prevent direct access to draw.io

[Luticus]

I asked a similar question on the nextcloud app form, but I haven't really gotten a response. Not sure if this is a different group here or not, but I thought I'd ask here too just in case.

Basically how does one prevent a user from going directly to the draw.io url via the proxy? Basically if I want to integrate draw.io in my nextcloud instance, I don't want my draw.io docker instance directly exposed so just any user can use it if they figure out the hostname/url for it. Please let me know any thoughts anyone may have on the subject. I feel like this would probably help with the security of a lot of apps that rely on an apache proxy to expose a backend.

The goal is to ensure only Nextcloud authenticated users can use my draw.io instance.

[davidjgraph]

This isn't a drawio specific question, it's network setup question.

[Luticus]

@davidjgraph I realize that, I just figured because you guys configure draw.io such that it relies on a proxy back end, and you don't seem to have a good way to prevent unauthenticated users form using the docker draw.io instance directly, that hopefully you'd have some advice on preventing the security nightmare. Maybe you guys should think about adding some authentication to that app if you're not prepared to think about the security implications of having a wide open app running on a docker instance that needs to be exposed to the internet via proxy to function correctly.

For now I've obfuscated the URL (which the Nextcloud plugin does NOT make easy), but this isn't really an acceptable setup from a security standpoint, so I'm hopeful that you guys might have some ideas on how to better secure your application. I like the app and would love to use it, but I have to consider security and resource utilization. I can't have the whole internet trying to use my draw instance, it'll DDOS my server.

[davidjgraph]

What about adding a CSP restricting XHR calls to be same domain?

[gavine99]

For anybody who lands here looking for a way to prevent direct access to self-hosted draw.io whilst permitting access via nextcloud, I was able to solve it in an imperfect, but usable, way without code changes in nextcloud or draw.io;

In nextcloud Draw.io config use a Draw.io URL with a 'secret key' parameter;
https://your.drawio.host.com?ss=ZHa9N76xUhD5sC3yYfdtBA

In apache (virtual) host reverse proxy config for drawio host use the following rewrite rules;
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{QUERY_STRING} !ss=ZHa9N76xUhD5sC3yYfdtBA
RewriteRule ^.*$ https://somewhere.else.example.com [R=302,L]

Explanation of rewrite rules;
RewriteCond %{REQUEST_URI} ^/$: match for root '/' uri only
RewriteCond %{QUERY_STRING} !ss=ZHa9N76xUhD5sC3yYfdtBA: match if query string does NOT contain secret key
RewriteRule ^.*$ https://somewhere.else.example.com [R=302,L]: 302 redirect to somewhere else

[urfin73]

In apache (virtual) host reverse proxy

Hello! Can you tell me how to configure this in Nginx?

[urfin73]

Ok, I'll answer it myself. The following njix config worked for me in the server section:

set $UD "";
#if ($request_uri = "/") {
if ($uri = "/") {
   set $UD T;
}
if ($arg_ss != "sdl456rrtt01hwymf345je560xms") {
  set $UD "${UD}G";
}
if ($UD = TG) {
  return 403;
}