User Header Validation

The context here is I’m investigating configuring the rclone web GUI within Open OnDemand, which is a popular open-source multi-user HPC portal that uses a system-wide apache proxy to connect users with their per-user nginx sessions.

For security reasons, recent versions of OnDemand will strip any basic authentication information out before it reaches the nginx sessions, which creates a problem with the current web GUI options. I see a couple of workarounds but both seemingly would require some upstream code additions -

  1. Try to use the login_token URL parameter but without basic authentication, but in my testing it appears that the only way to disable basic auth is with the --rc-no-auth option, which also unfortunately removes the login_token as well.

  2. Disable basic auth and use the --rc-user-from-header option, which would enable checking the "X-Forwarded-User" header value that OnDemand provides, but I don’t see a way to validate the value of the header beyond the validUsernameRegexp check that happens in the middleware. This would mean any logged in user could access the rclone session started by another user.

With option 2, would it be feasible to add a header value validation check which would ensure the user who started the rclone session is the same user who is accessing it? If not, they would get an unauthorized error. Potentially it could check against a string provided by a new option, or a user environment variable, or from the --rc-user option.


As a basic proof-of-concept I tested this workflow by adding the user match to the regex validation line in lib/http/middleware.go and it seemed to work well -

if username != "" && validUsernameRegexp.MatchString(username) && username == os.Getenv("USER")
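To illustrate the check discussed in both posts above (the proposed option-2 validation and the one-line proof-of-concept), here is an added, self-contained Go example. It is not rclone's code and not the poster's patch: the function names, the allow-list regexp and the in-process test driver are assumptions made for illustration. It only makes sense under the deployment described in the thread, where the proxy is the sole path to the per-user session and therefore the only party able to set "X-Forwarded-User"; if the session were reachable directly, the header would be client-controlled and this check would not protect anything.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"regexp"
)

// validUsernameRegexp is an assumed conservative allow-list for a user name,
// standing in for the format check the post mentions in lib/http/middleware.go.
var validUsernameRegexp = regexp.MustCompile(`^[a-zA-Z0-9_.@-]+$`)

// forwardedUserFromRequest reads the user name asserted by the proxy in
// the given header. It returns "" when the header is absent or fails the
// format check, so callers treat both cases as "no valid identity".
func forwardedUserFromRequest(r *http.Request, header string) string {
	u := r.Header.Get(header)
	if u == "" || !validUsernameRegexp.MatchString(u) {
		return ""
	}
	return u
}

// RequireForwardedUser wraps next and answers 401 to any request whose
// forwarded user does not exactly match expected (the user who started the
// session). An empty expected value fails closed: nobody is let through,
// rather than everybody, if the owner was never configured.
func RequireForwardedUser(header, expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := forwardedUserFromRequest(r, header)
		if expected == "" || user == "" || user != expected {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ExpectedUser picks the session owner: an explicitly configured value
// (the thread suggests a new option or --rc-user) wins, otherwise the
// process owner's USER environment variable, as in the proof-of-concept.
func ExpectedUser(explicit string) string {
	if explicit != "" {
		return explicit
	}
	return os.Getenv("USER")
}

// StatusForUser drives the middleware in-process with a constructed request
// and returns the HTTP status it produced; an empty headerValue sends no header.
func StatusForUser(expected, headerValue string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	h := RequireForwardedUser("X-Forwarded-User", expected, ok)
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if headerValue != "" {
		req.Header.Set("X-Forwarded-User", headerValue)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed cases: owner "alice" versus several forwarded identities.
	for _, c := range []struct{ expected, header string }{
		{"alice", "alice"}, {"alice", "bob"}, {"alice", ""}, {"alice", "ali;ce"}, {"", "alice"},
	} {
		fmt.Printf("owner=%q header=%q -> %d\n", c.expected, c.header, StatusForUser(c.expected, c.header))
	}
}
```

The comparison is an exact string match after the format check, so a name that passes the regexp but differs in case or trailing characters is still rejected; the fail-closed branch for an empty owner is the part most worth keeping if this is turned into a real option.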