Fix to expire abandoned linked websocket routes

ⓘ Use the existing scheduled websocket cleanup path for linked-server ws-link routes and expire unopened temporary routes after five minutes. This limits how long credential-bearing proxy routes can remain in `miniserv.conf` while leaving active and normal websocket cleanup behavior unchanged.
2026-06-24 21:10:29 +01:00 · 2026-06-23 02:24:17 +02:00
parent 14c8d9b61e
commit 7878ef466f
3 changed files with 14 additions and 5 deletions
--- a/servers/link.cgi
+++ b/servers/link.cgi
@@ -329,18 +329,19 @@ return $rv;

 # cleanup_link_websockets()
 # Removes abandoned websocket proxy routes created for linked Webmin servers.
-# Active routes are removed by miniserv when their websocket tunnel closes.
+# Routes opened by the browser are removed by miniserv when consumed.
 sub cleanup_link_websockets
 {
 my %miniserv;
 my $now = time();
+my $link_ttl = 5*60;
 my $changed = 0;
 &lock_file(&get_miniserv_config_file());
 &get_miniserv_config(\%miniserv);
 foreach my $k (keys %miniserv) {
 	next if ($k !~ /^websockets_\/\Q$module_name\E\/ws-link-/);
 	my ($time) = $miniserv{$k} =~ /\btime=(\d+)/;
-	if (!$time || $now - $time > 24*60*60) {
+	if (!$time || $now - $time > $link_ttl) {
 		delete($miniserv{$k});
 		$changed++;
 		}
--- a/servers/module.info
+++ b/servers/module.info
@@ -4,3 +4,4 @@ desc=Webmin Servers Index
 longdesc=Displays an index of other Webmin servers for easy linking.
 readonly=1
 depends=mailboxes cron
+websockets=1
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -14429,19 +14429,26 @@ sub cleanup_miniserv_websockets
 my ($skip, $module) = @_;
 $skip ||= [ ];
 $module ||= $module_name;
+my $link_ttl = 5*60;
 &lock_file(&get_miniserv_config_file());
 my %miniserv;
 &get_miniserv_config(\%miniserv);
 my $now = time();
 my @clean;
 foreach my $k (keys %miniserv) {
-    $k =~ /^websockets_\/$module\/ws-(\d+)$/ || next;
-    my $port = $1;
-    next if (&indexof($port, @$skip) >= 0);
    my $when = 0;
    if ($miniserv{$k} =~ /time=(\d+)/) {
        $when = $1;
        }
+    if ($k =~ /^websockets_\/\Q$module\E\/ws-link-/) {
+        # Linked-server websocket routes carry a backend credential and are
+        # single-use. If the browser never opens them, expire them by age.
+        push(@clean, $k) if (!$when || $now - $when > $link_ttl);
+        next;
+        }
+    $k =~ /^websockets_\/\Q$module\E\/ws-(\d+)$/ || next;
+    my $port = $1;
+    next if (&indexof($port, @$skip) >= 0);
    if ($now - $when > 60) {
        # Has been open for a while, check if the port is still in use?
        my $err;