search

frappe / frappe_docker

Docker images for production and development setups of the Frappe framework and ERPNext
MIT License
1.36k stars 1.29k forks source link

Commonly suggested Docker configuration fails to take into account Traefik TLS termination, leads to HTTP URLs being shown to users #1381

Closed gparent closed 1 month ago

gparent commented 4 months ago

Description of the issue

The nginx template sets the X-Forwarded-Proto header to $scheme, which is HTTP when Nginx is used as a HTTP frontend while Traefik does TLS termination.

This renders some URLs (like password resets and OpenID connections redirect URIs) being HTTP instead of HTTPS as intended.

There are probably some workarounds to this, however the core issue seems to be that wrong information is given to the backend in nginx-template.conf.

Context information (for bug reports)

Here's a patch that I have only tested in HTTPS (so it may break HTTP):

diff --git a/resources/nginx-template.conf b/resources/nginx-template.conf
index e6d796a..f982ecb 100644
--- a/resources/nginx-template.conf
+++ b/resources/nginx-template.conf
@@ -25,6 +25,8 @@ server {
        real_ip_header ${UPSTREAM_REAL_IP_HEADER};
        real_ip_recursive ${UPSTREAM_REAL_IP_RECURSIVE};

+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+
        location /assets {
                try_files $uri =404;
        }
@@ -61,7 +63,6 @@ server {
        location @webserver {
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $remote_addr;
-               proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Frappe-Site-Name ${FRAPPE_SITE_NAME_HEADER};
                proxy_set_header Host $host;
                proxy_set_header X-Use-X-Accel-Redirect True;

Steps to reproduce the issue

  1. Follow https://github.com/frappe/frappe_docker/blob/main/docs/single-server-example.md and make a working instance with TLS
  2. Configure email and request a password reset
  3. Notice the password reset URI is HTTP

Observed result

Some URIs like password resets and OpenID redirects are HTTP

Expected result

Those URIs should be using the same protocol as the frontend, which could (but isn't necessarily!) HTTPS.

revant commented 4 months ago

Send PR if it solves the issue

gparent commented 4 months ago

I've already included a patch, but my understanding is that my fix would break other configurations (Like ones without a frontend proxy). So I'm leaving this here for maintainers to consider it (or not).

sudhegan commented 3 months ago

recently i came accross an bug in frappe builder where the browser blocks some js and css of the webpage build in builder as it uses http instead of https (bug related to these https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content?utm_source=mozilla&utm_medium=firefox-console-errors&utm_campaign=default

https://stackoverflow.com/questions/33507566/mixed-content-blocked-when-running-an-http-ajax-operation-in-an-https-page)

the fix mentioned in this issue fixed it

github-actions[bot] commented 1 month ago

This issue has been automatically marked as stale. You have a week to explain why you believe this is an error.