Https issue behind reverse proxy (traefik) #5

Open
xfouloux opened this issue May 11, 2021 · 9 comments

@xfouloux

xfouloux commented May 11, 2021

Hello,

Has anyone successfully put this behind a reverse proxy?

I'm putting it behind Traefik, but as the Traefik entrypoint is HTTPS and gip is HTTP, there are issues, as the generated code calls the CSS in forced HTTP:

Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.

I tried to put the container in SSL, but then I have login issues (using LDAP).

Is there something doable around that?

I think the issue is in the code, calling files with a leading "/" instead of "//" or nothing even:

<link rel="stylesheet" href="/css/bootstrap/bootstrap.min.css">
to
<link rel="stylesheet" href="css/bootstrap/bootstrap.min.css">

would work

Thanks

@toninog

toninog commented May 20, 2021

bump

@jthop

jthop commented Oct 8, 2022

bump

@vkhatuwala

I solved this with the following options in .env:

USE_SSL="yes"
CONTAINER_PORT="443"
HOST_PORT="1443"

I generated self-signed certificates and mounted them as volumes with the following docker-compose:

volumes:
  - ./apache/certs:/etc/apache2/ssl/certs
  - ./apache/keys:/etc/apache2/ssl/keys

In your reverse proxy, such as nginx, and assuming it's running on the same host:

proxy_pass https://127.0.0.1:1443;

@cairoapcampos

@vkhatuwala Was this the only way you got it? I want to use reverse proxy with Nginx.

@vkhatuwala

@cairoapcampos I am also using nginx reverse proxy as per my example.

@cairoapcampos

@vkhatuwala I did the same as you and got the error: 401 Unauthorized. Did you set SERVER_NAME?

@cairoapcampos

I found that when I disabled proxy_intercept_errors on in the Nginx reverse proxy, the 401 error disappears. I can log in, but the page doesn't load the menus correctly.

@geektbee

@xfouloux said:

Has anyone successfully put this behind a reverse proxy?

I'm putting it behind Traefik, but as the Traefik entrypoint is HTTPS and gip is HTTP, there are issues, as the generated code calls the CSS in forced HTTP:

Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.

I tried to put the container in SSL, but then I have login issues (using LDAP).

Is there something doable around that?

Hiya!
We seem to have found a solution to the LDAP issue when "USE_SSL = 'Yes'", whether it's behind a reverse proxy or not.
(We are on NGINX at the time of this discovery and writing.)

We've put it into our internal documentation to copy-paste-run the following lines in the docker console for the container after it's deployed and running:

sed -i "s|AuthFormProvider file|AuthFormProvider file ldap|g" /etc/apache2/sites-available/gestioip.conf
sed -i "s|AuthUserFile /etc/apache2/users-gestioip|AuthUserFile /usr/share/gestioip/etc/apache/users-gestioip|g" /etc/apache2/sites-available/gestioip.conf
sed -i "s|ErrorDocument 401 /login/login.html|ErrorDocument 401 /gestioip/login/login.html|g" /etc/apache2/sites-available/gestioip.conf
sed -i "s|ErrorDocument 403 /errors/error403.html|ErrorDocument 403 /gestioip/errors/error403.html|g" /etc/apache2/sites-available/gestioip.conf
sed -i "s|ErrorDocument 404 /errors/error404.html|ErrorDocument 404 /gestioip/errors/error404.html|g" /etc/apache2/sites-available/gestioip.conf
sed -i "s|ErrorDocument 500 /errors/error500.html|ErrorDocument 500 /gestioip/errors/error500.html|g" /etc/apache2/sites-available/gestioip.conf
sed -i "s|AuthFormLogoutLocation /login/logout.cgi|AuthFormLogoutLocation /gestioip/login/logout.cgi|g" /etc/apache2/sites-available/gestioip.conf
service apache2 restart

This is basically updating the gestioip.conf file to more closely reflect its original self when USE_SSL was set to No before enabling it to Yes. There are a few other lines in the No version that we didn't pull over, like LimitRequestLine, TimeOut, and Require ip; but that hasn't seemed to have a negative effect on our setup (yet, teehee!).

I hope that can help someone else out there that's fighting with Docker + GestioIP + LDAP + SSL + Reverse Proxy.
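
Added example (not part of the comment above or of the project): the same substitutions wrapped in a function that is safe to run more than once. As posted, running the first sed a second time yields "AuthFormProvider file ldap ldap"; the function names, the .bak suffix and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Idempotent form of the sed edits from the comment above (added example).

patch_gestioip_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    tmp=$(mktemp) || return 2
    # Same substitutions as in the comment. The first is guarded so a second
    # run cannot append "ldap" again; the others stop matching once applied.
    sed \
      -e '/AuthFormProvider file ldap/!s|AuthFormProvider file|AuthFormProvider file ldap|g' \
      -e 's|AuthUserFile /etc/apache2/users-gestioip|AuthUserFile /usr/share/gestioip/etc/apache/users-gestioip|g' \
      -e 's|ErrorDocument 401 /login/login.html|ErrorDocument 401 /gestioip/login/login.html|g' \
      -e 's|ErrorDocument 403 /errors/error403.html|ErrorDocument 403 /gestioip/errors/error403.html|g' \
      -e 's|ErrorDocument 404 /errors/error404.html|ErrorDocument 404 /gestioip/errors/error404.html|g' \
      -e 's|ErrorDocument 500 /errors/error500.html|ErrorDocument 500 /gestioip/errors/error500.html|g' \
      -e 's|AuthFormLogoutLocation /login/logout.cgi|AuthFormLogoutLocation /gestioip/login/logout.cgi|g' \
      "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"; echo unchanged; return 0
    fi
    cp -p "$conf" "$conf.bak"   # keep the pre-edit file for rollback
    cat "$tmp" > "$conf"        # overwrite contents, keep owner and mode
    rm -f "$tmp"
    echo patched
}

# Constructed sample of the directives the comment edits (not the real file).
make_sample_conf() {
    cat > "$1" <<'EOF'
AuthFormProvider file
AuthUserFile /etc/apache2/users-gestioip
ErrorDocument 401 /login/login.html
ErrorDocument 403 /errors/error403.html
AuthFormLogoutLocation /login/logout.cgi
EOF
}

# Inside the container (not run here), validate before restarting:
#   patch_gestioip_conf /etc/apache2/sites-available/gestioip.conf \
#     && apache2ctl configtest && service apache2 restart
```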

@shark0x00

If you are running this application behind a reverse proxy that is also handling SSL, then you can just change the URL writing. For this to happen, just change the default variable called "server_proto" to "https" like in the example below. This configuration shouldn't have an impact on the Apache Web server itself.

# /var/www/html/gestioip/modules/GestioIP.pm

sub get_server_proto {
        my $self = shift;
        # Default changed to "https" so generated URLs use HTTPS behind the proxy
        my $server_proto = "https";
        if ( $ENV{HTTPS} ) {
               $server_proto = "https" if $ENV{HTTPS} =~ /on/i;
        }
        return $server_proto;
}
