mirror of https://github.com/pikvm/pikvm.git synced 2026-03-02 18:16:56 -05:00

Cannot login behind reverse proxy #945

Closed
opened 2026-02-20 14:08:50 -05:00 by deekerman · 24 comments

Originally created by @Andrew17856 on GitHub (Sep 22, 2024).

Originally assigned to: @mdevaev on GitHub.

When attempting to login behind a https based reverse proxy, typing in the correct username and password just takes you back to the login screen.

If you enter wrong credential, it'll show "Invalid credentials". So the password is being sent, but once validated, it appears the redirection to the main screen is not working.

If you manually type in the PiKVM web address, having entered in the correct username/password, with the suffix /kvm then you can get to the main screen.

It therefore appears the login is working, but the redirection once logged in does not.

To Reproduce

  1. Try to connect to PiKVM behind an https reverse proxy (e.g. Synology VPNPlus)
  2. Try to login

Expected behavior
It should login, and redirect to the main screen. But doesn't.

Desktop (please complete the following information):
Windows 10 - does it on Chrome, Firefox and Edge

PiKVM info:
KVMD: 4.8
Streamer: 6.13 (ustreamer)
HAS_PDEATHSIG: Yes
WITH_GPIO: Yes
WITH_PTHREAD_NP: Yes
WITH_SETPROCTITLE: Yes
WITH_SYSTEMD: Yes
Linux kernel:
Machine: armv7l
Release: 6.6.45-4-rpi
Version: #1 SMP Wed Aug 28 12:37:41 UTC 2024


@mdevaev commented on GitHub (Sep 22, 2024):

Please share the proxy config.


@Andrew17856 commented on GitHub (Sep 23, 2024):

There isn't really much configuration for the proxy.

There is an external domain, let's call it www.mydomain.com

I connect to that via a browser, and authenticate into the reverse proxy and then I'm presented with the various resources behind it, including the PiKVM.

If I click on the PiKVM icon, I'm taken to pikvm.mydomain.com, which then shows the login screen of the PiKVM.

Behind the scenes, you configure in VPNPlus (the reverse proxy) the custom subdomain (i.e. pikvm.mydomain.com), and the private IP address of the resource, say 192.168.1.100

VPNPlus takes care of the rest, and tunnels traffic from one to the other.

The issue is that when I login, the PiKVM doesn't redirect to the main screen, it just loops around to the login screen again.

If I manually type in pikvm.mydomain.com/kvm, then I can successfully get to the main KVM page.


@mdevaev commented on GitHub (Sep 23, 2024):

Based on the fact that other reverse proxies do not cause similar problems, I'm inclined to believe that this is a problem on the VPNPlus side.

You can try the developer's tool in the browser to track the cause of the loop.

Also you should contact our Discord support with such questions, because Github is only for bugs.


@Andrew17856 commented on GitHub (Sep 24, 2024):

Thanks. I've checked, and the issue is what I thought it would be.

The PiKVM doesn't recognise it's behind a reverse proxy - which means I doubt it will work on any other reverse proxy software. Can you give some examples of reverse proxies where it's confirmed working and I can try them if it would help?

When you click login, the redirect is to the PiKVM's local address, not the external proxied address.

So, using my example above, when you click login, the redirect (that you can see in the developer console in the browser) is as below:

https://pikvm.mydomain.com/webportal.cgi?go=http://192.168.1.100/share/site.webmanifest

(note the local address for the redirect) ... whereas to work behind the proxy it needs to be:

https://pikvm.mydomain.com/webportal.cgi?go=https://pikvm.mydomain.com/share/site.webmanifest


@mdevaev commented on GitHub (Sep 24, 2024):

> Can you give some examples of reverse proxies where it's confirmed working and I can try them if it would help?

The regular nginx is working fine. Tailscale is also working fine.

> https://pikvm.mydomain.com/webportal.cgi

Ah, I see. Your proxy breaks addressing and argument handling. Of course, nothing will work in this case.


@Andrew17856 commented on GitHub (Sep 24, 2024):

Thanks. I think we're using terminology differently.

I'm talking here about secure gateways - a web based proxy that you log into first (eg with 2FA), before being presented with a web page with the various resources. You click the one you want, and then the resource (eg the PiKVM) is channeled through the same web portal. Importantly, (i) it's clientless - you just need a browser; (ii) you only need one port eg https no matter how many or what type of resource you're accessing and (iii) you have to authenticate first (it's not just exposing the PiKVM to the Internet).

Cf Tailscale - that's Wireguard based and you need to install a client. It basically creates a VPN tunnel.

Cf nginx, that is a proxy as you say, but it's basically a fancy way of simultaneously exposing multiple resources to the Internet. There are addons (eg auth portal) that get closer but it still doesn't have the gateway type functionality.

Neither dynamically remap the https requests which is what a genuine web based reverse proxy/portal tries to do.

Re the "nothing will work in this case", if you have a look at how other products deal with it, there's an option to specify whether it's behind a portal, where you can specify the externally facing address (see eg ReadyNAS devices) - it's usually called domain masquerading, "masquerade as" or something similar. So in the case of the PiKVM, you'd enter pikvm.mydomain.com as an option in the PiKVM UI, and then on the redirect on login the PiKVM would substitute that address for the local one.

Obviously this is a feature request rather than a bug, so entirely up to you if you want to implement it to bring the PiKVM into line with other remote access solutions that work behind portals (eg Lantronix etc).

In the meantime, the workaround is to enter the redirect manually once logged in.

The PiKVM is a great bit of kit by the way, so thank you for that. It's a much more pleasant experience (eg low latency) than other solutions out there.


@mdevaev commented on GitHub (Nov 30, 2024):

Is there any easy way to reproduce your proxy environment locally? I'm ready to look at it if you show me how to do it.


@Andrew17856 commented on GitHub (Dec 10, 2024):

Sorry for the delay in replying to this.

It would be quite difficult to reproduce the proxy environment without actually buying the hardware.

Hopefully there's enough information in the above to be able to build the required functionality? It's effectively recognising when the PiKVM is behind a proxy and then remapping the redirect post login so that it uses the publicly routable domain.

It occurred to me afterwards that you might actually be able to use javascript in the end-user page to get the public facing domain, which can then be used by the PiKVM as the basis of the redirect. That would be best, as it would mean that the PiKVM could detect when it's behind a proxy - bearing in mind that a user could also be accessing it from the LAN (in which case you wouldn't need to remap the redirect).

I'm very happy to test any implementation if that would assist.

Thank you for your help.


@MichaelWoodc commented on GitHub (Jan 21, 2025):

Hey so on services like Navidrome, I can edit the base url inside their config files for it to return /navidrome, as a base path, for example. And that works great! If PiKVM had a similar way to append a base path / url to the paths / urls it sends out that would solve all of the problems or at least make it much easier. I have not had any luck due to various reasons with this url scheme, so, I just went ahead and used a subdomain to forward to the pikvm to bypass the inability to change the base url.

Sorry I know this might not be the solution you're looking for. But absent an easy to change setting in pikvm it is not easy to implement with the nginx reverse proxy. Although this got me close:

```
# PiKVM Proxy Configuration
location /pi_kvm/ {
    # Forward to PiKVM over HTTPS
    proxy_pass https://192.168.1.127/;  # Forward to PiKVM

    # Disable SSL verification for self-signed certificates
    proxy_ssl_verify off;

    # Ensure PiKVM sees requests as originating from NGINX
    proxy_set_header Host $host;  # Pass the original host
    proxy_set_header X-Real-IP $remote_addr;  # Preserve the client IP
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # Add any proxy IPs
    proxy_set_header X-Forwarded-Proto $scheme;  # Pass the protocol

    # WebSocket support
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_cache_bypass $http_upgrade;

    # Rewriting paths so PiKVM receives the right URLs and resources
    rewrite ^/pi_kvm(/.*)$ $1 break;

    # Ensure any redirects from PiKVM are handled correctly
    proxy_redirect / /pi_kvm/;

    # Handle the PiKVM static resources like CSS, JS, and images
    sub_filter_once off;  # Allow multiple replacements in a response
    sub_filter '/share/' '/pi_kvm/share/';  # Replace /share/ with /pi_kvm/share/
}
```


@mdevaev commented on GitHub (Feb 2, 2025):

@Andrew17856 I made some changes in reverse proxy handling, please try the latest OS version. It should work now. Also check a new reverse proxy guide: https://docs.pikvm.org/reverse_proxy


@Andrew17856 commented on GitHub (Feb 9, 2025):

Many thanks for updating this. Can I check whether this has been pushed to release or still in beta? I updated my pikvm in the usual way (i.e. pikvm-update) but it still exhibits the same behaviour.

I've read the new explanatory section in the link, but I don't think any further proxy configuration is needed at my end. The pikvm is allocated its own subdomain, which is what the proxy uses to route traffic through the reverse proxy. As mentioned above, the issue before was that the pikvm wasn't aware of that, and so doesn't use the right url in the redirect post login.


@mdevaev commented on GitHub (Feb 9, 2025):

Can you send me by email (mdevaev@gmail.com) the network log from devtools, when you're logging in? I don't understand where it breaks. Or, alternatively, we can contact Discord and you could set up a Teamviewer (or RustDesk) session for me so that I can debug it in your environment.


@Andrew17856 commented on GitHub (Feb 9, 2025):

I'll share the full unedited har file over e-mail, but the issue is the same as before. The http go request that is fired off post login isn't tailored to the external url.

So e.g. (from the HAR file, redacted for privacy)

`"request": { "method": "GET", "url": "https://www.[myurl].co.uk/webportal.cgi?go=http://192.168.x.x:80/share/site.webmanifest", "httpVersion": "HTTP/1.1", "headers": [`

The bit after the "go" needs to have the external url substituted.

The neatest way to do it would be to use the "window.location" property in JavaScript to read the current url client-side, then do some string manipulation to get the redirect address.


@mdevaev commented on GitHub (Feb 9, 2025):

Did you remove cookies/auth tokens too? If so, you should have changed the values to fake ones instead of deleting them altogether, because what I see so far hints at a lack of authorization, and I don't understand who is to blame for this.


@Andrew17856 commented on GitHub (Feb 9, 2025):

No I haven't changed anything in the logs in relation to cookies.

I think it is authorising ok, in that if I manually redirect by typing in
pikvm.[myurl].co.uk/kvm after typing in the password, I get straight in.

If it's doing that without properly authorising then that's a different issue!

Andrew

--- Original message ---
From: Maxim Devaev @.***
Sent: 9 February 2025 14:16:43
To: pikvm/pikvm @.***
CC: Andrew17856 @., Mention @.
Subject: Re: [pikvm/pikvm] Cannot login behind reverse proxy (Issue #1404)

> Did you remove cookies/auth tokens too? If so, you should have changed the
> values to fake ones instead of deleting them altogether, because what I see
> so far hints at a lack of authorization, and I don't understand who is to
> blame for this.



@mdevaev commented on GitHub (Feb 9, 2025):

So the problem is an incorrect redirect after login?

Let me clarify. Please confirm or deny the following:

  • If you perform logout, the /kvm page will redirect you to /login.
  • When you get authorization, you will be redirected to /login again instead of / (index page with buttons)
  • After authorization, you can manually pass to /kvm and work with the session.

@Andrew17856 commented on GitHub (Feb 9, 2025):

Yes, I think that's the most likely explanation. However, having had a closer look, I think the webportal.cgi is actually coming from the proxy rather than the pikvm. So, for whatever reason, they're not playing nicely together.

Re your bullets (and some other things I've checked too):

  • yes, if I logout and then try to go directly to /kvm it will redirect to login
  • if I try to login with the wrong password it shows "Error - Invalid Credentials"
  • if I try to login with the right password, I don't get an error, but it goes back to the username/pw screen
  • if, once I've entered the correct password, I go to /kvm/# - it lets me in ok (note - I seem to need a # since the new version)
  • ditto if I go to /extras/webterm/ttyd I get the terminal ok. Ditto on the vnc screen if I go to the vnc help screen.

Hope this helps.


@mdevaev commented on GitHub (Feb 9, 2025):

The `webportal.cgi` is not a part of PiKVM code. Probably it's something in your proxy.

I have a strong feeling that your proxy is caching a 302 redirect from `/` to `/login`. Please logout, open devtools and set "Disable cache" checkbox on the network tab. Then try to login again. Will it work?


@Andrew17856 commented on GitHub (Feb 9, 2025):

Yes, that looks to be it - it works with the cache disabled.

Is the reason that the landing page (i.e. when you navigate to the pikvm initially) is the same page to which the user is redirected post login? So if it's cached, it takes you back to login.

If the menu had a distinct url (e.g. /menu) that would prevent the cache from being confused by the fact that the previous time it saw the url (without any slash) it redirected to login.

So in other words, / redirects to /login, but after signing in with the password, the PiKVM does a redirect to /menu ... which won't previously be cached.


@mdevaev commented on GitHub (Feb 9, 2025):

Let's try to hotfix it. Find file /etc/kvmd/nginx/kvmd.ctx-server.conf and edit it (it is read-only, so you will need to make it writable first).

Find this section:

```nginx
location /login {
    root /usr/share/kvmd/web;
    auth_request off;
}
```

And make it like this:

```nginx
location /login {
    root /usr/share/kvmd/web;
    include /etc/kvmd/nginx/loc-nocache.conf;
    auth_request off;
}
```

After that run systemctl restart kvmd-nginx. Please note that you should NEVER edit read-only configs in usual cases. It's only for debugging. Check if everything is working with devtools and without after that. If so, revert changes and restore permissions to avoid update problems.
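
To check whether auth-dependent responses such as the / to /login redirect or the login page itself can be answered from a cache, the classifier below applies the HTTP caching rules (RFC 9111) to a response head. It is an added example, not PiKVM code and not part of the thread; the function names and sample heads are constructed, and the sample no-cache header is an assumption, not the content of loc-nocache.conf.

```python
from email.parser import Parser
from email.utils import parsedate_to_datetime

# Statuses a cache may reuse on heuristic freshness alone (RFC 9110, 15.1).
# 302 and 307 are absent: they need an explicit lifetime to be reused.
HEURISTIC_STATUSES = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}

def parse_head(raw):
    """Split a raw response head into (status, headers, Cache-Control directives)."""
    status_line, _, header_block = raw.strip().partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    directives = {}
    for item in headers.get("Cache-Control", "").split(","):
        name, _, value = item.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip('"')
    return int(status_line.split()[1]), headers, directives

def cache_verdict(raw, shared=False):
    """Classify whether a cache may answer from this response without the origin."""
    status, headers, cc = parse_head(raw)
    if "no-store" in cc or (shared and "private" in cc):
        return "not-stored"
    if "no-cache" in cc:
        return "revalidate"
    lifetime = cc.get("s-maxage") if shared and "s-maxage" in cc else cc.get("max-age")
    if lifetime is not None:
        return "reusable" if int(lifetime) > 0 else "revalidate"
    if "Expires" in headers:
        try:
            fresh = parsedate_to_datetime(headers["Expires"]) > parsedate_to_datetime(headers["Date"])
        except (TypeError, ValueError):
            fresh = False  # unparsable dates such as "0" count as already expired
        return "reusable" if fresh else "revalidate"
    # Simplification: heuristic reuse is modelled only when Last-Modified is present.
    if status in HEURISTIC_STATUSES and "Last-Modified" in headers:
        return "reusable-heuristic"
    return "not-reusable"

# Constructed sample heads (not captured from a PiKVM or from any proxy).
REDIRECT_WITH_LIFETIME = "HTTP/1.1 302 Found\nLocation: /login\nCache-Control: max-age=3600\n"
REDIRECT_BARE = "HTTP/1.1 302 Found\nLocation: /login\n"
STATIC_LOGIN_PAGE = "HTTP/1.1 200 OK\nLast-Modified: Sat, 01 Feb 2025 10:00:00 GMT\nETag: \"abc\"\n"
LOGIN_PAGE_NOCACHE = "HTTP/1.1 200 OK\nCache-Control: no-cache, no-store, must-revalidate\n"

if __name__ == "__main__":
    for head in (REDIRECT_WITH_LIFETIME, REDIRECT_BARE, STATIC_LOGIN_PAGE, LOGIN_PAGE_NOCACHE):
        print(head.splitlines()[0], "->", cache_verdict(head))
```

Running it on the heads returned by `curl -sI` for / and /login through the proxy, before and after a change, shows whether those URLs have left the reusable classes.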


@mdevaev commented on GitHub (Feb 10, 2025):

@Andrew17856 I've released the fix above so you can take it from pikvm-update. Please let me know if something is not working.


@Andrew17856 commented on GitHub (Feb 11, 2025):

Many thanks - this works now. Thank you for taking the time to resolve this.


@stappersg commented on GitHub (Feb 11, 2025):

On Mon, Feb 10, 2025 at 11:21:06PM -0800, Andrew17856 wrote:

> From: Maxim Devaev ***@***.***
> Sent: 10 February 2025 19:57:07
> To: pikvm/pikvm ***@***.***
> CC: Andrew17856 ***@***.***, Mention ***@***.***
> Subject: Re: [pikvm/pikvm] Cannot login behind reverse proxy (Issue #1404)
>
> > @Andrew17856 I've released the fix above so you can take it from
> > pikvm-update. Please let me know if something is not working.
>
> Many thanks - this works now. Thank you for taking the time to resolve this.

Elsewhere in this project, "pikvm", I did read something like

} } I clicked on donate button to express my gratitude,
} } I hope it buys you a beer.
}
} Thank you!
}

Where is that button?


@mdevaev commented on GitHub (Feb 11, 2025):

Awesome!

You can donate to me in two ways (it's on the main page https://github.com/pikvm/pikvm):

  • https://patreon.com/pikvm
  • https://paypal.me/pikvm

Thank you!
