August 17, 2024

@timvisee I think it would make sense to provide a way to configure credentials in the server configuration that need to be put for home use. I'd like to host send for my partner and me and I wish to prevent strangers from using it on my server.

ben-64 commented on August 17, 2024

I face exactly the same problem.
Due to basic authentication and reverse proxy, all links are expired, but the real reason is the authentication problem.

AlassaneWone commented on August 17, 2024

I don't know if this is relevant or helpful, but I just implemented Send with basic authentication on my Apache server.

I created users and passwords using this command (-c creates the file, so if you want to create more users, just get rid of it):

        htpasswd -c /etc/apache2/.htpasswd <username>

I also added this bit of code to the VirtualHost so that everyone can access downloads via links, but only authenticated users can access the upload page.

        <LocationMatch "^/$">
                AuthType Basic
                AuthName "Send"
                AuthUserFile /etc/apache2/.htpasswd
                Require valid-user
                Order Deny,Allow
        </LocationMatch>

        <LocationMatch "^/download/">
                allow from all
                Satisfy any
        </LocationMatch>

However, there's still an issue I couldn't figure out how to resolve.
Accessing the download page and clicking on the 'Send' logo (top left of the page) redirects an unauthenticated user to the upload page without requiring username or password.

Feel free to notify me if you discover a better solution, security issues, or anything that could be improved.

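Added example, not part of the thread or of the Send project: a simplified Python model of the two LocationMatch rules posted above, listing which request paths they leave without an authentication requirement, next to a default-deny variant. The last-match-wins merge is a simplification of Apache's section handling, and every path other than `/` and `/download/` is constructed for illustration.

```python
import re

# Simplified model (an assumption of this example): every matching section
# applies in configuration order and the last match wins; a path that no
# section matches has no access control applied to it at all.
AS_POSTED = [
    (r"^/$", "auth"),          # <LocationMatch "^/$"> ... Require valid-user
    (r"^/download/", "open"),  # <LocationMatch "^/download/"> ... Satisfy any
]

# Default-deny variant: require credentials everywhere, then exempt the
# download prefix. Anything else the download page loads would need its own
# explicit exemption.
DEFAULT_DENY = [
    (r"^/", "auth"),
    (r"^/download/", "open"),
]

# Constructed request paths; only "/" and "/download/" come from the thread.
SAMPLE_PATHS = [
    "/",
    "/download/abc123/",
    "/api/ws",   # hypothetical upload WebSocket endpoint
    "/app.js",   # hypothetical static asset
]


def decide(rules, path):
    """Return 'auth', 'open' or 'unmatched' for one URL path."""
    verdict = "unmatched"
    for pattern, action in rules:
        if re.search(pattern, path):
            verdict = action  # later matching sections override earlier ones
    return verdict


def reachable_without_credentials(rules, paths):
    """Paths an anonymous client can request under the given rules."""
    return [p for p in paths if decide(rules, p) != "auth"]


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("default deny", DEFAULT_DENY)):
        print(name)
        for p in SAMPLE_PATHS:
            print(f"  {p:<20} {decide(rules, p)}")
```
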
