Open kertiskz opened 11 months ago
Successfully configured Caddy as a reverse proxy directly inside a Rocket.Chat Docker container and created a certificate. Everything is now functioning as expected.
@jeanfbrito How soon can I expect push notifications to be restored?
@Prizrakoleg please open a ticket with support so we can prioritize.
@jeanfbrito How can I do this?
Okay, while we wait for a decision, which will take years, use my instructions for setting up a self-signed SSL certificate.

1) Create a certificate:

```
sudo openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
```

2) Next, move the `certificate.crt` file to the folder `/etc/ssl/certs/` and the `privateKey.key` file to `/etc/ssl/private`.

3) Create a snippet with `sudo nano /etc/nginx/snippets/self-signed.conf` and add the following to it:

```
ssl_certificate /etc/ssl/certs/certificate.crt;
ssl_certificate_key /etc/ssl/private/privateKey.key;
```

5) Create the keys using the command:

```
sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
```

6) Open the nginx configuration file for our rocketchat, in my case located at `/etc/nginx/conf.d/{domain or ip_address}.conf`, and paste the following there (I attach the entire file as an example, in case someone does not understand):

```nginx
upstream backend {
    server {domain or ip_address}:3000;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
    server_name {domain or ip_address};
    client_max_body_size 800M;
    error_log /var/log/nginx/{domain or ip_address}.log;

    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}
```

7) Check the integrity of the configuration with the `sudo nginx -t` command (if there are no syntax errors, go to the next step; if there are problems, look at which line the problem is on and fix it).

8) Change the server URL in the rocketchat configuration file. For snap users, there is a simple command:

```
sudo snap set rocketchat-server siteurl=https://(domain or ip_address)
```

9) Restart the rocketchat and nginx services:

```
sudo systemctl restart snap.rocketchat-server.rocketchat-caddy.service
sudo systemctl restart nginx
```

10) In the client application, delete the server and add it again, writing the following in the address field: `https://(domain or ip_address)`
@Prizrakoleg Thank you for your solution. What do I need to do in case of installing Rocket.Chat from the Docker registry? There is no Nginx container there. Do I need to download one? How do I connect it to Rocket.Chat?
@Prizrakoleg thanks for your suggestion for setting up SSL; do you also know how to set this up for the snap version of the server running on Ubuntu in a local network without a domain controller, for the internal network only? Edit: just saw your hint for snap users; does snap really use a "shared" version of SSL instead of using SSL inside the snap package?
@developers: here is a log from the console on my Windows client v3.9.14, connected to a local rocket-chat server using snap without SSL: eh-chat-1713970921421.log
@herrxyz I have a working snap rocket chat server on Ubuntu, running locally, without the Internet. What I wrote above is working. @MarkWorkosigan check it out, I think it should help https://docs.rocket.chat/~/changes/jU5GhBvduA5D5gdkPYm1/deploy/prepare-for-your-deployment/rapid-deployment-methods/docker-and-docker-compose/docker-containers
@Prizrakoleg great tutorial :-) On Debian, I had to add some steps to get it working; maybe you could add them to your solution (somewhere before starting nginx). I hope this could save other people another hour when trying to figure it out.
(step 0: distribution upgrade; with Debian 10 there was a problem installing nginx, so I upgraded to Debian 12)
```nginx
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
#ssl_stapling on;
#ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
```
Many thanks to @Prizrakoleg and @herrxyz , now I finally managed to get my RocketChat Snap installation on my virtual Ubuntu 22.04.4 LTS server working with SSL again and now I finally get the notifications in the desktop app again.
A few comments that may be helpful for others:
```nginx
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
#ssl_stapling on;
#ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
```

```nginx
upstream backend {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
    server_name rocketchat.mydomain.local;
    client_max_body_size 800M;
    error_log /var/log/nginx/rocketchat.mydomain.local.log;

    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}
```
In `/etc/nginx/nginx.conf` I had to comment out the following line to prevent the default config from loading (not sites-available but sites-enabled), so the commented-out line should look like:

```
# include /etc/nginx/sites-enabled/*;
```

Btw, the line above that one in nginx.conf is `include /etc/nginx/conf.d/*.conf;` and will actually include any .conf file we have created ourselves, e.g. `rocketchat.mydomain.local.conf` in my case.

Note that

```
sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
```

can take a couple of minutes, even on a fast virtual server.

The snap command I used to switch to the new HTTPS URL:

```
sudo snap set rocketchat-server siteurl=https://rocketchat.mydomain.local
```
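The tutorial earlier in the thread and the full config posted just above both hand the same nginx server block to people who have never reviewed one. Below is an added example (not code from any participant or from the Rocket.Chat project) that parses the flat nginx syntax used in those posts and runs the checks a reviewer would want before pointing clients at the proxy: a TLS listener exists, no deprecated protocol versions are enabled, the websocket upgrade headers and HTTP/1.1 that Rocket.Chat's realtime connection needs are proxied, X-Forwarded-Proto is set, and HSTS and the legacy X-XSS-Protection header are reported. `SAMPLE_CONF` is constructed from the posted snippets; the hostname is the poster's placeholder, and the finding levels and message texts are this example's own convention.

```python
"""Lint an nginx server block used as a TLS reverse proxy for Rocket.Chat.

Added example for this thread, not code from its participants or from the
Rocket.Chat project. The parser covers the flat subset of nginx syntax used
in the posted configs: directives ended by ';', blocks in braces, quoted
arguments and '#' comments.
"""
import re

# Constructed from the ssl-params snippet plus the server block posted above.
SAMPLE_CONF = """
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_session_tickets off;
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
upstream backend { server 127.0.0.1:3000; }
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name rocketchat.mydomain.local;
    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
"""

# A quoted string is one token, so the ';' inside the HSTS value does not
# terminate the directive early.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def parse(text):
    """Return [(context, name, args)]; context is the tuple of enclosing block headers."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    stack, out, cur = [], [], []
    for tok in _TOKEN.findall(stripped):
        if tok == "{":
            stack.append(" ".join(cur))
            cur = []
        elif tok == "}":
            stack.pop()
            cur = []
        elif tok == ";":
            if cur:
                out.append((tuple(stack), cur[0], [a.strip("\"'") for a in cur[1:]]))
            cur = []
        else:
            cur.append(tok)
    return out


def lint(text):
    """Return a list of (level, message); level is FAIL, WARN or INFO."""
    d = parse(text)
    findings = []

    def args(name):
        return [a for _, n, a in d if n == name]

    if not any("ssl" in a for a in args("listen")):
        findings.append(("FAIL", "no 'listen ... ssl' directive: nothing serves TLS"))

    protos = {p for a in args("ssl_protocols") for p in a}
    weak = protos & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
    if weak:
        findings.append(("FAIL", f"ssl_protocols enables deprecated versions: {sorted(weak)}"))
    elif not protos:
        findings.append(("WARN", "ssl_protocols not set; the nginx default for this build applies"))

    # Last occurrence of each proxied header wins, as it would within one location.
    hdr = {a[0].lower(): a[1:] for a in args("proxy_set_header") if len(a) > 1}
    if (hdr.get("upgrade") != ["$http_upgrade"]
            or [h.lower() for h in hdr.get("connection", [])] != ["upgrade"]
            or not any(a == ["1.1"] for a in args("proxy_http_version"))):
        findings.append(("FAIL", "websocket upgrade not proxied (needs Upgrade/Connection headers and proxy_http_version 1.1)"))
    if hdr.get("x-forwarded-proto") != ["https"]:
        findings.append(("WARN", "X-Forwarded-Proto is not 'https'; the app cannot tell it sits behind TLS"))

    added = {a[0].lower(): a[1:] for a in args("add_header") if a}
    if "strict-transport-security" not in added:
        findings.append(("WARN", "HSTS off: acceptable while clients still see an untrusted self-signed cert, "
                                 "enable it once the cert is trusted everywhere"))
    if "x-xss-protection" in added:
        findings.append(("INFO", "X-XSS-Protection is a legacy header that current browsers ignore"))

    ciphers = " ".join(c for a in args("ssl_ciphers") for c in a)
    if ("EDH" in ciphers or "DHE" in ciphers) and not args("ssl_dhparam"):
        findings.append(("WARN", "DHE ciphers allowed but ssl_dhparam not set"))
    return findings


def has_level(findings, level):
    return any(lvl == level for lvl, _ in findings)


if __name__ == "__main__":
    for lvl, msg in lint(SAMPLE_CONF):
        print(f"{lvl}: {msg}")
```

On the posted config this reports no FAIL, a WARN for the commented-out HSTS line and an INFO for X-XSS-Protection. Keeping HSTS off while the certificate is self-signed is the right order of operations: once a browser has seen the header it no longer offers a click-through for an untrusted certificate on that host. One more check worth adding by hand: the `openssl req -x509` one-liner from the tutorial produces a certificate with no subjectAltName, and Chromium-based clients (Electron desktop apps included) do not accept a certificate that matches only the CN, so pass `-addext "subjectAltName=DNS:rocketchat.mydomain.local"` (OpenSSL 1.1.1 or later) when generating it.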
Ok, let's figure out what's going on right now. https://developer.mozilla.org/en-US/docs/Web/API/Notifications_API says that notifications in browsers will only work from HTTPS domains and from localhost.
I need to understand now: on an UPDATED server version, I mean the last patch, and with the latest Desktop app (v4.0), is this still happening? If so, I need to understand how the browser gets the notifications and the desktop doesn't. So I need to understand what domain is used to access it from the desktop app.
Since an HTTPS server works, why can't you use it? I will need this information so I can ask for help from other devs, because we don't support insecure deploys, and if there is a secure solution they will tell you just to use it.
After upgrading from 6.3.9 to 6.4.0, notifications disappeared for Windows desktop applications version 3.9.5 and below. The tray icon does not display unread messages, and the "Expand when new messages arrive" function does not work. Since desktop application version 3.9.5 is the latest possible for Windows 7/8.1, this error is very critical: users cannot see unread messages. Relevant for version 6.4.2.

Server Setup Information
- Version of Rocket.Chat Server: 6.4.2
- Operating System: synology
- Deployment Method: docker
- Number of Running Instances: 1
- DB Replicaset Oplog: Enabled
- NodeJS Version: 14.21.3
- MongoDB Version: 6.0.11