stephdl
commented
5 months ago QA
we need to test to create a custom route (a reverse proxy) to another webserver using a self signed certificate
for example you have inside you local network a web server running a wordpress with a self signed certificate on 192.168.1.100, you will create a custom route to forward web requests from a FQDN (foo.domain.com) or a Path (/foo) to https://192.168.1.100
Previously you needed to have a valid certificate (LE or paid certificate) with this works we could say to Traefik do not verify the certificate
target version
- ghcr.io/nethserver/traefik:2.0.2-dev.2
- ghcr.io/nethserver/core:2.2.8-dev.1
case 1 upgrade
- install a NS8 server and initiate the domain
- install some module that needs a route and configure them (mattermost, mariadb...)
- install the two updates (either
by the CLIorenable testing and use the UI) - create a route (settings > http route panel) to a web server resource with a self signed certificate (do the two cases with
hostname(foo.domain.com) andpath(test withns8.domain.com/foo)
what to test:
- with the new toggle enabled (skip certificate verification) you
canuse the web application resource with a self signed certificate - with the new toggle disabled (skip certificate verification) you
cannotuse the web application resource with a self signed certificate - The route previously created to the modules you have installed must be workable (test if you can still use the
FQDNorPathset) - Install a new module to create a new route and test if the installation and the configuration is without issue (test the web application is reachable)
case 2 direct install
- install a NS8 server and initiate the domain
curl https://raw.githubusercontent.com/NethServer/ns8-core/main/core/install.sh > install.sh bash +x install.sh ghcr.io/nethserver/core:2.2.8-dev.1 ghcr.io/nethserver/traefik:2.0.2-dev.2 - install some module that needs a route and configure them (mattermost, mariadb...)
- create a route (settings > http route panel) to a web server resource with a self signed certificate (do the two cases with
hostname(foo.domain.com) andpath(test withns8.domain.com/foo)
what to test:
- with the new toggle enabled (skip certificate verification) you
canuse the web application resource with a self signed certificate - with the new toggle disabled (skip certificate verification) you
cannotuse the web application resource with a self signed certificate - The route previously created to the modules you have installed must be workable (test if you can still use the
FQDNorPathset) - Install a new module to create a new route and test if the installation and the configuration is without issue (test the web application is reachable)
nrauso
DavidePrincipi
When we have some web servers in the local network, we could open only one time the tcp/80 and tcp/443 inside the firewall of the LAN. The common scenario is to use a reverse proxy (what Traefik is) and forward the request to an IP or FQDN . The concern is that if you use a web application with a self signed certificate then Traefik refuses to forward the request
Proposed solution
I propose to add a toggle to let the user decide if he can trust the self signed certificate or refuse to forward if the certificate is not validated by Traefik
Alternative solutions
no simple solutions for now, the alternative solution is actually disable the verification globally.
thank @DavidePrincipi for the idea of the feature