laravel / valet

A more enjoyable local development experience for Mac.
https://laravel.com/docs/valet
MIT License

Cannot use proxy without SSL #1013

Closed stephanvane closed 3 years ago

stephanvane commented 3 years ago

Clear description of your problem

All proxies are using SSL by default. Trying to run valet unsecure removes the proxy completely

Expected behavior

minor issue: valet proxy foo http://example.com should leave SSL off by default, as the documentation suggests:

By default, Valet serves sites over plain HTTP.

main issue: valet unsecure foo doesn't remove SSL, but removes the proxy completely.

Current behavior

valet proxy enables SSL by default, and redirects http traffic to https

Steps to Reproduce

  1. valet proxy foo http://example.com
  2. valet proxies # shows 'foo' with SSL enabled
  3. valet unsecure foo # "The [foo.test] site will now serve traffic over HTTP."
  4. valet proxies # 'foo' is now completely gone

Valet unsecure removes the foo.test file that was in ~/.config/valet/Nginx/

Diagnosis

sw_vers
ProductName:   Mac OS X
ProductVersion: 10.15.7
BuildVersion:   19H15
valet --version
Laravel Valet 2.13.15
cat ~/.config/valet/config.json
{
    "tld": "test",
    "paths": [
        "/Users/stephan/.config/valet/Sites"
    ]
}
cat ~/.composer/composer.json
{
    "require": {
        "laravel/valet": "^2.13",
        "squizlabs/php_codesniffer": "^3.5"
    }
}

drbyte commented 3 years ago

@stephanvane I'm sure you have your reasons, and they're related to your workflow, but for future design consideration it would be helpful to understand those reasons more clearly. So ...

Question: Why do you want unsecure proxies? And is there a technical reason for wanting to bypass using SSL?

stephanvane commented 3 years ago

Hi @drbyte, thanks for your answer

I think that in general it would be for the same reason anyone wants to bypass SSL on parked / linked apps. There must be a reason why valet includes the valet secure/unsecure commands at all :-)

In my specific case, I wanted to have a valet-proxied-app communicate with an http-only-local-api that was running. Unfortunately the browser blocked http resources requested from an https website.

If we decide not to allow bypassing SSL for proxies, I think it should be reflected in the documentation and the return message.

The current message of "The [foo.test] site will now serve traffic over HTTP." while in reality the proxy is removed completely is confusing at least.

drbyte commented 3 years ago

Do the changes proposed in #1005 accommodate the requirements you mention?

stephanvane commented 3 years ago

For my case, this would technically solve the problem, thank you!

From a usability perspective I would propose using a more standard way of configuring it. Having two different methods (valet unsecure foo and valet proxy --unsecure) and two different defaults (secure for proxy / unsecure for park/link) might be confusing.

Using the same methods for both park/link and proxy would be more straightforward in my opinion.

Link

valet link foo
valet secure foo / valet unsecure foo
valet unlink

Proxy

valet proxy foo http://example.com
valet secure foo / valet unsecure foo
valet unproxy foo

euoia commented 3 years ago

Is this still an issue? There seems to be a change between Valet 2.14.0 and 2.15.0 that valet proxy no longer creates an nginx configuration that listens on port 443, and instead now requires the --secure flag to listen on port 443.

drbyte commented 3 years ago

Correct. This issue can be closed due to the changes in 2.15.0

/cc @mattstauffer
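
To check which behaviour a given install actually has, the per-site nginx files can be inspected for a port-443 listener and the upstream they proxy to. The script below is an added example, not part of the thread or of Valet's own code; the function names and both sample configs are constructed for illustration and are not Valet's real stubs.

```shell
# Added example: for each nginx site file in a directory, report whether it has
# a port-443 listener and which upstream it proxies to. Samples are constructed.

# site_listener FILE -> "tls" if an uncommented listen directive uses port 443
site_listener() {
    if sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?443([[:space:];]|$)'
    then echo tls; else echo plain; fi
}

# site_upstream FILE -> first proxy_pass target, or "-" if the file has none
site_upstream() {
    up=$(sed -n -e 's/#.*//' \
        -e 's/.*proxy_pass[[:space:]][[:space:]]*\([^;[:space:]]*\).*/\1/p' "$1" | head -n 1)
    echo "${up:--}"
}

# audit_dir DIR -> one line per file: "<site> <tls|plain> <upstream|->"
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        echo "$(basename "$f") $(site_listener "$f") $(site_upstream "$f")"
    done
}

# make_samples DIR -> two constructed configs (illustrative, not Valet's stubs)
make_samples() {
    cat > "$1/foo.test" <<'EOF'
server {
    listen 127.0.0.1:80;
    return 301 https://$host$request_uri;
}
server {
    listen 127.0.0.1:443 ssl http2;
    location / { proxy_pass http://example.com; }
}
EOF
    cat > "$1/bar.test" <<'EOF'
server {
    listen 127.0.0.1:80;
    # listen 127.0.0.1:443 ssl;
    location / { proxy_pass http://127.0.0.1:3000; }
}
EOF
}

demo=$(mktemp -d) && make_samples "$demo"
audit_dir "$demo"    # on a real install: audit_dir ~/.config/valet/Nginx
rm -rf "$demo"
```

A line reading `tls` with an `http://` upstream marks a site that the browser loads over HTTPS while the proxied backend is plain HTTP.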