nhost / cli

Nhost CLI
https://docs.nhost.io/development/cli/overview
MIT License

Auth server needs custom CA certs when working behind company proxies #904

Closed xmlking closed 3 weeks ago

xmlking commented 3 weeks ago

Problem

The auth server cannot communicate with OAuth providers when running on a laptop behind a corporate proxy using the nhost up CLI command.

Context

In many corporate environments all network traffic from laptops has to go through proxies (running on-device or centrally) which act as a man-in-the-middle for HTTPS traffic. Due to the TLS handshake failure between the auth server and OAuth providers like Azure, we are getting an error. The same code works when running outside the corporate proxy environment.

Workaround

We need to add the proxy's CA cert to the container's system trusted certificates to make the TLS handshake work between the auth server and Azure.

The workaround is to create a compose.override.yml file with the following overlay options in the repo root, then copy the .nhost/docker-compose.yaml file generated by nhost up to the root, then run docker compose up to use both files.


```yaml
services:
  ###########################################################################
  # hasura auth
  ###########################################################################
  auth:
    volumes:
      - ./cacerts/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
  ###########################################################################
  # hasura storage
  ###########################################################################
  storage:
    volumes:
      - ./cacerts/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
```

Even though this works, it hinders developer productivity by NOT using the nhost CLI.

Ask

Please provide a way to extend the generated docker compose file to include an extra volume mounting option so we can use custom CA certs with the auth and storage services. Options:

  1. Auto-detect a user-supplied compose.override.yml overlay file in the root and use both files.
  2. Provide options to mount a custom volume for the auth and storage containers in nhost.toml.

dbarrosop commented 3 weeks ago

This is awful... xD

Why does the Storage service also need this? It shouldn't be making calls to the Internet.

I am a bit concerned about this feature request (mounting overlays if detected) as from a privacy and security perspective it can be very problematic and enable all kinds of attacks, but a compromise might be to add a --ca-certificates flag to mount the given path in the containers.

xmlking commented 3 weeks ago

> This is awful... xD
>
> Why does the Storage service also need this? It shouldn't be making calls to the Internet.
>
> I am a bit concerned about this feature request (mounting overlays if detected) as from a privacy and security perspective it can be very problematic and enable all kinds of attacks, but a compromise might be to add a --ca-certificates flag to mount the given path in the containers.

I thought the storage service also needs to connect to a privately hosted S3 service, as it also uses the HTTP protocol. I really didn't test the need for adding certs for storage, so we can ignore it for this case.

If the overlay is not a safe idea, I hope the CLI could use command line args or environment variables to mount custom CA certs only during development. It could be an opt-in only feature.

dbarrosop commented 3 weeks ago

Can you test #905?

To do it:

  1. Download the relevant binary for your platform from here: https://github.com/nhost/cli/actions/runs/10591634454
  2. Run (in your project's folder):

```sh
export NHOST_CONFIGSERVER_IMAGE=nhost/cli:1.23.0
export NHOST_CA_CERTIFICATES=./cacerts/ca-certificates.crt
/path/to/downloaded/binary/cli up
```

If you are on macOS you may also need to run the command below before running the up command:

```sh
xattr -r -d com.apple.quarantine /path/to/downloaded/binary/cli
```

> If overlay is not safe idea

Well, the unsafe part is detecting it and mounting it automatically as an attacker could then tamper with the hosts entries or even mount a malicious binary hoping that a developer enters real credentials while testing.
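A pre-flight wrapper for the opt-in steps above, added here as an example and not code from nhost/cli or from either participant. It checks that the file handed to NHOST_CA_CERTIFICATES is a plain PEM certificate bundle before exporting the variables and running the CLI; the binary path and image tag are the placeholders used in this thread.

```sh
#!/bin/sh
# Added example (not nhost/cli code): validate a CA bundle before opting in via
# NHOST_CA_CERTIFICATES. The bundle is mounted over the container's whole
# /etc/ssl/certs/ca-certificates.crt, so it must be a complete trust store
# (public CAs plus the proxy CA), and nothing but certificates should be in it.

# Returns 0 when $1 is a regular file made only of PEM CERTIFICATE blocks.
check_ca_bundle() {
    bundle="$1"
    # Regular, readable file; symlinks are refused so a link cannot redirect
    # the mount to an unexpected location.
    [ -f "$bundle" ] && [ ! -L "$bundle" ] && [ -r "$bundle" ] || return 1
    # '|| true' keeps a zero count (grep exit 1) from tripping 'set -e'.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$bundle" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$bundle" || true)
    others=$(grep -c '^-----BEGIN ' "$bundle" || true)
    # At least one certificate, every BEGIN closed, and no other PEM object
    # types (a private key or CSR in the bundle is a mistake worth stopping).
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ] && [ "$others" -eq "$begins" ]
}

# Opt-in wrapper around the 'cli up' steps from the thread. The binary path
# and image tag are placeholders taken from the thread, not fixed values.
nhost_up_with_ca() {
    bundle="$1"
    if ! check_ca_bundle "$bundle"; then
        echo "refusing to mount '$bundle': not a PEM certificate bundle" >&2
        return 1
    fi
    export NHOST_CONFIGSERVER_IMAGE=nhost/cli:v1.23.0
    export NHOST_CA_CERTIFICATES="$bundle"
    /path/to/downloaded/binary/cli up
}
```

Run `nhost_up_with_ca ./cacerts/ca-certificates.crt` from the project folder; the bundle is only exported when the check passes.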

xmlking commented 3 weeks ago

This worked in my proxied environment. I used "v" in the tag:

```sh
export NHOST_CONFIGSERVER_IMAGE=nhost/cli:v1.23.0
```

Thanks a lot for adding the new feature so quickly.