Workaround for Safari + Websockets + basic auth

https://bugs.webkit.org/show_bug.cgi?id=80362

kvmd/configs/nginx/nginx.conf.example

@@ -1,3 +1,5 @@
+load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
+
 user http;
 worker_processes 4;
 
@@ -5,7 +7,7 @@ worker_processes 4;
 error_log /dev/null crit;
 
 events {
-	worker_connections 64;
+	worker_connections 1024;
 	use epoll;
 }
 
@@ -25,12 +27,6 @@ http {
 	scgi_temp_path			/tmp/nginx.scgi_temp;
 	uwsgi_temp_path			/tmp/nginx.uwsgi_temp;
 
-#PROD	server {
-#PROD		listen 80;
-#PROD		server_name localhost;
-#PROD		return 301 https://$host$request_uri;
-#PROD	}
-
 	upstream kvmd {
 		server localhost:8081 fail_timeout=0s max_fails=0;
 	}
@@ -39,6 +35,17 @@ http {
 		server localhost:8082 fail_timeout=0s max_fails=0;
 	}
 
+#PROD	server {
+#PROD		listen 80;
+#PROD		server_name localhost;
+#PROD		return 301 https://$host$request_uri;
+#PROD	}
+
+#PROD	lua_shared_dict WS_TOKENS 10m;
+#PROD	init_by_lua_block {
+#PROD		WS_TOKEN_EXPIRES = 10;
+#PROD	}
+
 	server {
 #PROD		listen 443 ssl http2;
 		server_name localhost;
@@ -58,7 +65,27 @@ http {
 			index index.html;
 		}
 
+		location /wsauth {
+			# Workaround for Safari: https://bugs.webkit.org/show_bug.cgi?id=80362
+#PROD			access_by_lua_block {
+#PROD				local token = ngx.encode_base64(ngx.sha1_bin(ngx.var.http_Authorization));
+#PROD				ngx.shared.WS_TOKENS:set(token, token, WS_TOKEN_EXPIRES);
+#PROD				ngx.header["Set-Cookie"] = "WS_ACCESS_TOKEN=" .. token .. "; Path=/; Expires=" .. ngx.cookie_time(ngx.time() + WS_TOKEN_EXPIRES);
+#PROD			}
+			content_by_lua_block {
+				ngx.say("ok");
+			}
+		}
+
 		location /kvmd/ws {
+#PROD			auth_basic off;
+#PROD			access_by_lua_block {
+#PROD				local token = ngx.var.cookie_WS_ACCESS_TOKEN;
+#PROD				local value, _ = ngx.shared.WS_TOKENS:get(token);
+#PROD				if value == nil then
+#PROD					ngx.exec("/wsauth");
+#PROD				end
+#PROD			}
 			rewrite /kvmd/ws /ws break;
 			proxy_pass http://kvmd;
 			proxy_set_header Upgrade $http_upgrade;

kvmd/testenv/Dockerfile

@@ -31,7 +31,8 @@ RUN pacman -Syy \
 	&& user-packer -S --noconfirm \
 		python \
 		python-pip \
-		nginx \
+		nginx-mainline \
+		nginx-mainline-mod-lua \
 		mjpg-streamer-pikvm \
 		socat \
 	&& pacman -Sc --noconfirm

kvmd/web/js/session.js

@@ -20,11 +20,19 @@ var session = new function() {
 	};
 
 	this.startPoller = function() {
-		__ws = new WebSocket((location.protocol == "https:" ? "wss" : "ws") + "://" + location.host + "/kvmd/ws");
+		var http = tools.makeRequest("GET", "/wsauth", function() {
-		__ws.onopen = __wsOpenHandler;
+			if (http.readyState === 4) {
-		__ws.onmessage = __wsMessageHandler;
+				if (http.status === 200) {
-		__ws.onerror = __wsErrorHandler;
+					__ws = new WebSocket((location.protocol == "https:" ? "wss" : "ws") + "://" + location.host + "/kvmd/ws");
-		__ws.onclose = __wsCloseHandler;
+					__ws.onopen = __wsOpenHandler;
+					__ws.onmessage = __wsMessageHandler;
+					__ws.onerror = __wsErrorHandler;
+					__ws.onclose = __wsCloseHandler;
+				} else {
+					__wsCloseHandler(null);
+				}
+			}
+		});
 	};
 
 	var __wsOpenHandler = function(event) {

os/platforms/v1/Dockerfile.part

@@ -1,5 +1,6 @@
 RUN pkg-install \
-	nginx \
+	nginx-mainline \
+	nginx-mainline-mod-lua \
 	apache-tools \
 	mjpg-streamer-pikvm \
 	python \