digitalfondue / lavagna

Lavagna: issue tracker/project management tool
http://lavagna.io
GNU General Public License v3.0
636 stars, 110 forks

Enable https not working #97

Closed. c0mputerking closed this issue 4 years ago.

c0mputerking commented 6 years ago

Running lavagna-1.1-M7 on Debian 9

I tried checking "Enable http strict transport security header" in the admin panel, to hopefully enable https, and now I can no longer connect to Lavagna even after restarting the application as suggested in the log.

If I try with https I get this error in my browser:

Secure Connection Failed

An error occurred during a connection to list-3.solar.computerking.ca:8080. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

If I try with http it lets me log in, but then I get this error in my browser:

HTTP ERROR 403

Problem accessing /login/password/. Reason:

token is not equal to expected

Powered by Jetty://

This is what is printed on the console:

22:59:17.830 [qtp1642534850-17] WARN io.lavagna.web.security.HSTSFilter - The base application url http://list-3.solar.somedomain.com:8080/ does not begin with https:// . It's a mandatory requirement if you want to enable full https mode.

syjer commented 6 years ago

Hi @c0mputerking, the addition of the HSTS header by the application is a feature that we want to remove; as you have noticed, it is quite hard to configure. It's something that should be done at the proxy level.

I would advise you to go into the database and remove the configuration key:

delete from LA_CONF where CONF_KEY = 'USE_HTTPS';

c0mputerking commented 6 years ago

I just restored from a backup, but thank you for the hint about the database entry ... I still need to get https going; however, I did not find any howto or info in the docs about setting up a proxy. Is this documented somewhere, or is this just something people with more Java experience know how to do? :)

syjer commented 6 years ago

@c0mputerking, normally you would set up a reverse proxy (like nginx or haproxy) that handles the https termination.

So you would have something like this:

[internet] <- https -> [reverse proxy] <- http -> [lavagna]

c0mputerking commented 6 years ago

OK, thank you, I will give it a go.

SitoCH commented 6 years ago

The best way to set up a reverse proxy with SSL is to use Docker; if you know it, you should try that way. This is a sample docker-compose file (it uses Let's Encrypt to generate the certificates automatically, so it's all free):

# docker-compose v1 file format (no top-level "version:"/"services:" keys)
nginx-proxy:
  privileged: true
  restart: always
  net: host
  image: jwilder/nginx-proxy:alpine
  container_name: nginx-proxy
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - /etc/pki/tls/private:/etc/nginx/certs

letsencrypt-nginx-proxy:
  privileged: true
  restart: always
  image: jrcs/letsencrypt-nginx-proxy-companion
  container_name: letsencrypt-nginx-proxy
  volumes_from: [nginx-proxy]
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /etc/pki/tls/private:/etc/nginx/certs:rw

lavagna:
  privileged: true
  restart: always
  container_name: "lavagna"
  image: digitalfondue/lavagna
  links:
    - "mysql:mysql"
  environment:
    - "VIRTUAL_HOST=[server url]"
    - "VIRTUAL_PORT=8080"
    - "LETSENCRYPT_HOST=[server url]"
    - "LETSENCRYPT_EMAIL=[your e-mail]"
    - "DB_DIALECT=MYSQL"
    - "DB_URL=[jdbc connection string]"
    - "DB_USER=[user]"
    - "DB_PASS=[password]"
    - "SPRING_PROFILE=prod"
  mem_limit: 260m

SitoCH commented 6 years ago

@ejouvin posted a snippet for Apache if you prefer it to NGINX: https://github.com/digitalfondue/lavagna/issues/46#issuecomment-368481631

c0mputerking commented 6 years ago

It took me a lot of tries to get reverse https going, including some reading here on this forum and on the web. Probably mostly because I have never set up a reverse proxy before, and haven't worked much with nginx either. Also, just to add, I could not use Docker as I am running LXC containers and from past attempts they do not work with Docker. Anyway, I am going to put my nginx config up here for myself and others if ever needed, as I could not really find a working nginx config anywhere here.

Before closing this issue, maybe someone can take a look and let me know if I messed up or missed anything. Also, I will probably remove or just forward the http stuff, as I only want https access.

########## http ###########
server {
  # NGINX server IP that you forwarded in your router
  listen 10.22.0.128:80;
  # Public hostname this server block answers for
  server_name list.solar.mydomain.com;
  # REAL host or VM IP where Lavagna listens
  set $upstream 10.22.0.130:8080;

  location / {
    proxy_pass_header Authorization;
    proxy_pass http://$upstream;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_buffering off;
    client_max_body_size 0;
    proxy_read_timeout 36000s;
    proxy_redirect off;
  }
}

############# https ##############
server {
  # NGINX server IP that you forwarded in your router
  # ("listen ... ssl" is the current form of the deprecated "ssl on;" directive)
  listen 10.22.0.128:443 ssl;
  # Public hostname this server block answers for
  server_name list.solar.mydomain.com;
  # Internal IP of the REAL site
  set $upstream 10.22.0.130:8080;

  # SSL config
  ssl_certificate /mnt/cpool/certificates/le-certs/solar.mydomain.com/fullchain.pem;
  ssl_certificate_key /mnt/cpool/certificates/le-certs/solar.mydomain.com/privkey.pem;

  # Testing for Lavagna: does not seem to be needed?
  # underscores_in_headers on;

  location / {
    proxy_pass_header Authorization;
    proxy_pass http://$upstream;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_buffering off;
    client_max_body_size 0;
    proxy_read_timeout 36000s;
    proxy_redirect off;
    proxy_ssl_session_reuse off;

    # Testing for Lavagna: does not seem to be needed
    # proxy_set_header Origin '';
    # proxy_pass_header X-XSRF-TOKEN;
  }
}

Thanks again for Lavagna and the continued help and support found here :)
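
An HTTPS-only variant of the config above, added here as an example and not taken from the thread or from the Lavagna project: port 80 only redirects (as c0mputerking proposes), the HSTS header is emitted by the proxy rather than by the application's USE_HTTPS switch (where syjer says it belongs), and the scheme is forwarded to the backend. It reuses the constructed addresses and hostname from the post; the certificate paths are placeholders, and whether Lavagna reads X-Forwarded-Proto is not confirmed by this thread.

```nginx
# Added example, not from the thread: HTTPS-only TLS termination for Lavagna.
# Assumed/constructed values: proxy IP 10.22.0.128, Lavagna at 10.22.0.130:8080,
# hostname list.solar.mydomain.com; certificate paths are placeholders.

# Port 80 only redirects to HTTPS; no application traffic is proxied in clear.
server {
    listen 10.22.0.128:80;
    server_name list.solar.mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    # "listen ... ssl" is the current form of the deprecated "ssl on;" directive
    listen 10.22.0.128:443 ssl;
    server_name list.solar.mydomain.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder
    # Add TLSv1.3 here if your nginx/OpenSSL build supports it
    ssl_protocols TLSv1.2;

    # HSTS set at the proxy instead of by the application. Start with a short
    # max-age while testing: a long max-age is hard to undo once browsers
    # have cached it and the site stops answering on https.
    add_header Strict-Transport-Security "max-age=300" always;

    location / {
        proxy_pass http://10.22.0.130:8080;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells the backend the client arrived over https (if it honours it)
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
}
```

The three settings SitoCH asks about below (underscores_in_headers, Origin, X-XSRF-TOKEN) are deliberately left out here, since the thread does not settle whether they are needed.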

SitoCH commented 6 years ago

Setting up a reverse proxy isn't really easy but it's really useful if you're running on a VPS or you want to use HTTPS, it took me more than a few tries to get it working the first time... The file seems to be correct but I don't understand why you commented out the lines:

underscores_in_headers on;
proxy_set_header Origin '';
proxy_pass_header X-XSRF-TOKEN;

Are you sure that everything works fine?

c0mputerking commented 6 years ago

Yes, agreed about the usefulness of a reverse proxy; it was on my bucket list :) I have been able to avoid it until now by using different port numbers for everything.

Anyway, I put the three config entries back in ... it seemed to work fine without them, but maybe it works better now :) Not sure, a bit too soon to tell ... Anyway, as always, thank you greatly for your help and support.

SitoCH commented 6 years ago

If I remember correctly, without those settings you should get errors when using Lavagna in two different tabs in the same browser; can you check if it works? Maybe the NGINX version that you are using has different defaults and everything is already working out of the box...

SitoCH commented 4 years ago

Closed due to inactivity