Open satoshinotdead opened 1 month ago
Same thing here, can't get it to work through https
I just set up Planka behind an nginx (reverse) proxy with TLS termination at the proxy level. Both Planka and nginx are containers inside the same Docker network. I use Let's Encrypt certificates created by certbot in another container.
Here are the relevant snippets that I changed. Btw, I set up Planka to be available behind a specific
nginx.conf

```nginx
server {
    listen 443 ssl;
    server_name <domain>;
    ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location /<path>/ {
        proxy_pass http://<planka-container>:1337;
        rewrite ^/<path>/(.*)$ /$1 break;
    }
}
```
docker-compose.yml

```yaml
services:
  planka-app:
    container_name: <planka-container>
    ...
    environment:
      - BASE_URL=https://<domain>/<path>
```
I'm still getting a `wrong certificate` error with that configuration. I'm using a subdomain and have tried both `localhost` and the `container IP`.

I suspect the issue is that the docs assume everyone is using a Docker container for Nginx, which isn't true for all of us. I prefer to host Nginx on the host machine to reduce attack vectors.
I run Planka on my local network behind Nginx on a different host. I could not find good documentation on it and I was running into the cross-site blocking errors. I had also run into the SSL cert error previously, but it was due to using `rewrite`.

Below is my configuration for the proxy serving Planka; it does not give me a cert error and does not give me grief with cross-site origin. You will also need to do the following:

- Set BASE_URL in `docker-compose.yml` to `https://<proxy_domain>`, not to the `<upstream_host>:<port>`
- Adjust any paths in the configuration to fit your deployment

In the end the BASE_URL was what was giving me grief for the cross-site issue, so some of the header directives could be unnecessary; I just haven't got around to removing them one by one to see if it breaks.

To note: I run bind on my network for resolving my LAN domains. You will run into issues if your cert is signed against a certain domain and you try to use it with an IP address as your `<proxy_domain>`.

```nginx
# Planka backend (plain HTTP); TLS is terminated in the server block below
upstream <upstream_host> {
    server <upstream_host>:<port>;
    keepalive 32;
}

server {
    listen 443 ssl; # managed by Certbot
    server_name <proxy_domain>;
    ssl_certificate /etc/letsencrypt/live/<proxy_domain>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<proxy_domain>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    access_log /var/log/nginx/<proxy_domain>_access.log;
    error_log /var/log/nginx/<proxy_domain>_error.log error;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        # proxy_set_header sends this to the upstream as a request header;
        # it is not added to the response the browser receives
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_set_header X-Scheme $scheme;
        proxy_http_version 1.1;
        proxy_pass http://<upstream defined above>;
        proxy_pass_header Server;
        proxy_pass_request_headers on;
    }

    # socket.io traffic (connection upgrade headers are required here)
    location /socket.io/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Scheme $scheme;
        proxy_http_version 1.1;
        proxy_pass http://<upstream defined above>;
        proxy_pass_header Server;
    }
}
```

I hope this helps you and anyone else struggling with running Planka behind an external Nginx server.
Hey, thanks for following up.
I tried your configuration (removing a few headers and adding new ones) and it's still not working. I renewed the certificates and restarted everything as well.
Please, can you reformulate this?

> To note: I run bind on my network for resolving my LAN domains, you will run into issues if your cert is signed against a certain domain and you try to use it with an IP address as your `<proxy_domain>`.

I suspect the issue is related to this and not to the Nginx configuration, which appears to be a commonly used template.

> Please, can you reformulate this?
>
> > To note: I run bind on my network for resolving my LAN domains, you will run into issues if your cert is signed against a certain domain and you try to use it with an IP address as your `<proxy_domain>`.
>
> I suspect the issue is related to this and not on the Nginx configuration, which appears to be a commonly used template.

When you request a certificate from a signing authority it will either be a wildcard certificate, which can be used for any sub-domain and the primary domain, or for a specific (sub-)domain. If you have self-signed the certificate it needs to be, again, a wildcard or for a specific IP address/(sub-domain). You will also need the full chain (your cert -> intermediates -> root) as well as the private key.
So in other words, the certificate you are using needs to be signed in a way that it is valid for the value of `<proxy_domain>` used in `server_name <proxy_domain>`.
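
As an added example (not part of the original thread), the rule described above can be checked with OpenSSL's `-checkhost` and `-checkip` options: a certificate issued for a DNS name fails when the proxy is addressed by IP. The host name, the IP address and the two helper functions are constructed for illustration, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. planka.example.test, 192.0.2.10 and both helper names
# are constructed placeholders, not values from the thread.

# make_test_cert <dir> <san-list>: throwaway self-signed cert with the given SANs
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" \
        -subj "/CN=constructed-test-cert" \
        -addext "subjectAltName=$2" 2>/dev/null
}

# cert_covers <cert.pem> <name-or-ip>: succeeds only if the cert is valid for it
cert_covers() {
    case $2 in
        *:*)       flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*) flag=-checkhost ;;  # contains letters: DNS name
        *)         flag=-checkip ;;    # dotted-quad IPv4
    esac
    # openssl prints "... does match certificate" or "... does NOT match certificate"
    openssl x509 -in "$1" -noout "$flag" "$2" 2>/dev/null | grep -q 'does match'
}

# For a deployed proxy, save the served certificate first, for example:
#   openssl s_client -connect <proxy_domain>:443 -servername <proxy_domain> \
#       </dev/null 2>/dev/null | openssl x509 -out served.pem

demo_dir=$(mktemp -d)
make_test_cert "$demo_dir" "DNS:planka.example.test"
for target in planka.example.test other.example.test 192.0.2.10; do
    if cert_covers "$demo_dir/cert.pem" "$target"; then
        echo "$target: certificate valid for this name"
    else
        echo "$target: MISMATCH, clients will report a certificate error"
    fi
done
rm -rf "$demo_dir"
```
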

> I run Planka on my local network behind Nginx on a different host. I could not find good documentation on it and I was running into the cross-site blocking errors, I had also run into the SSL cert error previously but it was due to using `rewrite`.
>
> Below is my configuration for the proxy serving Planka, it does not give me a cert error and does not give me grief with cross-site origin. You will also need to do the following:
>
> - Set BASE_URL in `docker-compose.yml` to `https://<proxy_domain>` not to the `<upstream_host>:<port>`
> - Adjust any paths in the configuration to fit your deployment
>
> In the end the BASE_URL was what was giving me grief for the cross-site issue, so some of the header directives could be unnecessary, I just haven't got around to removing them one by one to see if it breaks.
>
> To note: I run bind on my network for resolving my LAN domains, you will run into issues if your cert is signed against a certain domain and you try to use it with an IP address as your `<proxy_domain>`.

Thanks! This solved my `mix-content` issue like a charm.
Thanks, I'm using Let's Encrypt and signing certificates for each subdomain. I'm hosting ~30 services and that's the only one facing this SSL issue.
I'm sadly moving to another service because I tried a lot of modifications without success.
@satoshinotdead
I would suggest you follow the following links one after the other.
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04
https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-20-04
However, you must ensure that the following have been achieved before you start.
@marigbede Thanks for the information, I prefer to use the official docs and skip hosting providers' ones.
I have more than 50 services running. The issue I posted (and a few folks around) is related to the Planka architecture and has nothing to do with installing Nginx and/or Docker.
@satoshinotdead Nice going. The documentation does not bind you to Digital Ocean because I have used those steps in all manner of places. I can take a look at your issue if you would like and if for nothing, just another fresh pair of eyes perspective.
@marigbede thanks man, I'm just trying to figure it out.
My configuration is Nginx as Proxy and docker-compose Planka container.
I don't want to containerize Nginx and I usually proxy from it to localhost and port exposed from docker (to localhost or using upstream to container IP).
I understand that's the base for everything else but I see that not everyone hosts their files and/or manages their own servers. Maybe I'm wrong but I think there is a corporate standard that doesn't fit with all of us.
I like to be simple when managing my stuff. So, if I have Nginx then I don't want an application bloated with another instance of Nginx.
Tried to use localhost and docker IP like upstream and proxied. Perhaps I need to expose the ports from Planka to localhost?
Planka is asking for JavaScript on curl (that's OK, it's working) but it is impossible to proxy to it.
I followed the example (as per the documentation) and verified that the container is running well on localhost. However, I can't connect to it from my domain, even though I've set up the certificates and DNS correctly.
What could be causing this issue? Is there a variable or configuration, such as `VIRTUAL_HOSTNAME`, that I need to set? Thanks!