plankanban / planka

The realtime kanban board for workgroups built with React and Redux.

Home Page: https://planka.app

SSL error behind Nginx proxy

satoshinotdead opened this issue · comments

I followed the example (as per the documentation) and verified that the container is running well on localhost. However, I can't connect to it from my domain, even though I've set up the certificates and DNS correctly.

What could be causing this issue? Is there a variable or configuration, such as VIRTUAL_HOSTNAME that I need to set?

Thanks!

Same thing here, can't get it to work through https

I just set up Planka behind an nginx (reverse) proxy with TLS termination at the proxy level. Both planka and nginx are containers inside the same docker network. I use letsencrypt certificates created by certbot in another container.

Here are the relevant snippets that I changed. Btw, I set up Planka to be available behind a specific <path>, i.e. https://<domain>/<path>/. As far as I can tell, this setup seems to work, although some optimization regarding the official documentation might be needed, but this should be a good starting point.

nginx.conf

server {
    listen 443 ssl;
    server_name <domain>;

    ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location /<path>/ {
        proxy_pass http://<planka-container>:1337;
        rewrite ^/<path>/(.*)$ /$1 break;
    }
}

docker-compose.yml

services:
  planka-app:
    container_name: <planka-container>
    ...
    environment:
      - BASE_URL=https://<domain>/<path>

I'm still getting a wrong certificate error with that configuration. I'm using a subdomain and have tried both localhost and the container IP.

I suspect the issue is that the docs assume everyone is using a Docker container for Nginx, which isn't true for all of us. I prefer to host Nginx on the host machine to reduce attack vectors.

I run Planka on my local network behind Nginx on a different host. I could not find good documentation on it and I was running into the cross-site blocking errors. I had also run into the SSL cert error previously, but it was due to using rewrite.

Below is my configuration for the proxy serving Planka; it does not give me a cert error and does not give me grief with cross-site origin. You will also need to do the following:

  • Set BASE_URL in docker-compose.yml to https://<proxy_domain> not to the <upstream_host>:<port>
  • Adjust any paths in the configuration to fit your deployment

In the end the BASE_URL was what was giving me grief for the cross-site issue, so some of the header directives could be unnecessary, I just haven't got around to removing them one by one to see if it breaks.

To note: I run bind on my network for resolving my LAN domains, you will run into issues if your cert is signed against a certain domain and you try to use it with an IP address as your <proxy_domain>.

upstream <upstream_host> {
        server <upstream_host>:<port>;
        keepalive 32;
}

server {
        listen 443 ssl; # managed by Certbot
        server_name <proxy_domain>;

        ssl_certificate /etc/letsencrypt/live/<proxy_domain>/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/<proxy_domain>/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        access_log /var/log/nginx/<proxy_domain>_access.log;
        error_log /var/log/nginx/<proxy_domain>_error.log error;

        location / {
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Host $host:$server_port;
                proxy_set_header X-Forwarded-Proto $scheme;
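                proxy_set_header X-Frame-Options SAMEORIGIN; # sets a request header toward the upstream; it does not add X-Frame-Options to responses (that is add_header)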
                proxy_set_header X-Scheme $scheme;
                proxy_http_version 1.1;
                proxy_pass http://<upstream defined above>;
                proxy_pass_header Server;
                proxy_pass_request_headers on;
        }

        location /socket.io/ {
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Host $host:$server_port;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Scheme $scheme;
                proxy_http_version 1.1;
                proxy_pass http://<upstream defined above>;
                proxy_pass_header Server;
        }
}

I hope this helps you and anyone else struggling with running Planka behind an external Nginx server.

Hey, thanks for following up.

I tried your configuration (removing a few headers and adding new ones) and it is still not working. I renewed the certificates and restarted everything as well.

Please, can you reformulate this?

To note: I run bind on my network for resolving my LAN domains, you will run into issues if your cert is signed against a certain domain and you try to use it with an IP address as your <proxy_domain>.

I suspect the issue is related to this and not to the Nginx configuration, which appears to be a commonly used template.

When you request a certificate from a signing authority it will either be a wildcard certificate, which can be used for any sub-domain and the primary domain, or for a specific (sub-)domain. If you have self-signed the certificate it needs to be, again, a wildcard or for a specific IP address/(sub-domain). You will also need the full chain (your cert -> intermediates -> root) as well as the private key.

So in other words, the certificate you are using needs to be signed in a way that it is valid for the value of <proxy_domain> used in server_name <proxy_domain>.
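
The two checks this thread keeps coming back to (BASE_URL must name the proxy's public https URL, and the certificate must cover the server_name value, with an IP address never matching a DNS-only certificate), as an added example that is not part of the original thread or of Planka. The host names, addresses and function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def san_covers(host, sans):
    """True if host matches a SAN entry; sans uses the (kind, value) pairs
    that ssl.SSLSocket.getpeercert() returns under 'subjectAltName'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            # An IP literal is only ever matched against IP SAN entries.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            want, have = host.lower().rstrip("."), value.lower().rstrip(".")
            if have.startswith("*."):
                # A wildcard stands for exactly one left-most label.
                label, _, parent = want.partition(".")
                if label and parent == have[2:]:
                    return True
            elif want == have:
                return True
    return False

def check_deployment(base_url, server_name, sans):
    """Return a list of mismatches between BASE_URL, server_name and the cert."""
    problems = []
    url = urlsplit(base_url)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        problems.append("BASE_URL is not https although TLS ends at the proxy")
    if host != server_name.lower():
        problems.append(f"BASE_URL host {host!r} is not server_name {server_name!r}")
    if not san_covers(server_name, sans):
        problems.append(f"certificate has no SAN entry covering {server_name!r}")
    return problems

# Constructed sample values (not taken from the thread).
SANS = (("DNS", "planka.example.org"),)
if __name__ == "__main__":
    for base_url, name in [("https://planka.example.org", "planka.example.org"),
                           ("http://192.0.2.10:3000", "planka.example.org"),
                           ("https://192.0.2.10", "192.0.2.10")]:
        print(base_url, name, check_deployment(base_url, name, SANS) or "ok")
```
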

Thanks! This solved my mixed-content issue like a charm.

Thanks, I'm using Let's Encrypt and signing certificates for each subdomain. I'm hosting ~30 services and that's the only one facing this SSL issue.

I'm sadly moving to another service because I tried a lot of modifications without success.

@satoshinotdead

I would suggest you follow the following links one after the other.

https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04

https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-20-04

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04

However, you must ensure that the following have been achieved before you start.

  1. The Host has permissions to allow port 80 and 443
  2. The A Record (and maybe CNAME) for the desired Domain Name (or Sub Domain) has been configured and it is resolving properly.

@marigbede Thanks for the information, I prefer to use the official docs and skip the hosting providers' ones.

I have more than 50 services running. The issue I posted (and a few folks around) is related to the Planka architecture and has nothing to do with installing Nginx and/or Docker.

@satoshinotdead Nice going. The documentation does not bind you to Digital Ocean because I have used those steps in all manner of places. I can take a look at your issue if you would like and if for nothing, just another fresh pair of eyes perspective.

@marigbede thanks man, I'm just trying to figure it out.

My configuration is Nginx as Proxy and docker-compose Planka container.

I don't want to containerize Nginx and I usually proxy from it to localhost and port exposed from docker (to localhost or using upstream to container IP).

I understand that's the base for everything else but I see that not everyone hosts their files and/or manages their own servers. Maybe I'm wrong but I think there is a corporate standard that doesn't fit all of us.

I like to be simple when managing my stuff. So, if I have Nginx then I don't want an application bloated with another instance of Nginx.

Tried to use localhost and docker IP like upstream and proxied. Perhaps I need to expose the ports from Planka to localhost?

Planka is asking for Javascript on curl (that's OK, it's working) but it is impossible to proxy to it.

Hi,
Planka is working just fine with a normally installed NGINX. 
I do it the same way in the Planka installer. 

Here is the config: https://github.com/plankanban/planka-installer/blob/main/config/nginx-planka.conf.
That configuration is working just fine on a freshly installed nginx (Debian, Ubuntu, and CentOS)

You just need to add a cert (the certbot will be your friend).

I wrote it so often in the issues, but here again: You need to adjust the BASE_URL=https://your.domain.tld