ckulka / baikal-docker

Provides a ready-to-go Baikal server, incl. docker-compose.yml & Systemd service file
https://hub.docker.com/r/ckulka/baikal
MIT License

Mixed (insecure) content behind an Apache reverse proxy #216

Closed masscream closed 3 months ago

masscream commented 3 months ago

Hello,

I'm trying to run a docker with baikal behind an apache reverse proxy, which is in another container. Even though there is connectivity between the containers, baikal does not seem to work this way at all. The main webpage always complains about insecure / mixed content and can't be loaded, whatever settings I try. Please, has anybody gotten it working in a similar kind of setup? It does not matter if I choose the dav.domain.com or domain.com/dav URL model, the same issue comes with both. Thank you.

Container setup

docker run \
  -d \
  --net bridge \
  --ip 10.0.0.21 \
  -p 9005:80 \
  --name baikal \
  --restart always \
  -e BAIKAL_SERVERNAME=dav.domain.com \
  -v /home/apps/.local/share/docker/volumes/baikal_volume/_data/config:/var/www/baikal/config \
  -v /home/apps/.local/share/docker/volumes/baikal_volume/_data/Specific:/var/www/baikal/Specific \
  ckulka/baikal:latest

Apache reverse proxy

<VirtualHost *:3443>
  ServerName dav.domain.com
  DocumentRoot /usr/local/apache2/htdocs/www.domain.com/root

  SSLEngine on
  SSLCertificateFile    /usr/local/apache2/certs/domain.com/fullchain.pem
  SSLCertificateKeyFile /usr/local/apache2/certs/domain.com/privkey.pem

  CustomLog /usr/local/apache2/logs/access_dav.domain.com.log combined
  ErrorLog /usr/local/apache2/logs/error_dav.domain.com.log
  LogLevel warn

#Baikal
  ProxyPass / http://10.0.0.21
  ProxyPassReverse / http://10.0.0.21

</VirtualHost>

I tried adding these settings, one after another, and they seem to get half the job done, because the browser tries to access the elements securely; however, the connection times out on them.

RequestHeader set X-Forwarded-Proto "https"
Header always set Content-Security-Policy "upgrade-insecure-requests"

Browser console

Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'attribution-reporting'.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'run-ad-auction'.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'join-ad-interest-group'.
:3443/:1 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure element 'http://10.0.0.21/res/core/BaikalAdmin/Templates/Page/baikal-text-20.png'. This request was not upgraded to HTTPS because its URL's host is an IP address.
:3443/:1 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure element 'http://10.0.0.21/res/core/Baikal/Images/logo-baikal.png'. This request was not upgraded to HTTPS because its URL's host is an IP address.
5Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
dav.domain.com/:58 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure element 'http://10.0.0.21/res/core/BaikalAdmin/Templates/Page/baikal-text-20.png'. This request was not upgraded to HTTPS because its URL's host is an IP address.
dav.domain.com/:58 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure image 'http://10.0.0.21/res/core/BaikalAdmin/Templates/Page/baikal-text-20.png'. This request has been blocked; the content must be served over HTTPS.
dav.domain.com/:58 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure element 'http://10.0.0.21/res/core/Baikal/Images/logo-baikal.png'. This request was not upgraded to HTTPS because its URL's host is an IP address.
dav.domain.com/:58 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure image 'http://10.0.0.21/res/core/Baikal/Images/logo-baikal.png'. This request has been blocked; the content must be served over HTTPS.
dav.domain.com/:1 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure script 'http://10.0.0.21/res/core/TwitterBootstrap/js/jquery-3.1.0.min.js'. This request has been blocked; the content must be served over HTTPS.
dav.domain.com/:1 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure script 'http://10.0.0.21/res/core/TwitterBootstrap/js/jquery.color-2.2.0.min.js'. This request has been blocked; the content must be served over HTTPS.
dav.domain.com/:1 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure script 'http://10.0.0.21/res/core/TwitterBootstrap/js/bootstrap.min.js'. This request has been blocked; the content must be served over HTTPS.
dav.domain.com/:1 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure script 'http://10.0.0.21/res/core/BaikalAdmin/main.js'. This request has been blocked; the content must be served over HTTPS.
favicon.ico:1 
GET https://dav.domain.com:3443/favicon.ico 502 (Proxy Error)

masscream commented 3 months ago

Fixed

  ProxyPass / http://10.0.0.21/
  ProxyPassReverse / http://10.0.0.21/
  ProxyPreserveHost On
  RequestHeader set X-Forwarded-Proto "https"

Working also for domain.com/dav but you have to edit the config (baikal.yaml) and add the base_uri parameter.
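
A check for the symptom in this thread, as an added example that is not part of the original comments or the project's code: it parses a served page and lists the subresource URLs a browser would flag as mixed content, marking IP-literal hosts like the ones the console log reports as not upgraded. The function name, the reason labels and the `FIXED` markup are assumptions for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href"}

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append((tag, value))

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_mixed_content(page_url, html):
    """List (tag, absolute_url, reason); 'http-ip-host' marks an IP-literal host."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.urls:
        absolute = urljoin(page_url, raw)  # resolves relative URLs against the page
        parts = urlsplit(absolute)
        if parts.scheme != "http":
            continue
        reason = "http-ip-host" if _is_ip_literal(parts.hostname or "") else "http"
        findings.append((tag, absolute, reason))
    return findings

# Constructed samples: BROKEN mirrors URLs from the console log, FIXED is assumed markup.
PAGE = "https://dav.domain.com:3443/"
BROKEN = ('<img src="http://10.0.0.21/res/core/Baikal/Images/logo-baikal.png">'
          '<script src="http://10.0.0.21/res/core/BaikalAdmin/main.js"></script>')
FIXED = ('<img src="https://dav.domain.com:3443/res/core/Baikal/Images/logo-baikal.png">'
         '<script src="/res/core/BaikalAdmin/main.js"></script>')
if __name__ == "__main__":
    print(*find_mixed_content(PAGE, BROKEN), sep="\n")
```

Run it against the HTML returned through the proxy's public URL after each configuration change; an empty result means no plain-HTTP subresource URLs remain in the markup.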

ioogithub commented 2 months ago

Hi, I am also trying to get baikal working from behind an apache reverse proxy with no success. I have been struggling with this for several hours.

You mention that you have to edit baikal.yaml, exactly what did you put in this field to get it working?

If I do this base_uri 'dav' or any combination such as '/dav' 'dav/' '/dav/' etc. then load the http://localhost/dav in the browser, the admin page is broken. If I can get this working then I could do what you suggested in apache:

  ProxyPass /dav http://10.0.0.21/dav
  ProxyPassReverse /dav http://10.0.0.21/dav
  ProxyPreserveHost On
  RequestHeader set X-Forwarded-Proto "https"

but the localhost needs to work first and after I change the base_uri parameter I always get a 404 error on the new page: http://localhost/dav and a broken page on the original root page: http://localhost. I would love to know how you got this working.

Are you sure you got localhost/dav working or did you get d.localhost working? Could you post your entire solution including the yaml file and the apache.conf?

masscream commented 2 months ago

Yes, well, the problem I had was with loading mixed content and probably had something to do with the apache config. I fixed it with the configuration above on the apache side. Also, I had to configure the apache suffix folder in the baikal.yaml settings: base_uri: 'dav/', or base_uri: '/dav/' also worked. This issue got resolved, until I found another problem. As you say, the admin redirect is not working properly. It was an issue with the app itself as mentioned here, but it got fixed and the problem remained probably for the docker users, etc...

I got tired after several hours trying to get this to work - the solutions in the thread are temporary and not always stated as 100%, what I needed, so I switched to the dav.domain.com setup. This got me a good functional version of the Baikal container behind a proxy.