Closed vorburger closed 5 years ago
Hi @vorburger,
thank you for your help :-)
First things first: don't use master branch for production applications as it may contain untested and unstable code (we'll merge some PR that will most likely break something).
You can build your own docker image from 1.x-maintenance branch, or you can use one of our pre-built images: https://hub.docker.com/r/alfio/alf.io/
Back to https: Alf.io has been designed with security and privacy in mind. Https cannot be deactivated if you're using production profiles. However, you can decide to terminate SSL connections on the proxy level. To do that, your proxy must set the X-Forwarded-For and X-Forwarded-Proto headers (see https://docs.spring.io/spring-boot/docs/1.5.16.RELEASE/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server ).
As far as I know, this is the default behavior when using NGINX Ingress in Kubernetes. Can you configure Openshift to use NGINX Ingress? You can find more info on https://github.com/stephanj/alfio-k8s .
Hope this helps, Celestino
> thank you for your help :-)
well Thank You for making Alf.io! :smile_cat:
> First things first: don't use master branch for production applications
I like living on the bleeding edge... :smiley: but I hear you - I'll use 1.x-maintenance for a planned prod deploy.
> Https cannot be deactivated if you're using production profiles.

but I will run it under HTTPS - just an https provided by OpenShift, instead of Spring Boot... Isn't that what that Spring profile named `http` is for? The README under "Available spring profiles:" says "http: enable if behind proxy or the call chain is not full https" ... that seems to be exactly what one would want in this context - except it's not really working? I don't suppose #513 would be an acceptable fix for this? Just asking!
> Can you configure Openshift to use NGINX Ingress?
OpenShift uses its own Router. In the hosted OpenShift Online (which I want to use) this is a built-in HAProxy. While I guess it would theoretically be "possible" to deploy an NGINX Ingress like @stephanj has done for an Alf.io deployment on "raw" Kubernetes, this would make less sense on OpenShift (v3, based on and extending Kubernetes).
> your proxy must set the X-Forwarded-For and X-Forwarded-Proto headers
I'm not sure if HAProxy in OpenShift does this, but if that's a standard / convention, I bet it does.. is there a particular functionality in Alf.io I could manually check to see if this works?
Without #513, I can only get Alf.io to work in OpenShift if I run with the `dev` profile (but I guess that has other side effects and is insecure), or probably also with a Secure Route with TLS Termination Re-encrypt, but that seems very inefficient and just a silly architecture, no?
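One way to run the manual check asked about above, as an added example that is not part of the thread or of the Alf.io project: the function reads response headers as printed by `curl -sI` and reports whether the application answered with a redirect to https, and `verdict` compares a probe without `X-Forwarded-Proto` against one with it. The two sample responses are constructed (the status codes are assumptions), and the commented commands assume the application listens on http://localhost:8080/ as in the issue description.

```shell
#!/bin/sh
# Added example. classify_response reads HTTP response headers on stdin and
# prints one of: https-redirect | other-redirect | served | unexpected
classify_response() {
    awk '
        { sub(/\r$/, "") }                        # drop the CR of CRLF line ends
        NR == 1 { status = $2 + 0 }               # status line, e.g. HTTP/1.1 302 Found
        tolower($1) == "location:" { loc = $2 }   # header names are case-insensitive
        END {
            if (status >= 300 && status < 400) {
                if (loc ~ /^https:\/\//) { print "https-redirect" }
                else { print "other-redirect" }
            } else if (status >= 200 && status < 300) { print "served" }
            else { print "unexpected" }
        }'
}

# verdict: $1 = result without X-Forwarded-Proto, $2 = result with "X-Forwarded-Proto: https"
verdict() {
    case "$1/$2" in
        https-redirect/served)         echo "ok: header honoured, plain HTTP still redirected" ;;
        https-redirect/https-redirect) echo "fail: X-Forwarded-Proto ignored, redirect persists behind the proxy" ;;
        served/served)                 echo "note: no redirect either way, HTTPS is not enforced by the application" ;;
        *)                             echo "inconclusive: $1/$2" ;;
    esac
}

# Constructed sample: the redirect the issue describes for a plain-HTTP request
SAMPLE_NO_HEADER='HTTP/1.1 302 Found
Location: https://localhost:8443/
Content-Length: 0'

# Constructed sample: the answer expected once the forwarded header is honoured
SAMPLE_WITH_HEADER='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8'

a=$(printf '%s\n' "$SAMPLE_NO_HEADER" | classify_response)
b=$(printf '%s\n' "$SAMPLE_WITH_HEADER" | classify_response)
verdict "$a" "$b"

# Live use against a running instance (assumed address):
#   a=$(curl -sI http://localhost:8080/ | classify_response)
#   b=$(curl -sI -H 'X-Forwarded-Proto: https' http://localhost:8080/ | classify_response)
#   verdict "$a" "$b"
```

Run the live probes from the address the proxy connects from, since a server may honour forwarded headers only from proxy addresses it trusts.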
> Without #513, I can only get Alf.io to work in OpenShift if I run with the dev profile or probably also with a Secure Route with TLS Termination Re-encrypt
It actually does work even if one sets up a Secure Route with Redirect ...
... keeping this open just to conclude #513 one way or another, then will close it.
@cbellone I thought you may enjoy that remembering what I learnt from you here on Sep 24, 2018 just came in handy for me today in https://issues.apache.org/jira/browse/FINERACT-914 - so a very late Thank You for that explanation here again! :smiley:
Thanks for letting me know, @vorburger :-) I'm glad I could help somehow :-)
Describe the bug

I'm picking up https://github.com/alfio-event/alf.io/issues/403 and need it to run in production not dev mode, and with http: enable if behind proxy or the call chain is not full https ... because the OpenShift will do HTTPS, so it should just listen on 8080 and surtout not send any HTTP redirect from http://localhost:8080 to https://localhost/ - makes sense?
I'm either just missing a parameter (quite likely), or something is broken. Also this is probably basic Spring Boot stuff, not even really Alf.io specific, but I thought before I go digging I would ask you guys here for help, in exchange to contributing #403 ... :smile:
To Reproduce

Steps to reproduce the behavior:

```
./gradlew clean distribution
./gradlew startEmbeddedPgSQL
./gradlew -Pprofile=dev :bootRun
```

-- all good, on http://localhost:8080/ I get "Choose your Event"

```
POSTGRES_PORT_5432_TCP_ADDR=localhost POSTGRES_PORT_5432_TCP_PORT=5432 POSTGRES_ENV_POSTGRES_DB=alfio POSTGRES_ENV_POSTGRES_USERNAME=postgres POSTGRES_ENV_POSTGRES_PASSWORD=password java -jar build/libs/alfio-2.0-M0-SNAPSHOT-boot.war
```
But unfortunately that is NOK... because http://localhost:8080/ redirects to https://localhost:8443/ but there is nothing running there. Oh, did I just forgot to enable that http Spring profile thing? OK, again:
```
SPRING_PROFILES_ACTIVE=http ALFIO_LOG_STDOUT_ONLY=true POSTGRES_PORT_5432_TCP_ADDR=localhost POSTGRES_PORT_5432_TCP_PORT=5432 POSTGRES_ENV_POSTGRES_DB=alfio POSTGRES_ENV_POSTGRES_USERNAME=postgres POSTGRES_ENV_POSTGRES_PASSWORD=password java -jar build/libs/alfio-2.0-M0-SNAPSHOT-boot.war
```
and:
but nope, still the same problem! :sob: