HTTPS doesn't seem to be working...? #406

Closed
bugbountyguy opened this issue Feb 27, 2022 · 8 comments
Labels
documentation Issues relating to documentation

@bugbountyguy

Okay, this is probably just me personally and not a bug, but I just can't get HTTPS to work. My app keeps going straight to HTTP instead even though I've set the few environment variables mentioned on some issues and the docs... Is there something obvious that I'm missing?

Here are the 3 environment variables I set in the .env file:

CSRF_TRUSTED_ORIGINS="https://[redacted]"
SECURE_PROXY_SSL_HEADER=True
DEBUG=1

And my docker-compose:

version: "3.9"
services:
  babybuddy:
    image: ghcr.io/linuxserver/babybuddy:latest
    container_name: babybuddy
    volumes:
      - ./appdata:/config
    ports:
      - 8000:8000
    restart: unless-stopped
    env_file: .env

I've tried to also have these environment variables under environment: in the docker-compose but that didn't make any difference. Am I missing something obvious? Last few logs in docker logs babybuddy:

[2022-02-27 05:07:28 +0000] [300] [INFO] Starting gunicorn 20.1.0
[2022-02-27 05:07:28 +0000] [300] [INFO] Listening at: http://0.0.0.0:8000 (300)
[2022-02-27 05:07:28 +0000] [300] [INFO] Using worker: gthread
[2022-02-27 05:07:28 +0000] [316] [INFO] Booting worker with pid: 316
[2022-02-27 05:07:28 +0000] [317] [INFO] Booting worker with pid: 317

^ As can be seen here, it's doing http instead of https.

Any guidance or clarification would be appreciated. I'm working on trying to make this externally accessible for us and don't want to do so until I know I can make sure it's set up over https :)

Oh and in case it's needed, the version in the dropdown on the UI shows v1.10.1 👍

Thank you!

@cdubz
Member

cdubz commented Feb 27, 2022

I think it’s normal for the app inside Docker to be on plain http. The important part is the proxy configuration. What are you using? Could you share those configs as well?

@cdubz cdubz added the support label Feb 27, 2022
@bugbountyguy
Author

Okay, I guess I thought the gunicorn thing was a proxy of some sort. I would use nginx if I needed to set that up, but my question would be about the https traffic for the app in that case. Since it would need to be on a separate port, is there some configuration required to get the app to listen in on that port so that I can then forward traffic to it? When running netstat -tupnl, I only see 8000 being open:

tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      -

Or does this app listen to the same port for both traffic and just interpret whether it's HTTP vs. HTTPS based on that header that's passed in? If so, then I could see how I would set up nginx to redirect to the https with setting that header to true. I'm not sure if that's where you were going with that. If so, I can give it a try and report back with whether or not I got it working. 🤔

@cdubz
Member

cdubz commented Feb 27, 2022

Oh wait yeah maybe this should work without something like NGINX in between… I think I just did that yesterday hah.

Will try to find some time soon to test this. I also recommend dropping in the Baby Buddy gitter for advice. Lots of Docker users there.

@cdubz
Member

cdubz commented Feb 27, 2022

Ok so backtracking again... I'm pretty sure this is expected (: Gunicorn is only going to serve up the app over an unencrypted connection so you'll need a proxy like NGINX in front of it to handle SSL and redirect the traffic appropriately.

I'm going to see if I can cook up some quick documentation on this.

@bugbountyguy
Author

Ah hah okay, that makes sense. I haven't had the chance to tackle this much further today, so documentation would be awesome! Thank you so much for quickly looking into this :D When I get some time to do this on my end too, I'd be more than happy to report how I set it up too if you haven't done the documentation by then (just in case it helps).

@cdubz cdubz closed this as completed in a5042f2 Feb 27, 2022
@cdubz
Member

cdubz commented Feb 27, 2022

Well you made me curious and caught me at a good time with the little ones napping so I think I got this all documented!

https://docs.baby-buddy.net/setup/ssl/

Give it a go and let me know if you have any trouble/suggestions/additions/etc. There are lots of other ways to do this but this is a pattern I am most familiar with. It can also be done all within the docker-compose.yml but that seemed a bit too complicated for me. If anyone ever does that and reports back I'll add it to the documentation as well 😄

@cdubz cdubz added the documentation Issues relating to documentation label Feb 27, 2022
@cdubz cdubz added this to the v1.10.2 milestone Feb 27, 2022
@bugbountyguy
Author

bugbountyguy commented Feb 28, 2022

Hey @cdubz thanks a ton again for this.

I did modify my docker-compose to work with this and I now have HTTPS! For others who may need this, or if you want to add this to future docs, my docker-compose looks like the following:

version: "3.9"
services:
  babybuddy:
    image: ghcr.io/linuxserver/babybuddy:latest
    container_name: babybuddy
    volumes:
      - ./appdata:/config
    restart: unless-stopped
    env_file: .env
  babybuddy-nginx:
    image: nginx
    container_name: babybuddy-nginx
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./nginx_logs:/var/log/nginx
      - ./certs:/certs
    ports:
      - 18000:18000
    depends_on:
      - babybuddy

I decided to listen in on 18000 (to avoid conflicts w/ another port 8000 service I have)
I have self-signed certificates since I host this on my own network instead of on a public domain. I placed the self-signed certs in the certs directory in the same folder as the project. Here's the nginx.conf file I placed (replaced the domain with the example in the docs for convenience):

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile        on;
    keepalive_timeout  65;

    server_tokens               off;
    access_log                  /var/log/nginx/babybuddy.access.log;
    error_log                   /var/log/nginx/babybuddy.error.log;

    server {
        server_name         babybuddy.example.com;
        listen              18000 ssl;
        ssl_certificate     /certs/babybuddy.example.com.crt;
        ssl_certificate_key /certs/babybuddy.example.com.key;
        location / {
            proxy_pass              http://babybuddy:8000;
            proxy_set_header        Host $host;
        }
    }
}

Lastly, here's my .env file:

SECURE_PROXY_SSL_HEADER=True
CSRF_TRUSTED_ORIGINS="https://babybuddy.example.com:18000"
DEBUG=1

I hope this helps someone else who wants to run nginx behind docker-compose instead of a full blown service, and thanks again cdubz for the quick responses :)
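
A check for the proxy side of this setup, as an added example that is not part of the original comment or the Baby Buddy project: Django documents `SECURE_PROXY_SSL_HEADER` as safe only when the proxy sets the named header itself, and nginx forwards client request headers unchanged unless `proxy_set_header` overrides them. It assumes Baby Buddy's `SECURE_PROXY_SSL_HEADER=True` maps to Django's `X-Forwarded-Proto` check; `audit_forwarded_proto` and both sample configs are constructed for illustration.

```python
import re

# Constructed sample: the server block from the nginx.conf in the comment above.
THREAD_CONF = """
server {
    server_name babybuddy.example.com;
    listen 18000 ssl;
    location / {
        proxy_pass http://babybuddy:8000;
        proxy_set_header Host $host;
    }
}
"""
# Constructed variant in which nginx sets the scheme header itself.
HARDENED_CONF = THREAD_CONF.replace(
    "Host $host;",
    "Host $host;\n        proxy_set_header X-Forwarded-Proto $scheme;",
)

LOCATION_RE = re.compile(r"location\s+([^{]+?)\s*\{([^{}]*)\}")
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?);\s*$", re.MULTILINE)


def audit_forwarded_proto(conf, header="X-Forwarded-Proto"):
    """Return (location, problem) pairs for proxied locations that do not
    set `header` themselves. Limitations: flat location blocks only, no
    include files, and headers inherited from server/http level are not seen."""
    conf = re.sub(r"#[^\n]*", "", conf)  # ignore commented-out directives
    findings = []
    for path, body in LOCATION_RE.findall(conf):
        directives = DIRECTIVE_RE.findall(body)
        if not any(name == "proxy_pass" for name, _ in directives):
            continue  # not a reverse-proxy location
        values = [args.split(None, 1) for name, args in directives
                  if name == "proxy_set_header"]
        set_here = [v for v in values if v and v[0].lower() == header.lower()]
        if not set_here:
            findings.append(
                (path, f"{header} not set; client-supplied value is forwarded"))
        elif len(set_here[0]) < 2 or set_here[0][1] in ('""', "''"):
            findings.append(
                (path, f"{header} cleared but never set for TLS requests"))
    return findings


if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_forwarded_proto(conf))
```
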

@cdubz
Member

cdubz commented Feb 28, 2022

Cool! This helps me understand better some of the Docker config examples I saw. I should be able to add to the documentation for this method as well.
