mriedmann / humhub-docker

Alpine-based PHP-FPM and NGINX HumHub docker-container
MIT License

SSL Woes #331

Closed vorletzter closed 7 months ago

vorletzter commented 8 months ago

Instance: https://hub.einerunde.de Version: Stable (1.13.2)

I am not quite sure if the issue lies with the container, the HumHub app or HumHub.

I was playing around with HumHub and just wanted to try the new App.

I added my Traefik labels to the docker-compose and removed the ports entry:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.humhub.rule=Host(`hub.einerunde.de`)"
      - "traefik.http.routers.humhub.entrypoints=websecure"
      - "traefik.http.middlewares.humhub-https.redirectscheme.scheme=https"
      - "traefik.http.routers.humhub.tls=true"
      - "traefik.http.routers.humhub.tls.certresolver=leresolver"
      - "traefik.http.routers.humhub.tls.options=myTLSOptions@file"
      - "traefik.http.middlewares.humhub-https.redirectregex.permanent=true"

HumHub works fine via SSL. But the app complains about http://hub.einerunde.de - net::ERR_CLEARTEXT_NOT_PERMITTED

I entered https://hub.einerunde.de in the Instance Screen. In HumHub Settings the Base Instance is set to https://hub.einerunde.de as well.

Analysing the traffic in Firefox I stumbled across some non-SSL? Traefik? But I have no clue what is happening here as well.


Maybe somebody can shed some light or point me in the right direction :) ?

docker-compose.yml.txt

jvies commented 8 months ago

Hello, I fell into the same issue 2 weeks ago. I was helped by the app team here: https://github.com/humhub/app/issues/127

You probably don't have your HumHub correctly configured for HTTPS behind a reverse proxy such as Traefik. Cf. https://docs.humhub.org/docs/admin/reverse-proxy/#httpsssl-detection

Regards

vorletzter commented 8 months ago

Thanks a lot. Helpful!

Can I configure my container to help HumHub with the SSL detection or do I need to edit the file as suggested?

jvies commented 8 months ago

It seems the reverse proxy must set the header X-Forwarded-Proto (cf. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto), and that the website must handle it. According to the doc of HumHub, it is not the case.

On my side, I just followed the doc.
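The scheme detection discussed in this comment, modelled as an added example (not part of the thread and not HumHub's or Traefik's own code): the backend only sees plain HTTP from the proxy, so it must take the scheme from `X-Forwarded-Proto`, and should do so only when the direct peer is a known proxy. The `172.18.0.0/16` proxy network, the sample addresses and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumed (constructed) network the reverse proxy connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]


def peer_is_trusted(peer_ip, trusted=TRUSTED_PROXIES):
    """True when the direct TCP peer is one of our reverse proxies."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)


def effective_scheme(peer_ip, headers, honor_forwarded=True):
    """Scheme the app should use when it builds absolute URLs.

    TLS ends at the proxy, so without the header the answer is "http".
    """
    # HTTP header names are case-insensitive.
    h = {k.lower(): v for k, v in headers.items()}
    # With chained proxies the first value is the client-facing one.
    proto = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    if honor_forwarded and peer_is_trusted(peer_ip) and proto in ("http", "https"):
        return proto
    return "http"


def absolute_url(peer_ip, headers, path, honor_forwarded=True):
    """Build the kind of absolute link an app emits in redirects and pages."""
    host = {k.lower(): v for k, v in headers.items()}.get("host", "localhost")
    scheme = effective_scheme(peer_ip, headers, honor_forwarded)
    return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    # Constructed request as forwarded by the proxy.
    via_proxy = {"Host": "hub.einerunde.de", "X-Forwarded-Proto": "https"}
    # Header ignored: http:// links, which a cleartext-blocking client refuses.
    print(absolute_url("172.18.0.2", via_proxy, "/dashboard", honor_forwarded=False))
    # Header honored from the trusted proxy: https:// links.
    print(absolute_url("172.18.0.2", via_proxy, "/dashboard"))
    # Same header from an untrusted peer is not believed.
    print(absolute_url("203.0.113.7", via_proxy, "/dashboard"))
```
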

vorletzter commented 8 months ago

How did you do that? Did you clone the whole repository to make the changes permanent to avoid the ephemeral nature of Docker?

jvies commented 8 months ago

Nope, I use Docker volumes:

    volumes:
      - "./config:/var/www/localhost/htdocs/protected/config"

mriedmann commented 8 months ago

Just my 2 cents: Humhub's architecture is not perfectly aligned with modern "container-centric" applications (see https://12factor.net/). We are doing our best to mitigate this fact, but some features are a bit "weird" because of this fact.

Here is also another hint about the X-Forwarded-Proto header: https://github.com/humhub/humhub/issues/1859

github-actions[bot] commented 7 months ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 7 months ago

This issue was closed because it has been inactive for 14 days since being marked as stale.