• dlreq for web download

    From opicron@21:3/126 to Zip on Mon Apr 21 14:28:15 2025
    Speaking of HTTPS, I see that you have an nginx serving the dlreq page over HTTPS. How do you make nginx preserve the client IP when forwarding the request to Mystic's web server? (As dlreq checks the client IP and refuses to serve anything if the IP doesn't match.)

    The nginx in question is the reverse proxy of Synology. So, in the HTML I change the http requests to HTTPS. The HTTPS requests are forwarded to the Mystic HTTP webserver again.

    I have HTTP on port 61080 leading directly to the Mystic HTTP web server, similarly HTTPS on port 61443 leading to the Mystic HTTPS web server, and experimenting a little with Apache (which runs all HTTPS stuff with the "real" SSL cert) to proxy certain URLs internally to 61443, but the client as seen by Mystic's web server will always be the loopback interface, so dlreq denies the download requests when clicking on the file links.

    Mystic runs in a docker on my Synology and the IP of caller/webvisitor gets forwarded by the DNS reverse proxy in all cases. I don't know the exact script/command for nginx as Synology does it for me.

    Could be one of those things that are easy to do with nginx, but less so with Apache. :)

    I believe it is, I vaguely remember having to do some IP forward some time ago. Wasn't it with x-headers? x-forward?

    (Hmm, maybe I would need to let Apache handle 61080 as well so that the "initial" dlreq requests come from the loopback interface... Which would trash the client IP checking ability of dlreq, but anyway...)

    Thanks in advance!

    Hope it will be as easy as I had it. Didn't even know that dlreq validated the IP :).

    oP!

    ... Monday is the root of all evil!

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: TheForze - bbs.theforze.eu:23 (21:3/126)
  • From Prof Brown@21:2/160 to Zip on Mon Apr 21 19:00:19 2025
    I am using Nginx Proxy, and have 'streams' to Mystic to my BBS for BinkP and Telnet. The web pages are forwarded to port 80 on the BBS with Let's Encrypt. I have no issues with DLReq doing that.

    -Jeremy

    --- Mystic BBS v1.12 A48 (Linux/64)
    * Origin: Old Time BBS (21:2/160)
  • From Zip@21:1/202 to Prof Brown on Tue Apr 22 20:59:32 2025
    Hello Jeremy!

    On 21 Apr 2025, Prof Brown said the following...

    I am using Nginx Proxy, and have 'streams' to Mystic to my BBS for BinkP and Telnet. The web pages are forwarded to port 80 on the BBS with
    Let's Encrypt. I have no issues with DLReq doing that.

    Thanks! Yep, the Telnet proxying would probably explain why dlreq thinks the IP is OK... Thanks again!

    Best regards
    Zip

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)
  • From Zip@21:1/202 to opicron on Tue Apr 22 21:06:32 2025
    Hello opicron!

    On 21 Apr 2025, opicron said the following...

    Mystic runs in a docker on my Synology and the IP of caller/webvisitor
    gets forwarded by the DNS reverse proxy in all cases. I don't know the
    exact script/command for nginx as Synology does it for me.

    Thanks! Yes, the proxying of "everything" is most likely why dlreq thinks everything is OK. (In my case I get a different IP for Telnet vs dlreq/web.)

    I believe it is, I vaguely remember having to do some IP forward some
    time ago. Wasn't it with x-headers? x-forward?

    Yep, X-Forwarded-For and similar ones, although it depends on the receiver (in this case dlreq, or the Mystic web server) to trust it, which it doesn't...

    Hope it will be as easy as I had it. Didn't even know that dlreq
    validated the IP :).

    Actually, I asked g00r00 if it would be possible to turn the IP validation off in some future version (and perhaps also to change the URL displayed inside Mystic, e.g. http:// to https:// and changing/removing the port number), but I'm pretty sure the wishlist for Mystic is long already...

    Thanks again!

    Best regards
    Zip

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)
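
The trust decision behind X-Forwarded-For that Zip mentions above, as an added example that is not part of the original posts and is not Mystic's or dlreq's code. The trusted ranges, the sample addresses and the `download_allowed` check are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: hops allowed to vouch for a client address (loopback plus a
# constructed Docker-style bridge range). Everything else is untrusted.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("127.0.0.0/8", "::1/128", "172.17.0.0/16")]


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def parse_ip(text):
    """Return an ip_address object, or None for malformed input."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(peer, xff_header):
    """Resolve the client address from the TCP peer and X-Forwarded-For."""
    peer_ip = ipaddress.ip_address(peer)
    # A header sent by an untrusted peer is client-controlled: ignore it.
    if not is_trusted(peer_ip) or not xff_header:
        return str(peer_ip)
    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not one of our own proxies.
    for hop in reversed(xff_header.split(",")):
        hop_ip = parse_ip(hop)
        if hop_ip is None:
            return str(peer_ip)  # malformed chain: fall back to the peer
        if not is_trusted(hop_ip):
            return str(hop_ip)
    return str(peer_ip)


def download_allowed(recorded_ip, peer, xff_header=None):
    """Hypothetical dlreq-style check: resolved client must equal recorded_ip."""
    resolved = ipaddress.ip_address(client_ip(peer, xff_header))
    return ipaddress.ip_address(recorded_ip) == resolved
```

Without the header, a request proxied over loopback resolves to 127.0.0.1 and fails the comparison, which is the denial described earlier in the thread.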
  • From opicron@21:3/126 to Zip on Tue Apr 22 19:42:55 2025
    Hello opicron!

    validated the IP :).

    Actually, I asked g00r00 if it would be possible to turn the IP validation off in some future version (and perhaps also to change the URL displayed inside Mystic, e.g. http:// to https:// and changing/removing the port number), but I'm pretty sure the wishlist for Mystic is long already...

    Oh yes, that's a good one, and also how long a d/l is valid. I was thinking it would be so easy to send a download link instead of someone needing to find the file on the board. But 1 hour is too short for that to work. We are all over the world, the timezones are too huge ^^.

    Thanks again!
    Yw and hope you get it working. You could also choose to always feed some local IP to the board and webserver, ok that means no hostname/IP for lookups. But I do not use those anyway, my firewall blocks regions/countries. Not Mystic.

    Zip
    oP!

    ... Computers are not intelligent. They only think they are.

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: TheForze - bbs.theforze.eu:23 (21:3/126)