[docker] Improve HTTPS configuration for Gravitee AM docker-compose stack

[alchy58]

Hello,

I'm trying to setup HTTPS while using the Gravitee AM docker-compose stack from https://docs.gravitee.io/am/current/am_installguide_docker_compose.html

I modified the config/nginx.conf to add the Certbot certificate configuration. I can access the webui correctly over HTTPS but no requests to /am/management are working.

Nginx log says

2021/01/12 16:40:15 [error] 8#8: *17 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: A.B.C.D, server: , request: "GET /am/management/user HTTP/1.1", upstream: "http://172.20.0.6:8093/management/user", host: "gravitee.example.com", referrer: "https://gravitee.example.com/am/ui/"

The doc references two HTTPS configurations but I do not master Java keystore / trutstore so I need help on it :

The keystores were created with

keytool -genkey \
  -alias test \
  -keyalg RSA \
  -keystore keystore.jks \
  -keysize 2048 \
  -validity 360 \
  -dname CN=gravitee.example.com \
  -keypass secret \
  -storepass secret

• for the management API https://docs.gravitee.io/am/current/am_installguide_management_api_configuration.html#enable_https

My management gravitee.yml

jetty:
#  IP/hostname to bind to. Default is 0.0.0.0
  host: 0.0.0.0
  port: 8093
  idleTimeout: 30000
  acceptors: -1
  selectors: -1
  pool:
    minThreads: 10
    maxThreads: 200
    idleTimeout: 60000
    queueSize: 6000
  jmx: false
  statistics: false
  accesslog:
    enabled: true
    path: ${gravitee.home}/logs/gravitee_accesslog_yyyy_mm_dd.log
  secured: true
  ssl:
    keystore:
      type: jks # Supports jks, pkcs12
      path: ${gravitee.home}/security/keystore.jks
      password: secret
#    truststore:
#      type: jks # Supports jks, pkcs12
#      path: ${gravitee.home}/security/truststore.jks
#      password: secret

[...]

• for the gateway https://docs.gravitee.io/am/current/am_installguide_gateway_configuration.html#enable_https

The gateway gravitee.yml

http:
  port: 8092
  host: 0.0.0.0
  idleTimeout: 0
  tcpKeepAlive: true
  compressionSupported: false
  instances: 0
  secured: true
  alpn: true
  ssl:
    clientAuth: request # Supports none, request, required
    keystore:
      type: jks # Supports jks, pem, pkcs12
      path: ${gravitee.home}/security/keystore.jks
      password: secret
#   truststore:
#      type: jks # Supports jks, pem, pkcs12
#      path: ${gravitee.home}/security/truststore.jks
#      password: secret
#  cookie:
#    secure: false # Default is false for demonstration purpose but we highly recommend you to enable cookie secure.
#    session:
#      name: session-name
#      timeout: 1800000 # (in milliseconds)
#  csrf:
#    secret: s3cR3t4grAv1t3310AMS1g1ingDftK3y

[...]

Thank you very much for your help, Cheers

[brasseld]

Hi @alchy58

2021/01/12 16:40:15 [error] 8#8: *17 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: A.B.C.D, server: , request: "GET /am/management/user HTTP/1.1", upstream: "http://172.20.0.6:8093/management/user", host: "gravitee.example.com", referrer: "https://gravitee.example.com/am/ui/"

So: upstream: "http://172.20.0.6:8093/management/user"

It should be https and not http here

[alchy58]

It seems to work now, at least for retrieving https://gravitee.example.com/am/management/user but Firefox console tells : Cookie “XSRF-Graviteeio-AM-API-TOKEN” has been rejected because it is already expired

Also, the request https://gravitee.example.com/am/management/organizations/DEFAULT/environments/DEFAULT/domains/ leads to a HTTP 403 Forbidden

[alchy58]

Hello,

After digging a bit, the cookies are not expired. The console message may be related to the fact that requests to management API send to set-cookie response headers, one in the past to invalidate previous cookie and one two set the new JWT.

I also had this message : Cookie “XSRF-Graviteeio-AM-API-TOKEN” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

To get ride of this, secure cookies have to be enabled

For management : jwt.cookie-secure: true

For gateway : http.cookie.secure: true

By the way, I continue having a 403 error on https://gravitee.example.com/am/management/organizations/DEFAULT/environments/DEFAULT/domains/ and I don't have any clue for this one. What can be the reason ?