Closed hpsjakob closed 1 year ago
Since I could not find an integrated TLS option I now added a reverse proxy that handles the encryption. In combination with GitLab OAUTH I now get the issue that the redirect url that is passed to gitlab is localhost instead of my domain. Alexandrie extracts it from the request URL: https://github.com/Hirevo/alexandrie/blob/6d45d3fa44ae6a60e763ad09f0f64c7317caf42a/crates/alexandrie/src/config/frontend/auth/gitlab.rs#L53
So am I on the wrong track or is this somethingyou would accept a MR for?
We could for example also parse the X-Forwarded-Host headder and use that host instead if it is set.
Ok, I just realized that I simply had configured a wrong value for frontend.auth.origin
. So the redirect is fixed now.
Hello, sorry for my delay.
I'm happy you found a solution to your problem.
As to answer your original question, I don't think it would be worth it to implement TLS certificate management directly into Alexandrie.
There is a lot of things that goes into building a secure TLS server (like correctly handling and verifying certificates, automatically renewing them, accepting or excluding many different cipher suites, supporting both TLS 1.2 and 1.3, ensuring properties like forward secrecy, implementing all sorts of vulnerability mitigations for well-known attacks, etc...).
ssllabs.com can be a good tool to see everything that goes into handling TLS correctly, and the list is quite long.
I know that rustls
could be used to make implementing something like this easier but I think that using it correctly to not risk leaving any vulnerability exposed can still be challenging.
So, I think it is for the best to leave this task to battle-tested reverse-proxies like nginx, caddy or traefik.
I'll therefore close this issue for this reason, feel free to tell me if I missed something in your question, or if the problem you were encountering with the redirect URL is persisting.
Hi,
I just setup alexandrie for our company and am super happy until now.
I could not find a way to configure an SSL certificate. What is the usual approach here. Do you run it behind a reverse proxy or is there a config option I missed?
Regards, Jakob