Hey team, I have been thrashing around a bit and I'm pretty sure I've got SSL enabled between my proxy and Invoice Ninja now… but I'm still having the same problems.
To enable SSL between my proxy (linuxserver.io's SWAG container, which uses an nginx reverse proxy and Let's Encrypt SSL) I believe this is a comprehensive list of all the changes:
- added fastcgi_param HTTPS 1; and ssl on; (plus pointing to dummy certs) to config/nginx/in-vhost.conf like so:
server {
    listen 80 default_server;
    # the ssl flag on a listen line is the supported way to make that port TLS
    listen 443 ssl default_server;
    # same two ports again under the numbers docker-compose publishes on the host
    # (49142 -> 80, 44143 -> 443), so the proxy container can use either pair
    listen 49142 default_server;
    listen 44143 ssl default_server;
    server_name _;
    root /var/www/app/public/;
    index index.php;

    #not a default option, see github issue invoiceninja/dockerfiles 319
    client_max_body_size 2048M;

    #not default, from https://reinout.vanrees.org/weblog/2017/05/02/https-behind-proxy.html
    # "ssl on;" was what went here originally. It has been deprecated since nginx
    # 1.15.0 and, worse, it turns *every* listen in this server block into a TLS
    # listener, so the plain-HTTP ports 80/49142 stop answering plain HTTP.
    # The ssl flag on the 443 and 44143 listen lines above replaces it.
    # ssl on;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass invoiceninja-app:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #not default, found in https://github.com/invoiceninja/dockerfiles/issues/14#issuecomment-241860289
        # tells PHP/Laravel the request is HTTPS no matter which listen it arrived on
        fastcgi_param HTTPS 1;
        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
    }
}
- changed my nginx proxy conf to point to the HTTPS port passed through to my container. Proxy conf:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name in....co;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    ### Linuxserver.io Defaults
    # Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
    # Diffie-Hellman Parameters
    ssl_dhparam /config/nginx/dhparams.pem;
    # Enable TLS 1.3 early data
    # (0-RTT data can be replayed by an attacker; nginx exposes $ssl_early_data so
    # the app can reject non-idempotent requests that arrived as early data, e.g.
    # proxy_set_header Early-Data $ssl_early_data; in proxy.conf)
    ssl_early_data on;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app invoiceninja-server;
        # set $upstream_port 49142;
        # set $upstream_proto http;
        set $upstream_port 44143;
        set $upstream_proto https;
        # nginx does not verify the upstream certificate unless proxy_ssl_verify is
        # on, which is why the backend's snakeoil cert is accepted. That encrypts
        # the hop but does not authenticate the backend; to get that as well, give
        # the backend a cert the proxy trusts and add proxy_ssl_verify on; together
        # with proxy_ssl_trusted_certificate.
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
docker-compose.yml entry showing the port passthroughs to the server:
invoiceninja-server:
  image: nginx
  container_name: invoiceninja-server
  env_file: ./invoiceninja/invoiceninja.env
  restart: unless-stopped
  volumes:
    # Vhost configuration
    - ./invoiceninja/config/nginx/in-vhost.conf:/etc/nginx/conf.d/in-vhost.conf:ro
    - ./invoiceninja/docker/app/public:/var/www/app/public:ro
  depends_on:
    - invoiceninja-app
  ports:
    - 49142:80
    - 44143:443
Specified ASSET_URL in the env file and set REQUIRE_HTTPS per the env example doc:
APP_URL=https://in....co/
#not default, comes from https://github.com/invoiceninja/invoiceninja/issues/3278
ASSET_URL=https://in....co/
APP_KEY=base64:<redacted>
APP_DEBUG=false
MULTI_DB_ENABLED=false
DB_HOST1=mariadb
DB_PORT1=3306
DB_USERNAME1=<redacted>
DB_PASSWORD1=<redacted>
DB_DATABASE1=<redacted>
TRUSTED_PROXIES='192.168.xx.xx/32'
API_SECRET=<redacted>
REQUIRE_HTTPS=true
MAIL_DRIVER=smtp
MAIL_PORT=587
MAIL_ENCRYPTION=tls
MAIL_HOST=<redacted>
MAIL_USERNAME=<redacted>
MAIL_FROM_ADDRESS=<redacted>
MAIL_FROM_NAME=<redacted>
MAIL_PASSWORD=<redacted>
#this is a system variable please do not remove
IS_DOCKER=true
PHANTOMJS_PDF_GENERATION=false
##V4 env vars
#DB_STRICT=false
#DB_HOST=db
#DB_DATABASE=ninja
#DB_USERNAME=ninja
#DB_PASSWORD=ninja
#APP_CIPHER=AES-256-CBC
But even still, I'm getting an error in the same place:
Same error from the iOS app on a WAN link, so my local DNS server isn't involved:
I'm pretty new to re-encrypting connections like this, so I might be way off base.
Are you guys unable to replicate this? Do you see any obvious flaws in my configuration?
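A couple of checks for the proxy-to-backend setup described above, as an added example that is not part of the original post and not Invoice Ninja's or linuxserver.io's own tooling. The first part is an offline lint for the nginx mistakes that commonly break a "terminate TLS at the proxy, re-encrypt to the backend" vhost: the deprecated ssl on; that also turns the port-80 listen into a TLS listener, a 443 listen without the ssl flag, and a PHP location that never passes HTTPS to FastCGI. It runs against two constructed sample vhosts. The second part is a pair of openssl/curl probes for each hop that only run when a backend host, port and public hostname are passed on the command line; the names in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example; not from the original post, Invoice Ninja or linuxserver.io.

# lint_tls_vhost FILE -> prints findings, returns 0 when clean, 1 otherwise
lint_tls_vhost() {
    conf="$1"
    rc=0
    # (1) "ssl on;" is deprecated and makes every listen in the server block a
    #     TLS listener, so plain-HTTP ports in the same block stop answering HTTP.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "FAIL: 'ssl on;' present; put the ssl flag on the listen lines instead"
        rc=1
    fi
    # (2) a 443 listen without the ssl flag serves plaintext on the TLS port, so
    #     the proxy's https:// proxy_pass cannot complete its handshake (502).
    if grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443([[:space:]]|;)' "$conf" &&
       ! grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[^;]*[[:space:]]ssl([[:space:]]|;)' "$conf"; then
        echo "FAIL: 'listen 443' without the ssl flag"
        rc=1
    fi
    # (3) PHP only learns the scheme from what FastCGI passes; without HTTPS the
    #     app thinks it is on http:// and a require-https rule can loop redirects.
    if grep -q 'fastcgi_pass' "$conf" &&
       ! grep -Eq '^[[:space:]]*fastcgi_param[[:space:]]+HTTPS' "$conf"; then
        echo "FAIL: no 'fastcgi_param HTTPS ...' in the PHP location"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: no TLS pitfalls found in $conf"
    fi
    return "$rc"
}

# probe_backend_tls HOST PORT -> does the backend port actually speak TLS?
# Verification is deliberately not enforced: a self-signed backend cert fails it,
# and nginx's proxy_pass does not verify upstream certs by default either.
probe_backend_tls() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null |
        grep -E 'Protocol|Cipher|Verif'
}

# probe_via_proxy HOSTNAME -> one request through the public proxy. A 301/302
# back to the same https:// URL is the redirect-loop symptom; 502 means the proxy
# could not complete the TLS handshake to the backend.
probe_via_proxy() {
    curl -sS -o /dev/null -w 'status=%{http_code} redirect=%{redirect_url}\n' \
        -H 'Accept: text/html' "https://$1/"
}

# --- constructed sample vhosts for the offline demo (not real files) ---
AS_POSTED="$(mktemp)"
FIXED="$(mktemp)"
trap 'rm -f "$AS_POSTED" "$FIXED"' EXIT
cat >"$AS_POSTED" <<'EOF'
server {
    listen 80 default_server;
    listen 443 default_server;
    ssl on;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    location ~ \.php$ {
        fastcgi_pass invoiceninja-app:9000;
        fastcgi_param HTTPS 1;
    }
}
EOF
cat >"$FIXED" <<'EOF'
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    location ~ \.php$ {
        fastcgi_pass invoiceninja-app:9000;
        fastcgi_param HTTPS 1;
    }
}
EOF

echo "== vhost with 'ssl on;' and a bare 'listen 443'"
lint_tls_vhost "$AS_POSTED" || true
echo "== vhost with the ssl flag on the listen line"
lint_tls_vhost "$FIXED"

# Live checks only when a backend host, backend port and public name are given,
# e.g.  ./check.sh invoiceninja-server 44143 in.example.test   (placeholder names)
if [ $# -eq 3 ]; then
    probe_backend_tls "$1" "$2"
    probe_via_proxy "$3"
fi
```

Run the lint against the real in-vhost.conf first (and `nginx -t` inside the container), then the backend probe from inside the proxy container so it resolves the same name proxy_pass uses; a "Verify return code: 18 (self-signed certificate)" from openssl is expected with the snakeoil cert and is exactly what proxy_pass silently accepts.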