[Bug]: Https isn't enforced

Ujstor commented 7 months ago

Description

Traffic from HTTP isn't automatically redirected to HTTPS. The option in the configuration under Advanced (Force HTTPS) is checked, and yet I can still access my app through HTTP. Is there something I might be misconfiguring? The domain in the general settings starts with https://.

I am also using V3, and I didn't have this issue

Minimal Reproduction (if possible, example repository)

I am providing an example Docker Compose with network configuration:

version: '3' services: probitapi: image: 'ujstor/probitapi:1.0.4' ports:

'5005:5005' environment:
'KEY=${KEY}'
'ID=${ID}'
'SECRET=${SECRET}' networks: t880g0g: null labels:
traefik.enable=true
traefik.http.middlewares.gzip.compress=true
traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
traefik.http.routers.http-0-p4c4k80.entryPoints=http
'traefik.http.routers.http-0-p4c4k80.rule=Host(probit.astipan.com) && PathPrefix(/)'
traefik.http.routers.https-0-p4c4k80.entryPoints=https
traefik.http.routers.https-0-p4c4k80.middlewares=gzip
'traefik.http.routers.https-0-p4c4k80.rule=Host(probit.astipan.com) && PathPrefix(/)'
traefik.http.routers.https-0-p4c4k80.tls.certresolver=letsencrypt
traefik.http.routers.https-0-p4c4k80.tls=true
'caddy_0.encode=zstd gzip'
'caddy_0.handle_path.0_reverse_proxy={{upstreams}}'
'caddy_0.handle_path=/*'
caddy_0.header=-Server
'caddy_0.try_files={path} /index.html /index.php'
'caddy_0=https://probit.astipan.com'
caddy_ingress_network=p4c4k80
coolify.managed=true
coolify.version=4.0.0-beta.239
coolify.applicationId=1
coolify.type=application
coolify.name=probitapi-t880g0g-222457280347
coolify.pullRequestId=0 restart: unless-stopped container_name: probitapi-t880g0g-222457280347 volumes: { } networks: t880g0g: name: t880g0g external: true

Exception or Error

This is not the case with just one app. I deployed four different code examples, and in every case, I experienced the same issue. Was this previously known behavior?

Thanks for the help....project is amazing

Version

v4.0.0-beta.239

andrasbacsai commented 4 months ago

(I've sent you an email, please check that first.)

The assignment of the middleware called redirect-to-https is missing from the labels list.

Can you please click on the Reset Coolify Generated Labels button on the general configuration page?

If it is still missing, please let me know more details about your deployment type (git based or not, which buildpack do you use, etc, basically a screenshot from the general tab wouldbe sufficient)

Ujstor commented 4 months ago

@andrasbacsai In prod, I am still using CL v3, but I did a test to see if the issue still persists and I have interesting results.

I deployed my portfolio website from a public Git source using a simple Docker Compose with an image from DockerHub

The first test was on a domain that I used in other projects, so it had a generated certificate with Let's Encrypt. For the first five minutes, there was a problem with the certificate, but it was resolved automatically afterward.

But still, if I try to access the domain with http://, it won't redirect automatically to https

services:
  web:
    image: 'ujstor/portfolio-web-go:1.2.0'
    ports:
      - '${PORT}:${PORT}'
    environment:
      - 'PORT=${PORT}'
    networks:
      kosg0og: null
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.gzip.compress=true
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.routers.http-0-vg4s800.entryPoints=http
      - 'traefik.http.routers.http-0-vg4s800.rule=Host(`test.ujstor.com`) && PathPrefix(`/`)'
      - traefik.http.routers.https-0-vg4s800.entryPoints=https
      - traefik.http.routers.https-0-vg4s800.middlewares=gzip
      - 'traefik.http.routers.https-0-vg4s800.rule=Host(`test.ujstor.com`) && PathPrefix(`/`)'
      - traefik.http.routers.https-0-vg4s800.tls.certresolver=letsencrypt
      - traefik.http.routers.https-0-vg4s800.tls=true
      - 'caddy_0.encode=zstd gzip'
      - 'caddy_0.handle_path.0_reverse_proxy={{upstreams}}'
      - 'caddy_0.handle_path=/*'
      - caddy_0.header=-Server
      - 'caddy_0.try_files={path} /index.html /index.php'
      - 'caddy_0=https://test.ujstor.com'
      - caddy_ingress_network=kosg0og
      - coolify.managed=true
      - coolify.version=4.0.0-beta.294
      - coolify.applicationId=1
      - coolify.type=application
      - coolify.name=web-kosg0og-212210758740
      - coolify.pullRequestId=0
    restart: unless-stopped
    container_name: web-kosg0og-212210758740
volumes: {  }
networks:
  kosg0og:
    name: kosg0og
    external: true

