- Introduced SafeWebSocketWriter to ensure thread-safe writes to WebSocket connections.
- Updated WebSocket handling in certificate issuance, revocation, Nginx log tailing, and system upgrades to use the new writer.
- Enhanced WebSocket client management in the site navigation module for improved message handling and connection stability.
- Added `InitTokenRouter` to define the `/token/short` endpoint for issuing short tokens.
- Created `IssueShortToken` function to handle short token generation and response.
- Updated WebSocket middleware to require short token for authentication, preventing CSWSH attacks.
- Modified user store and login handling to integrate short token functionality.
- Enhanced documentation to reflect changes in WebSocket security requirements.
- Introduced `WebSocketTrustedOrigins` setting in `app.example.ini` and corresponding documentation.
- Refactored WebSocket origin checks across multiple API endpoints to utilize the new middleware for improved security.
- Added tests for the new origin validation logic to ensure proper handling of trusted origins and node secret requests.
- Added regex pattern for parsing the pid directive in nginx configurations.
- Introduced `getPIDPathFromNginxT` function to extract the pid file path, handling both absolute and relative paths.
- Enhanced `GetPIDPath` function to prioritize user settings, compile-time defaults, and runtime overrides, ensuring robust path resolution.
- Added unit tests for PID regex parsing to validate various scenarios, including standard, indented, and commented directives.

This update improves the handling of pid paths, particularly for nginx-unprivileged setups, and ensures accurate logging and configuration management.

* fix: prevent duplicate include directives in nginx.conf

The FixNginxConfIncludeSites, FixNginxConfIncludeStreams, and
FixNginxConfIncludeConfD functions now check if the include directive
already exists before adding a new one. This prevents duplicate include
directives that could cause nginx to load configurations twice, leading
to errors like 'duplicate upstream' in stream configurations.

Fixes the issue where stream and http includes were being added
multiple times to nginx.conf:
- include /etc/nginx/sites-enabled/*;
- include /etc/nginx/streams-enabled/*;
- include /etc/nginx/conf.d/*.conf;

Added test TestFixNginxConfNoDuplicateIncludes to verify the fix.

Co-authored-by: Jacky <me@jackyu.cn>

* fix: align Fix function patterns with Check functions and defer backup creation

- Change Fix functions to use same glob patterns as Check functions:
  - 'sites-enabled/*' instead of 'sites-enabled'
  - 'streams-enabled/*' instead of 'streams-enabled'
  - 'conf.d/*' instead of 'conf.d'
- Move backup file creation after the duplicate check to avoid
  creating unnecessary backup files when no changes are needed

This fixes two issues:
1. Fix functions would incorrectly skip adding includes when a
   non-glob include existed (e.g., conf.d/default.conf)
2. Backup files were created even when early-returning due to
   duplicate detection

* Fix: Add backup creation for fallback paths in nginx.conf fix functions

The backup creation was moved inside the block-found branch, but the fallback
paths (when no http/stream block exists) still write to the file without
creating a backup first. This fix adds backup creation before each fallback
write operation to restore the original behavior where all code paths that
modify the file are protected by a backup.

---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
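
The behaviour these three fixes converge on, as an added Go example that is not the project's own code: the duplicate check runs first and matches the exact glob, and a backup is written on every path that modifies the file but never on an early return. The names `hasInclude` and `ensureInclude`, the `.bak` suffix, and the fallback of appending a new block are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
)

// hasInclude reports whether conf has an active (uncommented) "include <pattern>;".
// The exact glob is matched, so conf.d/default.conf does not satisfy conf.d/*.conf.
func hasInclude(conf, pattern string) bool {
	re := regexp.MustCompile(`(?m)^[ \t]*include\s+` + regexp.QuoteMeta(pattern) + `\s*;`)
	return re.MatchString(conf)
}

// ensureInclude adds the include to the first blockName block ("http", "stream").
// It returns false and writes nothing, not even a backup, if it is already present.
func ensureInclude(path, blockName, pattern string) (bool, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	conf := string(raw)
	if hasInclude(conf, pattern) {
		return false, nil // duplicate check runs before any backup is made
	}
	line := "    include " + pattern + ";\n"
	open := regexp.MustCompile(`(?m)^[ \t]*` + regexp.QuoteMeta(blockName) + `\s*\{[ \t]*\n`)
	out := conf + "\n" + blockName + " {\n" + line + "}\n" // fallback: no block found (assumed behaviour)
	if loc := open.FindStringIndex(conf); loc != nil {
		out = conf[:loc[1]] + line + conf[loc[1]:]
	}
	// Both the block-found and the fallback path back up before modifying the file.
	if err := os.WriteFile(path+".bak", raw, 0o600); err != nil {
		return false, err
	}
	return true, os.WriteFile(path, []byte(out), 0o644)
}

func main() {
	dir, _ := os.MkdirTemp("", "nginx-demo")
	defer os.RemoveAll(dir)
	p := dir + "/nginx.conf" // constructed sample config, not taken from the project
	os.WriteFile(p, []byte("http {\n    include /etc/nginx/conf.d/default.conf;\n}\n"), 0o644)
	for i := 0; i < 2; i++ {
		fmt.Println(ensureInclude(p, "http", "/etc/nginx/conf.d/*.conf")) // true <nil>, then false <nil>
	}
}
```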