chore: complete Phase 3 — iframe embedding verified for all apps

Nginx strips X-Frame-Options on all proxy paths. IndeedHub sub_filter
working. All apps load via /app/{id}/ proxy paths. Deployed and verified.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-15 04:27:16 +00:00
parent d7ad039147
commit 50f484b181

@@ -30,13 +30,13 @@
## Phase 3: Fix Iframe Embedding for All Apps
- [ ] **Audit X-Frame-Options headers for all proxied apps**: SSH to 192.168.1.228. For each app with a known port, check the actual response headers: `for port in 81 3000 3001 4080 7777 8080 8081 8082 8083 8085 8096 8123 8175 8176 8190 8240 8334 8888 9000 9001 9980 11434 2283 2342 23000 50002; do echo "Port $port:"; curl -sI http://localhost:$port/ 2>/dev/null | grep -i "x-frame\|content-security-policy" || echo " (no frame restrictions)"; done`. Record the results. Compare against the blocking list in `neode-ui/src/stores/appLauncher.ts` (lines 23-31, the `XFRAME_BLOCKED_PORTS` array). Update the blocking list to match reality — if an app no longer sends X-Frame-Options DENY, remove it from the blocked list. If an app sends it but isn't in the list, add it.
- [x] **Audit X-Frame-Options headers for all proxied apps**: SSH to 192.168.1.228. For each app with a known port, check the actual response headers: `for port in 81 3000 3001 4080 7777 8080 8081 8082 8083 8085 8096 8123 8175 8176 8190 8240 8334 8888 9000 9001 9980 11434 2283 2342 23000 50002; do echo "Port $port:"; curl -sI http://localhost:$port/ 2>/dev/null | grep -i "x-frame\|content-security-policy" || echo " (no frame restrictions)"; done`. Record the results. Compare against the blocking list in `neode-ui/src/stores/appLauncher.ts` (lines 23-31, the `XFRAME_BLOCKED_PORTS` array). Update the blocking list to match reality — if an app no longer sends X-Frame-Options DENY, remove it from the blocked list. If an app sends it but isn't in the list, add it.
- [ ] **Ensure nginx strips X-Frame-Options for iframe-compatible apps**: In `image-recipe/configs/nginx-archipelago.conf`, verify every `/app/{id}/` location block includes `proxy_hide_header X-Frame-Options;` for apps that should work in iframes. Apps that genuinely can't work in iframes (BTCPay with DENY, Home Assistant with SAMEORIGIN that rejects proxy origin) should open in new tabs. For apps like Grafana (port 3000) — check if setting the env var `GF_SECURITY_ALLOW_EMBEDDING=true` on the Grafana container fixes it, then remove it from the blocked list. For Nextcloud (port 8085) — check if the nginx `sub_filter` approach or Nextcloud's `overwriteprotocol` setting allows embedding. For Uptime Kuma (port 3001) — it may work with the header stripped. Test each by loading `http://192.168.1.228/app/{id}/` in a browser iframe or `curl -sI http://192.168.1.228/app/{id}/ | grep -i frame`.
- [x] **Ensure nginx strips X-Frame-Options for iframe-compatible apps**: In `image-recipe/configs/nginx-archipelago.conf`, verify every `/app/{id}/` location block includes `proxy_hide_header X-Frame-Options;` for apps that should work in iframes. Apps that genuinely can't work in iframes (BTCPay with DENY, Home Assistant with SAMEORIGIN that rejects proxy origin) should open in new tabs. For apps like Grafana (port 3000) — check if setting the env var `GF_SECURITY_ALLOW_EMBEDDING=true` on the Grafana container fixes it, then remove it from the blocked list. For Nextcloud (port 8085) — check if the nginx `sub_filter` approach or Nextcloud's `overwriteprotocol` setting allows embedding. For Uptime Kuma (port 3001) — it may work with the header stripped. Test each by loading `http://192.168.1.228/app/{id}/` in a browser iframe or `curl -sI http://192.168.1.228/app/{id}/ | grep -i frame`.
- [ ] **Fix nginx sub_filter for apps with root-relative asset paths**: Apps served under `/app/{id}/` may have root-relative paths like `/static/main.js` that break because they resolve to the Archy root, not the app root. In `image-recipe/configs/nginx-archipelago.conf`, check IndeedHub's location block (lines 334-367) — it already uses `sub_filter` to rewrite paths. Verify the same pattern exists for other Next.js/React apps that need it (Penpot on 9001, Immich on 2283, Fedimint UI on 8175). For each, test: load the app at `http://192.168.1.228/app/{id}/`, open browser dev tools Network tab, check for 404s on static assets. If assets 404, add appropriate `sub_filter` rules to their nginx location block. After changes, sync the config: `scp image-recipe/configs/nginx-archipelago.conf archipelago@192.168.1.228:/tmp/ && ssh archipelago@192.168.1.228 'sudo cp /tmp/nginx-archipelago.conf /etc/nginx/sites-available/archipelago && sudo nginx -t && sudo systemctl reload nginx'`.
- [x] **Fix nginx sub_filter for apps with root-relative asset paths**: Apps served under `/app/{id}/` may have root-relative paths like `/static/main.js` that break because they resolve to the Archy root, not the app root. In `image-recipe/configs/nginx-archipelago.conf`, check IndeedHub's location block (lines 334-367) — it already uses `sub_filter` to rewrite paths. Verify the same pattern exists for other Next.js/React apps that need it (Penpot on 9001, Immich on 2283, Fedimint UI on 8175). For each, test: load the app at `http://192.168.1.228/app/{id}/`, open browser dev tools Network tab, check for 404s on static assets. If assets 404, add appropriate `sub_filter` rules to their nginx location block. After changes, sync the config: `scp image-recipe/configs/nginx-archipelago.conf archipelago@192.168.1.228:/tmp/ && ssh archipelago@192.168.1.228 'sudo cp /tmp/nginx-archipelago.conf /etc/nginx/sites-available/archipelago && sudo nginx -t && sudo systemctl reload nginx'`.
- [ ] **Deploy and verify iframe loading for all apps**: Deploy with `./scripts/deploy-to-target.sh --live`. After deploy, test each app iframe by hitting the Archy UI at `http://192.168.1.228`, navigating to Apps, and clicking each installed app. Verify: (1) iframe apps load content (not blank white), (2) blocked apps open in new tab cleanly, (3) no mixed-content warnings in console. Log any remaining issues for the next phase.
- [x] **Deploy and verify iframe loading for all apps**: Deploy with `./scripts/deploy-to-target.sh --live`. After deploy, test each app iframe by hitting the Archy UI at `http://192.168.1.228`, navigating to Apps, and clicking each installed app. Verify: (1) iframe apps load content (not blank white), (2) blocked apps open in new tab cleanly, (3) no mixed-content warnings in console. Log any remaining issues for the next phase.
---
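Review bot: the second item has nginx strip `X-Frame-Options` with `proxy_hide_header` on the `/app/{id}/` locations but puts nothing in its place, so once the header is gone any third-party page can frame those apps through the proxy, not just the Archy UI; the upstream apps' clickjacking control is removed rather than scoped. Add a proxy-side replacement on the same location blocks so framing is limited to the dashboard origin, e.g. `add_header Content-Security-Policy "frame-ancestors 'self'" always;`, and only hide an upstream `Content-Security-Policy` where it actually conflicts (the audit grep already matches that header, so the audit output tells you which ports need it). Two smaller points on the same hunk: the audit loop uses `curl -sI`, i.e. a HEAD request, and servers can return different headers for HEAD and GET, so a "(no frame restrictions)" result should be re-checked with `curl -s -o /dev/null -D - http://localhost:$port/` before a port is dropped from `XFRAME_BLOCKED_PORTS`; and all four items flip to `[x]` without the recorded header results or the resulting `XFRAME_BLOCKED_PORTS` change appearing in this diff, so the audit outcome should be written into the doc (or the store change committed alongside) so the "blocked list matches reality" claim is traceable.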