security(TASK-8): fix M3 AIUI session check + H4 prep
M3: AIUI nginx proxy now checks session_id cookie (actual auth cookie) instead of generic session cookie. Prevents bypass with arbitrary cookie values. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
0d28d28bf7
commit
a86b7ebff7
@ -37,7 +37,7 @@ server {
|
|||||||
|
|
||||||
# AIUI Claude API proxy — requires valid session cookie
|
# AIUI Claude API proxy — requires valid session cookie
|
||||||
location /aiui/api/claude/ {
|
location /aiui/api/claude/ {
|
||||||
if ($cookie_session = "") {
|
if ($cookie_session_id = "") {
|
||||||
return 401 '{"error":"Unauthorized"}';
|
return 401 '{"error":"Unauthorized"}';
|
||||||
}
|
}
|
||||||
proxy_pass http://127.0.0.1:3142/;
|
proxy_pass http://127.0.0.1:3142/;
|
||||||
@ -54,7 +54,7 @@ server {
|
|||||||
|
|
||||||
# AIUI OpenRouter API proxy — requires valid session cookie
|
# AIUI OpenRouter API proxy — requires valid session cookie
|
||||||
location /aiui/api/openrouter/ {
|
location /aiui/api/openrouter/ {
|
||||||
if ($cookie_session = "") {
|
if ($cookie_session_id = "") {
|
||||||
return 401 '{"error":"Unauthorized"}';
|
return 401 '{"error":"Unauthorized"}';
|
||||||
}
|
}
|
||||||
proxy_pass https://openrouter.ai/api/;
|
proxy_pass https://openrouter.ai/api/;
|
||||||
@ -69,7 +69,7 @@ server {
|
|||||||
|
|
||||||
# AIUI Ollama (local AI) proxy — localhost:11434
|
# AIUI Ollama (local AI) proxy — localhost:11434
|
||||||
location /aiui/api/ollama/ {
|
location /aiui/api/ollama/ {
|
||||||
if ($cookie_session = "") {
|
if ($cookie_session_id = "") {
|
||||||
return 401 '{"error":"Unauthorized"}';
|
return 401 '{"error":"Unauthorized"}';
|
||||||
}
|
}
|
||||||
proxy_pass http://127.0.0.1:11434/;
|
proxy_pass http://127.0.0.1:11434/;
|
||||||
@ -85,7 +85,7 @@ server {
|
|||||||
|
|
||||||
# AIUI web search proxy — SearXNG on port 8888
|
# AIUI web search proxy — SearXNG on port 8888
|
||||||
location /aiui/api/web-search {
|
location /aiui/api/web-search {
|
||||||
if ($cookie_session = "") {
|
if ($cookie_session_id = "") {
|
||||||
return 401 '{"error":"Unauthorized"}';
|
return 401 '{"error":"Unauthorized"}';
|
||||||
}
|
}
|
||||||
proxy_pass http://127.0.0.1:8888/search;
|
proxy_pass http://127.0.0.1:8888/search;
|
||||||
@ -735,7 +735,7 @@ server {
|
|||||||
add_header Cache-Control "no-cache, no-store, must-revalidate";
|
add_header Cache-Control "no-cache, no-store, must-revalidate";
|
||||||
}
|
}
|
||||||
location /aiui/api/claude/ {
|
location /aiui/api/claude/ {
|
||||||
if ($cookie_session = "") {
|
if ($cookie_session_id = "") {
|
||||||
return 401 '{"error":"Unauthorized"}';
|
return 401 '{"error":"Unauthorized"}';
|
||||||
}
|
}
|
||||||
proxy_pass http://127.0.0.1:3142/;
|
proxy_pass http://127.0.0.1:3142/;
|
||||||
@ -750,7 +750,7 @@ server {
|
|||||||
proxy_send_timeout 120s;
|
proxy_send_timeout 120s;
|
||||||
}
|
}
|
||||||
location /aiui/api/ollama/ {
|
location /aiui/api/ollama/ {
|
||||||
if ($cookie_session = "") {
|
if ($cookie_session_id = "") {
|
||||||
return 401 '{"error":"Unauthorized"}';
|
return 401 '{"error":"Unauthorized"}';
|
||||||
}
|
}
|
||||||
proxy_pass http://127.0.0.1:11434/;
|
proxy_pass http://127.0.0.1:11434/;
|
||||||
@ -764,7 +764,7 @@ server {
|
|||||||
# Connection header managed by nginx default
|
# Connection header managed by nginx default
|
||||||
}
|
}
|
||||||
location /aiui/api/openrouter/ {
|
location /aiui/api/openrouter/ {
|
||||||
if ($cookie_session = "") {
|
if ($cookie_session_id = "") {
|
||||||
return 401 '{"error":"Unauthorized"}';
|
return 401 '{"error":"Unauthorized"}';
|
||||||
}
|
}
|
||||||
proxy_pass https://openrouter.ai/api/;
|
proxy_pass https://openrouter.ai/api/;
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user