HOWTO: Use third-party web controls on 8.5+

[Artoria2e5]

I got back to folding after some time spent crunching Mersenne primes, and being the eager tester that I am, I installed the v8.5.3 client. Then I opened my old trusty "Folding@Home In The Dark" client from LAR systems... Oops! No connection!

A quick peek into the browser networks tab & the client log show that the websocket api connections are being bounced for having a wrong Origin, originating in the Server::corsCB() code. Basically the browser sends an "Origin:" header with the websocket api connection made to 127.0.0.1:7396 (the FAH control websocket) explaining on which website's behalf it's making this connection. The FAH client side only lets the connection through when the origin is inside a whitelist.

By default the allowlist is:

Code: Select all

*\\.foldingathome\\.org http://((127.0.0.1)|(localhost))(:\\d+)?

so https://webclient.lar.systems, which isn't on it, is blocked.

To completely disable the check (quite risky! now any webpage can control your local FAH) in v8.5, edit the config.xml to say:

Code: Select all

<config>
  <allowed-origin-exprs v='.*'/>
</config>

To play it safe add it to the allow list, in theory, like this:
well. I actually could not get the below to work! THIS DOES NOT WORK AT ALL! IT BREAKS THE VANILLA CLIENT TOO!

Code: Select all

<config>
  <!-- whatever else you have now -->
  <allowed-origin-exprs v='https://webclient\.lar\.systems .*\\.foldingathome\\.org http://((127.0.0.1)|(localhost))(:\\d+)?'/>
</config>

PS: I have no idea why older versions did not trigger this check. The bulk of current corsCB() originated in 8.3.2 and I think it worked fine back then? Maybe my browser didn't send the header then? There was a slight change of the function in 8.5 in commit https://github.com/FoldingAtHome/fah-cl ... 21ab1a8705 and I think that's what made it serious.

PPS: Please someone tell me how to edit the allow list to something sensible. I do not want to run ".*" either and hell I don't want to tell people to do that. This is a dirty hack.

[Artoria2e5]

Hah! I've fixed it! The following works for playing it safe:

Code: Select all

  <allowed-origin-exprs v='https://webclient\.lar\.systems .*\.foldingathome\.org http://((127.0.0.1)|(localhost))(:\d+)?'/>

Gotta unescape by one level.

[muziqaz]

LAR probably did not enable 8.5 yet on their plugin. They are frequenting LTT forum

[calxalot]

Side note: It is not a pluigin, it is their own web app. I don't know if it is open source.

[muziqaz]

Side note: It is not a pluigin, it is their own web app. I don't know if it is open source.

I know, I know. I'm brainfarting from time to time

[calxalot]

My allow list is

Code: Select all

<allow v='127.0.0.1 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16'/>

This only because I use fahctl and lufah from another machine on local net.

[calxalot]

I know, I know. I'm brainfarting from time to time

You too, huh?

[Artoria2e5]

Just to be clear...

LAR probably did not enable 8.5 yet

the thing is, there's not anything for LAR to enable. the blocking is coming from the FAH client itself.

My allow list is

Code: Select all

<allow v='127.0.0.1 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16'/>

This only because I use fahctl and lufah from another machine on local net.

the old IP-based blocking still exists. the new thing is another layer that you need to configure.

[calxalot]

allowed-origin-exprs is newish.
allowed-origins has been there a while, but seemed maybe ignored for a few versions.
Or maybe it was partly something server-side.

I should probably test and update my local web control howto.

The CORS blocking generally will only affect web browsers, so I've been neglecting it.

[calxalot]

I emailed a link to your solution post to info@folding.lar.systems
I don't know if anyone is monitoring that email.

Edit: also messaged them on LTT forum
https://linustechtips.com/profile/66849 ... b=activity

[muziqaz]

Just to be clear...

LAR probably did not enable 8.5 yet

the thing is, there's not anything for LAR to enable. the blocking is coming from the FAH client itself.

My allow list is

Code: Select all

<allow v='127.0.0.1 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16'/>

This only because I use fahctl and lufah from another machine on local net.

the old IP-based blocking still exists. the new thing is another layer that you need to configure.

They had to tweak something in order for 8.4 to work. Similar thing might be required for 8.5

[calxalot]

I don't think anything really changed with 8.5 api.
The timeseries was added for the top chart.

I think 8.4 started reporting "wu_progress" instead of "progress".

[muziqaz]

https://linustechtips.com/topic/902973- ... t=16840937