Elgato_dark/LocalAI
1
0
Fork 0
mirror of https://github.com/mudler/LocalAI synced 2026-05-24 09:28:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8
6422 commits 101 branches 150 tags 134 MiB
Commit graph

2 commits

Author SHA1 Message Date
Adira
c2fe0a6475
fix(http): honor X-Forwarded-Prefix when proxy strips the prefix (#9614)
Some checks are pending
tests-aio / tests-aio (push) Waiting to run
Details
Tests extras backends / detect-changes (push) Waiting to run
Details
Tests extras backends / tests-transformers (push) Blocked by required conditions
Details
Tests extras backends / tests-rerankers (push) Blocked by required conditions
Details
Tests extras backends / tests-moonshine (push) Blocked by required conditions
Details
Tests extras backends / tests-pocket-tts (push) Blocked by required conditions
Details
Tests extras backends / tests-voxcpm (push) Blocked by required conditions
Details
Tests extras backends / tests-liquid-audio (push) Blocked by required conditions
Details
Tests extras backends / tests-llama-cpp-quantization (push) Blocked by required conditions
Details
Tests extras backends / tests-llama-cpp-grpc (push) Blocked by required conditions
Details
Tests extras backends / tests-llama-cpp-grpc-transcription (push) Blocked by required conditions
Details
Tests extras backends / tests-llama-cpp-smoke (push) Waiting to run
Details
Tests extras backends / tests-sherpa-onnx-realtime (push) Blocked by required conditions
Details
Tests extras backends / tests-acestep-cpp (push) Blocked by required conditions
Details
Tests extras backends / tests-qwen3-tts-cpp (push) Blocked by required conditions
Details
Tests extras backends / tests-vibevoice-cpp (push) Blocked by required conditions
Details
Tests extras backends / tests-vibevoice-cpp-grpc-tts (push) Blocked by required conditions
Details
Tests extras backends / tests-vibevoice-cpp-grpc-transcription (push) Blocked by required conditions
Details
Tests extras backends / tests-localvqe-grpc-transform (push) Blocked by required conditions
Details
Tests extras backends / tests-voxtral (push) Blocked by required conditions
Details
Tests extras backends / tests-kokoros (push) Blocked by required conditions
Details
Tests extras backends / tests-qwen-tts (push) Blocked by required conditions
Details
Tests extras backends / tests-qwen-asr (push) Blocked by required conditions
Details
Tests extras backends / tests-nemo (push) Blocked by required conditions
Details
Tests extras backends / tests-insightface-grpc (push) Blocked by required conditions
Details
Tests extras backends / tests-speaker-recognition-grpc (push) Blocked by required conditions
Details
tests / tests-linux (1.26.x) (push) Waiting to run
Details
tests / tests-apple (1.26.x) (push) Waiting to run
Details
UI E2E Tests / tests-ui-e2e (1.26.x) (push) Waiting to run
Details
E2E Backend Tests / tests-e2e-backend (1.25.x) (push) Waiting to run
Details 
* fix(http): honor X-Forwarded-Prefix when proxy strips the prefix

Closes #9145.

Two related issues kept the React UI from loading when a reverse proxy
rewrites a sub-path with prefix-stripping (e.g. Caddy `handle_path`):

1. `BaseURL` only computed a prefix from the path StripPathPrefix had
   removed, so when the proxy strips the prefix before forwarding, the
   request arrives without it and the base URL was returned without a
   prefix. Extract a `BasePathPrefix` helper and add an
   `X-Forwarded-Prefix` header fallback so the prefix is recovered.
2. `<base href>` only changes how relative URLs resolve; the build
   emits path-absolute references like `/assets/...` and
   `/favicon.svg`, which still resolve against the origin and bypass
   the proxy prefix. Rewrite those references in the served
   `index.html` so the browser requests them through the proxy.

Adds unit coverage for `BaseURL` with a pre-stripped path and an
end-to-end test for the proxy-stripped scenario.

Assisted-by: Claude:claude-opus-4-7

* fix(http): gate X-Forwarded-Prefix through SafeForwardedPrefix in BasePathPrefix

BasePathPrefix consumed X-Forwarded-Prefix directly, so a value the
codebase elsewhere rejects (e.g. "//evil.com") slipped through and was
interpolated into the SPA index.html — both into the path-absolute asset
URL rewrite in serveIndex (turning "/assets/..." into "//evil.com/assets/...",
a protocol-relative URL that loads JS from a foreign origin) and into
<base href>. Route the header through the existing SafeForwardedPrefix
validator that StripPathPrefix and prefixRedirect already use, and
HTML-escape the prefix before injecting it into the asset rewrite as
defense in depth against attribute breakout.

Tests cover //evil.com, backslashes, control chars, CR/LF and a missing
leading slash; the integration test asserts an unsafe prefix can't poison
asset URLs.

Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
Assisted-by: claude-code:claude-opus-4-7-1m [Read] [Edit] [Bash]

---------

Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
Co-authored-by: Ettore Di Giacinto <mudler@localai.io>
 2026-05-13 21:59:33 +02:00
Ettore Di Giacinto
1cdcaf0152
feat: migrate to echo and enable cancellation of non-streaming requests (#7270) 
* WIP: migrate to echo

Signed-off-by: Ettore Di Giacinto <mudler@localai.io>

* tests

Signed-off-by: Ettore Di Giacinto <mudler@localai.io>

---------

Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
 2025-11-14 22:57:53 +01:00