snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

SnipeIT shows mixed content issue when loaded over https behind Ingress in k8s #7592

Closed kcan closed 4 years ago

kcan commented 4 years ago


Describe the bug

My setup for Snipe-IT was running behind an Ingress on a Kubernetes cluster. SSL was working for the ingress, but when trying to set up pre-flight, Chrome and Firefox both throw a mixed content warning.

As an example:

Mixed Content: The page at 'https://snipeitdev.demo.io/setup' was loaded over HTTPS, but requested an insecure script 'http://snipeitdev.demo.io/js/dist/all.js?id=bf1b244d8cc9096e4a18'. This request has been blocked; the content must be served over HTTPS.

If I choose to let Chrome ignore the issue, I still cannot go further with creating the user during pre-flight setup. The page just reloads and I am stuck on it.

To Reproduce

Steps to reproduce the behavior:

  1. No images show when opening the pre-flight setup page
  2. Open Chrome developer tools
  3. Go to Console
  4. Chrome shows a mixed content warning
  5. Go to the right of the Chrome address bar, where there is a shield symbol
  6. Click on 'load unsafe scripts'
  7. Click on 'create database tables'
  8. Click on 'create user'
  9. The page just reloads and I am stuck on it.

Expected behavior

Snipe-IT works over HTTPS behind the Ingress during pre-flight setup.



Additional context


  1. I also tried the suggestion from https://snipe-it.readme.io/docs/configuration#section-optional-set-your-htaccess-to-redirect-to-ssl; it does not work. This results in the browser error ERR_TOO_MANY_REDIRECTS.
  2. I also tried the suggestion from https://snipe-it.readme.io/docs/reverse-proxies; it does not help. Chrome still shows the Mixed Content warning.
  3. It seems that when running behind a reverse proxy, in the Snipe-IT Docker instance, Apache never listens on 443, but always on 80. I cannot add 443 in the virtualhost settings because Apache will require an SSL certificate to run on 443, and this will not work when the reverse proxy is already doing SSL offloading.
hapm commented 4 years ago

I tried also suggestion from https://snipe-it.readme.io/docs/reverse-proxies, it does not help. Chrome still shows Mixed Content warning.

Did you set up APP_TRUSTED_PROXIES correctly? Make sure the IP you see in the access.log of the Snipe-IT container is the one you expect it to be, and that it is listed in APP_TRUSTED_PROXIES. Snipe-IT will not accept the X-Forwarded headers for SSL if the remote address is not listed as a trusted proxy. It took me some time to figure this out in my setup (not k8s, but a dockerized reverse proxy with SSL offloading).

kcan commented 4 years ago

Hi @hapm ,

Thank you for the reply. Because the k8s ingress changes IP addresses quite a lot, it seems impossible to whitelist a fixed IP. Is it possible to allow all IP sources?

Previously, what I had done:

  1. APP_TRUSTED_PROXIES='0.0.0.0,'
  2. uncommenting 'proxies' => '', in `config/trustedproxies.php`
  3. set the header for the ingress to use: proxy_set_header X-Forwarded-Proto https;

But Chrome still warns about the mixed content issue.

hapm commented 4 years ago

You can use CIDR notation to allow the full subnet used by the k8s ingress network. In my case I used 10.0.0.0/8. If you don't control the ingress network completely, be aware that in such a case any container on the ingress network can pretend to be a trusted gateway for Snipe-IT. If you have strict security guidelines, make sure this configuration is compatible with them.

kcan commented 4 years ago

Hi @hapm, thank you for the further reply. I tried to update the proxy setting:

root@snipeit-5769cff97d-pqcbm:/var/www/html# printenv | grep APP_TRUSTED_PROXIES
APP_TRUSTED_PROXIES=0.0.0.0/0, 8.17.0.0/16

root@snipeit-5769cff97d-pqcbm:/var/www/html# grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/apache2/access.log
8.17.0.141
8.17.2.143
8.17.0.141
8.17.2.143
8.17.0.141
8.17.2.143
8.17.0.141
8.17.2.143
8.17.0.141
8.17.2.143
8.17.0.141
8.17.2.143
8.17.0.141
8.17.2.143
8.17.0.141
8.17.2.143
8.17.0.141
8.17.2.143
8.17.0.141
8.17.2.143
8.17.0.141
8.17.2.143
8.17.0.141
8.17.2.143

But Chrome still warns about the mixed content issue. Did I do this correctly?

kcan commented 4 years ago

Could anyone help? Thanks.

justinh-rahb commented 4 years ago

Ditto for me. Help.

Marhbere commented 4 years ago

Hello. Maybe you need to set the Ingress options with:

use-forwarded-headers: "true"

And in the reverse proxy config set the headers:

Host
X-Forwarded-Proto
X-Forwarded-Port
X-Forwarded-For

Remember also to set this ENV variable on Snipe-IT:

APP_TRUSTED_PROXIES: 0.0.0.0/0

Warning: this ACL is too permissive.

Regards. Marhbere
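The proxy-trust rule hapm describes above, together with the CIDR and 0.0.0.0/0 caveats from hapm and Marhbere, as an added example that is not Snipe-IT's own code: a small Python model of how a Laravel/Symfony app decides whether to honour X-Forwarded-Proto and X-Forwarded-For, and what that means for the asset links the page embeds and the client IP that ends up in access.log. The 8.17.x.x peer addresses and the hostname snipeitdev.demo.io come from kcan's report; the client addresses 203.0.113.7, 198.51.100.9 and 127.0.0.1, the pod address 8.17.5.5 and the header values are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not Snipe-IT's own code. It re-implements, in simplified form,
# the rule a Laravel/Symfony app applies to X-Forwarded-* headers: they are
# believed only when the TCP peer (REMOTE_ADDR) matches an entry in
# APP_TRUSTED_PROXIES. Every address and header value here is constructed.


def parse_trusted_proxies(env_value):
    """Turn an APP_TRUSTED_PROXIES string into ip_network objects.

    Accepts comma-separated plain IPs or CIDR blocks; a bare IP becomes a /32
    (or /128). A trailing comma, as in APP_TRUSTED_PROXIES='0.0.0.0,' from the
    thread, is tolerated. Note that '0.0.0.0' alone is one host, not 'any'.
    """
    nets = []
    for item in env_value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_trusted(addr, nets):
    return _valid_ip(addr) and any(ipaddress.ip_address(addr) in net for net in nets)


def trusts_everything(nets):
    """True for an ACL such as 0.0.0.0/0 or ::/0, which makes every peer a 'proxy'."""
    return any(net.prefixlen == 0 for net in nets)


def effective_scheme(remote_addr, headers, nets):
    """Scheme the app believes it was reached on.

    The container's Apache only listens on plain :80, so unless the peer is a
    trusted proxy sending X-Forwarded-Proto: https the app concludes 'http' and
    emits http:// links, which the browser then blocks as mixed content.
    """
    if not is_trusted(remote_addr, nets):
        return "http"
    proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
    return proto if proto in ("http", "https") else "http"


def effective_client_ip(remote_addr, headers, nets):
    """Client IP the app will log, following the Symfony rule.

    Chain = X-Forwarded-For entries plus the real peer. Hops matching a trusted
    proxy are dropped and the rightmost remaining hop is the client. If every
    hop is trusted (the 0.0.0.0/0 case) the leftmost entry is used, and that
    entry is whatever the client itself wrote into the header.
    """
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    chain = [h for h in chain if _valid_ip(h)]
    chain.append(remote_addr)
    untrusted = [hop for hop in chain if not is_trusted(hop, nets)]
    return untrusted[-1] if untrusted else chain[0]


def diagnose(app_url, remote_addr, headers, env_trusted):
    """Summarise what one request looks like to the app and to the browser."""
    nets = parse_trusted_proxies(env_trusted)
    scheme = effective_scheme(remote_addr, headers, nets)
    host = headers.get("Host") or urlsplit(app_url).netloc
    return {
        "scheme": scheme,
        "client_ip": effective_client_ip(remote_addr, headers, nets),
        # Laravel's url()/asset() helpers build absolute links from the request
        # root (scheme + host), so this is the kind of link the page embeds.
        "asset_url": f"{scheme}://{host}/js/dist/all.js",
        "mixed_content": urlsplit(app_url).scheme == "https" and scheme == "http",
        "acl_too_permissive": trusts_everything(nets),
    }


if __name__ == "__main__":
    # Constructed: the ingress pod reaches the container from 8.17.0.141, the
    # browser sits at 203.0.113.7, and the ingress terminated TLS.
    via_ingress = {"Host": "snipeitdev.demo.io",
                   "X-Forwarded-Proto": "https",
                   "X-Forwarded-For": "203.0.113.7"}
    print(diagnose("https://snipeitdev.demo.io", "8.17.0.141", via_ingress, "8.17.0.0/16"))
    print(diagnose("https://snipeitdev.demo.io", "8.17.0.141", via_ingress, "10.0.0.0/8"))
    # Constructed: with 0.0.0.0/0 any pod on the network can forge both headers.
    forged = {"Host": "snipeitdev.demo.io",
              "X-Forwarded-Proto": "https",
              "X-Forwarded-For": "127.0.0.1, 198.51.100.9"}
    print(diagnose("https://snipeitdev.demo.io", "8.17.5.5", forged, "0.0.0.0/0"))
```

The three calls show the three situations in this thread: a CIDR that covers the ingress pods yields https links and the real client address; a CIDR that does not cover them yields http links (the mixed content warning) and logs the ingress pod as the client; 0.0.0.0/0 makes the warning go away but lets any peer, not just the ingress, dictate both the scheme and the logged client address. Compare the peer address in the container's access.log with the entries in APP_TRUSTED_PROXIES before widening the ACL.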

stale[bot] commented 4 years ago

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail. This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

stale[bot] commented 4 years ago

This issue has been automatically closed because it has not had recent activity. If you believe this is still an issue, please confirm that this issue is still happening in the most recent version of Snipe-IT and reply to this thread to re-open it.

PaulChristophel commented 3 years ago

Can this be reopened? I'm still seeing this problem with the helm chart.

hapm commented 3 years ago

If you know how to use the dev tools in your browser, use them to watch the network and look up the resources requested over http instead of https. Will probably be an image or something like that. Probably that helps to analyze the problem further.

myevit commented 1 year ago

Same issue

snipe commented 1 year ago

As mentioned in several other issues, you want to set APP_ALLOW_INSECURE_HOSTS to true. https://snipe-it.readme.io/docs/configuration#optional-misc

myevit commented 1 year ago

It is set to true


I have the warning "Uh oh! Snipe-IT thinks your URL is https:/xxxxx, but your real URL is http://xxxxx. Please update your APP_URL settings in your .env file" and a mixed content error in Chrome. Snipe-IT is just ignoring APP_URL.