elsa-workflows / elsa-core

A .NET workflows library
https://v3.elsaworkflows.io/
MIT License

[BUG] Mixed Content block after deployed to kubernetes #5599

Open hkng opened 2 months ago

hkng commented 2 months ago

Description

After deploying the Elsa Workflows Docker image to Kubernetes, some content redirects from https to http. For example, it contains http://xxx.xxx.com/package/version content (not https).

Steps to Reproduce

Docker version: elsaworkflows/elsa-server-and-studio-v3

Use the Kubernetes ingress settings below:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dwss-workflow-ingress
  namespace: dwss-dev
  annotations:   
    nginx.ingress.kubernetes.io/rewrite-target: /  
spec:
   # Use ssl
  tls:
  - hosts:
    - xxx.xxx.com
    secretName: hiphing-com-hk-cert
  rules:
  - host: xxx.xxx.com
    http:
      paths:
      - pathType: Prefix   
        path: "/"
        backend:
          service:
            name: elsa-workflow
            port:
              number: 8080

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: dwss-workflow
  namespace: dwss-dev
  labels:
    app: dwss-workflow
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dwss-workflow
  template:
    metadata:
      labels:
        app: dwss-workflow
    spec:   
      containers:
      - name: elsa-workflow
        image: elsaworkflows/elsa-server-and-studio-v3:latest
        imagePullPolicy: Always      
        env:        
          - name: ASPNETCORE_ENVIRONMENT
            value: Development
          - name: HTTP_PORTS
            value: "8080"     
          - name: ELSASERVER__URL
            value: https://localhost:7043/elsa/api
          # Base URL for the server
          - name: HTTP__BASEURL
            value: https://dwss-wf-dev.hiphing.com.hk
          - name: ELSA__SERVER__BASEURL
            value: "https://dwss-wf-dev.hiphing.com.hk/"         
          - name: ASPNETCORE_URLS
            value: http://+:8080       
        ports:
           - containerPort: 8080
             protocol: TCP

An HTTP call is made to http://xxx.xxx.com/package/version, and the browser reports "Mixed Block".

Refer to attachment below: elsa-bug

Expected Behavior

No mixed content; only https.

Actual Behavior

Mixed content: some https and some http.

glime-ai[bot] commented 2 months ago

To address the issue of mixed content where some resources are being loaded over HTTP instead of HTTPS in your Kubernetes deployment of Elsa Workflow, you need to ensure that all internal links and resources are using HTTPS. This is particularly important when the ingress is configured to use TLS, as browsers will block or warn about mixed content for security reasons.

Here are some steps you can take to resolve the issue:

  1. Check the HTTP__BASEURL and ELSA__SERVER__BASEURL Environment Variables: Ensure that the environment variables HTTP__BASEURL and ELSA__SERVER__BASEURL are set to use https in your deployment configuration. This will ensure that the application generates URLs with the HTTPS scheme.

  2. Configure Ingress Correctly: Verify that your ingress is correctly configured to handle HTTPS traffic and that it is properly rewriting URLs to use HTTPS.

  3. Inspect Application Code: If the application is generating URLs internally, ensure that it uses the correct base URL with the HTTPS scheme. This might require inspecting the code or configuration files of the application.

  4. Use X-Forwarded Headers: Ensure that your Kubernetes ingress controller is configured to use X-Forwarded-Proto headers to let the application know that the original request was made over HTTPS. This is important for applications behind a reverse proxy to generate the correct scheme in URLs.

  5. Update Application Configuration: If the application has any hardcoded URLs or configurations that specify HTTP, update them to use HTTPS.

  6. Review Network Policies: Ensure that your Kubernetes network policies allow HTTPS traffic as expected.

  7. Check for External Resources: If your application is loading external resources (such as scripts, stylesheets, or images), make sure that these resources are also served over HTTPS.

  8. Review Docker Image: Ensure that the Docker image you are using (elsaworkflows/elsa-server-and-studio-v3:latest) is up to date and configured to handle HTTPS correctly. If necessary, review the Docker image documentation for any HTTPS-specific configuration.

  9. Check Browser Console: Use the browser's developer tools to check the console for mixed content warnings and identify the specific resources that are causing the issue.

  10. Test with Curl or Postman: Use tools like Curl or Postman to make requests to your application and inspect the response headers to ensure that the Location header in redirects (if any) uses HTTPS.

By following these steps, you should be able to resolve the mixed content issue and ensure that all content is served over HTTPS.

This comment was generated by Glime.
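
As an added illustration of the X-Forwarded-Proto point in the comment above (not code from Elsa, ASP.NET Core, or either commenter): a small Python model of how an app behind a TLS-terminating ingress decides which scheme to put in the URLs it emits, and why the header should be honoured only from the proxy. The function names, the `10.244.0.0/16` pod network and the sample requests are assumptions constructed for the example.

```python
import ipaddress

# Assumed pod network of the ingress controller (hypothetical value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.244.0.0/16")]


def effective_scheme(peer_ip, wire_scheme, headers, trusted=TRUSTED_PROXIES):
    """Scheme the client used; `headers` must have lower-cased names."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        # Untrusted peer: ignore the header, or any client could spoof it.
        return wire_scheme
    forwarded = headers.get("x-forwarded-proto", "")
    # Rightmost entry is the one appended by the nearest (trusted) proxy.
    proto = forwarded.split(",")[-1].strip().lower()
    return proto if proto in ("http", "https") else wire_scheme


def absolute_url(peer_ip, wire_scheme, headers, path):
    """Absolute URL the app would emit for `path` in a page or redirect."""
    h = {k.lower(): v for k, v in headers.items()}  # header names: case-insensitive
    scheme = effective_scheme(peer_ip, wire_scheme, h)
    return f"{scheme}://{h.get('host', 'localhost')}{path}"


def is_mixed_content(page_url, resource_url):
    """True when an https page references an http resource."""
    return page_url.startswith("https://") and resource_url.startswith("http://")


# Constructed requests: the pod listens on plain http, so wire_scheme is "http".
PAGE = "https://xxx.xxx.com/"
SAMPLES = [
    ("no header from ingress", "10.244.1.7", {"Host": "xxx.xxx.com"}),
    ("header from ingress", "10.244.1.7",
     {"Host": "xxx.xxx.com", "X-Forwarded-Proto": "https"}),
    ("header from untrusted peer", "203.0.113.9",
     {"Host": "xxx.xxx.com", "X-Forwarded-Proto": "https"}),
]

if __name__ == "__main__":
    for label, peer, headers in SAMPLES:
        url = absolute_url(peer, "http", headers, "/package/version")
        print(f"{label:28} {url}  mixed={is_mixed_content(PAGE, url)}")
```

Only the second sample yields an https URL; the first reproduces the http://xxx.xxx.com/package/version reference from the report, and the third shows the header being ignored when it does not come from the proxy.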

hkng commented 2 months ago

It seems that the code has http hard-coded instead of https. Does anyone know how to fix it?