nginx-module-vts

bug: absolute URL prevents the use of a reverse proxy with a different path in front of the stats

Open netchild opened this issue 10 months ago • 4 comments

Hi,

I want to protect access to the vts stats. So at the official URL (let's assume "/vts") nginx proxies to an oauth2 proxy which does the authentication, and then passes the request to "/realvts" on the same nginx (it has access rules to allow only the internal access on the same machine). "/realvts" is configured with the vhost_traffic_status_display.

If I access /vts with a browser, the oauth2 proxy does its job and gives me the content of /realvts, but then the browser tries to access /realvts/format/json instead of /vts/format/json. This is because the HTML source has var vtsStatusURI = "/realvts//format/json", instead of using a relative URL (untested: var vtsStatusURI = "./format/json", or maybe var vtsStatusURI = "format/json",).

So:

  • initial access: browser /vts -> nginx /vts -> oauth2 proxy /realvts -> same nginx /realvts -> vts module
  • wrong subsequent request from the status page: browser /realvts -> nginx /realvts -> 403
  • intended subsequent request from the status page: browser /vts -> nginx /vts -> oauth2 proxy /realvts -> same nginx /realvts -> vts module

This doesn't work, as the browser on a remote system is not allowed to access /realvts.

Bye, Alexander.

netchild Apr 12 '24 13:04
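As an added example (not part of the original issue and not the module's own code), the sketch below resolves the current absolute vtsStatusURI and the two untested relative forms from the post the way a browser would, against the public page URL with and without a trailing slash. The host name is a constructed placeholder; /vts and /realvts are the paths from the issue.

```javascript
// Added example: which path does the browser request for the JSON endpoint?
// ORIGIN is a constructed placeholder host, not taken from the issue.
const ORIGIN = "https://stats.example.test";
const PUBLIC_PREFIX = "/vts"; // authenticated location from the issue

// Current absolute value plus the two relative forms suggested in the issue.
const CANDIDATES = ["/realvts//format/json", "./format/json", "format/json"];

// Resolve a candidate as the browser does: against the URL of the page as the
// browser sees it (the public path, never the internal /realvts).
function resolveStatusPath(candidate, pagePath) {
  return new URL(candidate, ORIGIN + pagePath).pathname;
}

// True when the follow-up request still goes through the authenticated location.
function staysBehindProxy(candidate, pagePath) {
  const p = resolveStatusPath(candidate, pagePath);
  return p === PUBLIC_PREFIX || p.startsWith(PUBLIC_PREFIX + "/");
}

// One row per (page URL, candidate) combination.
function report() {
  const rows = [];
  for (const pagePath of ["/vts", "/vts/"]) {
    for (const candidate of CANDIDATES) {
      rows.push({
        pagePath,
        candidate,
        requested: resolveStatusPath(candidate, pagePath),
        behindProxy: staysBehindProxy(candidate, pagePath),
      });
    }
  }
  return rows;
}

console.table(report());
```

The relative forms stay under /vts only when the status page itself is loaded as /vts/ (with the trailing slash); loaded as /vts, they resolve to /format/json at the site root.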