ProxyPass with https SNI on apache and http transport locally

metasfresh / metasfresh-docker

GNU General Public License v2.0

37 stars 40 forks source link

ProxyPass with https SNI on apache and http transport locally #40

Open Janfred opened 6 years ago

Janfred commented 6 years ago

Is this a bug or feature request?

Kind of both, but first of all a bug

What is the current behavior?

The app does insecure reloads. The served config.js has the following content:

const config = {
        API_URL: 'http://metasfresh.my-domain.example/rest/api',
        WS_URL: 'http://metasfresh.my-domain.example/stomp'
}

Which are the steps to reproduce?

Follow the steps for docker deployment
Change expose ports for webui from 80:80 and 443:443 to 127.0.0.1:8080:80 and 127.0.0.1:8443:443

Setup an apache with TLS

<VirtualHost *:443>
ServerName metasfresh.my-domain.example
/* TLS-Config goes here */
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost On
</VirtualHost>

What is the expected or desired behavior?

in the config.js the URLs should be https URLs

Janfred commented 6 years ago

I've just found in the start_webui.sh file in the docker this lines:

if [[ -f "/etc/apache2/certs/fullchain.pem" ]] && [[ -f "/etc/apache2/certs/privkey.pem" ]]; then
        sed -i 's/\bhttp\b/https/g' /opt/metasfresh-webui-frontend/dist/config.js
        a2ensite metasfresh_webui_ssl.conf
        echo "[METASFRESH] Activated SSL!"
else
        sed -i 's/\https\b/http/g' /opt/metasfresh-webui-frontend/dist/config.js
        a2ensite metasfresh_webui.conf
        a2dissite metasfresh_webui_ssl.conf
        echo "[METASFRESH] Runnning Non-SSL!"
fi

This should definitely be configurable by an environment variable which states that the requests can be proxied before with the encryption end point.

lhermann commented 5 years ago

I ran into the same problem trying to run it with a nginx reverse proxy. Please add a config option to allow for reverse proxy.

metas-jb commented 5 years ago

Hi @Janfred and @lhermann

By default, metasfresh-docker runs non-SSL since it's easier for testing and currently we don't have a function inside the containers to use eg. Let's Encrypt for generating SSL keys/certs.

If you're deploying metasfresh on a direct-accessible system, you can follow these Guidelines: http://docs.metasfresh.org/installation_collection/EN/How_do_I_setup_metasfresh_docker_with_ssl.html

Setting "https://myserver.com" in the appropriate line in your docker-compose.yml file, it will automatically be inserted into the internal config.js. When deploying your SSL keys in the ./webui/sources/certs/ folder, be sure to use the filenames described in the how to.

However running metasfresh on a reverse proxy, you will also have to setup your nginx/apache conf on your reverse-proxy similar to this file: https://github.com/metasfresh/metasfresh-docker/blob/master/webui/sources/configs/metasfresh_webui_ssl.conf ... replacing the server-names (eg.: webapi) with the server you're running the docker-stack on of course and adding a new reverse-proxy entry to point to the webui-location / -port instead of using DocumentRoot

software-driven commented 5 years ago

Hi @metas-jb

I have tried the adaptation of the configuration for my reverse proxy. In the docker compose file I set WEBAPI_URL=https://myurl but the REST API is still addressed via http. What can I do?