Need help with invoiceninja behind reverse proxy + https

ovizii · April 19, 2017, 9:27pm

Hi there,

I am running invoiceninja using docker and am using this container as a reverse proxy: https://github.com/jwilder/nginx-proxy and it works well but as soon as I start redirecting all HTTP to HTTPS invoiceninja starts looking funny as in mixed content doesn’t get displayed.

I found this thread here https://www.invoiceninja.com/forums/topic/unable-to-secure-site-with-ssl-with-pound-reverse-proxy-server/ which seems to deal with the exact same problem I am having but the solution doesn’t seem to work for me.

In my dockerfile to build invoiceninja I set the trustedproxy both for my external and for my internal range docker is using:

environment:
     VIRTUAL_HOST: in.domain.tld
     LETSENCRYPT_HOST: in.domain.tld
     LETSENCRYPT_EMAIL: [email protected]
     TRUSTED_PROXIES: '51.xxx.xxx.xxx,172.17.0.0/24'

I have not set these as invoiceninja isn’t supposed to run on https as the proxy connects to it via http but serves https to visitors

REQUIRE_HTTPS=true
SESSION_ENCRYPT=true
SESSION_SECURE=true

I have also set this header in my proxy:
proxy_set_header X-Forwarded-Proto https;
it used to be:
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;

Any more pointers?

hillel · April 19, 2017, 9:30pm

Maybe the info in these issue will help…

https://github.com/invoiceninja/invoiceninja/issues/1425
https://github.com/invoiceninja/invoiceninja/issues/1393

ovizii · April 19, 2017, 11:09pm

Thanks for the pointers, I had not seen the github page. None of those links add anything new to my issue, I think it would be good to post all my config files should I do so ehre or open a separate github issue instead?

hillel · April 19, 2017, 11:12pm

The forum is a better place, if you create a GitHub issue it will likely be closed.

I’m not sure posting your configs will help (if you do please be sure to remove any sensitive data).

ovizii · April 19, 2017, 11:33pm

Well, it clearly works for others so I am sure its a simple mixup of variables so here are my config files:

docker-compose.yml => https://pastebin.com/AWWfNC5N
.env => https://pastebin.com/wFjVQsAY
general proxy settings => https://pastebin.com/8Swc0RqH
extra changed config for this vhost => https://pastebin.com/S7FE32Tw

Can someone spot what is wrong here? This is what the proxied front-end looks like with the above settings => http://take.ms/Qewlb

thomson · April 25, 2017, 2:32am

Had the same problem, adding the following line in the nginx config file saved my live:
fastcgi_param HTTPS 1;
Source: https://github.com/invoiceninja/dockerfiles/issues/14

hillel · April 25, 2017, 2:33am

Thanks for sharing your solution!

ovizii · April 25, 2017, 2:58am

thanks, will give it a try and report back here!

user20398 · October 16, 2020, 11:27pm

This saved my life too!! Was sitting 2 sleepless days trying to figure this out.
So if you have invoiceNinja sitting on another server in the SAME LAN as the Reverse Proxy Server, you will need to have this setting fastcgi_param HTTPS 1; on the backend NGINX of InvoiceNinja, and at the same time disable the following from .env:
REQUIRE_HTTPS=
TRUSTED_PROXIES=
SESSION_ENCRYPT=
SESSION_SECURE=

Otherwise your InvoiceNinja Server tries to redirect to https and then your Proxy is not able to Proxy https anymore. InvoiceNinja Server is the backend and must listen on a non-http port.
Would be nice to know if anyone was able to secure their backend communication between Reverse Proxy and InvoiceNinja backend…?