SSL load balancer X-Header-Protocol is not honored #160
We are still running production with http because all links have http-protocol on every page. I have not been able to fix this yet.
This is intentionally not honored for security reasons. You need to add the IP of your load balancer in Cachet's trusted proxy config.
By default, we ship with CloudFlare's IP. You will need to add the ones you need: https://github.com/CachetHQ/Cachet/blob/2.4/config/trustedproxy.php#L30.
Hi, would it be possible to have this as an option to bypass it, and just allow any IP? Just to give an example:
Sounds like we could maybe override this via the
We could add this to the
I don't know how I should implement this, as it's currently not something in the config of Cachet itself, but I'm certainly interested in this, as there's no way to run Cachet based on this image behind an SSL-terminating load balancer. @jbrooksuk are you still considering adding this as an option?
This makes Cachet completely unusable for me on GKE behind Google's HTTPS-terminating LB. We consciously decide not to open port 80 so that users don't send requests to an insecure port, and thus cannot set up any nginx redirects.
Unfortunately I am not able to help Cachet to fix this. However, I see this as a limitation of Docker + Cachet and not of Cachet as a standalone installation.
@CachetHQ/core We could just ship the trusted proxies with
I agree this needs to be fixed upstream. Due to https://github.com/CachetHQ/Cachet/blob/2.4/config/trustedproxy.php#L30 this would happen even on a non-Docker Cachet install if I am understanding correctly. One could also just bind mount in a customized trustedproxy.php if needed.
Simply allow users to override that list with their own via an environment variable, and fall back to that list as a default if not specified. It needs to accept
Right, but since this trusted proxy list is not part of Cachet's
cachethq/cachet#2694 might help with this issue somewhat.
Seems to be blocked on fideloper/TrustedProxy#81 or some other upstream bit implementing it. cachethq/cachet#2694 will help if your proxy is on one of the reserved local IP ranges. Closing as there is nothing we can do on this side until one of the upstream projects helps support it.
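The environment-variable override suggested above, sketched as an added example of what a `config/trustedproxy.php` could look like; this is not Cachet's shipped file or the fideloper package's own code. It assumes the variable name `TRUSTED_PROXIES` (hypothetical), that the file's `proxies` key is the one set at the linked line, and that the package accepts `'*'` to trust every upstream; the rest of the shipped file (header mapping) is assumed unchanged.

```php
<?php
// Added example, not the project's config. Assumes a hypothetical
// TRUSTED_PROXIES environment variable: a comma-separated list of IPs or
// CIDRs, or '*' to trust any upstream address.

// Shipped default: the CloudFlare ranges the project bundles. Placeholder
// here; keep the real list from the project's file when adapting this.
$defaultProxies = [
    // '<cloudflare-range>/<prefix>', ...
];

$fromEnv = getenv('TRUSTED_PROXIES');

if ($fromEnv === false || trim($fromEnv) === '') {
    // No override supplied: fall back to the shipped list, so
    // X-Forwarded-Proto is still only honored from those addresses.
    $proxies = $defaultProxies;
} elseif (trim($fromEnv) === '*') {
    // Trust every upstream. Only reasonable when nothing but the
    // load balancer can reach the application port at all.
    $proxies = '*';
} else {
    // Explicit list: validate each entry so a typo cannot silently
    // widen the set of hosts whose forwarded headers are trusted.
    $proxies = array_values(array_filter(
        array_map('trim', explode(',', $fromEnv)),
        function ($entry) {
            $ip = explode('/', $entry, 2)[0];
            return filter_var($ip, FILTER_VALIDATE_IP) !== false;
        }
    ));
}

return [
    'proxies' => $proxies,
];
```

With the load balancer's address in the list, its `X-Forwarded-Proto: https` header is honored and generated links use https; without it, the header is ignored and links stay http, which is the behaviour reported in this issue.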
Hi,
On an AWS load balancer SSL termination configuration with version v2.3.9 we are having issues with links on the pages. The links are back in the http protocol and we cannot make them use https.
Given a request:
the service is responding with html having links with http:
There must be something wrong with our nginx config inside the container.
I hope someone could see where the problem might be.