I ran one more test on a different worker and domain inside the same Cooldy cluster. Now cert works fine on the first attempt. In this case, HTTPS is enforced and automatically redirects from http:// on Brave, not a case in Firefox

services:
  web:
    image: 'ujstor/portfolio-web-go:1.2.0'
    ports:
      - '${PORT}:${PORT}'
    environment:
      - 'PORT=${PORT}'
    networks:
      yoccw44: null
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.gzip.compress=true
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.routers.http-0-s8w4w0s.entryPoints=http
      - 'traefik.http.routers.http-0-s8w4w0s.rule=Host(`test2.ujstor.com`) && PathPrefix(`/`)'
      - traefik.http.routers.https-0-s8w4w0s.entryPoints=https
      - traefik.http.routers.https-0-s8w4w0s.middlewares=gzip
      - 'traefik.http.routers.https-0-s8w4w0s.rule=Host(`test2.ujstor.com`) && PathPrefix(`/`)'
      - traefik.http.routers.https-0-s8w4w0s.tls.certresolver=letsencrypt
      - traefik.http.routers.https-0-s8w4w0s.tls=true
      - 'caddy_0.encode=zstd gzip'
      - 'caddy_0.handle_path.0_reverse_proxy={{upstreams}}'
      - 'caddy_0.handle_path=/*'
      - caddy_0.header=-Server
      - 'caddy_0.try_files={path} /index.html /index.php'
      - 'caddy_0=https://test2.ujstor.com'
      - caddy_ingress_network=yoccw44
      - coolify.managed=true
      - coolify.version=4.0.0-beta.294
      - coolify.applicationId=2
      - coolify.type=application
      - coolify.name=web-yoccw44-205954710543
      - coolify.pullRequestId=0
    restart: unless-stopped
    container_name: web-yoccw44-205954710543
volumes: {  }
networks:
  yoccw44:
    name: yoccw44
    external: true

Last time, I ran CL version v4.0.0-beta.239, and now I am testing on v4.0.0-beta.294.

Config that i gave you are default generated, I see that traefik Assigned Middleware to HTTP Router label redirect-to-https is missing

The strange thing is, when I tested different browsers (latest versions) on https://www.browserling.com/, only Brave and Firefox did not redirect to HTTPS, other browsers did

I provision and configure the infrastructure with Terraform and Ansible on Hetzner. https://github.com/Ujstor/self-hosting-infrastructure-cluster

I thought that maybe the way I am provisioning and configuring infrastructure could be a problem, and I spotted an issue in my Ansible logs connected with the SSH hardening configuration. Made tests after fixing it and got the same result.

The HTTPS redirect issue only occurs when I deploy from Docker Compose. Deployment from a Dockerfile works, and it has attached traefik.http.routers.http-0-o844s0c.middlewares=redirect-to-https

I tried Docker Compose prod (with an image on DockerHub) and built image from the code repository, same result. The question is why 'redirect-to-https' isn't attached to the Compose labels?

Hope this helps.

Congrats on the latest Fireship shoutout. You deserve it for your amazing work!

