Closed ThomasBoom89 closed 2 years ago
After a long search, I finally found a "solution". Actually, I could not imagine that such an important point was not taken into account. The fault lies, as so often, in front of the computer. In the .env.docker trusted proxies can be specified. As found in the documentation, of course, also for reverse proxy setups. Link to Symfony Proxy Settings
# .env.docker
TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
Yes, we use TRUSTED_PROXIES env var in our production instance. Sorry for not being able to help.
Hello,
When I tried to deploy repman to production, I ran into several issues, depending on correct URL scheme handling in Symfony but wrong for the reverse proxy setup (for my understanding and what I found out in my troubleshooting). So this might be more a question asking for help and/or a feature to support reverse proxy setups. Also, I am willing to contribute.
Setup
Instead of opening the port from the repman-nginx with SSL certificate to the machine directly, there is an nginx reverse proxy with an SSL wildcard certificate in front of it (docker setup for multiple docker services). To understand my problem: if you access http://repman_url.xxx it will send a 301 redirect to https://repman_url.xxx to the requesting client. And if the client accesses https://repman_url.xxx, the reverse proxy will proxy_pass to http://ip:port to repman-nginx-docker. So on the application side, the request is http; that's why Symfony generates route URLs with http, not with https, if not explicitly set. Composer (in newer versions, didn't do further research) will not follow these redirects when downloading (MITM attacks), only if you set secure-http to false in the composer.json config node (see Problem 1).
Problems
1. Added the repository URLs to my composer.json, I did composer require psr/simple-cache -vvv to prove it will be downloading via the repman proxy. It receives package.json etc., but in the download step it throws an error and did a fallback to the github URL. Error message: Failed downloading psr/simple-cache: [Composer\Downloader\TransportException] 0: Your configuration does not allow connections to http://repo.xxxx.xxx/dists/psr/simple-cache/3.0.0.0/764e0b3939f5ca87cb904f570ef9be2d78a07865.zip. See https://getcomposer.org/doc/06-config.md#secure-http for details. I triple checked the URL in composer.json but there was https://repo..... After that I added psr/monolog from github via git repository type to my organisation in repman and did the same with require -vvv and it worked. Long story short, there is a difference between the organisation and proxy package.json. In https://repo.xxxxx.xxx/packages.json the dist-url is http (also the notify-batch) while the organisation package.json is https.
2. Tried to add repositories from gitlab/bitbucket; the redirect URL in the GET params is also http. Example: https://bitbucket.org/site/oauth2/authorize?redirect_uri=http%3A%2F%2Fxxxxx.xxx%2Fuser.... So I had to add the redirect URL in gitlab, for example, as http://...
What I found out and might help or be a partial solution
(Don't know symfony that well)
The declared routes have no scheme selected, so they default to http or match the request scheme if scheme = any, except for routes with the scheme set in config/routes/annotation.yml -> schemes: ['%url_scheme%'].
For Problem 1, I figured out that the generated URL for dist-url is currently index but should be proxy_repo_url (ProxyController.php:53). This solves my first problem.
As I said before, for my understanding, the application is handling the URL generation correctly but breaks reverse proxy setups. Maybe it is best to set a current default scheme for all routes which need to maintain the URL scheme. Not sure about side effects, but it shouldn't affect "normal" setups.
From Symfony Routes Page
Could be a solution to quickly change all routes and would stick to env:APP_URL_SCHEME
Maybe I am missing some critical points; I did a second setup on a different server with a Let's Encrypt certificate and ran into the same issues. I stripped down the text to a minimum; if something important is missing or you need more information, let me know. Also, if you have a different solution or see a different problem I ran into, I am open to other suggestions.
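The two halves of this thread (the reverse proxy terminating TLS and handing the backend a plain-http request, and the TRUSTED_PROXIES setting from the closing comment) come down to one decision: should the application believe the X-Forwarded-Proto header it received? The following is an added example, not repman's or Symfony's code; it models that decision in plain Python (the `is_trusted`, `effective_scheme` and `generate_url` helpers, the docker-network address 172.18.0.2 and the hostname repo.example.test are all constructed for the illustration). It assumes the same semantics the Symfony docs describe for the special value REMOTE_ADDR: trust whatever address is directly connected.

```python
"""Model of how a trusted-proxy list decides the request scheme behind a reverse proxy.

Added example, not code from repman or Symfony. It mimics the idea behind
Symfony's TRUSTED_PROXIES setting in simplified form (assumption).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    remote_addr: str                      # peer address the backend socket saw
    host: str
    path: str
    headers: dict = field(default_factory=dict)
    scheme: str = "http"                  # scheme the backend itself received


def is_trusted(remote_addr: str, trusted: list) -> bool:
    """True if remote_addr matches an entry in the trusted-proxy list.

    Entries may be IPs or CIDR ranges. The special value "REMOTE_ADDR" (as in
    the Symfony docs) means: trust whoever is directly connected. That is only
    safe when the app port is reachable solely from the proxy.
    """
    for entry in trusted:
        if entry == "REMOTE_ADDR":
            return True
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue                      # ignore malformed entries
        if ipaddress.ip_address(remote_addr) in net:
            return True
    return False


def effective_scheme(req: Request, trusted: list) -> str:
    """Honour X-Forwarded-Proto only when the request came from a trusted proxy.

    An untrusted peer can set any header it likes, so its X-Forwarded-Proto is
    ignored and the scheme the backend actually saw is used instead.
    """
    if is_trusted(req.remote_addr, trusted):
        proto = req.headers.get("X-Forwarded-Proto", "")
        proto = proto.split(",")[0].strip().lower()   # first hop wins
        if proto in ("http", "https"):
            return proto
    return req.scheme


def generate_url(req: Request, trusted: list, route_path: str) -> str:
    """Build an absolute URL the way a router would, using the effective scheme."""
    return f"{effective_scheme(req, trusted)}://{req.host}{route_path}"


def demo() -> dict:
    """Reproduce the three situations from the thread with constructed requests."""
    # Request that arrived via the TLS-terminating proxy on the docker network.
    proxied = Request("172.18.0.2", "repo.example.test", "/packages.json",
                      {"X-Forwarded-Proto": "https"})
    # Request from an arbitrary client that forged the header (constructed).
    direct = Request("203.0.113.5", "repo.example.test", "/packages.json",
                     {"X-Forwarded-Proto": "https"})
    return {
        # No trusted proxies: the dist-url comes out as http, the bug reported above.
        "untrusted_proxy": generate_url(proxied, [], "/dists/pkg.zip"),
        # TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR: the header is honoured.
        "trusted_proxy": generate_url(proxied, ["127.0.0.1", "REMOTE_ADDR"], "/dists/pkg.zip"),
        # A CIDR for the proxy network works too and does not trust everyone.
        "cidr_trusted": generate_url(proxied, ["172.18.0.0/16"], "/dists/pkg.zip"),
        # Forged header from an untrusted peer is ignored.
        "forged_ignored": generate_url(direct, ["172.18.0.0/16"], "/dists/pkg.zip"),
    }


if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name:16} {url}")
```

The CIDR variant is the stricter choice when the proxy's address range is known: REMOTE_ADDR is convenient in a docker setup where only the proxy can reach the container, but if the application port is ever published directly, it turns every client into a trusted proxy.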