IHTSDO / snowstorm

Scalable SNOMED CT Terminology Server using Elasticsearch

HTTPS Configuration for Apache Server and Swagger #598

Open leapoli opened 5 months ago

leapoli commented 5 months ago

Hi

I'm facing an issue when using Snowstorm 10.2.1, since it's generating a URL but without considering the protocol, so the browser is blocking requests due to mixed content (HTTP and HTTPS). The server is hosted at: https://snowstorm.entrerios.gov.ar/ so that the generated URL is:

[image]

I'm not sure if this is an issue or something that I'd configure. I've deployed it with docker and there is a browser redirecting from HTTP to HTTPS, but the thing here is that the browser is avoiding requests formed this way.

kaicode commented 5 months ago

Please add configuration for the Snowstorm Nginx location to inform Snowstorm which host and protocol the proxy is running on. For example:

server {
...

  location /snowstorm {
    proxy_pass http://localhost:8080/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Prefix /snowstorm;
  }

...
}

Then Swagger should display the correct protocol.

leapoli commented 5 months ago

That's not possible in this case since I just built it from docker-compose file and I'm not managing the proxy. I'm just able to run up the machine, not to manage the main proxy (it's a large network). But even more, the proxy is an Apache. So again, is it possible for me to do something to make Swagger aware of which protocol was requested with?

kaicode commented 5 months ago

The only way that I know of to make Swagger aware of the protocol that it's using is to set the X-Forwarded-Proto header. This is a standard HTTP header that is intended for this purpose when using a proxy. See documentation here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto

It's possible under Apache, of course: https://serverfault.com/a/453854/85094

leapoli commented 5 months ago

Tried with that header in Apache and still didn't work. Maybe there is something that you can do in the code?

https://stackoverflow.com/questions/60625494/wrong-generated-server-url-in-springdoc-openapi-ui-swagger-ui-deployed-behin

kaicode commented 5 months ago

Hi @leapoli, I'm sorry you are still having issues. We are using this solution: https://stackoverflow.com/a/72724277/512223

The Spring Boot server.forward-headers-strategy property is set to framework in Snowstorm by default. See: https://github.com/IHTSDO/snowstorm/blob/10.2.1/src/main/resources/application.properties#L120

We set the X-Forwarded-Proto header to make Swagger respond using https. This Nginx configuration is copied directly from our production browser deployment (I realise you are using Apache Server but it should work in the same way):

...
  location /snowstorm/snomed-ct {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Prefix /snowstorm/snomed-ct;
    proxy_set_header X-Forwarded-Proto "https";
    proxy_set_header X-Forwarded-Ssl $secure;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_pass http://localhost:8080/;
...

This causes Swagger to realise that it's hosted on https. This Swagger UI is here: https://browser.ihtsdotools.org/snowstorm/snomed-ct/

The quickest way to test this is that the "servers" section of the generated swagger json has "https". My understanding is that all swagger UI calls use this server URL. https://browser.ihtsdotools.org/snowstorm/snomed-ct/v3/api-docs/snowstorm

If we remove the X-Forwarded-Proto header then the URL in the servers section reverts to "http".

I'm sure this must be possible with Apache server but I am struggling to find an authoritative and up to date guide on how to set it up.
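The "servers" check described in the comment above, written out as an added example (not part of the thread and not Snowstorm code). The hostnames, the sample documents and the function name `check_servers` are constructed for illustration; it inspects an already-downloaded api-docs JSON and reports which forwarded header the backend apparently did not honour.

```python
from urllib.parse import urljoin, urlsplit

NOT_HTTPS = "server URL is not https although the docs were served over https (check X-Forwarded-Proto)"
WRONG_HOST = "server host differs from the public host (check X-Forwarded-Host)"

def check_servers(api_docs_url, api_docs):
    """Return [(resolved_server_url, [problems])] for an OpenAPI 3 document.

    api_docs_url is the public URL the JSON was fetched from; api_docs is the
    parsed JSON. An empty problem list means Swagger UI loaded from that origin
    would call the server over the same scheme and host.
    """
    page = urlsplit(api_docs_url)
    # OpenAPI 3: a missing or empty "servers" array means one server with url "/".
    servers = api_docs.get("servers") or [{"url": "/"}]
    results = []
    for entry in servers:
        # Server URLs may be relative; they resolve against the document URL.
        resolved = urljoin(api_docs_url, entry.get("url", "/"))
        target = urlsplit(resolved)
        problems = []
        if page.scheme == "https" and target.scheme != "https":
            problems.append(NOT_HTTPS)
        if target.hostname != page.hostname:
            problems.append(WRONG_HOST)
        results.append((resolved, problems))
    return results

# Constructed sample data (placeholder host, prefix taken from the thread).
DOCS_URL = "https://terminology.example.org/snowstorm/snomed-ct/v3/api-docs/snowstorm"
FIXED = {"servers": [{"url": "https://terminology.example.org/snowstorm/snomed-ct"}]}
BROKEN = {"servers": [{"url": "http://terminology.example.org/snowstorm/snomed-ct"}]}
INTERNAL = {"servers": [{"url": "http://snowstorm-backend:8080"}]}

if __name__ == "__main__":
    for name, doc in (("fixed", FIXED), ("broken", BROKEN), ("internal", INTERNAL)):
        for url, problems in check_servers(DOCS_URL, doc):
            print(name, url, problems or "ok")
```
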

leapoli commented 5 months ago

Thank you @kaicode for reopening this case.

I still cannot figure out what could be happening, taking into consideration that Apache proxy is forwarding this header to the Snowstorm server (and there isn't in the middle).

I will research also trying to arrive at a solution.