mooxl commented 4 months ago

I'm encountering the same. Despite having the "Force HTTPS" option enabled in the Advanced settings, HTTP traffic is not being redirected to HTTPS because the middleware is missing. We briefly discussed this via email, but since I haven't received a follow-up, I'm commenting here. The repository being deployed is: https://github.com/mediaatrium/gerber. The generated Docker Compose (Build Pack) file:

services:
  cache:
    image: 'varnish:alpine'
    restart: unless-stopped
    volumes:
      - '/data/coolify/applications/lcwsggo/default.vcl:/etc/varnish/default.vcl'
    tmpfs:
      - '/app:exec'
    environment:
      - VARNISH_SIZE=512M
    networks:
      lcwsggo: null
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.gzip.compress=true
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.routers.http-0-ys40ooo.entryPoints=http
      - 'traefik.http.routers.http-0-ys40ooo.rule=Host(`gerber-fachhandel.de`) && PathPrefix(`/`)'
      - traefik.http.routers.https-0-ys40ooo.entryPoints=https
      - traefik.http.routers.https-0-ys40ooo.middlewares=gzip
      - 'traefik.http.routers.https-0-ys40ooo.rule=Host(`gerber-fachhandel.de`) && PathPrefix(`/`)'
      - traefik.http.routers.https-0-ys40ooo.tls.certresolver=letsencrypt
      - traefik.http.routers.https-0-ys40ooo.tls=true
      - 'caddy_0.encode=zstd gzip'
      - 'caddy_0.handle_path.0_reverse_proxy={{upstreams}}'
      - 'caddy_0.handle_path=/*'
      - caddy_0.header=-Server
      - 'caddy_0.try_files={path} /index.html /index.php'
      - 'caddy_0=https://gerber-fachhandel.de'
      - caddy_ingress_network=lcwsggo
      - coolify.managed=true
      - coolify.version=4.0.0-beta.301
      - coolify.applicationId=1362
      - coolify.type=application
      - coolify.name=cache-lcwsggo-180959312430
      - coolify.pullRequestId=0
    container_name: cache-lcwsggo-180959312430
  site:
    build: .
    restart: unless-stopped
    depends_on:
      - cache
    networks:
      lcwsggo: null
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.gzip.compress=true
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.routers.http-0-fckccsw.entryPoints=http
      - traefik.http.routers.http-0-fckccsw.middlewares=gzip
      - 'traefik.http.routers.http-0-fckccsw.rule=Host(`r0k44cs.49.13.197.248.sslip.io`) && PathPrefix(`/`)'
      - 'caddy_0.encode=zstd gzip'
      - 'caddy_0.handle_path.0_reverse_proxy={{upstreams}}'
      - 'caddy_0.handle_path=/*'
      - caddy_0.header=-Server
      - 'caddy_0.try_files={path} /index.html /index.php'
      - 'caddy_0=http://r0k44cs.49.13.197.248.sslip.io'
      - caddy_ingress_network=lcwsggo
      - coolify.managed=true
      - coolify.version=4.0.0-beta.301
      - coolify.applicationId=1362
      - coolify.type=application
      - coolify.name=site-lcwsggo-180959313075
      - coolify.pullRequestId=0
    container_name: site-lcwsggo-180959313075
volumes: {  }
networks:
  lcwsggo:
    name: lcwsggo
    external: true

Your insights or updates on resolving this issue would be greatly appreciated. Thank you!

mooxl commented 4 months ago

We have the domain https://gerber-fachhandel.de, and force https is enabled. Therefore, this line of code should be executed. However, this is not the case. Since I am not familiar with PHP, I am unable to debug this scenario. As mentioned in the email, this issue is preventing us from switching from our own managed server to a Coolify one. @andrasbacsai

mooxl commented 4 months ago

Added the middleware to the labels of the Docker Compose file and deployed it as is. Now it works.

peaklabs-dev commented 4 months ago

@andrasbacsai I have a related issue open for the missing checkbox force HTTPS in services and some other places: https://github.com/coollabsio/coolify/issues/2513

0tii commented 4 months ago

I can confirm this issue is happening to me too and it is actually quite critical, as basic auth doesnt seem to cover http, so even though my website is behind a basic auth, it can still be accessed through http from certain browsers such as iOS Safari, which opens you up to legal liability in some cases such as when you are not DSGVO compliant and expect your website to be hidden behind basic auth.

even with the traefik middleware label for the http-https redirect, some browsers will still be able to connect via http:// and that needs to be fixed asap

