kuwaai / genai-os

Kuwa GenAI OS: An open, free, secure, and privacy-focused Generative-AI Orchestrating System.
https://kuwaai.tw/os/intro
MIT License

[multi-chat] fix: trust all proxies. #21

Closed Phate334 closed 2 months ago

Phate334 commented 2 months ago

The original setting will cause the front end to only generate http:// links, and requests for these resource files will be blocked by the browser.


Even if the environment variable has been set, it will be ignored by Laravel.


After this setting, Kuwa works well under https, but I am not good at PHP. Please re-evaluate whether this modification is appropriate.

ifTNT commented 2 months ago

Hi @Phate334,

I doubt that Laravel ignores environment variables in Docker. Could you try to solve the issue by changing APP_URL in docker/multi-chat/app.env and rebuilding the image? Thanks.

Phate334 commented 2 months ago

Could you try to solve the issue by changing APP_URL in docker/multi-chat/app.env and rebuilding the image?

Same problem with app.env.

Does Kuwa or Laravel have any solution to set up custom certificates for TLS? Laravel cannot generate HTTPS URLs when the reverse proxy forwards to Kuwa on port 80. https://laravel.com/docs/10.x/requests#configuring-trusted-proxies

I use mkcert and the Caddy server for debugging.

Caddyfile:

kuwa.localhost {
  # mkcert-issued certificate and key for the local hostname
  tls /kuwa-cert/kuwa.localhost.pem /kuwa-cert/kuwa.localhost-key.pem

  # forward to the Kuwa web container published on the host's port 8080;
  # Caddy adds X-Forwarded-For / X-Forwarded-Proto headers automatically
  reverse_proxy host.docker.internal:8080
}

docker-compose.yml:

services:
  caddy:
    image: caddy:2.8.4-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    extra_hosts:
      # lets the container reach ports published on the Docker host by name
      - "host.docker.internal:host-gateway"
    volumes:
      - ./kuwa-cert:/kuwa-cert
      - ./Caddyfile:/etc/caddy/Caddyfile

ifTNT commented 2 months ago

To configure custom TLS certificates in the Dockerized version of Kuwa, you can modify the Nginx configuration within the "web" container. Here's an example:

diff --git a/docker/web/templates/default.conf.template b/docker/web/templates/default.conf.template
index 56319a66..37076a67 100644
--- a/docker/web/templates/default.conf.template
+++ b/docker/web/templates/default.conf.template
@@ -2,6 +2,22 @@ server {
     listen 80;
     listen [::]:80;
     server_name ${DOMAIN_NAME};
+
+    # Redirect HTTP to HTTPS
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name ${DOMAIN_NAME};
+
+    # SSL Configuration
+    ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem; # Replace with your certificate path
+    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem; # Replace with your private key path
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+
     root /app/public;

     add_header X-Frame-Options "SAMEORIGIN";
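Review bot: `ssl_ciphers HIGH:!aNULL:!MD5;` in the new 443 server block still admits TLSv1.2 suites with RSA key exchange and CBC, so connections can negotiate without forward secrecy; replace it with an explicit ECDHE/AEAD list such as `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;` and add `ssl_prefer_server_ciphers off;`. Two further gaps before this template is usable: the certificate paths under /etc/letsencrypt/live/${DOMAIN_NAME}/ are inside the web container, so the compose service also needs that directory mounted and port 443 published, otherwise nginx will not start; and the HTTP-to-HTTPS `return 301` is the only downgrade protection, so once the certificate is stable add `add_header Strict-Transport-Security "max-age=63072000" always;` to the 443 block. Also prefer `return 301 https://${DOMAIN_NAME}$request_uri;` over `$host`, which reflects the client-supplied Host header if this server block ever acts as the default server.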

While this pull request's trusted proxy configuration is valuable for scenarios using cloud load balancers, we can enhance its adaptability. To ensure broader applicability, I plan to make the trusted proxy configurable via an environment variable after this pull request is merged.

Thank you for your contribution!
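The configurable middleware ifTNT describes, written out as an added example that is not Kuwa's own code: a Laravel 10 `app/Http/Middleware/TrustProxies.php` that takes its proxy list from an assumed `TRUSTED_PROXIES` environment variable (the variable name and the `parseTrustedProxies` helper are assumptions), with the PR's `*` setting as one of the accepted values. It keeps the X-Forwarded-Proto handling that fixes the http:// links Phate334 reported, while letting a deployment trust only the proxy's own network rather than every caller.

```php
<?php
// Added example, not Kuwa's own middleware: a Laravel 10
// app/Http/Middleware/TrustProxies.php whose proxy list comes from an assumed
// TRUSTED_PROXIES environment variable instead of a hard-coded '*'.
//
//   TRUSTED_PROXIES=                 trust nobody: X-Forwarded-* is ignored
//   TRUSTED_PROXIES=172.18.0.0/16    trust only that network (comma-separate more)
//   TRUSTED_PROXIES=*                trust every upstream, i.e. this PR's setting

namespace App\Http\Middleware;

use Illuminate\Http\Middleware\TrustProxies as Middleware;
use Illuminate\Http\Request;
use InvalidArgumentException;

class TrustProxies extends Middleware
{
    /**
     * X-Forwarded-* headers honoured from a trusted proxy. PROTO is the one
     * that makes url()/asset() emit https:// when TLS ends at the proxy.
     */
    protected $headers =
        Request::HEADER_X_FORWARDED_FOR |
        Request::HEADER_X_FORWARDED_HOST |
        Request::HEADER_X_FORWARDED_PORT |
        Request::HEADER_X_FORWARDED_PROTO;

    /**
     * Called by the framework on every request. Returning '*' trusts the
     * calling IP, an array trusts only those IPs/CIDRs, and [] trusts none.
     */
    protected function proxies()
    {
        return self::parseTrustedProxies((string) env('TRUSTED_PROXIES', ''));
    }

    /**
     * Validate the variable up front: a typo must not silently trust the
     * wrong hosts, so anything that is not '*', an IP, or an IP/prefix
     * throws and stops the request instead of being guessed at.
     */
    public static function parseTrustedProxies(string $raw): string|array
    {
        $raw = trim($raw);
        if ($raw === '') {
            return [];   // safest default: no proxy is trusted
        }
        if ($raw === '*') {
            return '*';  // only sound when the app port is reachable solely via the proxy
        }

        $proxies = [];
        foreach (explode(',', $raw) as $entry) {
            $entry = trim($entry);
            if ($entry === '') {
                continue;
            }
            [$ip, $prefix] = array_pad(explode('/', $entry, 2), 2, null);
            if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
                throw new InvalidArgumentException("TRUSTED_PROXIES: bad address '$entry'");
            }
            $maxPrefix = str_contains($ip, ':') ? 128 : 32;
            if ($prefix !== null && (!ctype_digit($prefix) || (int) $prefix > $maxPrefix)) {
                throw new InvalidArgumentException("TRUSTED_PROXIES: bad prefix '$entry'");
            }
            $proxies[] = $entry;
        }

        return $proxies;
    }
}
```

With the Caddy setup from this thread, the value would be the proxy's address or the Docker network it sits on; `*` gives the same result only while port 8080 is unreachable except through the proxy, because as soon as a client can hit the app port directly it can set X-Forwarded-For and X-Forwarded-Proto itself and defeat IP-based rate limits, allowlists and logging. Two operational caveats: after `php artisan config:cache` Laravel no longer loads .env, so either keep the variable in the real container environment (the same place APP_URL is set in app.env) or move the lookup into a config file; and because the framework's base class falls back to `$this->proxies` when `proxies()` returns an empty array, the empty-string case above ends up trusting no proxy at all, which is the intended fail-closed behaviour.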

Phate334 commented 2 months ago

To ensure broader applicability, I plan to make the trusted proxy configurable via an environment variable after this pull request is merged.

That's great.