
Example SSL setup for Nginx/Apache with certbot... #392

Open
corepay opened this issue Dec 4, 2019 · 8 comments

Comments

@corepay

corepay commented Dec 4, 2019

Example SSL setup for Nginx/Apache with certbot...

Problem

4+ hours trying to figure out how to get NGINX to serve app via SSL. Can reach site using https:// now but getting Maintenance mode. Been stuck for a long time banging the keyboard and kicking the dog.

Tried Caddy but that blew up the Internet it was so wrong.

Using Digital Ocean One-Click Install (perfect!). IMO if you provide an installation for a public site, good security citizenship would be to walk dummies like me through securing our installations to thwart hackers and protect the universe.

BTW - I love, love, love FusionAuth. It is very polished, complete as far as I can tell and am excited to use this in my dream apps...thank you.

Solution

Sample generic APACHE and NGINX configuration with certbot - ideally in docker-compose and part of one-click... think about Caddy also :)

Alternatives/workarounds

Additional context

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

@robotdan
Member

robotdan commented Dec 4, 2019

Thanks for the suggestion @corepay - sorry about your dog. :-)

Glad you're enjoying FusionAuth. This is a great suggestion.

The website and documentation are all open source. You are also welcome to submit a PR.
https://github.com/FusionAuth/fusionauth-site

@corepay
Author

corepay commented Dec 4, 2019

Fast reply - been noticing that....

So I just got it working 5 minutes ago. Following is an NGINX setup post-certbot:

#Setup upstream for backend server

upstream auth {
    server 127.0.0.1:9011;
    keepalive 8;
}

#The Nginx server instance

server {
    server_name auth.example.io;
    access_log /var/log/nginx/example.com.log;

    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      # proxy_set_header X-NginX-Proxy true;
      proxy_set_header X-Forwarded-Port "443";
      proxy_set_header X-Forwarded-Proto "https";

      proxy_pass http://auth/;
      proxy_redirect off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/auth.example.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/auth.example.io/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = auth.example.io) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 0.0.0.0:80;
    server_name auth.example.io;
    return 404; # managed by Certbot
}

Not going to PR - I don't know enough to put code out there myself in the vulnerable position of experienced server admins exposing me...

Be looking forward to seeing a docker-compose setup if/when you guys get around it. Eventually want everything scripted....

Thanks!

@jerryhopper

jerryhopper commented Jan 11, 2020

In my home environment I use virtualmin (apache) for simple webhosting + SSL.
I have configured a virtualhost that proxies requests to a fusionauth instance.

This is the Apache configuration I'm using.

RequestHeader unset Host

RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Host "idp.yourserver.ext"
ProxyPass /.well-known !
ProxyPass / http://fusionauth:9011/
ProxyPassReverse / http://fusionauth:9011/


The "/.well-known" proxy-exception is to facilitate certbot's validation.

Without the "RequestHeader unset Host" I experienced 500 server errors in the adminBackend of fusionAuth. (I'm not sure, yet I think #88 might benefit from this knowledge.)

I hope this helps people setting up FA behind Apache.

Nginx

I'm not a primary nginx user, but I've noticed there are some issues that seem header-related.

In issue #406 @JesperWe suggests the use of 'proxy_redirect http:// https://;' when having issues with the redirect-url. #406 (comment)

So it seems there are a few caveats when running behind apache/nginx that need to be documented.
I'm no expert on either engine; maybe someone with more thorough knowledge of nginx/apache could shine a light on these config suggestions.

@gregoriopellegrino

I've set up nginx as @corepay suggested. It seems to work ok, but I get an error in Chrome when, after the login in an iframe, the authentication redirects to http, instead of https.

@gregoriopellegrino

Solved following #406 (comment)
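The nginx and Apache configs above both forward X-Forwarded-Proto, X-Forwarded-Port and a host header so that FusionAuth can rebuild the URL the browser actually used; the redirect to http instead of https reported just above is what a proxied backend produces when that information does not reach it. The following is an added example, not FusionAuth code and not from any commenter in this thread: a Python function that performs that reconstruction the way a backend behind a reverse proxy has to, and honours the forwarded headers only when the connection comes from a trusted proxy address (the `TRUSTED_PROXIES` set, the sample header dictionaries and the peer addresses are constructed for this example).

```python
"""Rebuild the externally visible base URL from X-Forwarded-* headers.

Added example (not FusionAuth code). The backend sees a plain-HTTP
connection on 127.0.0.1:9011; every absolute URL it emits (Location
headers, redirect_uri values) is wrong unless the proxy tells it the
public scheme, host and port.
"""
from urllib.parse import urlsplit

# Assumption for this example: only a proxy on the same host may set the
# X-Forwarded-* headers. Anyone else on the wire could set them too, so
# they are ignored unless the TCP peer is in this set.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def public_base_url(headers, peer_ip, local_base="http://127.0.0.1:9011"):
    """Return scheme://host[:port] as the browser used it.

    headers    -- request headers as received by the backend (any case)
    peer_ip    -- address of the TCP peer that delivered the request
    local_base -- what the backend would compute from its own socket
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    local = urlsplit(local_base)
    scheme, host, port = local.scheme, local.hostname, local.port
    host_hdr = h.get("host", "")
    fwd_port = None

    if peer_ip in TRUSTED_PROXIES:
        # Apache/nginx may append to an existing list; take the first value.
        proto = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if proto in DEFAULT_PORTS:
            scheme = proto
            port = DEFAULT_PORTS[proto]
        # X-Forwarded-Host (the Apache config) beats Host (the nginx config
        # passes $http_host through instead).
        fwd_host = h.get("x-forwarded-host", "").split(",")[0].strip()
        if fwd_host:
            host_hdr = fwd_host
        p = h.get("x-forwarded-port", "")
        if p.isdigit():
            fwd_port = int(p)

    if host_hdr:
        parts = urlsplit("//" + host_hdr)
        if parts.hostname:
            host = parts.hostname
            # A host header without an explicit port means the scheme default.
            port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    if fwd_port is not None:
        port = fwd_port

    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}"


# Constructed header sets mirroring the two configs in this thread.
NGINX_HEADERS = {                      # corepay's nginx location block
    "Host": "auth.example.io",
    "X-Forwarded-For": "198.51.100.7",
    "X-Forwarded-Port": "443",
    "X-Forwarded-Proto": "https",
}
NGINX_WITHOUT_PROTO = {"Host": "auth.example.io"}   # the header left out
APACHE_HEADERS = {                     # jerryhopper's Apache virtualhost
    "Host": "fusionauth:9011",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
    "X-Forwarded-Host": "idp.yourserver.ext",
}
SPOOFED_HEADERS = {                    # forwarded headers from a non-proxy
    "Host": "127.0.0.1:9011",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "attacker-controlled.invalid",
}

if __name__ == "__main__":
    print(public_base_url(NGINX_HEADERS, "127.0.0.1"))        # https://auth.example.io
    print(public_base_url(NGINX_WITHOUT_PROTO, "127.0.0.1"))  # http://auth.example.io
    print(public_base_url(APACHE_HEADERS, "::1"))             # https://idp.yourserver.ext
    print(public_base_url(SPOOFED_HEADERS, "203.0.113.5"))    # http://127.0.0.1:9011
```

The second case is the symptom from the comment above: the host is right but the scheme falls back to what the socket says, so any redirect the backend builds starts with http://. The last case shows why the trusted-proxy check matters: forwarded headers arriving from anywhere other than the proxy are dropped, so a direct connection to port 9011 cannot make the backend emit links to a host of the sender's choosing.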

@gjdass

gjdass commented May 11, 2020

Hello guys.

Thanks for the nginx config, tested it and seems to work so far on my homologation cloud instance.

Two problems:

  • my cloud provider blocks outgoing SMTP (to avoid mail bombers I guess) and will enable it soon for me, nothing to do with FusionAuth so far
  • Nginx configuration must still miss something because I discovered with this SMTP stuff that the error is not well rendered by the UI

Using nginx with my subdomain and SSL (self-signed certif though):

[screenshot]
[screenshot]

If I hit the IP directly, without SSL (so without nginx redirecting anything):

[screenshot]
and the console is clean, no JS error.

Nginx is showing one interesting log line (I changed sensitive data obviously, but mail address and server names are all right) in errors.log:

2020/05/11 19:17:56 [error] 19796#19796: *341 upstream timed out (110: Connection timed out) while reading response header from upstream, client: xx.xx.xx.xx, server: sso.hom-1.xxxxxx.com, request: "POST /ajax/tenant/smtp/test?email=email_address%40gmail.com HTTP/1.1", upstream: "http://[::1]:9011/ajax/tenant/smtp/test?email=email_address%40gmail.com", host: "sso.hom-1.xxxxxx.com", referrer: "https://sso.hom-1.xxxxxxx.com/admin/tenant/edit?tenantId=e94ff3e7-46f9-4233-07e2-7ce1e7da0f06"

Maybe it's in fact a normal behavior from Nginx (I suppose it's normal to time out when you cannot reach what you want ... in this case, SMTP server), but the FusionAuth behavior is still not the same though, it does not error gracefully with nginx.

For information:

  • runs on debian server >> docker
  • behind nginx (exact same config @corepay posted, except server_name of course)
  • SMTP outgoing forbidden by the cloud provider

Any idea where it could come from?

Posting just in case.

@robotdan
Member

What version are you on? It may be related to this issue ( #617 ). To confirm, you can pull the latest 1.16.0 image and re-try.

@gjdass

gjdass commented May 11, 2020

Thanks for your very quick answer. Just deleted the container, pulled and relaunched.
Now it's acting normally under nginx as well, thanks.

Not sure I understood why though. But I'm pretty new here 😃