Browsers I found to be able to connect via http:// although the proper labels are set:

iOS Safari
Brave

Here, for reference, my docker-compose

services:
  *************:
    container_name: *************
    build:
      context: .
      dockerfile: ./docker/Dockerfile
      target: prod
    environment:
      NODE_ENV: production
      NEXT_PUBLIC_BACKEND_URL: '${NEXT_PUBLIC_BACKEND_URL}'
      NEXT_PUBLIC_HCAPTCHA_SITE_KEY: '${NEXT_PUBLIC_HCAPTCHA_SITE_KEY}'
    ports:
      - '3100:3100'
    labels:
      - 'traefik.http.middlewares.cplusbasicauth.basicauth.users=****:*********'
      - traefik.enable=true
      - traefik.http.middlewares.gzip.compress=true
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.routers.http-0-v4k4oko.entryPoints=http
      - 'traefik.http.routers.http-0-v4k4oko.rule=Host(`***********`) && PathPrefix(`/`)'
      - traefik.http.routers.https-0-v4k4oko.entryPoints=https
      - 'traefik.http.routers.https-0-v4k4oko.middlewares=gzip,cplusbasicauth'
      - 'traefik.http.routers.https-0-v4k4oko.rule=Host(`***********`) && PathPrefix(`/`)'
      - traefik.http.routers.https-0-v4k4oko.tls.certresolver=letsencrypt
      - traefik.http.routers.https-0-v4k4oko.tls=true
      - 'caddy_0.encode=zstd gzip'
      - 'caddy_0.handle_path.0_reverse_proxy={{upstreams}}'
      - 'caddy_0.handle_path=/*'
      - caddy_0.header=-Server
      - 'caddy_0.try_files={path} /index.html /index.php'
      - 'caddy_0=***********'
      - caddy_ingress_network=i4wwoc8
      - coolify.managed=true
      - coolify.version=4.0.0-beta.306
      - coolify.applicationId=3
      - coolify.type=application
      - coolify.name=frontend-i4wwoc8-112043614991
      - coolify.pullRequestId=0
    networks:
      i4wwoc8: null
    restart: unless-stopped
volumes: {  }
networks:
  i4wwoc8:
    name: i4wwoc8
    external: true

ladderschool commented 4 months ago

services: : container_name: build: context: . dockerfile: ./docker/Dockerfile target: prod environment: NODE_ENV: production NEXT_PUBLIC_BACKEND_URL: '${NEXT_PUBLIC_BACKEND_URL}' NEXT_PUBLIC_HCAPTCHA_SITE_KEY: '${NEXT_PUBLIC_HCAPTCHA_SITE_KEY}' ports:
'3100:3100' labels:

'traefik.http.middlewares.cplusbasicauth.basicauth.users=**:***'

traefik.enable=true

traefik.http.middlewares.gzip.compress=true

traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https

traefik.http.routers.http-0-v4k4oko.entryPoints=http

'traefik.http.routers.http-0-v4k4oko.rule=Host(***********) && PathPrefix(/)'

traefik.http.routers.https-0-v4k4oko.entryPoints=https

'traefik.http.routers.https-0-v4k4oko.middlewares=gzip,cplusbasicauth'

'traefik.http.routers.https-0-v4k4oko.rule=Host(***********) && PathPrefix(/)'

traefik.http.routers.https-0-v4k4oko.tls.certresolver=letsencrypt

traefik.http.routers.https-0-v4k4oko.tls=true

'caddy_0.encode=zstd gzip'

'caddy_0.handle_path.0_reverse_proxy={{upstreams}}'

'caddy_0.handle_path=/*'

caddy_0.header=-Server

'caddy_0.try_files={path} /index.html /index.php'

'caddy_0=https://cannplus.de'

caddy_ingress_network=i4wwoc8

coolify.managed=true

coolify.version=4.0.0-beta.306

coolify.applicationId=3

coolify.type=application

coolify.name=frontend-i4wwoc8-112043614991
coolify.pullRequestId=0 networks: i4wwoc8: null restart: unless-stopped volumes: { } networks: i4wwoc8: name: i4wwoc8 external: true

I have the same "force https" set under advanced and I can see

traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https

Is set in my compose file, however I can access http:// of my website and I'm not redirected to https.

devjume commented 4 months ago

I am encoutering same bug. I hope this gets fixed soon as it prevents me from deploying new resources that use docker-compose as "Build pack". @mooxl temporary fix in PR https://github.com/coollabsio/coolify/pull/2693 seemed fine after quick look.

