search

Hirevo / alexandrie

An alternative crate registry, implemented in Rust.
https://hirevo.github.io/alexandrie/
Apache License 2.0
493 stars 55 forks source link

TLS support #148

Closed hpsjakob closed 1 year ago

hpsjakob commented 1 year ago

Hi,

I just setup alexandrie for our company and am super happy until now.

I could not find a way to configure an SSL certificate. What is the usual approach here. Do you run it behind a reverse proxy or is there a config option I missed?

Regards, Jakob

hpsjakob commented 1 year ago

Since I could not find an integrated TLS option I now added a reverse proxy that handles the encryption. In combination with GitLab OAUTH I now get the issue that the redirect url that is passed to gitlab is localhost instead of my domain. Alexandrie extracts it from the request URL: https://github.com/Hirevo/alexandrie/blob/6d45d3fa44ae6a60e763ad09f0f64c7317caf42a/crates/alexandrie/src/config/frontend/auth/gitlab.rs#L53

So am I on the wrong track or is this somethingyou would accept a MR for?

We could for example also parse the X-Forwarded-Host headder and use that host instead if it is set.

hpsjakob commented 1 year ago

Ok, I just realized that I simply had configured a wrong value for frontend.auth.origin. So the redirect is fixed now.

Hirevo commented 1 year ago

Hello, sorry for my delay.
I'm happy you found a solution to your problem.

As to answer your original question, I don't think it would be worth it to implement TLS certificate management directly into Alexandrie.

There is a lot of things that goes into building a secure TLS server (like correctly handling and verifying certificates, automatically renewing them, accepting or excluding many different cipher suites, supporting both TLS 1.2 and 1.3, ensuring properties like forward secrecy, implementing all sorts of vulnerability mitigations for well-known attacks, etc...).
ssllabs.com can be a good tool to see everything that goes into handling TLS correctly, and the list is quite long.

I know that rustls could be used to make implementing something like this easier but I think that using it correctly to not risk leaving any vulnerability exposed can still be challenging.

So, I think it is for the best to leave this task to battle-tested reverse-proxies like nginx, caddy or traefik.

I'll therefore close this issue for this reason, feel free to tell me if I missed something in your question, or if the problem you were encountering with the redirect URL is persisting.