[nodebb-plugin-camo] Make embedded images look secure!

  • GNU/Linux Admin

    Oh dear, it seems like @ThingBreaker has gone the way of the dodo... although an account under a new pseodunym may pop up soon™

    In any case, I've used webroot with multiple -d arguments before... hopefully there are no issues with that, since I defined upwards of 20 domains for that cert!


  • @julian said

    In any case, I've used webroot with multiple -d arguments before... hopefully there are no issues with that, since I defined upwards of 20 domains for that cert!

    Oh my. That's quite extensive.

    I took some time tonight to test out implementing both camo and a self-hosting of iframely in a development environment. At first, I had some issues when using the NGINX config generated by this plugin (hey, if it's in plugin form, why self-install ;)). After simplifying my config to be more in line with my original (very similar to @yariplus') the plugin operated without issue.

    Between camo being so easy to implement with NodeBB and Let's Encrypt, I expect that we'll see even NodeBB beginners follow security best practices more closely.


  • @yariplus yep, the SSL config was probably too strong for older NGINX or OpenSSL versions. I simplified it a bit.

    https://github.com/minora-oss/nodebb-plugin-camo/commit/61224dbedd229f043dcede52626fc8d5b7f09eba

  • Community Rep

    Hi @yariplus was this ever resolved? I'm seeing the same kind of issues as ThingBreaker brought up:

    GET https://mysite.com/topic/97/static-gif/eefd50d480e35ecaaa83e925da667ad6b…323466643130303536333931336132363634653234626130333066333565625f6d2e6a7067 404 (Not Found)
    

    I wasn't sure what to put in the Camo Key field, so I echo'd a word to shasum to get a key

    I verified that the ssl cert was working correctly, and other than that, everything else is pretty standard:

    • Camo host: ssl.<site>.com
    • Camo Key; <shasum hash>
    • URL type: encoded path
    • Proxy https images
    • Use internal camo proxy
    • Camo port: 8082

    nginx config generated by config, plus stuff for letsencrypt:

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name ssl.<site>.com;
        access_log off;
        error_log /dev/null;
    
        ssl_certificate           /etc/letsencrypt/live/fullchain.pem;
        ssl_certificate_key       /etc/letsencrypt/live/privkey.pem;
    
        location / {
            proxy_redirect                   off;
            proxy_http_version               1.1;
            proxy_pass                       http://localhost:8082;
        }
    }
    
    server {
            listen 80;
            server_name ssl.<site>.com;
    
            root /usr/share/nginx/ssl.camo;
    
            location /.well-known/acme-challenge/ {
                    try_files $uri =404;
            }
    }
    

    EDIT: Hm, ok, I changed the host to https://ssl.<site>.com/ and it's asking for the correct URL ( I think) now, but I'm getting a 502:

    GET https://ssl.<site>.com/858db666915759030a5cc6bdac0d0a026a3ecd02/687474703a2f2f…302f31322f5459504f455f434f4e46455454492d44454154485f315f39303070782e6a7067 502 (Bad Gateway)
    
  • Community Rep

    @Bri Ah, right. I have not fixed the host field yet. You have to enter the full address. I'll get to the asap.

    For the 502, sounds like something's wrong with the camo key. It should actually be auto-populating when Internal Camo proxy is selected.

  • Community Rep

    Ah, I think I figured it out. The Camo url parser is not correctly changing it's key when you reload. Restarting NodeBB should fix it for now hopefully.

  • Community Rep

    Yeah, I disabled it, and re-enabled it, restarted NBB twice, and now it shows "internal" where the key was before. But it's still getting a 502. I suspect the process is crashing or not configured correctly, but I haven't been able to get any error (or any) logs out of the process.

    Is there a process name I can look for? it's just another node process right?

    When I do a netstat -a | grep LISTEN, I don't see anything running on 8082, so I'm guessing the worker is either not getting forked or it's dying immediately

  • Community Rep

    @Bri yep, should definitely be showing on your process list.

    I pushed a small update to pipe errors form the worker to the NodeBB logs. Maybe something insightful will show up.

  • Community Rep

    You're awesome, thanks!

