Forced HTTPS redirection

[kevin-ta]

I tried basic troubleshooting first

• Updated both ios-signer-service and the builder (ios-signer-ci or ios-signer-builder) to the latest version
• Read through the FAQ page

Describe the bug

I'm using the docker version of ios-signer-service with port 8080->42270.
Accessing the website via my Nginx reverse proxy gives ERR_TOO_MUCH_REDIRECT with Chrome with a lot of HTTP 302.
When testing with curl http://127.0.0.1:42270 -L -vvv, here is the encountered error:

curl http://127.0.0.1:42270 -L -vvv                                      
* Expire in 0 ms for 6 (transfer 0x5649d127aee0)
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5649d127aee0)
* Connected to 127.0.0.1 (127.0.0.1) port 42270 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:42270
> User-Agent: curl/7.64.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Location: https://127.0.0.1:42270/
< Date: Mon, 02 Aug 2021 03:41:56 GMT
< Content-Length: 0
< 
* Connection #0 to host 127.0.0.1 left intact
* Issue another request to this URL: 'https://127.0.0.1:42270/'
* Hostname 127.0.0.1 was found in DNS cache
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5649d127aee0)
* Connected to 127.0.0.1 (127.0.0.1) port 42270 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 1
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Adding redirect_https: false to signer-cfg.yml does not work as this line is removed from the file on docker run.

To reproduce
Proceed to a fresh installation with the image, use the default signer-cfg.yml.

Expected behavior
Connecting to http://127.0.0.1:8080 should not automatically redirect to https://127.0.0.1:8080. The HTTPS redirection seems forced despite having the possibility to disable it.

System configuration

• ios-signer-service version: 2.4.4
• Installation type: computer, nginx
• Builder type: ios-signer-ci
• Builder version: be43996

[ViRb3]

Hello, thanks for the detailed report. redirect_https: false is a default option - it should be automatically added to your config file on every run, even if you delete it, unless you just changed it to true. If a line is automatically deleted from the config file, that means the program did not recognize it - it's either in the wrong place/indentation, or it has a wrong name. I just tested both a Docker instance and a standalone instance with v2.4.4. Both had redirect_https: false by default, and the line worked as expected - no redirection was performed at all. It's a very strange issue you're having - are you sure you are running v2.4.4 and your nginx conf doesn't do any redirects instead? Try running the program without a config file - it should generate you a default template file, just add your stuff to that template and see how it goes.

[kevin-ta]

Ok so it appeared that docker didn't pull the latest image. The one I got was 2 months ago and it is now working. The weird thing is, even if the image I got was 2 months older, it suddenly stopped working recently. I think we can just close the issue. Thank you.