When the official docker image is fronted by another reverse proxy that
terminates TLS, the container's inner nginx overwrote X-Forwarded-Proto
with its own $scheme (= http, because it listens on plain 80), breaking
CheckWebSocketOrigin's same-origin check on https deployments behind
e.g. Cloudflare or a host nginx.

Trust the inbound X-Forwarded-Proto/Host when present; fall back to
$scheme/$http_host only on direct connections.

The packageManager field in docs/package.json took precedence over the
corepack prepare step, causing pnpm v11 to be used in the documents
workflow despite the pin.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Fixed fatal error 'concurrent map iteration and map write' that caused
nginx-ui nodes to crash and become unresponsive.

The issue occurred when the sitecheck CollectSites() method iterated over
site.IndexedSites while the cache scanner's scanForSite() was concurrently
modifying the same map. This race condition caused sporadic crashes.

Solution:
- Added GetAllIndexedSites() function in internal/site/index.go that safely
  returns a snapshot copy of the IndexedSites map while holding the read lock
- Modified CollectSites() in internal/sitecheck/checker.go to use this
  thread-safe function instead of directly accessing the global map

Fixes #1673
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
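
The snapshot-under-read-lock pattern that the commit above describes, as an added illustration that is not the project's code: `Index`, `Snapshot`, `CollectNames` and `Stress` are hypothetical stand-ins for `site.IndexedSites`, `GetAllIndexedSites()` and `CollectSites()`. A writer goroutine keeps mutating the map while a reader goroutine iterates; because the reader only ever ranges over a copy taken under `RLock`, the Go runtime's "concurrent map iteration and map write" abort cannot trigger.

```go
package main

import (
	"fmt"
	"sync"
)

// Site is a stand-in for the per-site record kept in the index
// (hypothetical type; the project's real struct is not shown here).
type Site struct {
	Name string
	Path string
}

// Index holds the shared map behind a read/write lock. Readers either hold
// the read lock for the whole iteration or take a snapshot; writers take the
// write lock.
type Index struct {
	mu    sync.RWMutex
	sites map[string]*Site
}

func NewIndex() *Index {
	return &Index{sites: make(map[string]*Site)}
}

// Upsert is what a scanner does when it discovers or refreshes a site.
func (ix *Index) Upsert(name string, s *Site) {
	ix.mu.Lock()
	defer ix.mu.Unlock()
	ix.sites[name] = s
}

// Snapshot returns a shallow copy of the map taken under the read lock, so
// the caller can iterate without holding the lock while writers keep going.
func (ix *Index) Snapshot() map[string]*Site {
	ix.mu.RLock()
	defer ix.mu.RUnlock()
	out := make(map[string]*Site, len(ix.sites))
	for k, v := range ix.sites {
		out[k] = v
	}
	return out
}

// CollectNames iterates over a snapshot rather than the live map. This is
// the shape of the fix; the real CollectSites() does more than list names.
func (ix *Index) CollectNames() []string {
	names := make([]string, 0)
	for name := range ix.Snapshot() {
		names = append(names, name)
	}
	return names
}

// Stress runs one writer and one reader concurrently for n rounds and
// returns the number of reads that completed. Ranging over ix.sites directly
// in the reader instead would abort the process with
// "fatal error: concurrent map iteration and map write".
func Stress(n int) int {
	ix := NewIndex()
	var wg sync.WaitGroup
	wg.Add(2)
	go func() {
		defer wg.Done()
		for i := 0; i < n; i++ {
			name := fmt.Sprintf("site-%d", i%64) // constructed site names
			ix.Upsert(name, &Site{Name: name, Path: "/etc/nginx/sites-enabled/" + name})
		}
	}()
	reads := 0
	go func() {
		defer wg.Done()
		for i := 0; i < n; i++ {
			_ = ix.CollectNames()
			reads++
		}
	}()
	wg.Wait() // establishes happens-before for the read of reads
	return reads
}

func main() {
	fmt.Println("reads completed:", Stress(10000))
}
```

Because `Snapshot` copies only the map entries (pointers), it is cheap, but callers still share the `*Site` values with writers; fields that writers mutate in place need their own locking.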

* feat(cert): Optimize certificate application operations. #1602
* chore(lang): Add language context for new DNS application
* chore(lang): Add language context for new DNS application

Locks in the v2.3.5 origin-validation fix for CVE-2026-34403 / GHSA-78mf-482w-62qj
with named regression cases for every bypass class documented in the advisory:
subdomain confusion, suffix confusion, scheme downgrade, port mismatch,
default-port normalization, ws/wss scheme equivalence, case-insensitive host,
IPv6 literal, RFC 7239 Forwarded parsing, multi-valued X-Forwarded-Host,
scheme-only / malformed origin rejection, node_secret query fallback,
empty-secret regression, trailing-slash tolerance on configured trusted origins.

17 table-driven subtests in a new file; zero production code changes; no new
dependencies.
Co-authored-by: Panguard AI <support@panguard.ai>
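
An added example, not the project's code, tying together the first commit on this page (trust an inbound X-Forwarded-Proto/Host, fall back to the direct connection's scheme and host otherwise) and the regression classes listed in the last one. `effectiveOrigin`, `normalizeScheme`, `normalizeHost`, `SameOrigin` and `newReq` are hypothetical names, not the project's `CheckWebSocketOrigin`; the normalization rules (lowercase host, drop the default port, treat ws/wss as http/https, reject scheme-less origins) are the ones I would expect a test table like the one described to exercise, and the requests are constructed inline. It covers the forwarded-header, default-port, case, ws/wss, IPv6-literal, subdomain/suffix, port-mismatch and malformed-origin cases, not the node_secret or RFC 7239 Forwarded ones.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// normalizeScheme folds the WebSocket schemes onto their HTTP equivalents
// and returns "" for anything else, so unknown schemes are rejected.
func normalizeScheme(s string) string {
	switch strings.ToLower(s) {
	case "ws", "http":
		return "http"
	case "wss", "https":
		return "https"
	}
	return ""
}

// normalizeHost lowercases the host and drops an explicit default port so
// "Example.com:443" and "example.com" compare equal under https. IPv6
// literals keep their brackets.
func normalizeHost(scheme, hostport string) string {
	hostport = strings.ToLower(hostport)
	host, port, err := net.SplitHostPort(hostport)
	if err != nil {
		return hostport // no port present
	}
	if (scheme == "https" && port == "443") || (scheme == "http" && port == "80") {
		if strings.Contains(host, ":") {
			return "[" + host + "]"
		}
		return host
	}
	return hostport
}

// effectiveOrigin derives the scheme and host the client actually used.
// Forwarded headers set by the proxy in front win; without them we fall back
// to what this hop sees (r.TLS, r.Host), the direct-connection case. The
// inner-nginx bug was the reverse: it overwrote X-Forwarded-Proto with its
// own plain-http $scheme, so https clients never matched.
func effectiveOrigin(r *http.Request) (scheme, host string) {
	scheme = "http"
	if r.TLS != nil {
		scheme = "https"
	}
	if p := strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")); p != "" {
		// Chained proxies may append values; the first is client-facing.
		scheme = strings.TrimSpace(strings.Split(p, ",")[0])
	}
	host = r.Host
	if h := strings.TrimSpace(r.Header.Get("X-Forwarded-Host")); h != "" {
		host = strings.TrimSpace(strings.Split(h, ",")[0])
	}
	scheme = normalizeScheme(scheme)
	return scheme, normalizeHost(scheme, host)
}

// SameOrigin reports whether the Origin header matches the effective origin.
// Origins without a scheme or host, or with an unknown scheme, are rejected
// outright rather than coerced.
func SameOrigin(r *http.Request) bool {
	u, err := url.Parse(r.Header.Get("Origin"))
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	oScheme := normalizeScheme(u.Scheme)
	if oScheme == "" {
		return false
	}
	scheme, host := effectiveOrigin(r)
	return scheme != "" && oScheme == scheme && normalizeHost(oScheme, u.Host) == host
}

// newReq builds a constructed request: host as seen by this hop, whether
// this hop itself terminated TLS, and extra headers.
func newReq(host string, viaTLS bool, hdr map[string]string) *http.Request {
	r, _ := http.NewRequest("GET", "http://"+host+"/ws", nil)
	if viaTLS {
		r.TLS = &tls.ConnectionState{}
	}
	for k, v := range hdr {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	behindProxy := map[string]string{"X-Forwarded-Proto": "https", "Origin": "https://example.com"}
	fmt.Println("forwarded https:", SameOrigin(newReq("example.com", false, behindProxy)))
	fmt.Println("header lost    :", SameOrigin(newReq("example.com", false, map[string]string{"Origin": "https://example.com"})))
}
```

The second line of `main` reproduces the symptom from the first commit: with the forwarded scheme missing (or overwritten with `http`), a legitimate `https://example.com` client no longer matches and the WebSocket upgrade is refused.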