    Here we go (running on node v.4.3.2):

    21/4 13:21 [9592] - error: [CamoProxy]: events.js:141
          throw er; // Unhandled 'error' event
          ^
    
    Error: spawn node ENOENT
        at exports._errnoException (util.js:870:11)
        at Process.ChildProcess._handle.onexit (internal/child_process.js:178:32)
        at onErrorNT (internal/child_process.js:344:16)
        at nextTickCallbackWith2Args (node.js:437:9)
        at process._tickCallback (node.js:351:17)
        at Function.Module.runMain (module.js:443:11)
        at startup (node.js:134:18)
        at node.js:962:3
    
  • Community Rep

    @yariplus any ideas what this could be? Are you running node as root? What version are you on?

  • Community Rep

    @Bri I'm running as a regular user.

    I've not been able to find anything useful yet based on that error.

    I pushed another update that cleans up some things, maybe it will give us some more info.

    My node version is v0.10.25

  • Community Rep

    Have you by chance tried re-installing the plugin? It installs camo from github, which can sometimes cause issues.

    Edit: Also, I just noticed, this plugin doesn't consider that you may have camo installed globally, which may cause that error.

  • Community Rep

    @yariplus I definitely haven't installed it globally. I can try and reinstall. I'm also wondering if the key has something to do with it? You were saying that if the internal proxy was selected, then you wouldn't need to specify a key? Looking at the code here, it's still trying to grab a key from the settings module.

    So now the error looks the same, slightly different:

    21/4 21:36 [19483] - info: [Camo]: Starting Camo worker...
    21/4 21:36 [19483] - error: Error: spawn node ENOENT
        at exports._errnoException (util.js:870:11)
        at Process.ChildProcess._handle.onexit (internal/child_process.js:178:32)
        at onErrorNT (internal/child_process.js:344:16)
        at nextTickCallbackWith2Args (node.js:437:9)
        at process._tickCallback (node.js:351:17)
    Error: spawn node ENOENT
        at exports._errnoException (util.js:870:11)
        at Process.ChildProcess._handle.onexit (internal/child_process.js:178:32)
        at onErrorNT (internal/child_process.js:344:16)
        at nextTickCallbackWith2Args (node.js:437:9)
        at process._tickCallback (node.js:351:17)
    

    EDIT: Also, the new version (1.2.2) crashes nodebb, where 1.2.1 fails, but nodebb stays up

  • Community Rep

    And if I go to node v0.10.25, npm rebuild and npm i:

    21/4 22:23 [24989] - error: [CamoProxy]: 
    events.js:72
            throw er; // Unhandled 'error' event
                  ^
    Error: spawn ENOENT
        at errnoException (child_process.js:988:11)
        at Process.ChildProcess._handle.onexit (child_process.js:779:34)
    

    I tried deleting the entire node_modules folder under nodebb, and reinstalling under node v0.10.25, and then manually installing [email protected] Still getting that error :(

    What env are you running on? Did you have to install anything special (like node-gyp or ...? )

  • Community Rep

    Here's some more information: I can actually get it running this way, if I set the plugin to use an external camo instance, and then run camo (the one in your plugin as a dependency) like this:

    ~/NodeBB/node_modules/nodebb-plugin-camo/node_modules/camo$ /usr/bin/env PORT=8082 CAMO_KEY="<key generated by your plugin>" node server.js
    
  • Community Rep

    @Bri Just a normal Ubuntu LTS. Nothing in npm global, no node-gyp in nodebb directory.

    I don't think the there's anything wrong with the key, it checks to make sure it's valid.

  • Community Rep

    @Bri Interesting, I can only think there must be something wrong with the path I give to spawn call.

  • Community Rep

    @yariplus I found the problem, the child process wasn't getting the PATH variable from the parent env, so when child_process.spawn() was called on 'node' it didn't know where to find it. I've made a PR for you.

  • Community Rep

    Perfect! I figured it was something like that. Odd though.

  • Community Rep

    Yeah, curious how it was working for you... I'm using nvm to manage node versions on my server, so it makes sense that the path to node would be different and require the right path in the PATH variable

Suggested Topics

| |