diff --git a/client/public/version.js b/client/public/version.js
index cffa6dc..13d3ed5 100644
--- a/client/public/version.js
+++ b/client/public/version.js
@@ -1,6 +1,6 @@
 // Maintainer-controlled web client version metadata.
 window.CHGRID_RELEASE_VERSION = "0.1.0";
-window.CHGRID_BUILD_REVISION = "R343";
+window.CHGRID_BUILD_REVISION = "R344";
 window.CHGRID_WEB_VERSION = `${window.CHGRID_RELEASE_VERSION} ${window.CHGRID_BUILD_REVISION}`;
 // Optional display timezone for timestamps. Falls back to America/Detroit if unset/invalid.
 window.CHGRID_TIME_ZONE = "America/Detroit";
diff --git a/deploy/README.md b/deploy/README.md
index 9d33245..4c09e46 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -108,7 +108,7 @@ ProxyPassReverse /listen/8000/ http://127.0.0.1:8000/
 `deploy/php/media_proxy.php` is copied into your publish directory by `deploy_client.sh`.
-When `server/.env` contains `CHGRID_HOST_ORIGIN`, `deploy_client.sh` also generates `media_proxy.config.php` in the publish directory so the proxy can enforce the same origin and validate authenticated sessions without extra Apache-specific config. The generated file derives the local auth-check URL from `server/config.toml`, so custom signaling ports continue to work.
+When `server/.env` contains `CHGRID_HOST_ORIGIN`, `deploy_client.sh` also generates `media_proxy.config.php` in the publish directory so the proxy can enforce the same origin and validate authenticated sessions without extra Apache-specific config. The generated file derives the local auth-check URL from `server/config.toml`, so custom signaling ports continue to work, and the proxy reuses `CHGRID_HOST_ORIGIN` for its internal auth check.
 If you deploy the PHP proxy some other way, you can still provide `CHGRID_HOST_ORIGIN` directly through your PHP/web-server environment.
diff --git a/deploy/php/media_proxy.php b/deploy/php/media_proxy.php
index 8580c25..095a619 100644
--- a/deploy/php/media_proxy.php
+++ b/deploy/php/media_proxy.php
@@ -187,7 +187,7 @@ function load_proxy_session_check_url()
 return $value;
 }
-function require_valid_proxy_session($sessionCheckUrl)
+function require_valid_proxy_session($sessionCheckUrl, $allowedOrigin)
 {
 $cookieHeader = isset($_SERVER['HTTP_COOKIE']) ? trim((string) $_SERVER['HTTP_COOKIE']) : '';
 if ($cookieHeader === '') {
@@ -216,6 +216,7 @@ function require_valid_proxy_session($sessionCheckUrl)
 array(
 'Cookie: ' . $cookieHeader,
 'X-Chgrid-Auth-Client: 1',
+ 'Origin: ' . $allowedOrigin,
 )
 );
@@ -521,7 +522,7 @@ if ($method !== 'GET' && $method !== 'HEAD') {
 send_text(405, 'method not allowed');
 }
-require_valid_proxy_session($sessionCheckUrl);
+require_valid_proxy_session($sessionCheckUrl, $allowedOrigin);
 $rawUrl = isset($_GET['url']) ? trim((string) $_GET['url']) : '';
 if ($rawUrl === '') {
diff --git a/server/config.example.toml b/server/config.example.toml
index aeafe06..c82259f 100644
--- a/server/config.example.toml
+++ b/server/config.example.toml
@@ -15,9 +15,11 @@ allow_insecure_ws = false
 [tls]
 # Required when allow_insecure_ws = false.
 cert_file = ""
+# Private key paired with tls.cert_file.
 key_file = ""
 [logging]
+# Python logging level for the signaling server.
 level = "INFO"
 [storage]
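Review bot: The new `$allowedOrigin` parameter on `require_valid_proxy_session()` (first media_proxy.php hunk, `@@ -187,7 +187,7 @@`) is undocumented, so a reader cannot tell from the signature what value it expects or that it ends up in an outgoing request header. A one-line docblock above the signature would cover it, e.g. `/** @param string $allowedOrigin Configured host origin (CHGRID_HOST_ORIGIN); sent as the Origin header on the internal auth check. */`. The parameter is also added as a required positional argument with no default, so any caller other than the one updated in the third hunk would now fail; only that call site is visible in this diff. The function body continues outside the hunk.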
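Review bot: `'Origin: ' . $allowedOrigin` (second media_proxy.php hunk, `@@ -216,6 +216,7 @@`) is appended to the outgoing header list with no check visible here that the value is a non-empty, single-line origin. The README still allows supplying `CHGRID_HOST_ORIGIN` through the web-server environment instead of the generated config, so an unset or malformed value would send the auth check with an empty or broken Origin header, and a value containing CR/LF would add extra header lines to the internal request. Validation may already happen where `$allowedOrigin` is loaded, which is outside this diff; if it does not, fail closed before the header array is built, e.g. `if (!is_string($allowedOrigin) || $allowedOrigin === '' || strpbrk($allowedOrigin, "\r\n") !== false) { send_text(500, 'proxy misconfigured'); }`. The enclosing function starts and ends outside this hunk.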