Cachet: ssl proxy support (partly) broken?

Created on 16 Aug 2015  路  13Comments  路  Source: CachetHQ/Cachet

i have cachet running inside docker on port 8000. on the docker host, in front of it i have an apache ssl proxy.

<VirtualHost *:443>
  ServerName status.example.com

  ProxyPreserveHost On
  RequestHeader set X-Forwarded-Proto "https"

  <Location />
    Require all granted
    ProxyPass        http://127.0.0.1:8000/
    ProxyPassReverse http://127.0.0.1:8000/
  </Location>

  ProxyVia Off

  SSLEngine on
  SSLCertificateFile    ssl/status.example.com.crt
  SSLCertificateKeyFile ssl/status.example.com.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

now i do curl -v https://status.example.com/ and get:

< HTTP/1.1 302 Found
< Server: nginx/1.6.2
< Content-Type: text/html; charset=UTF-8
< Cache-Control: no-cache
< Location: http://status.example.com/setup
< Transfer-Encoding: chunked
<
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="1;url=http://status.example.com/setup" />

        <title>Redirecting to http://status.example.com/setup</title>
    </head>
    <body>
        Redirecting to <a href="http://status.example.com/setup">http://status.example.com/setup</a>.
    </body>
</html>

if the issue is the trusted proxy configuration, there should be an easy way to add yourself to the list of trusted proxies. not everybody is just using cloudflare.

however, the app should _always_ consider the X-FORWARDED_PROTO header and properly redirect.

now i don't know laravel enough but i think this might even be an upstream issue because friends over at ruby on rails to this automatically.

All 13 comments

What do you think @GrahamCampbell?

Not broken. It's like this for security reasons.

for security reasons, cachet won't redirect to an _encrypted_ connection?
for security reasons, i have to use cloudflare?

cachet does not respect X_FORWARDED_FOR?

in fact, for security reasons, cachet redirects me from https to http?

can somebody please point me to a solution? how to keep the https protocol across redirects? @jbrooksuk @GrahamCampbell

@glaszig @jbrooksuk Was this issue ever addressed? I was having the exact same problem with haproxy.
I had to set my Dockerfile to override this config file with my own addresses for cachet to work behind haproxy.

This isn't anything that I've had experience with I'm afraid @aksalj.

@aksalj no because this is for security reasons, obviously...

@jbrooksuk if you're running on docker, you most likely have a proxy in front of it because there might be many web services running on one docker host.
do that, enforce https and watch that magic happen.

disclaimer: turned my back on cachet since posting this issue.

disclaimer: turned my back on cachet since posting this issue.

Ok :)

So it sounds like from this thread that you cannot put a haproxy in front of your cachet docker container and have it redirect from http to https?... Is this true? I don't want to go down this path of trying to install if this functionality is not there.

You can add to ./config/trustedproxies.php I think?

I was having this issue with nginx fronting Cachet in a docker-compose situation. My solution ended up being this:

docker-compose.yml
...

volumes:
      - "./volumes/cachet/config/trustedproxy.php:/var/www/html/config/trustedproxy.php"

...

trustedproxy.php
...

    // all Docker subnets
    'proxies' => [
        '172.0.0.0/8',
    ],

...

For those just running on a private network, from a private network, you can add these addresses and you'll be fine.

192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

The 172.0.0.0/8 is wrong and will include some ip addresses that are actually public.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

GrahamCampbell picture GrahamCampbell  路  3Comments

brianjking picture brianjking  路  4Comments

gn-ley picture gn-ley  路  5Comments

vesper8 picture vesper8  路  6Comments

doreplado picture doreplado  路  6Comments