kerberos-io / kerberos-docker

Run Kerberos Open Source inside a docker container.
http://doc.kerberos.io/opensource/installation#docker

SSL Scheme #4

Closed theonlydoo closed 6 years ago

theonlydoo commented 7 years ago

Turns out, while using a reverse proxy, assets are still loaded through http. Is it possible to set a flag "ssl: true" in the docker-compose file?


cedricve commented 7 years ago

@theonlydoo hmm, this is a Laravel issue; by default http is set. Laravel requires setting the SSL scheme in the web application config.

theonlydoo commented 7 years ago

yep but may it be configured through docker environment variables?

cedricve commented 7 years ago

ideally, yeah but that would require some changes in the web repository first.

cedricve commented 7 years ago

@theonlydoo I was thinking if you made some progress on this issue, or you're waiting for a solution?

theonlydoo commented 7 years ago

hey @cedricve : neither :-) I stayed on zoneminder, because I had also some issues adding my http cgi video input to kerberos and had very little time to test it. I opened the issue just to raise a problem, which may concern a lot of people who are using a reverse proxy

cedricve commented 7 years ago

Ok @theonlydoo thanks for the feedback. I'll work on it and update this issue, once I've a resolution. Let's keep in touch.

codefox42 commented 7 years ago

I am also very interested in a way to enable detection of SSL at the frontend. Ideally the web application should detect this scenario by checking X-Forwarded-Proto (like described in this answer on SO).

During my research I came across Laravel Trusted Proxies. It sounds to me (while not having any experience with Laravel) like a way to add support for this topic to the docker image with little overhead.

What do you think?

cedricve commented 6 years ago

Will be fixed in next release.

cedricve commented 6 years ago

fixed in master image, KiOS 2.4.0

Dids commented 5 years ago

This is still an issue in the kerberos/kerberos:latest Docker image.

holantomas commented 4 years ago

@cedricve any progress on this? I have a setup behind an nginx reverse proxy with a Let's Encrypt cert. The main problem is that I have a *.dev domain, which has hardcoded SSL preload, so I cannot use this domain without SSL. The second is the Allow-cross-origin Access-Control-Allow-Origin header, which kills http AJAX requests. So I cannot get through the first language setup because the API request is blocked, even if I force-enable cross-origin assets in the browser.

Access to XMLHttpRequest at 'https://example.dev/api/v1/user/language' (redirected from 'http://example.dev/api/v1/user/language') from origin 'https://example.dev' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

VM305:1 POST https://example.dev/api/v1/user/language net::ERR_FAILED

This happened when I tried to send the first form on the welcome page. I tried to set APP_URL with the HTTPS scheme in app.php, without effect.

holantomas commented 4 years ago

OK, after some research I solved it for now by overwriting .env file in web with SECURE_SSL=true.

docker-compose.yml

services:
    kerberos:
        image: kerberos/kerberos:${VERSION}
        restart: always
        container_name: ${COMPOSE_PROJECT_NAME}
        privileged: true
        network_mode: "bridge"
        ports:
            - "127.0.0.1:8080:80"
            - "127.0.0.1:8889:8889"
        volumes:
            - ${CONFIG_DIR}/config:/etc/opt/kerberosio/config:rw
            - ${CONFIG_DIR}/captured:/etc/opt/kerberosio/capture:rw
            - ${CONFIG_DIR}/logs:/etc/opt/kerberosio/logs:rw
            - ${CONFIG_DIR}/webconfig:/var/www/web/config:rw
            - ${CONFIG_DIR}/.env:/var/www/web/.env

.env

APP_ENV=local
APP_KEY=base64:XL8nQ5mfLNpEytMEcXuanrPB7PB+sEdlbHTm038UDxE=
APP_DEBUG=true
APP_LOG_LEVEL=debug
APP_URL=http://localhost
SECURE_SSL=true

BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=lockfile
SESSION_COOKIE_NAME=kerberosio_session
QUEUE_DRIVER=sync

cedricve commented 4 years ago

hello @holantomas,

Actually there is a much easier approach, however I noticed it was not documented on this issue.

You could pass following environment variable in the container (https://github.com/kerberos-io/web/issues/158).

services:
  kerberos:
    image: kerberos/kerberos:${VERSION}
    restart: always
    container_name: ${COMPOSE_PROJECT_NAME}
    privileged: true
    network_mode: "bridge"
    ports:
      - "127.0.0.1:8080:80"
      - "127.0.0.1:8889:8889"
    volumes:
      - ${CONFIG_DIR}/config:/etc/opt/kerberosio/config:rw
      - ${CONFIG_DIR}/captured:/etc/opt/kerberosio/capture:rw
      - ${CONFIG_DIR}/logs:/etc/opt/kerberosio/logs:rw
      - ${CONFIG_DIR}/webconfig:/var/www/web/config:rw
    environment:
      - KERBEROSIO_SECURE_SSL=true
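
A way to confirm that the setting above took effect, as an added example that is not part of the original thread: the functions below list the asset URLs a page still references over plain http. The sample HTML and the host name `nvr.example.test` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find assets a page still loads over http.
# Against a live proxy: curl -fsS https://<your-host>/ | assert_no_mixed_content

# Reads HTML on stdin, prints each http:// URL used by an asset tag, one per line.
# Plain <a href> links are ignored: they are navigation, not mixed content.
insecure_assets() {
  tr '\n' ' ' |
    grep -oiE '<(script|link|img|iframe|source|video|audio)[^>]*>' |
    grep -oiE "(src|href)=[\"']http://[^\"']+" |
    sed -E "s/^[^\"']*[\"']//" |
    sort -u
}

# Returns 0 when stdin has no http:// assets; otherwise lists them on stderr
# and returns 1.
assert_no_mixed_content() {
  local found
  found=$(insecure_assets)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found" | sed 's/^/mixed content: /' >&2
  return 1
}

# Constructed sample: page rendered while the app still builds http:// URLs.
BEFORE_HTML='<html><head>
<link rel="stylesheet" href="http://nvr.example.test/css/app.css">
<script src="http://nvr.example.test/js/app.js"></script>
</head><body><a href="http://example.org/docs">docs</a>
<img src="/images/logo.png"></body></html>'

# Constructed sample: the same page once the https scheme is forced.
AFTER_HTML='<html><head>
<link rel="stylesheet" href="https://nvr.example.test/css/app.css">
<script src="https://nvr.example.test/js/app.js"></script>
</head><body><a href="http://example.org/docs">docs</a>
<img src="/images/logo.png"></body></html>'

printf '%s' "$BEFORE_HTML" | assert_no_mixed_content || echo "before: mixed content found"
printf '%s' "$AFTER_HTML" | assert_no_mixed_content && echo "after: clean"
```
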

holantomas commented 4 years ago

That works, thanks I somehow missed that issue.

cedricve commented 4 years ago

No worries we will add it to the documentation. Would you mind sharing why you use docker compose?

holantomas commented 4 years ago

I'm using docker-compose for everything because it's easy to save, push to a git repo etc. I know that you have some kind of shell script of your own, but I only want to get it working and check if it's what I need. For now I cannot get the stream working. I can ping the camera from the container, but Machinery keeps dropping, like it was reported multiple times here. Unfortunately nothing has helped so far. After I get it to work, and if I want to use kerberos for NVR, I am going to look deeper into the features which you offer :)