NAS-134090 / 25.10 / Restrict CORS exception to registered TrueConnec…

…t hosts (#15647) * tighten access * https
truenas · Feb 7, 2025 · 26826e3 · 26826e3
1 parent 8fb117e
commit 26826e3
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/middlewared/middlewared/etc_files/local/nginx/nginx.conf.mako b/src/middlewared/middlewared/etc_files/local/nginx/nginx.conf.mako
@@ -83,6 +83,8 @@
         disabled_ciphers = ''
     display_device_path = middleware.call_sync('vm.get_vm_display_nginx_route')
     display_devices = middleware.call_sync('vm.device.query', [['dtype', '=', 'DISPLAY']])
+
+    has_tn_connect = middleware.call_sync('tn_connect.config')['certificate'] is not None
 %>
 #
 #    TrueNAS nginx configuration file
@@ -136,7 +138,7 @@ http {
     }
 
     map $http_origin $allow_origin {
-        ~ixsystems.net$ $http_origin;
+        ~^https://truenas.connect.(dev.|staging.)?ixsystems.net$ $http_origin;
         default "";
     }
 
@@ -322,10 +324,12 @@ http {
         }
 
         location /_download {
+% if has_tn_connect:
             # Allow all internal origins.
             add_header Access-Control-Allow-Origin $allow_origin always;
             add_header Access-Control-Allow-Headers "*" always;
 
+% endif
             proxy_pass http://127.0.0.1:6000;
             proxy_http_version 1.1;
             proxy_set_header X-Real-Remote-Addr $remote_addr;