Closed c0mputerking closed 4 years ago
hi @c0mputerking, the addition of the HSTS header by the application is a feature that we want to remove; as you have noticed, it is quite hard to configure. It's something that should be done at the proxy level.
I would advise you to go in the database and remove the configuration key.
delete from LA_CONF where CONF_KEY = 'USE_HTTPS'
I just restored from a backup, but thank you for the hint about the database entry ... I still need to get https going, however I did not find any howto or info in the docs about setting up a proxy. Is this documented somewhere? Or is this just something people with more Java experience know how to do :)
@c0mputerking, normally you would set up a reverse proxy (like nginx or haproxy) that handles the https termination.
So you would have something like that:
[internet] <- https -> [reverse proxy] <- http -> [lavagna]
Ok thank you, I will give it a go
The best way to set up a reverse proxy with SSL is to use Docker; if you know it you should try that way. This is a sample docker-compose (it uses Let's Encrypt to generate the certificates automatically, so it's all free):
nginx-proxy:
  privileged: true
  restart: always
  net: host
  image: jwilder/nginx-proxy:alpine
  container_name: nginx-proxy
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - /etc/pki/tls/private:/etc/nginx/certs
letsencrypt-nginx-proxy:
  privileged: true
  restart: always
  image: jrcs/letsencrypt-nginx-proxy-companion
  container_name: letsencrypt-nginx-proxy
  volumes_from: [nginx-proxy]
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /etc/pki/tls/private:/etc/nginx/certs:rw
lavagna:
  privileged: true
  restart: always
  container_name: "lavagna"
  image: digitalfondue/lavagna
  links:
    - "mysql:mysql"
  environment:
    - "VIRTUAL_HOST=[server url]"
    - "VIRTUAL_PORT=8080"
    - "LETSENCRYPT_HOST=[server url]"
    - "LETSENCRYPT_EMAIL=[your e-mail]"
    - "DB_DIALECT=MYSQL"
    - "DB_URL=[jdbc connection string]"
    - "DB_USER=[user]"
    - "DB_PASS=[password]"
    - "SPRING_PROFILE=prod"
  mem_limit: 260m
@ejouvin posted a snippet for Apache if you prefer it to NGINX: https://github.com/digitalfondue/lavagna/issues/46#issuecomment-368481631
Took me a lot of tries to get reverse https going, including some reading here on this forum and on the web. Probably mostly because I have never set up a reverse proxy before, and haven't worked much with nginx either. Also, just to add, I could not use Docker as I am running LXC containers and from past attempts they do not work with Docker. Anyway, I am going to put my nginx config up here for myself and others if ever needed, as I could not really find a working nginx config anywhere here.
Before closing this issue maybe someone can take a look and let me know if I messed up or missed anything; also I will probably remove or just forward the http stuff, as I only want https access.
########## http ###########
server {
    # NGINX server IP that you forwarded in your router
    listen 10.22.0.128:80;
    # Make site accessible from http://localhost/
    server_name list.solar.mydomain.com;
    # REAL Host or VM IP
    set $upstream 10.22.0.130:8080;

    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
}

############# https ##############
server {
    # NGINX server IP that you forwarded in your router
    listen 10.22.0.128:443;
    # Make site accessible from http://localhost/
    server_name list.solar.mydomain.com;
    # Internal IP of REAL site
    set $upstream 10.22.0.130:8080;

    # SSL config
    ssl on;
    ssl_certificate /mnt/cpool/certificates/le-certs/solar.mydomain.com/fullchain.pem;
    ssl_certificate_key /mnt/cpool/certificates/le-certs/solar.mydomain.com/privkey.pem;

    # Testing for Lavagna does not seem to be needed?
    # underscores_in_headers on;

    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
        proxy_ssl_session_reuse off;
        # Testing for Lavagna does not seem to be needed
        # proxy_set_header Origin '';
        # proxy_pass_header X-XSRF-TOKEN;
    }
}
Thanks again for Lavagna and the continued help and support found here :)
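Since the plan above is to drop or forward the plain-http block, and the maintainer's advice earlier in the thread is to handle HSTS at the proxy rather than through Lavagna's USE_HTTPS setting, here is an added nginx fragment showing both (this is example configuration, not taken from the post above or from the Lavagna project). It reuses the hostname, IPs and certificate paths from the config above as placeholders; the `X-Forwarded-Proto` header is standard reverse-proxy practice and whether Lavagna reads it is an assumption, not something the thread confirms.

```nginx
# Added example: plain http only redirects to https, and the proxy emits HSTS.
# Hostname, IPs and certificate paths are placeholders copied from the thread.

server {
    listen 10.22.0.128:80;
    server_name list.solar.mydomain.com;
    # Every http request is answered with a permanent redirect to https.
    return 301 https://$host$request_uri;
}

server {
    # "listen ... ssl" is the current form; "ssl on;" is deprecated in newer nginx.
    listen 10.22.0.128:443 ssl;
    server_name list.solar.mydomain.com;

    ssl_certificate     /mnt/cpool/certificates/le-certs/solar.mydomain.com/fullchain.pem;
    ssl_certificate_key /mnt/cpool/certificates/le-certs/solar.mydomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS set by the proxy instead of by the application. Browsers cache this
    # policy for max-age seconds and refuse plain http for that long, so start
    # small while testing and raise it once the redirect is known to be good.
    # "always" makes nginx add the header on error responses as well.
    add_header Strict-Transport-Security "max-age=300" always;

    set $upstream 10.22.0.130:8080;

    location / {
        proxy_pass http://$upstream;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tells the upstream the original scheme was https (assumption: the
        # application honours it when building absolute URLs and redirects).
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
}
```

After reloading nginx, `curl -sI http://list.solar.mydomain.com/` should show the 301 and `curl -sI https://list.solar.mydomain.com/` the Strict-Transport-Security header; only once both look right is it safe to raise max-age.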
Setting up a reverse proxy isn't really easy, but it's really useful if you're running on a VPS or you want to use HTTPS; it took me more than a few tries to get it working the first time... The file seems to be correct, but I don't understand why you commented out the lines:
underscores_in_headers on;
proxy_set_header Origin '';
proxy_pass_header X-XSRF-TOKEN;
Are you sure that everything works fine?
Yes, agreed about the usefulness of a reverse proxy, it was on my bucket list :) I have been able to avoid it until now by using different port numbers for everything.
Anyway, I put the three config entries back in ... it seemed to work fine without them, but maybe it works better now :) not sure, a bit too soon to tell ... anyway, as always, thank you greatly for your help and support.
If I remember correctly, without those settings you should get errors when using Lavagna in two different tabs in the same browser, can you check if it works? Maybe the NGINX version that you are using has different defaults and everything is already working out of the box...
Closed due to inactivity
Running lavagna-1.1-M7 on Debian 9
I tried checking "Enable http strict transport security header" in the admin panel, to hopefully enable https, and now I can no longer connect to Lavagna even after restarting the application as suggested in the log.
If I try with https I get this error in my browser
If I try with http it lets me login, but then I get this error in my browser
This is what is printed on the console
22:59:17.830 [qtp1642534850-17] WARN io.lavagna.web.security.HSTSFilter - The base application url http://list-3.solar.somedomain.com:8080/ does not begin with https:// . It's a mandatory requirement if you want to enable full https mode.