cogentapps / chat-with-gpt

An open-source ChatGPT app with a voice
https://www.chatwithgpt.ai
MIT License

SSL #142

Open jodeleit opened 1 year ago

jodeleit commented 1 year ago

Deployed this with docker, but I get an SSL protocol error. A Let's Encrypt Cert is installed. Forwarding port 443 to 3000 does not seem to solve the problem. Any hints? Sorry for this newbie question.
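The symptom in the question, an "SSL protocol error" after forwarding 443 straight to the app's port, usually means the browser's TLS ClientHello is landing on a server that only speaks plain HTTP. The probe below tells those cases apart; it is an added diagnostic, not part of chat-with-gpt or of any comment in this issue. The host and port are whatever you deployed; the stub server is a constructed stand-in for an app listening in plain HTTP on :3000.

```python
"""Classify what is listening on a port: TLS, plain HTTP, or nothing.

Added diagnostic, not part of chat-with-gpt or of this issue. The host and
port are whatever you deploy on; the stub server below is a constructed
stand-in for an app that speaks plain HTTP on :3000.
"""
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ADVICE = {
    "tls": "TLS handshake succeeded; the proxy (or app) terminates TLS here.",
    "plaintext-http": ("the peer answers plain HTTP, so the browser's TLS ClientHello hits a "
                       "server that does not speak TLS: put a TLS-terminating reverse proxy "
                       "on this port and forward to the app's plain port (e.g. 3000)."),
    "closed": "nothing is listening; check the port mapping / firewall.",
    "unknown": "connected, but the peer spoke neither TLS nor HTTP.",
}


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'tls', 'plaintext-http', 'closed' or 'unknown' for host:port."""
    # Step 1: attempt a TLS handshake. Certificate checks are disabled on
    # purpose: this is a protocol probe, and a wrong or self-signed cert is
    # still a TLS endpoint, which is a different problem from no TLS at all.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket completes the handshake on an already-connected socket
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # ssl.SSLError (e.g. WRONG_VERSION_NUMBER when an HTTP status line
        # arrives instead of a ServerHello), EOF, reset or timeout all land here.
        pass
    # Step 2: the handshake failed; see whether a plaintext HTTP server answers.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
            head = raw.recv(64)
    except OSError:
        return "unknown"
    return "plaintext-http" if head.startswith(b"HTTP/") else "unknown"


class _AppStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the app's plain-HTTP listener (not the real app)."""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()

    def do_GET(self):
        self.do_HEAD()
        self.wfile.write(b"chat app, plain HTTP\n")

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_plaintext_server() -> tuple[ThreadingHTTPServer, int]:
    """Start the stub on a free loopback port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _AppStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_tcp_port() -> int:
    """A loopback port with no listener (bind, read the number, release)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_plaintext_server()
    try:
        verdict = probe_port("127.0.0.1", port)
        print(f"127.0.0.1:{port} -> {verdict}: {ADVICE[verdict]}")
    finally:
        srv.shutdown()
        srv.server_close()
```

Run it against your own host and 443 (`probe_port("your.host", 443)`): a `plaintext-http` verdict is exactly the "forward 443 to 3000" mistake, and the fix is the TLS-terminating proxy the next comment describes.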

bsu3338 commented 1 year ago

This may not be what you are looking for, but I run haproxy to do my SSL termination. It runs on ports 80 and 443 and proxies for port 3000. People also seem to like https://nginxproxymanager.com/

Using a proxy gives the ability to add extra security to the SSL communication like ACLs for particular paths and cipher lists.

Sample HAProxy config below from https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.1k&guideline=5.6

# generated 2023-05-02, Mozilla Guideline v5.6, HAProxy 2.1, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.1k&guideline=5.6
global
    # intermediate configuration
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl-dh-param-file /path/to/dhparam

frontend chat
    mode    http
    bind    :443 ssl crt /path/to/<cert+privkey+intermediate> alpn h2,http/1.1
    bind    :80
    redirect scheme https code 301 if !{ ssl_fc }

    # HSTS (63072000 seconds)
    http-response set-header Strict-Transport-Security max-age=63072000

    default_backend webservers

backend webservers
    option forwardfor
    # HSTS is already set by the frontend above (HAProxy evaluates response
    # rules in the backend first, so a second set-header here would only be
    # overridden by the frontend's value); keep a single definition there and
    # add includeSubDomains to it if every subdomain is served over HTTPS.
    http-response set-header X-Frame-Options "SAMEORIGIN"
    # Legacy header: modern Chromium and Firefox ignore it; harmless for old browsers.
    http-response add-header X-XSS-Protection "1; mode=block"
    http-response add-header X-Content-Type-Options "nosniff"
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    server chat chat:3000 check
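Once the proxy is up, it is worth confirming that the headers the backend section intends actually reach the browser. The script below does that; it is an added example, not part of chat-with-gpt or of the HAProxy config above. `fetch_headers` takes the deployment URL (a placeholder here), and `audit_headers` works offline on (name, value) pairs, so a header emitted twice (as happens when both frontend and backend add one) stays visible. The one-year `max-age` threshold is the hstspreload.org requirement for the `preload` directive.

```python
"""Audit the security headers a TLS-terminating proxy returns.

Added example, not part of chat-with-gpt or of the HAProxy config in the
comment above. fetch_headers() takes any https:// URL; audit_headers() runs
offline on a list of (name, value) pairs so duplicates remain visible.
"""
from __future__ import annotations

import http.client
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # hstspreload.org requires at least this max-age for 'preload'
CHECKED = {"strict-transport-security", "x-frame-options",
           "x-content-type-options", "referrer-policy"}


def fetch_headers(url: str, timeout: float = 5.0) -> list[tuple[str, str]]:
    """HEAD the URL over TLS and return the response headers in wire order."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// URL")
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        return conn.getresponse().getheaders()
    finally:
        conn.close()


def audit_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: list[str] = []
    by_name: dict[str, list[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    # A header set in both frontend and backend with add-header arrives twice;
    # RFC 6797 says a client honours only the first HSTS field it sees.
    for name, values in by_name.items():
        if name in CHECKED and len(values) > 1:
            findings.append(f"{name}: sent {len(values)} times {values}; define it once "
                            "(set-header, not add-header)")

    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.append("strict-transport-security: missing")
    else:
        directives = [d.strip().lower() for d in hsts[0].split(";") if d.strip()]
        max_age = None
        for d in directives:
            if d.startswith("max-age="):
                try:
                    max_age = int(d.split("=", 1)[1])
                except ValueError:
                    findings.append(f"strict-transport-security: unparsable {d!r}")
        if max_age is None:
            findings.append("strict-transport-security: no max-age directive")
        elif max_age < ONE_YEAR:
            findings.append(f"strict-transport-security: max-age {max_age} is under one year")
        if "preload" in directives and (
                "includesubdomains" not in directives or (max_age or 0) < ONE_YEAR):
            findings.append("strict-transport-security: 'preload' requires includeSubDomains "
                            f"and max-age >= {ONE_YEAR}")

    xfo = by_name.get("x-frame-options", [])
    if not xfo:
        findings.append("x-frame-options: missing (or use CSP frame-ancestors)")
    elif xfo[0].upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append(f"x-frame-options: unexpected value {xfo[0]!r}")

    xcto = by_name.get("x-content-type-options", [])
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append("x-content-type-options: should be exactly 'nosniff'")

    rp = by_name.get("referrer-policy", [])
    if not rp:
        findings.append("referrer-policy: missing")
    elif rp[0].lower() in {"unsafe-url", "no-referrer-when-downgrade"}:
        findings.append(f"referrer-policy: {rp[0]!r} sends the full URL to cross-origin "
                        "HTTPS destinations; strict-origin-when-cross-origin is the modern default")

    if "x-xss-protection" in by_name:
        findings.append("x-xss-protection: deprecated and ignored by current Chromium and "
                        "Firefox; rely on Content-Security-Policy instead")
    return findings


if __name__ == "__main__":
    # Placeholder URL: replace with your own deployment.
    for line in audit_headers(fetch_headers("https://chat.example.invalid/")) or ["all checks passed"]:
        print(line)
```

Running the audit against the config above as posted would flag `no-referrer-when-downgrade` and `X-XSS-Protection` as advisory findings; a clean result for the other three headers confirms the proxy, not the app on :3000, is the one answering on 443.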