itmicus / cmdbuild_docker

CMDBuild 3.4 with READY2USE 2.3 and openMAINT 2.3 in Docker

itmicus / cmdbuild_docker behind a Proxy #17

Open PinkTurnsBlue opened 4 years ago

PinkTurnsBlue commented 4 years ago

Is there a way to get itmicus / cmdbuild_docker to work behind a proxy (e.g. traefik, Sophos UTM, ...)?

There is no way to log in: the web browser detects "Mixed Content" and rejects a connection.

mburger81 commented 3 years ago

We have the same problem; we use an nginx proxy which is handling SSL.

For the static content everything is fine, but the REST API requests are always called over HTTP instead of using the actual scheme, which is https, so the browser is blocking them for "Mixed Content".

We googled and read documentation but we didn't figure out anything.

@PinkTurnsBlue did you resolve this in the meantime?

@afcarvalho1991 can you perhaps help?

afcarvalho1991 commented 3 years ago

How are you handling the HTTPS via nginx?

OpenMaint and CMDBuild use tomcat to handle the web server and HTTP layer, to access it you need to "unlock it" as by default Tomcat Docker images do not allow such access, for security reasons.

For more details check https://hub.docker.com/_/tomcat?tab=reviews, where anasdev states and I quote:

> Those who are facing issue to run url http://localhost:8080, actually webapps folder does not have any webapp as mentioned in documentation. This is to reduce the vulnerabilities. If anybody want to see default tomcat applications running, just ssh into the container
>
>     docker exec -it /bin/bash
>
> Once you are inside container
>
>     cp webapps.dist/* webapps/
>
> Now the url http://localhost:8080 should work.
>
> Since most developers are in the habit of ping this url through browser just after having tomcat running. But this image does not provide any default webapps in webapps folder, because of security vulnerabilities. Please see https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Default_web_applications. Instead the image provide the default tomcat webapps inside webapps.dist folder just in case if we want to see that those default webapps are up and running and tomcat is loading them successfully.

Hope it helps. The DEFAULT credentials (do not use them in production environments) can be found in:

https://github.com/itmicus/cmdbuild_docker/blob/master/openmaint-2.0-3.2.1/files/tomcat-users.xml

So you need to select the appropriate file for your build and perform the changes accordingly. The path should be: ***YOUR VERSION****/files/tomcat-users.xml. Afterwards, you can add your SSL certificates and activate HTTPS. Note that you will need to access the following endpoint: http://*HOST_IP*:8080

Hope it helps!

Best regards, André.

mburger81 commented 3 years ago

The nginx proxy we have in front is doing all the SSL stuff, like certificate http-https redirection and so on.

So on the cmdbuild all this should be transparent. Normally, when you have a proxy in front, all the stuff behind the proxy could be http and transparent without modification needed.

Normally, when an app is doing an http request, it is doing it with a relative path, so it is not depending on schema or host. So not sure why in this case the app is doing an http instead of an https REST call.

mburger81 commented 3 years ago

@afcarvalho1991

Today I found the response in the cmdbuild forum https://forum.cmdbuild.org/t/cmdbuild-behind-load-balancer-ssloffload/3711

    ./cmdbuild.sh restws setconfig org.cmdbuild.ui.uiServiceBaseUrl https://cmdb-prod.xxx.xxx/cmdbuild

So overwrite our docker-entrypoint.sh file and add these lines before echo echo "Set ServiceBaseUrl"

{ # try
    $CATALINA_HOME/webapps/cmdbuild/cmdbuild.sh restws setconfig orm.cmdbuild.ui.uiServiceBaseUrl https://om.abc.com/cmdbuild
} || {
    echo "Unable to set SetviceBaseUrl"
}

What do you think about it? It would be nice if we can set this from the docker environment variables.

fishfree commented 3 years ago

@mburger81 In your nginx config, add these and then have a try:

    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;

mahmoud1468 commented 1 year ago

> @afcarvalho1991
>
> Today I found the response in the cmdbuild forum https://forum.cmdbuild.org/t/cmdbuild-behind-load-balancer-ssloffload/3711
>
>     ./cmdbuild.sh restws setconfig org.cmdbuild.ui.uiServiceBaseUrl https://cmdb-prod.xxx.xxx/cmdbuild
>
> So overwrite our docker-entrypoint.sh file and add these lines before echo echo "Set ServiceBaseUrl"
>
>     { # try
>         $CATALINA_HOME/webapps/cmdbuild/cmdbuild.sh restws setconfig orm.cmdbuild.ui.uiServiceBaseUrl https://om.abc.com/cmdbuild
>     } || {
>         echo "Unable to set SetviceBaseUrl"
>     }
>
> What do you think about it? It would be nice if we can set this from the docker environment variables.

Thanks for your solution. But an important typo: org, not orm:

    $CATALINA_HOME/webapps/cmdbuild/cmdbuild.sh restws setconfig org.cmdbuild.ui.uiServiceBaseUrl https://om.abc.com/cmdbuild
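
The environment-variable setup asked for above, as an added example that is not part of the thread or the repository: a docker-entrypoint.sh fragment that takes the base URL from the container environment, accepts only a plain https URL (so a mistyped http value cannot bring the mixed-content problem back), and passes it to the `restws setconfig` call quoted in the thread. The variable names `CMDBUILD_SERVICE_BASE_URL` and `CMDBUILD_CLI` and the `/usr/local/tomcat` fallback are assumptions.

```shell
#!/bin/sh
# Added example for docker-entrypoint.sh; not code from the repository.
# CMDBUILD_SERVICE_BASE_URL and CMDBUILD_CLI are hypothetical variable names;
# /usr/local/tomcat is assumed as the fallback when CATALINA_HOME is unset.
CMDBUILD_CLI="${CMDBUILD_CLI:-${CATALINA_HOME:-/usr/local/tomcat}/webapps/cmdbuild/cmdbuild.sh}"

# Accept only https://host[:port][/path]: no http, no credentials, no query,
# no whitespace or shell metacharacters.
is_valid_base_url() {
    case "$1" in
        https://*) ;;
        *) return 1 ;;
    esac
    rest="${1#https://}"
    hostport="${rest%%/*}"
    case "$hostport" in
        ''|*[!A-Za-z0-9.:-]*) return 1 ;;   # empty host, or user@host etc.
    esac
    case "$rest" in
        *[!A-Za-z0-9._~/:-]*) return 1 ;;   # anything outside a plain path
    esac
    return 0
}

# Returns 0 when the value was applied or not requested, 2 when the value
# was rejected, 1 when the CMDBuild CLI call failed.
apply_service_base_url() {
    url="${CMDBUILD_SERVICE_BASE_URL:-}"
    if [ -z "$url" ]; then
        echo "CMDBUILD_SERVICE_BASE_URL not set, leaving uiServiceBaseUrl unchanged"
        return 0
    fi
    if ! is_valid_base_url "$url"; then
        echo "Refusing uiServiceBaseUrl '$url': expected https://host[:port]/path" >&2
        return 2
    fi
    echo "Set ServiceBaseUrl"
    "$CMDBUILD_CLI" restws setconfig org.cmdbuild.ui.uiServiceBaseUrl "$url" || {
        echo "Unable to set ServiceBaseUrl" >&2
        return 1
    }
}

# As in the thread's try/catch, a failure here does not stop the container.
apply_service_base_url || true
```

With this in place the value would be supplied at start-up, for example `docker run -e CMDBUILD_SERVICE_BASE_URL=https://om.abc.com/cmdbuild ...`.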