simplerisk / docker

SimpleRisk Docker Repository
https://www.simplerisk.com
Mozilla Public License 2.0

redirect loop on startup #88

Closed kale1d0code closed 5 months ago

kale1d0code commented 5 months ago

I get a 302 for / redirecting to /; this causes the web browser to display ERR_TOO_MANY_REDIRECTS.

The web application should not redirect a path to the same path, as this causes redirect loops.

jsokol commented 5 months ago

There are only two redirects that I'm aware of:

  1. A redirect from http to https
  2. A redirect if you hit a URL while unauthenticated to the login page and a redirect back once authenticated.

Other than these two scenarios, there should not be any issues here. If you're seeing something else, we'd need more information on your configuration here to assist.

kale1d0code commented 5 months ago

The configuration is how it comes with the image.

Downstream to simplerisk, our hosting looks like the following: traefik:443 -> simplerisk:80

I'm using the following environment variables

    - SIMPLERISK_DB_HOSTNAME=dbms
    - SIMPLERISK_DB_PORT=3306
    - DB_SETUP=manual
    - DB_SETUP_USER=${DB_USER}
    - DB_SETUP_PASS=${DB_PASS}
    - SIMPLERISK_DB_USERNAME=${DB_USER}
    - SIMPLERISK_DB_PASSWORD=${DB_PASS}
    - SIMPLERISK_DB_DATABASE=${DB_NAME}
    - SIMPLERISK_DB_FOR_SESSIONS=false
    - SIMPLERISK_CRON_SETUP=true

and the following labels

    - traefik.enable=true
    - traefik.docker.network=public
    - traefik.http.routers.${ROUTER_NAME}.rule=Host(`${DOMAIN_NAME}`)
    - traefik.http.routers.${ROUTER_NAME}.entrypoints=web,websecure
    - traefik.http.routers.${ROUTER_NAME}.tls=true
    - traefik.http.routers.${ROUTER_NAME}.tls.certresolver=default
    - traefik.http.services.${ROUTER_NAME}.loadbalancer.server.port=80

jsokol commented 5 months ago

The Docker is configured to use a self-signed SSL certificate and automatically redirect from port 80 to 443. If you are using a proxy (I'm assuming that's what "traefik" is) to connect, you should update it to use port 443 instead of 80. Otherwise, you will experience the redirect loop that you mentioned. You're connecting to 443 on your proxy, the proxy connects to 80 on the Docker, the Docker redirects to 443, etc. If you update that traefik.http.services.${ROUTER_NAME}.loadbalancer.server.port=80 value to 443, I'd think that should stop the redirect loop, but I'm not familiar with this loadbalancer service.
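The loop jsokol describes (proxy on 443, container on 80, container redirecting back to 443) traced by a small redirect follower. This is an added example, not code from the simplerisk/docker project; the hostname and the two proxy models are constructed assumptions.

```python
"""Trace Location headers and report a redirect loop.

Models the deployment in this thread: a TLS-terminating proxy forwards
plain HTTP to a backend that forces HTTP -> HTTPS without consulting
X-Forwarded-Proto. Hostname and proxy models are constructed."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

Response = Tuple[int, str]          # (status code, Location header or "")
Fetcher = Callable[[str], Response]
REDIRECTS = (301, 302, 303, 307, 308)


def trace_redirects(url: str, fetch: Fetcher, max_hops: int = 10) -> Dict:
    """Follow redirects; a URL seen twice, or more than max_hops, is a loop
    (the condition a browser reports as ERR_TOO_MANY_REDIRECTS)."""
    seen: List[str] = []
    while len(seen) <= max_hops:
        if url in seen:
            return {"loop": True, "final": url, "hops": seen}
        seen.append(url)
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return {"loop": False, "final": url, "status": status, "hops": seen}
        url = urljoin(url, location)       # relative Location headers allowed
    return {"loop": True, "final": url, "hops": seen}


def simplerisk_backend(scheme_seen_by_apache: str, path: str) -> Response:
    """Backend rule from the thread: anything arriving as plain HTTP is
    302'd to the same path on https; X-Forwarded-Proto is ignored."""
    if scheme_seen_by_apache != "https":
        return 302, "https://simplerisk.example.test" + path
    return 200, ""


def proxy_forwarding_to_port_80(url: str) -> Response:
    """Constructed: Traefik terminates TLS and forwards to container port 80,
    so Apache always sees plain HTTP and always redirects."""
    return simplerisk_backend("http", urlsplit(url).path or "/")


def proxy_forwarding_to_port_443(url: str) -> Response:
    """Constructed fix: Traefik speaks HTTPS to container port 443,
    so Apache sees https and serves the page."""
    return simplerisk_backend("https", urlsplit(url).path or "/")


if __name__ == "__main__":
    start = "https://simplerisk.example.test/"
    print(trace_redirects(start, proxy_forwarding_to_port_80))   # loop: True
    print(trace_redirects(start, proxy_forwarding_to_port_443))  # loop: False
```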

kale1d0code commented 5 months ago

I have tried your suggestion. I get a 400 error message from Apache with the following message:

    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.
    Apache Server at 10.0.3.193 Port 443

What would need to be changed in/removed from the configuration to stop Apache from redirecting http to https? I've tried adding

    RewriteCond %{HTTP:X-Forwarded-Proto} !https

to the 000-default.conf file. This should prevent Apache from redirecting if the Forwarded-Proto header exists; however, I have a limited working knowledge of Apache and my code doesn't have the desired effect.

jsokol commented 5 months ago

Your message says that your proxy is sending HTTP data to the HTTPS port. So it is connecting to port 443, but is using the HTTP protocol. We have no experience with traefik, but you should check their documentation for how you would tell it to use HTTPS to communicate with the back-end service.

Unfortunately, modifying our Docker containers would be outside of the scope of what we can support.

kale1d0code commented 4 months ago

I found a way around the limitation of the docker container. The configuration for Apache inside the image does not allow for SSL-Offloading which is why handling SSL Termination in a reverse proxy/load balancer will result in an infinite redirect loop.

Using the Apache configuration shared by @gveltri, found here: https://github.com/simplerisk/code/issues/24#issuecomment-579337994, solves the problem.

jsokol commented 4 months ago

@kale1d0code Unfortunately, enabling SSL-Offloading may solve your issue, but it potentially creates a bigger one. SimpleRisk is a product made by a security practitioner for security practitioners. By enabling SSL-Offloading, you are disabling TLS encryption of sensitive data passed between the proxy/load balancer and the server. This could be usernames, passwords, cookies and risk data. As I mentioned earlier in this thread, the issue is that you are trying to proxy HTTP data, but SimpleRisk is expecting to use HTTPS on port 443. We provide a self-signed SSL certificate for baseline security and the customer can configure their own SSL certificate, if so desired. We will not support a configuration where the customer wants to downgrade our baseline security to not use TLS at all, as it is a security issue. I'm happy to hear that you found a solution that works for you, but we will not be implementing it in our images.