tobybatch / kimai2

Docker containers for the kimai2 web application including docker-compose and kubernetes/helm deployment.
MIT License

Kimai with Traefik as reverse proxy redirects to http when only https is set-up in docker-compose.yml #548

Closed lustrant closed 6 months ago

lustrant commented 8 months ago

Hello, based on your compose/traefik/docker-compose.yml I have created my own docker-compose.yml file; however, I have commented out the section with the redirect from HTTP to HTTPS.

When accessing https://kimai.doma.pawouk I get redirected to http://kimai.doma.pawouk/cs_CZ/login where it's stuck, because I don't have Traefik configured to handle non-https requests at all.

When I enable the HTTP section, it works. However, I would like to have it without HTTP completely. Is it possible at all?

My docker-compose.yml is as follows

version: '3.5'
services:

  kimai:
    image: kimai/kimai2:apache-latest
    environment:
      APP_ENV: prod
      ADMINMAIL: ${KIMAI_ADMIN_MAIL}
      ADMINPASS: ${KIMAI_ADMIN_PASS}
      DATABASE_URL: mysql://${SQL_USER_NAME}:${SQL_USER_PASS}@${SQL_DB_HOST}/${SQL_DB_NAME}
      TRUSTED_HOSTS: nginx,localhost,127.0.0.1,traefik,kimai.${HOST}
      TRUSTED_PROXIES: nginx,localhost,127.0.0.1,traefik,kimai.${HOST}
      memory_limit: 500M
    networks:
      - sit-databaze
      - sit-proxy
    volumes:
      - ${PWD}/data/public:/opt/kimai/public
      # - var:/opt/kimai/var
      # - ./ldap.conf:/etc/openldap/ldap.conf:z
      # - ./ROOT-CA.pem:/etc/ssl/certs/ROOT-CA.pem:z
    restart: unless-stopped
    labels:
      traefik.enable: true
      traefik.docker.network: sit-proxy

      # HTTP -> HTTPS redirect middleware  -- DISABLED
#      traefik.http.routers.kimai-redirect.entrypoints: web
#      traefik.http.routers.kimai-redirect.rule: Host(`kimai.${HOST}`)
#      traefik.http.routers.kimai-redirect.middlewares: httpsredirect
#      traefik.http.middlewares.httpsredirect.redirectscheme.scheme: https

      # HTTPS -> Service router
      traefik.http.routers.kimai.entrypoints: websecure
      traefik.http.routers.kimai.rule: Host(`kimai.${HOST}`)
      traefik.http.routers.kimai.tls: true
      traefik.http.routers.kimai.service: kimai

      # Service
      traefik.http.services.kimai.loadbalancer.server.port: 8001
      traefik.http.services.kimai.loadbalancer.server.scheme: http
      traefik.http.services.kimai.loadbalancer.passHostHeader: true

networks:
  sit-proxy:
    external: true
  sit-databaze:
    external: true

My .env file is as follows

HOST=doma.pawouk

KIMAI_ADMIN_MAIL=admin@kimai.local
KIMAI_ADMIN_PASS=changemeplease

SQL_DB_HOST=mariadb
SQL_DB_NAME=kimai

SQL_USER_NAME=kimai
SQL_USER_PASS=password

kevinpapst commented 8 months ago

Kimai needs to know that it is running at https, so your proxy needs to set the correct headers: https://www.kimai.org/documentation/webserver-configuration.html#reverse-proxy

tobybatch commented 8 months ago

I'll add those to the example set up

lustrant commented 8 months ago

I believe Traefik emits them correctly; I hacked the entrypoint index.php and added the var_dump()

<?php

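// Debug only: dump the request/server variables and the environment,
// then stop before Kimai boots.
var_dump($_SERVER, $_ENV);
exit();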

use App\Kernel;

require_once dirname(__DIR__).'/vendor/autoload_runtime.php';

return function (array $context) {
    return new Kernel($context['APP_ENV'], (bool) $context['APP_DEBUG']);
};

OUTPUT


array(59) {
  ["REDIRECT_MAILER_FROM"]=>
  string(17) "kimai@example.com"
  ["REDIRECT_APP_ENV"]=>
  string(4) "prod"
  ["REDIRECT_APP_SECRET"]=>
  string(31) "change_this_to_something_unique"
  ["REDIRECT_DATABASE_URL"]=>
  string(48) "mysql://kimai:g1uFYKq9gaalginEVE5a@mariadb/kimai"
  ["REDIRECT_MAILER_URL"]=>
  string(16) "null://localhost"
  ["REDIRECT_TRUSTED_PROXIES"]=>
  string(51) "nginx,localhost,127.0.0.1,traefik,kimai.doma.pawouk"
  ["REDIRECT_TRUSTED_HOSTS"]=>
  string(51) "nginx,localhost,127.0.0.1,traefik,kimai.doma.pawouk"
  ["REDIRECT_STATUS"]=>
  string(3) "200"
  ["MAILER_FROM"]=>
  string(17) "kimai@example.com"
  ["APP_ENV"]=>
  string(4) "prod"
  ["APP_SECRET"]=>
  string(31) "change_this_to_something_unique"
  ["DATABASE_URL"]=>
  string(48) "mysql://kimai:g1uFYKq9gaalginEVE5a@mariadb/kimai"
  ["MAILER_URL"]=>
  string(16) "null://localhost"
  ["TRUSTED_PROXIES"]=>
  string(51) "nginx,localhost,127.0.0.1,traefik,kimai.doma.pawouk"
  ["TRUSTED_HOSTS"]=>
  string(51) "nginx,localhost,127.0.0.1,traefik,kimai.doma.pawouk"
  ["HTTP_HOST"]=>
  string(17) "kimai.doma.pawouk"
  ["HTTP_USER_AGENT"]=>
  string(111) "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
  ["HTTP_ACCEPT"]=>
  string(135) "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
  ["HTTP_ACCEPT_ENCODING"]=>
  string(17) "gzip, deflate, br"
  ["HTTP_ACCEPT_LANGUAGE"]=>
  string(14) "cs-CZ,cs;q=0.9"
  ["HTTP_COOKIE"]=>
  string(49) "PHPSESSID=2hqvtjskfnkui8njqs1s137i3q; K2P=desktop"
  ["HTTP_DNT"]=>
  string(1) "1"
  ["HTTP_SEC_CH_UA"]=>
  string(58) ""Chromium";v="114", "Not.A/Brand";v="8", "Vivaldi";v="6.1""
  ["HTTP_SEC_CH_UA_MOBILE"]=>
  string(2) "?0"
  ["HTTP_SEC_CH_UA_PLATFORM"]=>
  string(9) ""Windows""
  ["HTTP_SEC_FETCH_DEST"]=>
  string(8) "document"
  ["HTTP_SEC_FETCH_MODE"]=>
  string(8) "navigate"
  ["HTTP_SEC_FETCH_SITE"]=>
  string(4) "none"
  ["HTTP_UPGRADE_INSECURE_REQUESTS"]=>
  string(1) "1"
  ["HTTP_X_FORWARDED_FOR"]=>
  string(11) "192.168.2.3"
  ["HTTP_X_FORWARDED_HOST"]=>
  string(17) "kimai.doma.pawouk"
  ["HTTP_X_FORWARDED_PORT"]=>
  string(3) "443"
  ["HTTP_X_FORWARDED_PROTO"]=>
  string(5) "https"
  ["HTTP_X_FORWARDED_SERVER"]=>
  string(7) "traefik"
  ["HTTP_X_REAL_IP"]=>
  string(11) "192.168.2.3"
  ["PATH"]=>
  string(60) "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  ["SERVER_SIGNATURE"]=>
  string(80) "<address>Apache/2.4.38 (Debian) Server at kimai.doma.pawouk Port 8001</address>
"
  ["SERVER_SOFTWARE"]=>
  string(22) "Apache/2.4.38 (Debian)"
  ["SERVER_NAME"]=>
  string(17) "kimai.doma.pawouk"
  ["SERVER_ADDR"]=>
  string(10) "10.120.4.2"
  ["SERVER_PORT"]=>
  string(4) "8001"
  ["REMOTE_ADDR"]=>
  string(11) "10.120.4.15"
  ["DOCUMENT_ROOT"]=>
  string(17) "/opt/kimai/public"
  ["REQUEST_SCHEME"]=>
  string(4) "http"
  ["CONTEXT_PREFIX"]=>
  string(0) ""
  ["CONTEXT_DOCUMENT_ROOT"]=>
  string(17) "/opt/kimai/public"
  ["SERVER_ADMIN"]=>
  string(19) "webmaster@localhost"
  ["SCRIPT_FILENAME"]=>
  string(27) "/opt/kimai/public/index.php"
  ["REMOTE_PORT"]=>
  string(5) "41704"
  ["REDIRECT_URL"]=>
  string(1) "/"
  ["GATEWAY_INTERFACE"]=>
  string(7) "CGI/1.1"
  ["SERVER_PROTOCOL"]=>
  string(8) "HTTP/1.1"
  ["REQUEST_METHOD"]=>
  string(3) "GET"
  ["QUERY_STRING"]=>
  string(0) ""
  ["REQUEST_URI"]=>
  string(1) "/"
  ["SCRIPT_NAME"]=>
  string(10) "/index.php"
  ["PHP_SELF"]=>
  string(10) "/index.php"
  ["REQUEST_TIME_FLOAT"]=>
  float(1697124435.05769)
  ["REQUEST_TIME"]=>
  int(1697124435)
}
array(0) {
}
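
An added diagnostic, not part of the original thread and not Kimai's or Symfony's code: it takes the `REMOTE_ADDR`, `REQUEST_SCHEME`, `X-Forwarded-Proto` and `TRUSTED_PROXIES` values from the dump above and models the usual trusted-proxy rule, where forwarded headers are honoured only if the directly connected peer matches an IP or CIDR entry. The IP-only matching model, the function names and the `10.120.4.0/24` range are assumptions made for illustration.

```python
import ipaddress

def peer_is_trusted(remote_addr, trusted_proxies):
    """Return the TRUSTED_PROXIES entry that matches remote_addr, or None."""
    peer = ipaddress.ip_address(remote_addr)
    for entry in (e.strip() for e in trusted_proxies.split(",")):
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Hostname such as "traefik": not an IP/CIDR, so under the
            # assumed IP-only matching it can never match a peer address.
            continue
        if peer.version == net.version and peer in net:
            return entry
    return None

def effective_scheme(server, trusted_proxies):
    """Scheme the application sees for a request described by `server`."""
    direct = server.get("REQUEST_SCHEME", "http")
    if peer_is_trusted(server["REMOTE_ADDR"], trusted_proxies) is None:
        return direct  # peer not trusted: X-Forwarded-* is ignored
    # Use the first value if the header carries a comma-separated list.
    proto = server.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    return proto if proto in ("http", "https") else direct

# Values copied from the var_dump() output in the thread.
DUMP = {
    "REMOTE_ADDR": "10.120.4.15",
    "REQUEST_SCHEME": "http",
    "HTTP_X_FORWARDED_PROTO": "https",
}
POSTED = "nginx,localhost,127.0.0.1,traefik,kimai.doma.pawouk"
# Constructed value: a range assumed to cover the proxy's Docker network.
NARROWED = "127.0.0.1,10.120.4.0/24"

if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("narrowed", NARROWED)):
        print(label, "matched:", peer_is_trusted(DUMP["REMOTE_ADDR"], value),
              "scheme:", effective_scheme(DUMP, value))
```

Under this model a trusted range should cover only the network the proxy connects from, since any peer inside it can assert `https` on the application's behalf.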

lustrant commented 6 months ago

Hello, apparently a similar bug has been opened directly for Kimai:

https://github.com/kimai/kimai/issues/4533

So it seems it's really a problem with the Kimai code.