plankanban / planka

The realtime kanban board for workgroups built with React and Redux.
https://planka.app
GNU Affero General Public License v3.0

SSL error behind Nginx proxy #775

Open satoshinotdead opened 1 month ago

satoshinotdead commented 1 month ago

I followed the example (as per the documentation) and verified that the container is running well on localhost. However, I can't connect to it from my domain, even though I've set up the certificates and DNS correctly.

What could be causing this issue? Is there a variable or configuration, such as VIRTUAL_HOSTNAME that I need to set?

Thanks!

dev0T commented 1 month ago

Same thing here, can't get it to work through https

Dherlou commented 3 weeks ago

I just set up Planka behind an nginx (reverse) proxy with TLS termination at the proxy level. Both planka and nginx are containers inside the same docker network. I use letsencrypt certificates created by certbot in another container.

Here are the relevant snippets that I changed. Btw, I set up Planka to be available behind a specific <path>, i.e. https://<domain>/<path>/. As far as I can tell, this setup seems to work, although some optimization regarding the official documentation might be needed, but this should be a good starting point.

nginx.conf

server {
    listen 443 ssl;
    server_name <domain>;

    ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location /<path>/ {
        proxy_pass http://<planka-container>:1337;
        rewrite ^/<path>/(.*)$ /$1 break;
    }
}

docker-compose.yml

services:
  planka-app:
    container_name: <planka-container>
    ...
    environment:
      - BASE_URL=https://<domain>/<path>

satoshinotdead commented 2 weeks ago

I'm still getting a wrong certificate error with that configuration. I'm using a subdomain and have tried both localhost and the container IP.

I suspect the issue is that the docs assume everyone is using a Docker container for Nginx, which isn't true for all of us. I prefer to host Nginx on the host machine to reduce attack vectors.

RustyClanker commented 2 weeks ago

I run Planka on my local network behind Nginx on a different host. I could not find good documentation on it and I was running into the cross-site blocking errors. I had also run into the SSL cert error previously, but it was due to using rewrite.

Below is my configuration for the proxy serving Planka; it does not give me a cert error and does not give me grief with cross-site origin. You will also need to do the following:

  • Set BASE_URL in docker-compose.yml to https://<proxy_domain> not to the <upstream_host>:<port>
  • Adjust any paths in the configuration to fit your deployment

In the end the BASE_URL was what was giving me grief for the cross-site issue, so some of the header directives could be unnecessary; I just haven't got around to removing them one by one to see if it breaks.

To note: I run bind on my network for resolving my LAN domains; you will run into issues if your cert is signed against a certain domain and you try to use it with an IP address as your <proxy_domain>.

upstream <upstream_host> {
        server <upstream_host>:<port>;
        keepalive 32;
}

server {
        listen 443 ssl; # managed by Certbot
        server_name <proxy_domain>;

        ssl_certificate /etc/letsencrypt/live/<proxy_domain>/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/<proxy_domain>/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        access_log /var/log/nginx/<proxy_domain>_access.log;
        error_log /var/log/nginx/<proxy_domain>_error.log error;

        location / {
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Host $host:$server_port;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Frame-Options SAMEORIGIN;
                proxy_set_header X-Scheme $scheme;
                proxy_http_version 1.1;
                proxy_pass http://<upstream defined above>;
                proxy_pass_header Server;
                proxy_pass_request_headers on;
        }

        location /socket.io/ {
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Host $host:$server_port;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Scheme $scheme;
                proxy_http_version 1.1;
                proxy_pass http://<upstream defined above>;
                proxy_pass_header Server;
        }
}

I hope this helps you and anyone else struggling with running Planka behind an external Nginx server.

satoshinotdead commented 2 weeks ago

Hey, thanks for following up.

I tried your configuration (removing a few headers and adding new ones) and it is still not working. I renewed the certificates and restarted everything as well.

Please, can you reformulate this?

To note: I run bind on my network for resolving my LAN domains, you will run into issues if your cert is signed against a certain domain and you try to use it with an IP address as your <proxy_domain>.

I suspect the issue is related to this and not on the Nginx configuration, which appears to be a commonly used template.

RustyClanker commented 2 weeks ago

Please, can you reformulate this?

To note: I run bind on my network for resolving my LAN domains, you will run into issues if your cert is signed against a certain domain and you try to use it with an IP address as your <proxy_domain>.

I suspect the issue is related to this and not on the Nginx configuration, which appears to be a commonly used template.

When you request a certificate from a signing authority it will either be a wildcard certificate, which can be used for any sub-domain and the primary domain, or for a specific (sub-)domain. If you have self-signed the certificate it needs to be, again, a wildcard or for a specific IP address/(sub-domain). You will also need the full chain (your cert -> intermediates -> root) as well as the private key.

So in other words, the certificate you are using needs to be signed in a way that it is valid for the value of <proxy_domain> used in server_name <proxy_domain>.
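The two mismatches this thread keeps coming back to (a certificate that is not valid for the name in server_name, and a BASE_URL that points at the upstream host:port instead of the proxy's public https origin) can be checked mechanically before touching the browser. The script below is an added example, not Planka's code and not any commenter's configuration; the nginx snippet, the hostnames and the certificate dict are constructed samples, and fetch_peer_cert is an optional helper for pulling a live proxy's certificate into the same dict shape.

```python
"""Consistency check for Planka behind an external nginx TLS terminator.

Added example (not part of Planka or of this thread). It checks:
  1. the certificate nginx serves is valid for the name in server_name,
     otherwise browsers report a wrong-certificate error;
  2. BASE_URL is the public https origin of the proxy, not the upstream
     host:port, otherwise the client sees cross-site / mixed-content errors.
All sample values below are constructed placeholders.
"""
import re
import socket
import ssl
from urllib.parse import urlsplit


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one subjectAltName dNSName against a hostname (RFC 6125 rules).

    A wildcard is honoured only as the entire leftmost label and never spans
    a dot: *.example.com covers planka.example.com but neither example.com
    nor a.b.example.com. The "*.tld" form is rejected as too broad.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_covers_host(cert: dict, hostname: str) -> bool:
    """`cert` has the dict shape returned by ssl.SSLSocket.getpeercert().

    Only subjectAltName entries count: browsers ignore the subject
    commonName for hostname checks, so a cert whose CN matches but whose
    SAN list does not is still a wrong certificate.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(san, hostname) for san in sans)


def server_names(nginx_conf: str) -> list:
    """Collect every name listed in a server_name directive (lower-cased)."""
    names = []
    for group in re.findall(r"^\s*server_name\s+([^;]+);", nginx_conf, re.M):
        names.extend(n.lower() for n in group.split())
    return names


def check_deployment(nginx_conf: str, base_url: str, cert: dict) -> list:
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    url = urlsplit(base_url)
    host = url.hostname or ""
    if url.scheme != "https":
        problems.append(f"BASE_URL {base_url!r} is not https; the browser will "
                        "load the API over plain http (mixed content)")
    names = server_names(nginx_conf)
    if host not in names:
        problems.append(f"BASE_URL host {host!r} is not among nginx server_name "
                        f"values {names}; set BASE_URL to the proxy's public name")
    if not cert_covers_host(cert, host):
        problems.append(f"certificate subjectAltName does not cover {host!r}; "
                        "reissue it for that name (or a matching wildcard)")
    return problems


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch the certificate a live proxy presents, in getpeercert() form.

    Chain verification against the system CA store stays on, but hostname
    checking is turned off so that a mismatched certificate is returned for
    inspection instead of aborting the handshake. Not used by the offline
    sample run below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the name check is done by cert_covers_host
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples (not real hosts or certificates).
SAMPLE_NGINX = """
server {
    listen 443 ssl;
    server_name planka.example.com;
    location / { proxy_pass http://10.0.0.5:1337; }
}
"""
SAMPLE_CERT = {
    "subject": ((("commonName", "planka.example.com"),),),
    "subjectAltName": (("DNS", "planka.example.com"),),
}

if __name__ == "__main__":
    for base_url in ("https://planka.example.com", "http://10.0.0.5:1337"):
        print(base_url, "->", check_deployment(SAMPLE_NGINX, base_url, SAMPLE_CERT) or "OK")
```

Running it with the sample values reports no problems for https://planka.example.com and three for http://10.0.0.5:1337 (wrong scheme, host not a server_name, certificate does not cover the IP), which is the combination of symptoms described above. For a real deployment, replace SAMPLE_CERT with fetch_peer_cert("<proxy_domain>") and SAMPLE_NGINX with the contents of your site file.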

michaeledi commented 2 weeks ago

I run Planka on my local network behind Nginx on a different host. I could not find good documentation on it and I was running into the cross-site blocking errors, I had also run into the SSL cert error previously but it was due to using rewrite.

Below is my configuration for the proxy serving Planka, it does not give me a cert error and does not give me grief with cross-site origin. You will also need to do the following:

  • Set BASE_URL in docker-compose.yml to https://<proxy_domain> not to the <upstream_host>:<port>
  • Adjust any paths in the configuration to fit your deployment

In the end the BASE_URL was what was giving me grief for the cross-site issue, so some of the header directives could be unnecessary, I just haven't got around to removing them one by one to see if it breaks.

To note: I run bind on my network for resolving my LAN domains, you will run into issues if your cert is signed against a certain domain and you try to use it with an IP address as your <proxy_domain>.

Thanks! This solved my mixed-content issue like a charm.

satoshinotdead commented 2 weeks ago

Please, can you reformulate this?

To note: I run bind on my network for resolving my LAN domains, you will run into issues if your cert is signed against a certain domain and you try to use it with an IP address as your <proxy_domain>.

I suspect the issue is related to this and not on the Nginx configuration, which appears to be a commonly used template.

When you request a certificate from a signing authority it will either be a wildcard certificate, which can be used for any sub-domain and the primary domain, or for a specific (sub-)domain. If you have self-signed the certificate it needs to be, again, a wildcard or for a specific IP address/(sub-domain). You will also need the full chain (your cert -> intermediates -> root) as well as the private key.

So in other words, the certificate you are using needs to be signed in a way that it is valid for the value of <proxy_domain> used in server_name <proxy_domain>.

Thanks, I'm using Let's Encrypt and signing certificates for each subdomain. I'm hosting ~30 services and that's the only one facing this SSL issue.

I'm sadly moving to another service because I tried a lot of modifications without success.

marigbede commented 1 week ago

@satoshinotdead

I would suggest you follow the following links one after the other.

https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04

https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-20-04

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04

However, you must ensure that the following have been achieved before you start.

  1. The Host has permissions to allow port 80 and 443
  2. The A Record (and maybe CNAME) for the desired Domain Name (or Sub Domain) has been configured and it is resolving properly.

satoshinotdead commented 1 week ago

@marigbede Thanks for the information, I prefer to use the official docs and skip hosting providers ones.

I have more than 50 services running. The issue I posted (and a few folks around) is related to the Planka architecture and has nothing to do with installing Nginx and/or Docker.

marigbede commented 1 week ago

@satoshinotdead Nice going. The documentation does not bind you to Digital Ocean because I have used those steps in all manner of places. I can take a look at your issue if you would like; if nothing else, just another fresh pair of eyes' perspective.

satoshinotdead commented 5 days ago

@marigbede thanks man, I'm just trying to figure it out.

My configuration is Nginx as Proxy and docker-compose Planka container.

I don't want to containerize Nginx and I usually proxy from it to localhost and port exposed from docker (to localhost or using upstream to container IP).

I understand that's the base for everything else but I see that not everyone hosts their files and/or manages their own servers. Maybe I'm wrong but I think there is a corporate standard that doesn't fit all of us.

I like to be simple when managing my stuff. So, if I have Nginx then I don't want an application bloated with another instance of Nginx.

Tried to use localhost and the docker IP as upstream and proxied. Perhaps I need to expose the ports from Planka to localhost?

Planka is asking for Javascript on curl (that's OK, it's working) but it is impossible to proxy to it.