software/headless-chromium: use custom nginx to rewrite host

This is necessary because Chromium needs to think that the Host header is an IP address (for security reasons), but the browser needs to think that the Host header is a domain name (for TLS purposes). The easiest way to do this is to use the Nginx http_sub module, but this isn't enabled in the default SlapOS Nginx build.

software/headless-chromium: use custom nginx to rewrite host
This is necessary because Chromium needs to think that the Host header is an IP address (for security reasons), but the browser needs to think that the Host header is a domain name (for TLS purposes). The easiest way to do this is to use the Nginx http_sub module, but this isn't enabled in the default SlapOS Nginx build.
b09ba20b · Eric Zheng · 64f7234c · b09ba20b · b09ba20b · b09ba20b
Commit b09ba20b authored Jul 12, 2021 by Eric Zheng
3 changed files
--- a/software/headless-chromium/buildout.hash.cfg
+++ b/software/headless-chromium/buildout.hash.cfg
@@ -12,7 +12,7 @@ md5sum = 578df08913415c427486093787b4aea6

 [template-nginx-conf]
 _update_hash_filename_ = templates/nginx.conf.in
-md5sum = 297b09e8732be8fbc406eff3c6a1cb7b
+md5sum = 027ec1003e0b621ccb90ccd2caabaeba

 [template-nginx-launcher]
 _update_hash_filename_ = templates/nginx_launcher.in

--- a/software/headless-chromium/software.cfg
+++ b/software/headless-chromium/software.cfg
@@ -4,12 +4,26 @@ extends =
  ../../stack/slapos.cfg
  ../../component/headless-chromium/buildout.cfg
  ../../component/dash/buildout.cfg
-  ../../component/nginx/buildout.cfg

 parts =
  slapos-cookbook
  template-cfg

+# We are compiling a custom version of Nginx because we need the http_sub module enabled.
+[nginx]
+recipe = slapos.recipe.cmmi
+shared = false
+url = https://nginx.org/download/nginx-1.19.2.tar.gz
+md5sum = 3dc55f6451ed6f819f1c796f4e5e9617
+configure-options=
+  --with-http_ssl_module
+  --with-http_v2_module
+  --with-http_gzip_static_module
+  --with-http_realip_module
+  --with-http_sub_module
+  --with-ld-opt="-L ${openssl:location}/lib -L ${pcre:location}/lib -L ${zlib:location}/lib -Wl,-rpath=${openssl:location}/lib -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${zlib:location}/lib"
+  --with-cc-opt="-I ${openssl:location}/include -I ${pcre:location}/include -I ${zlib:location}/include"
+
 [template-cfg]
 recipe = slapos.recipe.template:jinja2
 rendered = ${buildout:directory}/template.cfg

--- a/software/headless-chromium/templates/nginx.conf.in
+++ b/software/headless-chromium/templates/nginx.conf.in
@@ -33,6 +33,11 @@ http {
      proxy_http_version 1.1;
      proxy_set_header Host [{{ param_chromium_headless['ip'] }}]:{{ param_chromium_headless['remote-debugging-port'] }};
      proxy_pass http://[{{ param_chromium_headless['ip']}}]:{{ param_chromium_headless['remote-debugging-port'] }};
+
+      # The browser security policy will prevent us from loading the Websocket connection without TLS, so we have to go through the frontend CDN URL. The tricky thing is that the frontend URL is not available yet when this file is built; what we do instead is use the given Host header. This is possibly fragile; perhaps alternatives are worth investigating.
+      sub_filter "ws=[{{ param_chromium_headless['ip'] }}]:{{ param_chromium_headless['remote-debugging-port'] }}" "wss=$host";
+      sub_filter_once on;
+      sub_filter_types application/json;
    }
  }
 }