diff --git a/data-docs/config.ini b/data-docs/config.ini index baa026730..53fd67737 100644 --- a/data-docs/config.ini +++ b/data-docs/config.ini @@ -30,13 +30,6 @@ trustedReverseProxy=false [Session] -# Use this setting to set a custom value for the "Path" Attribute value of the session cookie. -# This can be useful, when you have several instances running on the same domain, under different paths (e.g. by using a reverse proxy). -# It prevents your instances from overwriting each others' cookies, allowing you to stay logged in multiple instances simultanteously. -# E.g. if you have instances running under https://your-domain.com/triliumNext/instanceA and https://your-domain.com/triliumNext/instanceB -# you would want to set the cookiePath value to "/triliumNext/instanceA" for your first and "/triliumNext/instanceB" for your second instance -cookiePath=/ - # Use this setting to set a custom value for the "Max-Age" Attribute of the session cookie. # This controls how long your session will be valid, before it expires and you need to log in again, when you use the "Remember Me" option. # Value needs to be entered in Seconds. diff --git a/docs/User Guide/User Guide/Installation & Setup/Server Installation/2. Reverse proxy/Nginx.md b/docs/User Guide/User Guide/Installation & Setup/Server Installation/2. Reverse proxy/Nginx.md index 53c34c9cc..df8c1ab10 100644 --- a/docs/User Guide/User Guide/Installation & Setup/Server Installation/2. Reverse proxy/Nginx.md +++ b/docs/User Guide/User Guide/Installation & Setup/Server Installation/2. Reverse proxy/Nginx.md @@ -27,7 +27,7 @@ Configure Nginx proxy and HTTPS. The operating system here is Ubuntu 18.04. ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; access_log /var/log/nginx/access.log; #check the path of access.log, if it doesn't fit your file, change it - + location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; 
@@ -40,10 +40,31 @@ Configure Nginx proxy and HTTPS. The operating system here is Ubuntu 18.04.
 proxy_redirect http://127.0.0.1:8080 https://trilium.example.net; # change them based on your IP, port and domain
 }
 }
+
 # This part is for HTTPS forced
 server {
- listen 80;
- server_name trilium.example.net; # change to your domain
- return 301 https://$server_name$request_uri;
+ listen 80;
+ server_name trilium.example.net; # change to your domain
+ return 301 https://$server_name$request_uri;
 }
+
 ```
+4. Alternatively if you want to serve the instance under a different path (useful e.g. if you want to serve multiple instances), update the location block like so:
+
+ * update the location with your desired path (make sure to not leave a trailing slash "/", if your `proxy_pass` does not end on a slash as well)
+ * add the `proxy_cookie_path` directive with the same path: this allows you to stay logged in at multiple instances at the same time.
+
+ ```
+ location /trilium/instance-one {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_pass http://127.0.0.1:8080; # change it to a different port if non-default is used
+ proxy_cookie_path / /trilium/instance-one
+ proxy_read_timeout 90;
+ proxy_redirect http://127.0.0.1:8080 https://trilium.example.net; # change them based on your IP, port and domain
+ }
+ ```
\ No newline at end of file
diff --git a/src/public/app/doc_notes/en/User Guide/User Guide/Installation & Setup/Server Installation/2. Reverse proxy/Nginx.html b/src/public/app/doc_notes/en/User Guide/User Guide/Installation & Setup/Server Installation/2. Reverse proxy/Nginx.html
index 3ff97eb6a..46ac6f4fb 100644
--- a/src/public/app/doc_notes/en/User Guide/User Guide/Installation & Setup/Server Installation/2. Reverse proxy/Nginx.html
+++ b/src/public/app/doc_notes/en/User Guide/User Guide/Installation & Setup/Server Installation/2. Reverse proxy/Nginx.html @@ -21,7 +21,7 @@ server { ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; access_log /var/log/nginx/access.log; #check the path of access.log, if it doesn't fit your file, change it - + location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; @@ -34,11 +34,35 @@ server { proxy_redirect http://127.0.0.1:8080 https://trilium.example.net; # change them based on your IP, port and domain } } + # This part is for HTTPS forced server { - listen 80; - server_name trilium.example.net; # change to your domain - return 301 https://$server_name$request_uri; + listen 80; + server_name trilium.example.net; # change to your domain + return 301 https://$server_name$request_uri; } +
  • +

    Alternatively if you want to serve the instance under a different path + (useful e.g. if you want to serve multiple instances), update the location + block like so:

    +
        location /trilium/instance-one {
    +        proxy_set_header Host $host;
    +        proxy_set_header X-Real-IP $remote_addr;
    +        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    +        proxy_set_header X-Forwarded-Proto $scheme;
    +        proxy_set_header Upgrade $http_upgrade;
    +        proxy_set_header Connection "upgrade";
    +        proxy_pass http://127.0.0.1:8080; # change it to a different port if non-default is used
    +        proxy_cookie_path / /trilium/instance-one
    +        proxy_read_timeout 90;
    +        proxy_redirect http://127.0.0.1:8080 https://trilium.example.net; # change them based on your IP, port and domain
    +    }
    +
    +
  •
\ No newline at end of file
diff --git a/src/routes/csrf_protection.ts b/src/routes/csrf_protection.ts
index 0ee03d467..391be0aaa 100644
--- a/src/routes/csrf_protection.ts
+++ b/src/routes/csrf_protection.ts
@@ -1,12 +1,11 @@
 import { doubleCsrf } from "csrf-csrf";
 import sessionSecret from "../services/session_secret.js";
 import { isElectron } from "../services/utils.js";
-import config from "../services/config.js";
 
 const doubleCsrfUtilities = doubleCsrf({
 getSecret: () => sessionSecret,
 cookieOptions: {
- path: config.Session.cookiePath,
+ path: "/",
 secure: false,
 sameSite: "strict",
 httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966
diff --git a/src/routes/session_parser.ts b/src/routes/session_parser.ts
index cc69cc6a2..c674a4890 100644
--- a/src/routes/session_parser.ts
+++ b/src/routes/session_parser.ts
@@ -11,7 +11,7 @@ const sessionParser = session({
 resave: false, // true forces the session to be saved back to the session store, even if the session was never modified during the request.
 saveUninitialized: false, // true forces a session that is "uninitialized" to be saved to the store. A session is uninitialized when it is new but not modified.
 cookie: {
- path: config.Session.cookiePath,
+ path: "/",
 httpOnly: true,
 maxAge: config.Session.cookieMaxAge * 1000 // needs value in milliseconds
 },
diff --git a/src/services/config.ts b/src/services/config.ts
index 99704e0cf..eda656a79 100644
--- a/src/services/config.ts
+++ b/src/services/config.ts
@@ -31,7 +31,6 @@ export interface TriliumConfig {
 trustedReverseProxy: boolean | string;
 };
 Session: {
- cookiePath: string;
 cookieMaxAge: number;
 };
 Sync: {
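Review bot: The hard-coded `path: "/"` in cookieOptions removes the only in-app way to scope the CSRF cookie to an instance's path, and nothing on the line says that scoping is now expected from the reverse proxy, so a later maintainer will likely re-add a config knob. Document the intent where the value is set, e.g. `path: "/", // per-instance path scoping is delegated to the reverse proxy (proxy_cookie_path), see the Nginx docs`, and put the same comment on the identical `path: "/"` line in the session_parser.ts hunk. The runtime now depends on the documented Nginx fallback, and the `proxy_cookie_path / /trilium/instance-one` line in the Nginx.md snippet has no terminating `;`, so that configuration fails to load as written; fixing the snippet in the same commit would keep the two in step. The doubleCsrf call continues past the end of the hunk.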
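Review bot: Dropping `cookiePath` from `TriliumConfig.Session` means a `cookiePath` still present in an operator's config.ini, or a `TRILIUM_SESSION_COOKIEPATH` environment variable (both read by the lines removed in the values hunk below), is silently ignored; instances that relied on it will start issuing cookies at `/` and overwrite each other's sessions with no hint as to why. Keep the key out of the type, but have config loading emit a one-time warning when either source still sets it, pointing at the `proxy_cookie_path` approach the docs now describe. The config.ini hunk at the top of the diff also removes the documented key without a migration note; a single deprecation line there would cover the sample config.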
@@ -84,9 +83,6 @@ const config: TriliumConfig = { }, Session: { - cookiePath: - process.env.TRILIUM_SESSION_COOKIEPATH || iniConfig?.Session?.cookiePath || "/", - cookieMaxAge: parseInt(String(process.env.TRILIUM_SESSION_COOKIEMAXAGE)) || parseInt(iniConfig?.Session?.cookieMaxAge) || 21 * 24 * 60 * 60 // 21 Days in Seconds },