i'm working through a head-scratcher about https certificates, zerotier tunnels, nginx reverse proxies, iframes, cryptpad, and yunohost, if anyone feels nerd-sniped by these topics. I suspect I'm missing a detail about how https and reverse proxies actually work

forum.yunohost.org/t/yunohost-

@notplants why is there an iframe? Where is it defined

I think the problem is caused by the iframe, not the tunnel or the TLS.

These apps are just configured to refuse to run inside iframes, it looks like. So getting rid of the iframe should fix it

@forestjohnson the iframe seems to just be how the cryptpad software was written -- I didn't add anything to it.

you can see it by inspecting crypt.commoninternet.net

there is an iframe with the src of sandbox-crypt.commoninternet.n

if you go directly to sandbox-crypt.commoninternet.n then it says this sandbox app was not meant to be used directly


I'm not sure why cryptpad uses this iframe design, but maybe there is a reason?

the case with the onlyoffice iframe within nextcloud is also just part of how the integration is written

@notplants oh wtf. Interesting. Sorry, can't check out the sites rn, I'll take a look later. Maybe browser origin issues then? Are they on different domains inside vs outside the tunnel?

<3 @forestjohnson for both of my tests i've been using the same domain names on both sides of the tunnel

@notplants ugh wtf is this software doing. U really nerd sniped me here, I thought it would be simple but obviously it's not

@notplants i think this header is the problem. maybe the tunnel is adding that ?

You can check by viewing the HTTP traffic at various different points. It's easy to do if it's plain http with no tls. my favorite tool to do it: git.sequentialread.com/forest/

watch the response headers coming out of the http server and also watch the response headers on the VPS server.

httpflow should work on the app server.
If the tunnel connects to the app server via HTTPS, you might not be able to use httpflow there.

then in the browser you just use the network tab instead of httpflow.


@notplants another option would be to record a `pcap` file using `tcpdump` and then open it in WireShark. But WireShark is way overkill for this and honestly kinda stinks for looking at HTTP traffic.

This probably won't happen on your server but just a fair warning that httpflow's live output won't work if the server is overloaded (cpu starved, etc, or if there is a lot of traffic). In that case you capture a pcap and then convert it to text files using httpflow later. wireshark.org/docs/wsug_html_c
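The comparison suggested in this thread (response headers leaving the app server versus the same response on the VPS) can be scripted once both header blocks are saved as text. This is an added example, not code from anyone in the thread; the sample responses are constructed, and the list of framing-related headers is an assumption because the thread does not name the header.

```python
# Headers that can affect whether a page loads inside an iframe. Assumed list:
# the thread does not name the header in question.
FRAMING_HEADERS = {
    "x-frame-options", "content-security-policy", "cross-origin-embedder-policy",
    "cross-origin-opener-policy", "cross-origin-resource-policy",
}

# Constructed samples: the same response seen on the app server and on the VPS.
APP_SERVER = """
HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: frame-ancestors 'self' https://main.example
"""
VPS = """
HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: frame-ancestors 'self' https://main.example
Via: 1.1 vps.example
X-Frame-Options: DENY
"""

def parse_headers(raw):
    """Parse a raw response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def diff_hops(upstream_raw, downstream_raw):
    """List (name, kind, upstream values, downstream values) per differing header."""
    up, down = parse_headers(upstream_raw), parse_headers(downstream_raw)
    changes = []
    for name in sorted(set(up) | set(down)):
        a, b = up.get(name, []), down.get(name, [])
        if a != b:
            kind = "added" if not a else "removed" if not b else "changed"
            changes.append((name, kind, a, b))
    return changes

def framing_changes(upstream_raw, downstream_raw):
    return [c for c in diff_hops(upstream_raw, downstream_raw) if c[0] in FRAMING_HEADERS]

if __name__ == "__main__":
    for name, kind, a, b in diff_hops(APP_SERVER, VPS):
        flag = "  <-- framing-related" if name in FRAMING_HEADERS else ""
        print(f"{kind:8} {name}: {a} -> {b}{flag}")
```

Values are kept as lists so that a header emitted twice by a proxy layer shows up as "changed" rather than being silently merged.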
