Passphrase lockdown with 'ephemeral' setup

[bodomartin]

Hi,

thanks for pwpush!
.. I am hosting a private instance via docker container) behind nginx.
This works (via sub_filter rewrites) but the 'Passphrase Lockdown' does not (keeps asking for the
passphrase when I click the pushed link)

Is a database required for the Passphrase Lockdown to function ?

[pglombardo]

Hi @bodomartin - database not required. Could you trace the request and response headers and post them here?

[bodomartin]

I have tried to simplify my setup as much as possible;
http://internal.de:8081 (docker host) -> nginx reverse proxy to external.de:443/pwp

Everything works except setting a passphrase (keeps asking)

Thanks for having a look into this

environment variables for PasswortPusher:

  PWP__RELATIVE_ROOT: "pwp"
  PWP__HOST_DOMAIN: "external.de"
  PWP__HOST_PROTOCOL: "https"
  PWP__OVERRIDE_BASE_URL: "https://external.de"

nginx:

location ^~ /pwp/ {                                                                                                                                                                                                                                
     proxy_cookie_path / /pwp/;                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                    
     proxy_pass http://internal:8081/pwp/;                                                                                                                                                                                                                                                                                                                                                                                                                                               
     proxy_set_header        X-Forwarded-Server $host;                                                                                                                                                                                                                                                                                                                                                             
     proxy_set_header X-Forwarded-Proto http;                                                                                                                                                              
                                                                                                                                                                                                                                                  
 }                                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                                                                                                                                                                                                      
 location ^~ /assets/ {                                                                                                                                                                                                                             
    proxy_pass http://internal.de:8081/assets/;                                                                                                                                                                                    
    proxy_buffering off;                                                                                                                                                                                                                            
                                                                                                                                                                                                                                                    
 }                                                                                                                                                                                                                                                  

(rewriting to e.g. /pwp/assets with sub_filter rules works)

Access logs (nginx access.log) :

1.2.3.4 - - [11/Jul/2023:20:31:05 +0200] "POST /pwp/en/p HTTP/1.1" 302 154 "https://external.de/pwp/en" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) G
ecko/20100101 Firefox/115.0"
1.2.3.4 - - [11/Jul/2023:20:31:05 +0200] "GET /pwp/en/p/rohjtutm9zlpl8itd_g/preview HTTP/1.1" 200 4930 "https://external.de/pwp/en" "Mozilla/5.0 (X1
1; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
1.2.3.4 - - [11/Jul/2023:20:31:15 +0200] "GET /pwp/en/p/rohjtutm9zlpl8itd_g/r HTTP/1.1" 200 1698 "https://external.de/pwp/en/p/rohjtutm9zlpl8itd_g/p\
review" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
1.2.3.4 - - [11/Jul/2023:20:31:24 +0200] "GET /pwp/en/p/rohjtutm9zlpl8itd_g HTTP/1.1" 302 157 "https://external.de/pwp/en/p/rohjtutm9zlpl8itd_g/r" "
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
1.2.3.4 - - [11/Jul/2023:20:31:24 +0200] "GET /pwp/en/p/rohjtutm9zlpl8itd_g/passphrase HTTP/1.1" 200 1928 "https://external.de/pwp/en/p/rohjtutm9zlp\
l8itd_g/r" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
1.2.3.4 - - [11/Jul/2023:20:31:31 +0200] "POST /pwp/en/p/rohjtutm9zlpl8itd_g/access HTTP/1.1" 302 146 "https://external.de/pwp/en/p/rohjtutm9zlpl8it\
d_g/passphrase" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
1.2.3.4 - - [11/Jul/2023:20:31:31 +0200] "GET /pwp/en/p/rohjtutm9zlpl8itd_g HTTP/1.1" 302 157 "https://external.de/pwp/en/p/rohjtutm9zlpl8itd_g/pass\
phrase" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
1.2.3.4 - - [11/Jul/2023:20:31:32 +0200] "GET /pwp/en/p/rohjtutm9zlpl8itd_g/passphrase HTTP/1.1" 200 1929 "https://external.de/pwp/en/p/rohjtutm9zlp\
l8itd_g/passphrase" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"

[pglombardo]

I would guess that it's definitely something related to the nginx config although I'm not sure what.

To explain the process:

1. GET /pwp/en/p/rohjtutm9zlpl8itd_g/passphrase requests the passphrase from the user.
2. POST /pwp/en/p/rohjtutm9zlpl8itd_g/access validates if it's correct and if so sets a cookie in the browser with the encrypted passphrase - the passphrase was correct so it HTTP 302 redirected you to step 3
3. GET /pwp/en/p/rohjtutm9zlpl8itd_g then checks for that cookie - this part is failing and instead redirects to back to step one

Have you made any progress on this since you've posted? I was on vacation and am still catching up.

You could check if you have that cookie in your browser cache. If you really wanted to go deep, you could check the encrypted value against the database record (that is also encrypted).

[bodomartin]

very sorry for the late reply. Thank you for the helpful answer, I finally got this to work with nginx by properly setting the forward headers:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host:443;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-Proto https;

[pglombardo]

That's very helpful to know. Thanks @bodomartin!