Another solution could be to allow users to apply custom labels to docker-compose.yml but that is not possible as the router names get changed on every deployment.

Example: Current router name in docker-compose.yaml shown in Coolify ui: http-0-eoo0wk4is. Now I update my docker-compose file to apply new middleware for that router.

// docker-compose.yaml in my git repo
labels:
  - traefik.http.routers.http-0-eoo0wk4.middlewares=redirect-to-https

After pushing new docker-compose file to Github and it gets deployed, the router gets new name traefik.http.routers.http-0-rk8o4g8. So my previous fix is not working.

Allowing dynamic labeling in docker-compose.yaml would be nice feature and in sense fix this issue. But that shouldn't be final solution as there are deeper issue is with "Force Https" button that is not working with docker-compose. Example of what dynamic label in docker-compose.yaml could look like:
- traefik.http.routers.{$http_label}.middlewares=redirect-to-https

mmirca commented 3 months ago

Encountered the same bug, looking forward to @mooxl PR approval!

In the meantime I found a workaround that did the trick for me, maybe it's useful for you too.

All my docker-compose configs are serving traffic using Nginx. I added this condition:

server {
  # ...

  if ($http_x_forwarded_proto != 'https') {
    return 301 "https://example.com$request_uri";
  }

  # ...
}

As mentioned in Traefik community proxied requests seem to be adding the HTTP_X_FORWARDED_PROTO header. This header should be usable in your server code as well.

Also sharing what I read on serverfault, looks like it's not ideal to redirect to "https://$host$request_uri" as this can be abused to send traffic elsewhere trough your server.

carbogninalberto commented 3 months ago

In my case I solved this issue by:

disabling force https in coolify
enforce the HTTPS in cloudflare

andrasbacsai commented 3 months ago

This will be fixed in the upcoming version (#2805). You will need to regenerate the labels afterwards.

carbogninalberto commented 3 months ago

Hi @andrasbacsai I am fairly new to coolify how do I regenerate the labels?

andrasbacsai commented 3 months ago

Hi @andrasbacsai I am fairly new to coolify how do I regenerate the labels?

If you are using a compose based app, you need to click on the reload compose file button.

For other apps:

itskush commented 3 months ago

In my case I solved this issue by:

disabling force https in coolify

enforce the HTTPS in cloudflare

Where is the settings to disable force https in coolify?

a-w-1806 commented 2 months ago

In my case I solved this issue by:

disabling force https in coolify

enforce the HTTPS in cloudflare

Where is the settings to disable force https in coolify?

@andrasbacsai I am wondering this too. I remember there was once an Enforce HTTPS option but somehow I can't find it anymore. Not sure if I missed anything

indraAsLesmana commented 2 months ago

In my case I solved this issue by:

disabling force https in coolify

enforce the HTTPS in cloudflare

still experience redirection issue using v4.0.0-beta.323. on Safari. only working on chrome. fix by disabling force https in coolify. use cloudflare redirection instead.

a-w-1806 commented 2 months ago

In my case I solved this issue by:

disabling force https in coolify

enforce the HTTPS in cloudflare

still experience redirection issue using v4.0.0-beta.323. on Safari. only working on chrome. fix by disabling force https in coolify. use cloudflare redirection instead.

Do you happen to know how to disable force HTTPS for docker-compose or one-click deployments? I don't find that option in those

indraAsLesmana commented 2 months ago

In my case I solved this issue by:

disabling force https in coolify

enforce the HTTPS in cloudflare

still experience redirection issue using v4.0.0-beta.323. on Safari. only working on chrome. fix by disabling force https in coolify. use cloudflare redirection instead.

Do you happen to know how to disable force HTTPS for docker-compose or one-click deployments? I don't find that option in those

here is the menu located.

a-w-1806 commented 2 months ago

In my case I solved this issue by:

disabling force https in coolify

enforce the HTTPS in cloudflare

still experience redirection issue using v4.0.0-beta.323. on Safari. only working on chrome. fix by disabling force https in coolify. use cloudflare redirection instead.

Do you happen to know how to disable force HTTPS for docker-compose or one-click deployments? I don't find that option in those

here is the menu located.

This is a single docker container, right? For docker compose or one click deployments, there are no Advanced tab at all:

coollabsio / coolify