alfio-event / alf.io

alf.io - The open source ticket reservation system for conferences, trade shows, workshops, meetups
https://alf.io
GNU General Public License v3.0

How to launch in production/non-dev mode with only 8080 and no HTTPs ? #511

Closed vorburger closed 5 years ago

vorburger commented 6 years ago

Describe the bug

I'm picking up https://github.com/alfio-event/alf.io/issues/403 and need it to run in production not dev mode, and with "http: enable if behind proxy or the call chain is not full https" ... because OpenShift will do HTTPS, so it should just listen on 8080 and above all not send any HTTP redirect from http://localhost:8080 to https://localhost/ - makes sense?

I'm either just missing a parameter (quite likely), or something is broken. Also this is probably basic Spring Boot stuff, not even really Alf.io specific, but I thought before I go digging I would ask you guys here for help, in exchange for contributing #403 ... :smile:

To Reproduce

Steps to reproduce the behavior:

  1. ./gradlew clean distribution
  2. ./gradlew startEmbeddedPgSQL
  3. ./gradlew -Pprofile=dev :bootRun -- all good, on http://localhost:8080/ I get "Choose your Event"
  4. Now stop that dev / :bootRun, and instead launch it as if production like I want to in #403:

POSTGRES_PORT_5432_TCP_ADDR=localhost POSTGRES_PORT_5432_TCP_PORT=5432 POSTGRES_ENV_POSTGRES_DB=alfio POSTGRES_ENV_POSTGRES_USERNAME=postgres POSTGRES_ENV_POSTGRES_PASSWORD=password java -jar build/libs/alfio-2.0-M0-SNAPSHOT-boot.war

But unfortunately that is NOK... because http://localhost:8080/ redirects to https://localhost:8443/ but there is nothing running there. Oh, did I just forget to enable that http Spring profile thing? OK, again:

SPRING_PROFILES_ACTIVE=http ALFIO_LOG_STDOUT_ONLY=true POSTGRES_PORT_5432_TCP_ADDR=localhost POSTGRES_PORT_5432_TCP_PORT=5432 POSTGRES_ENV_POSTGRES_DB=alfio POSTGRES_ENV_POSTGRES_USERNAME=postgres POSTGRES_ENV_POSTGRES_PASSWORD=password java -jar build/libs/alfio-2.0-M0-SNAPSHOT-boot.war

and:

22:55:24.824 [main] INFO  alfio.config.SpringBootLauncher - profiles: requested , active spring-boot, stdout, http

but nope, still the same problem! :sob:

cbellone commented 6 years ago

Hi @vorburger,

thank you for your help :-)

First things first: don't use master branch for production applications as it may contain untested and unstable code (we'll merge some PR that will most likely break something).

You can build your own docker image from 1.x-maintenance branch, or you can use one of our pre-built images: https://hub.docker.com/r/alfio/alf.io/

Back to https: Alf.io has been designed with security and privacy in mind. Https cannot be deactivated if you're using production profiles. However, you can decide to terminate SSL connections on the proxy level. To do that, your proxy must set the X-Forwarded-For and X-Forwarded-Proto headers (see https://docs.spring.io/spring-boot/docs/1.5.16.RELEASE/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server ).

As far as I know, this is the default behavior when using NGINX Ingress in Kubernetes. Can you configure Openshift to use NGINX Ingress? You can find more info on https://github.com/stephanj/alfio-k8s .

Hope this helps, Celestino

vorburger commented 5 years ago

> thank you for your help :-)

well Thank You for making Alf.io! :smile_cat:

> First things first: don't use master branch for production applications

I like living on the bleeding edge... :smiley: but I hear you - I'll use 1.x-maintenance for a planned prod deploy.

> Https cannot be deactivated if you're using production profiles.

but I will run it under HTTPS - just an https provided by OpenShift, instead of Spring Boot... Isn't that what that Spring profile named http is for? The README under "Available spring profiles:" says "http: enable if behind proxy or the call chain is not full https" ... that seems to be exactly what one would want in this context - except it's not really working? I don't suppose #513 would be an acceptable fix for this? Just asking!

> Can you configure Openshift to use NGINX Ingress?

OpenShift uses its own Router. In the hosted OpenShift Online (which I want to use) this is a built-in HAProxy. While I guess it would theoretically be "possible" to deploy an NGINX Ingress like @stephanj has done for an Alf.io deployment on "raw" Kubernetes, this would make less sense on OpenShift (v3, based on and extending Kubernetes).

> your proxy must set the X-Forwarded-For and X-Forwarded-Proto headers

I'm not sure if HAProxy in OpenShift does this, but if that's a standard / convention, I bet it does.. is there a particular functionality in Alf.io I could manually check to see if this works?

Without #513, I can only get Alf.io to work in OpenShift if I run with the dev profile (but I guess that has other side effects and is insecure), or probably also with a Secure Route with TLS Termination Re-encrypt, but that seems very inefficient and just a silly architecture, no?
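
A manual check for the proxy-header behaviour discussed in the two comments above, as an added example that is not part of the thread or of alf.io: it sends one plain request and one carrying `X-Forwarded-Proto: https` to the backend port and compares whether the redirect to https still happens. The function names, the `ALFIO_URL` variable and the sample responses are constructed for this example.

```shell
#!/bin/sh
# Added example, not alf.io code. Function names and ALFIO_URL are assumptions.

# Constructed sample responses, shaped like `curl -sI` output.
SAMPLE_DIRECT='HTTP/1.1 302 Found
Location: https://localhost:8443/'
SAMPLE_FORWARDED='HTTP/1.1 200 OK
Content-Type: text/html'

# Read response headers on stdin; print "https-redirect <url>",
# "other-redirect <url>", "no-redirect <status>" or "no-response".
classify_headers() {
    tr -d '\r' | awk '
        NR == 1 { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        END {
            if (NR == 0)                                   print "no-response"
            else if (status ~ /^3/ && loc ~ /^https:\/\//) print "https-redirect", loc
            else if (status ~ /^3/)                        print "other-redirect", loc
            else                                           print "no-redirect", status
        }'
}

# Compare the plain response ($1) with the one sent with proxy headers ($2).
verdict() {
    case "${1%% *}:${2%% *}" in
        https-redirect:no-redirect)    echo "forwarded-proto-honoured" ;;
        https-redirect:https-redirect) echo "forwarded-proto-ignored" ;;
        no-redirect:*)                 echo "https-not-enforced" ;;
        *)                             echo "inconclusive" ;;
    esac
}

# Live probe against the backend port, e.g. ALFIO_URL=http://localhost:8080
probe() {
    d=$(curl -sI --max-time 5 "$1/" | classify_headers)
    f=$(curl -sI --max-time 5 -H 'X-Forwarded-Proto: https' \
             -H 'X-Forwarded-For: 203.0.113.10' "$1/" | classify_headers)
    echo "direct:    $d"
    echo "forwarded: $f"
    verdict "$d" "$f"
}

# Runs only when a target is given, so the script stays offline by default.
if [ -n "${ALFIO_URL:-}" ]; then probe "$ALFIO_URL"; fi
```

A result of `forwarded-proto-honoured` also means the backend port must only be reachable through the proxy, since anything that can reach it directly can set the same header.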

vorburger commented 5 years ago

> Without #513, I can only get Alf.io to work in OpenShift if I run with the dev profile or probably also with a Secure Route with TLS Termination Re-encrypt

It actually does work even if one sets up a Secure Route with Redirect ...

... keeping this open just to conclude #513 one way or another, then will close it.

vorburger commented 4 years ago

@cbellone I thought you may enjoy that remembering what I learnt from you here on Sep 24, 2018 just came in handy for me today in https://issues.apache.org/jira/browse/FINERACT-914 - so a very late Thank You for that explanation here again! :smiley:

cbellone commented 4 years ago

Thanks for letting me know, @vorburger :-) I'm glad I could help somehow :-)