[GH-ISSUE #753] Webauthn - Reverse proxy + additional #7516

Closed
opened 2026-03-12 21:26:45 +03:00 by kerem · 5 comments

Originally created by @novakin on GitHub (Nov 23, 2024).
Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/753

Describe the bug
Using a reverse proxy, I can't configure WebAuthn and have the following error: Cannot read properties of undefined (reading 'challenge')
Without the reverse proxy, on the direct external IP, it says passkeys are not supported in the browser (tested with latest Chrome and Chromium): WebAuthn is not supported in this browser

To Reproduce
Steps to reproduce the behavior:

  1. Go to Preferences > Auth
  2. Click on Add passkey > input name click ok

Expected behavior
Expected to have passkey configuration window

Info (please complete the following information):

  • Server OS: Debian 12.8
  • Server Arch: x64
  • Nginx UI Version: 2.0.0-beta.40 (2)
  • Your Browser: Chrome, Chromium

Additional context
With the reverse proxy, I guess I'm missing something in the config for port 3002

Nginx-ui

```
[server]
Host    = 127.0.0.1
Port    = 9000
RunMode = release

[webauthn]
# This is the display name
RPDisplayName = Nginx UI
# The domain name of Nginx UI
RPID          = XXX.XXX.net
# The list of origin addresses
RPOrigins     = https://XXX.XXX.net:3002
```

Nginx reverse proxy conf

```
upstream nginxui-default {
  zone nginxui-default 64k;
  server 127.0.0.1:9000;
  keepalive 2;
}
upstream nginxui-ws {
  zone nginxui-ws 64k;
  server 127.0.0.1:3002;
  keepalive 2;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

#------------------------------------------------------------------------
# HTTPS REDIRECT
#

server {
    listen 80;
    listen [::]:80;
    server_name XXX.XXX.net;

    location '/.well-known/acme-challenge' {
        allow all;
        try_files $uri /$1;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

#------------------------------------------------------------------------
# HTTPS SERVER BLOCK
#
server {
    server_name XXX.XXX.XX;

    listen 443 quic;
    listen [::]:443 quic;
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    index index.php index.html index.htm;
    client_max_body_size 10G;

    add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400';
    include common/ssl-XXX.net.conf;

    add_header Strict-Transport-Security "max-age=15768000";

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://nginxui-default;
    }
}
```

kerem closed this issue 2026-03-12 21:26:50 +03:00

@0xJacky commented on GitHub (Nov 23, 2024):

If you are using a reverse proxy, the `RPOrigins` should be the base path of your reverse proxy server; in your case, you should set it to `https://admin.xxx.xxx`, not `https://admin.xxx.xxx:3002`.
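
The relationship between the public URL, `RPID` and `RPOrigins` described in the reply above, as an added example (not nginx-ui's code and not part of the original thread): a simplified Go model of the origin and RP ID checks from the WebAuthn specification. The function name `CheckRP` is hypothetical and the host names are constructed placeholders.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// CheckRP models, in simplified form, the WebAuthn origin and RP ID checks for
// pageURL, the address the browser shows. It returns the reasons for failure.
func CheckRP(rpID string, rpOrigins []string, pageURL string) []string {
	u, err := url.Parse(pageURL)
	if err != nil || u.Host == "" {
		return []string{"not an absolute URL: " + pageURL}
	}
	host, port := strings.ToLower(u.Hostname()), u.Port()
	// Browsers omit the scheme's default port when serializing an origin.
	if (u.Scheme == "https" && port == "443") || (u.Scheme == "http" && port == "80") {
		port = ""
	}
	origin := u.Scheme + "://" + host
	if port != "" {
		origin += ":" + port
	}
	var problems []string
	if u.Scheme != "https" && host != "localhost" {
		problems = append(problems, "insecure context: the WebAuthn API is not exposed")
	}
	if net.ParseIP(host) != nil {
		problems = append(problems, "host is an IP address, which cannot be an RP ID")
	}
	// Assumption: a plain suffix test stands in for the registrable-domain rule.
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		problems = append(problems, "RPID "+rpID+" does not cover host "+host)
	}
	listed := false
	for _, o := range rpOrigins {
		listed = listed || strings.EqualFold(strings.TrimRight(o, "/"), origin)
	}
	if !listed {
		problems = append(problems, "origin "+origin+" is not in RPOrigins")
	}
	return problems
}

func main() {
	fmt.Println(CheckRP("admin.example.net", []string{"https://admin.example.net:3002"}, "https://admin.example.net/"))
}
```

The origin is whatever the browser's address bar resolves to, so a backend or side port that the client never connects to does not belong in `RPOrigins`.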


@novakin commented on GitHub (Nov 23, 2024):

Done, and still have the same issue : "Cannot read properties of undefined (reading 'challenge')"

```
[webauthn]
# This is the display name
RPDisplayName = Nginx UI
# The domain name of Nginx UI
RPID          = XXX.XXX.net
# The list of origin addresses
RPOrigins     = https://XXX.XXX.net
```

@0xJacky commented on GitHub (Nov 23, 2024):

Did you try to restart nginx-ui after modifying the app.ini?


@novakin commented on GitHub (Nov 23, 2024):

Yes, it shows same config in panel

EDIT: In case restarted both nginx-ui and nginx


@0xJacky commented on GitHub (Nov 23, 2024):

Fixed in 6abf682, will be released in beta.41. Thanks for your report.
