lywsvip/nginx-ui
1
0
Fork 0
mirror of https://github.com/0xJacky/nginx-ui.git synced 2026-05-07 22:41:41 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
cursor/interface-conversion-error-36ec
nginx-ui/docs/guide/config-http.md
0xJacky fb37c94276 feat: implement short token endpoint for WebSocket authentication 
- Added `InitTokenRouter` to define the `/token/short` endpoint for issuing short tokens.
- Created `IssueShortToken` function to handle short token generation and response.
- Updated WebSocket middleware to require short token for authentication, preventing CSWSH attacks.
- Modified user store and login handling to integrate short token functionality.
- Enhanced documentation to reflect changes in WebSocket security requirements.
2026-04-02 00:06:04 +08:00

37 lines
1.3 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Http
## GithubProxy
- Type: `string`
- Version: `>= v2.0.0-beta.37`
- Suggestion: `https://cloud.nginxui.com/`
For users who may experience difficulties downloading resources from GitHub (such as in mainland China), this option
allows them to set a proxy for github.com to improve accessibility.
## InsecureSkipVerify
- Version`>= v2.0.0-beta.37`
- Type: `bool`
This option is used to skip the verification of the certificate of servers when Nginx UI sends requests to them.
## WebSocketTrustedOrigins
- Type: `[]string`
- Default: empty
- Example: `http://localhost:5173,https://admin.example.com`
::: tip
Since Nginx UI uses ticket-based WebSocket authentication, this option is **no longer required** for most deployments.
WebSocket security is now enforced by requiring an explicit short token in the URL query parameter, which can only be obtained through a CSRF-protected API endpoint.
This setting is retained as an optional defense-in-depth measure.
:::
This option allows additional trusted browser origins for authenticated WebSocket connections.
Use it when Nginx UI is accessed through a reverse proxy with a different public origin, through multiple management domains, or during local development where the frontend and backend run on different ports.
Keep this list as small as possible. Same-origin WebSocket requests do not need to be added here.
Reference in New Issue View Git Blame Copy Permalink