Basic Auth

[PLAN8VR]

Is it possible to add basic auth to the html output?

So that the visitor has to enter username and password?

Thanks!

[allinurl]

You could do this via htpasswd. However, it would not perform auth on the WebScoket server. That's something I do plan to add, though. Do you have a thought on this? it would be nice to add native support for basic auth to goaccess. i.e., external support to a DB, etc...

[PLAN8VR]

That would be great.

Please note, I am a very basic user, I am no expert whatsoever, which is why I am loving your platform, even an idiot like me can use it!

But yes, if you could add a password access to the front end, that would be fantastic.

Thanks again.

[allinurl]

Got it. For now, please take a look at the htpasswd.

[PLAN8VR]

Great - thank you!

[allinurl]

More info on htpasswd.

[AGI-chandler]

I'm not too familiar with how websockets work, but would also like to restrict access to a public instance of GoAccess.  I already have that running on https with --real-time-html option and htpasswd implemented for the webpage, and wss is used for the socket connection.  How could I restrict access to the socket right now?  and could you briefly explain how I could, for example, as an un-authenticated user, connect to the socket and observe what info is leaked from it (via web browser and/or command line Linux tool)?  Thanks

[allinurl]

Nope, it basically means that only a specific, trusted domain can make WebSocket connections. This stops sketchy websites from trying to connect to places they shouldn't. The endpoint only lets connections happen from sites it trusts, and that's determined by checking where they're coming from. So, in simple terms, if they're accessing via your domain, they're good to open a connection.

[AGI-chandler]

So you're saying if I run
/usr/bin/goaccess -o /var/www/html/goaccess/index.html --real-time-html --origin=https://example.com
and then use htpasswd to put a basic auth on https://example.com/goaccess: It means wss://example.com:7890 can't be accessed without first login to https://example.com/goaccess?  but it looked to me like my browser running at home on residential internet (not on example.com) was making connections to wss://example.com:7890 itself...  Sorry am a big ignorant about this 🤪

[allinurl]

Accessing https://example.com/goaccess works when the origin is set to https://example.com. However, a connection to the websocket at wss://example.com:7890 cannot be established from https://myownsite.com due to origin restrictions.

On sites like https://www.piesocket.com/websocket-tester, attempts to open wss://example.com:7890 will fail due to origin restrictions, as the origin does not match the target websocket domain.

Let me know if that helps

[AGI-chandler]

Yes that makes more sense, thanks.  but... the origin header can just be spoofed.  Was successful by installing add-on https://github.com/didierfred/SimpleModifyHeaders then adding a rule at the bottom:

When URL contains: wss://example.com:7890
Action: Modify
Header Field Name: origin
Header Field Value: https://example.com
Comment:
Apply on: Request

Then click Start button in upper right.  Over on https://www.piesocket.com/websocket-tester I put in wss://example.com:7890 and click Connect button:

- Connection log will appear here
- Connecting to: wss://example.com:7890
- Connection Established
▼ {"general": {"start_date": "05/Nov/2023","end_date": "02/Dec/2023"...

So completely exposed to anyone with a few simple pieces of info!

but!  My idea of using GoAccess's origin setting as a password also works!
ℰ.ℊ. use --origin=https://iZBTbhV4:78901 and can observe on https://www.piesocket.com/websocket-tester while trying to connect to WebSocket wss://example.com:7890:

1. origin header: default: Connection failed
2. origin header: spoofed to https://example.com: Connection failed
3. origin header: spoofed to https://iZBTbhV4:78901: "Connection Established
▼ {"general": {"start_date": "05/Nov/2023","end_date": "02/Dec/2023"...

[allinurl]

Thanks for sharing those tips!

[allinurl]

Added WebSocket authentication options --ws-auth and --ws-auth-expire.
This commit introduces two new command-line options to enhance WebSocket
security in GoAccess:

--ws-auth=<jwt[:secret]>: Enables JWT-based authentication for WebSocket
connections. Supports an optional secret (as a string or file path) for token
verification. Without a secret, it falls back to the GOACCESS_WSAUTH_SECRET
environment variable or generates an HS256-compatible secret. When enabled, the
HTML report delays bootstrapping initial data until authentication succeeds.

--ws-auth-expire=: Sets the JWT expiration time, defaulting to 3600
seconds (1 hour). Supports flexible formats like "24h", "10m", or "10d" for
user convenience.

These options strengthen real-time HTML output security by ensuring only
authenticated clients access the WebSocket feed.

Give it a shot, you can build from github. You can expect this feature in the upcoming release. Thanks!

[allinurl]

For the record, added more flexibility to this:

Added dynamic JWT fetching and refreshing for WebSocket authentication.
This update enhances GoAccess WebSocket security with dynamic JWT
authentication. Two new options allow integration with external authentication
systems:

1. --ws-auth-url=<url>: Fetches initial JWTs from your authentication endpoint
2. --ws-auth-refresh-url=<url>: Obtains new tokens before expiration

The expanded --ws-auth option now supports both local JWTs and external
verification through the jwt:verify:secret format. When using external
endpoints, you must provide a secret key (as a file path, environment variable,
or direct string) for proper validation.

The system maintains secure connections by:

• Using the user's existing session credentials for token requests
• Proactively refreshing tokens 60 seconds before expiration
• Sending refresh messages without disconnecting ({"action": "refresh_token", "token": "new-jwt"})
• Validating tokens against the WebSocket server for continuous security

This implementation ensures seamless real-time reporting while maintaining
robust authentication. b6190cf