After spending almost the entirety of yesterday searching and experimenting with different methods, I am hoping you experts might be able to help me out on this. As some background, I am a tech literate guy, but not to a great extent.
I have Invoice Ninja running in a Bitnami VM behind a Pound reverse proxy server. When I have this set up and go to any page, my browser (Chrome) states that the website is attempting to run scripts from unauthenticated sources. I have the pound server redirecting all HTTP traffic to the HTTPS address. When I enable the option in the .env file to require HTTPS, I get an error about a redirect loop. When I set this to false, I get the page with almost no styling stating that I am trying to run scripts from unauthenticated sources.
Some of the things that I tried doing were setting the .env file’s address to use HTTPS, and I’ve tried to add the SESSION_ENCRYPT=true and SESSION_SECURE=true lines to the .env file without success.
If there are any suggestions you can provide, I would be immensely appreciative. This is an amazing project and I hope that I can get this working for production.
Try setting a value for TRUSTED_PROXIES in your .env file.
Here’s the code from the top of app/Http/Middleware/StartupCheck.php
// Set up trusted X-Forwarded-Proto proxies
// TRUSTED_PROXIES accepts a comma delimited list of subnets
// ie, TRUSTED_PROXIES='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16'
if (isset($_ENV['TRUSTED_PROXIES'])) {
Request::setTrustedProxies(array_map('trim', explode(',', env('TRUSTED_PROXIES'))));
}
Hi Hillel! Thank you for your response! I added TRUSTED_PROXIES='192.168.1.196/16' to the .env file and restarted the server and have not had any change. For reference, here’s what my .env file looks like.
The login page still just consists of the text boxes without the styling. I checked the source of the page and it’s still trying to point to the HTTP address of everything. Any other suggestions, or am I not understanding this option?
The last error block in the laravel.log file is below. There is one identical error like this earlier, but given how often the page is being accessed, it does not look like any relevant errors are popping up in this log. What I notice as interesting is that when I inspect the page source of the login page, I see that all references are being made with HTTP as opposed to HTTPS. Is there a way to hardcode that HTTP so that it is not being dynamically generated?
When I tell the browser to allow the unsafe scripts to run, the page renders normally. Also, when I direct port 443 to the VM directly, everything works great. It’s only when funneled through the reverse proxy that these issues arise. As I am planning to host other sites, forwarding standard port 443 directly to the VM is not an option.
Setting REQUIRE_HTTPS=true generates a redirect loop. The HTTPS request comes in through the reverse proxy server, decrypted, and sent via HTTP to the Bitnami VM hosting Invoice Ninja. My guess is that Invoice Ninja sees the funneled decrypted traffic as HTTP and requires HTTPS. This new request loops through the reverse proxy server where it is decrypted into HTTP and hits Invoice Ninja again generating this same loop.
Got it! I’m so happy I can barely contain myself! I want to post my configuration here so anyone in my shoes can fix this and maybe help the community out!
This web page told me to add the AddHeader "X-Forwarded-Proto: https" option to my Pound server configuration. This means that my configuration for pound looks like this:
ListenHTTPS
    Address 0.0.0.0
    Port 443
    AddHeader "X-Forwarded-Proto: https"
    Cert "/path/to/cert"
    CAList "/path/to/cabundle"
    Service
        HeadRequire "Host:.billing.xxx.com.*"
        BackEnd
            Address 192.168.1.197
            Port 80
        End
    End
End
As soon as I implemented this and restarted the server, everything worked beautifully. Thank you so much for your help Hillel and I hope this helps anyone who is running into this issue like me! I look forward to pushing Invoice Ninja into production!
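The loop described in this thread comes from the backend only ever seeing plain HTTP, and the fix is two-sided: the proxy adds X-Forwarded-Proto, and the application honours that header only when the request comes from a subnet listed in TRUSTED_PROXIES. The following stand-alone PHP script is an added illustration of that decision (it is not Invoice Ninja's or Laravel's code); it assumes IPv4 only, and every address, subnet and header value in it is a constructed sample.

```php
<?php
// Added example, not project code. Shows why X-Forwarded-Proto must only be
// honoured when the TCP peer is a trusted proxy. IPv4 only; sample values below
// are constructed.

// Parse a TRUSTED_PROXIES-style string ("10.0.0.0/8,192.168.0.0/16") into
// [network, prefixLength] pairs. A bare address is treated as a /32.
function parseTrustedProxies(string $list): array {
    $subnets = [];
    foreach (array_map('trim', explode(',', $list)) as $entry) {
        if ($entry === '') { continue; }
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
        $subnets[] = [ip2long($net), (int) $bits];
    }
    return $subnets;
}

// True when $ip falls inside one of the parsed subnets.
function isTrustedProxy(string $ip, array $subnets): bool {
    $addr = ip2long($ip);
    foreach ($subnets as [$net, $bits]) {
        $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === ($net & $mask)) { return true; }
    }
    return false;
}

// Decide which scheme the application should believe it was reached over.
// $remoteAddr is the TCP peer (the proxy, or a client hitting the backend
// directly); $headers is the header map as the backend received it.
function effectiveScheme(string $remoteAddr, array $headers, array $subnets): string {
    $forwarded = strtolower($headers['X-Forwarded-Proto'] ?? '');
    if (isTrustedProxy($remoteAddr, $subnets) && $forwarded === 'https') {
        return 'https'; // TLS was terminated by a proxy we explicitly trust
    }
    return 'http';      // untrusted peer: ignore whatever the header claims
}

$trusted = parseTrustedProxies('192.168.0.0/16');
$hdr     = ['X-Forwarded-Proto' => 'https'];

// Pound on the LAN adding the header: the app sees HTTPS, no redirect loop.
echo effectiveScheme('192.168.1.1', $hdr, $trusted), PHP_EOL;   // https
// Same header from an untrusted peer is ignored, so it cannot fake HTTPS.
echo effectiveScheme('203.0.113.7', $hdr, $trusted), PHP_EOL;   // http
// Trusted proxy but no header (e.g. AddHeader missing): still plain HTTP,
// which is exactly the state that produced the REQUIRE_HTTPS loop above.
echo effectiveScheme('192.168.1.1', [], $trusted), PHP_EOL;     // http
```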