New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Feature: Support for HTTPS (TLS/SSL) #916

Open
NoodleBB opened this Issue Mar 16, 2017 · 33 comments

Comments

Projects
None yet
@NoodleBB
Copy link

NoodleBB commented Mar 16, 2017

When setting the ROOT_URL to https, restarting Wekan and try to access wekan via browser and the https-URL i just get:

ERR_CONNECTION_CLOSED

Tested with Wekan v.0.13, v.0.12, v.0.10.1 Manual installation on CentOS

@davydov-vyacheslav

This comment has been minimized.

Copy link

davydov-vyacheslav commented Mar 16, 2017

one of the possible workaround - is to wrap wekan with apache and do smoething like that:


<VirtualHost *:443>

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/some.cert
        SSLCertificateKeyFile /etc/apache2/ssl/some.key

        ServerName servername
        ServerAdmin webmaster@mytodo.org

        DocumentRoot /var/www/wekan.site.com
        <Directory />
                Options FollowSymLinks
                AllowOverride AuthConfig FileInfo Indexes Options=MultiViews
        </Directory>

        <Directory /var/www/wekan.site.com>
                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride AuthConfig FileInfo Indexes Options=MultiViews
                Require all granted
        </Directory>

        ErrorLog /var/log/apache2/wekan.site.com-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/wekan.site.com-access.log combined
        ServerSignature Off

        ProxyPassMatch   "^/(sockjs\/.*\/websocket)$" "ws://127.0.0.1:8085/$1"
        ProxyPass        "/" "http://127.0.0.1:8085/"
        ProxyPassReverse "/" "http://127.0.0.1:8085/"

</VirtualHost>

where 8085 - is your local wekan's port

Don't know where ... but somewhere I saw such installation ..

@NoodleBB

This comment has been minimized.

Copy link
Author

NoodleBB commented Mar 16, 2017

I don't have root access to that server.

@iAdanos

This comment has been minimized.

Copy link

iAdanos commented Mar 16, 2017

@NoodleBB, did you set up HTTPS in webserver config correctly?
You should attach your webserver config here.

If you trying to start "stock" wekan in HTTPS mode (doesn't matter docker instance or compiled from source), it will not work, because wekan needs webserver proxying it with SSL.

Offtop: IMHO, SSL is not the function Wekan itself must provide. It's an app. Commutity must be concentrated on functions and stability of the primary service.
I beleve, we want make a lightweight, fast and cool service. Making a monster with integrated webserver, DB etc. functions will kill the idea.

@NoodleBB

This comment has been minimized.

Copy link
Author

NoodleBB commented Mar 17, 2017

Here is my .htaccess.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{ENV:HTTPS} !=on
RewriteRule .* https://${SERVER_NAME}%{REQUEST_URI} [R=301,L]
RewriteRule ^(.*) http://localhost:61199/$1 [P]

When i access a sample page on that host, it redirects me to the secured page. This works fine. But when i add the last line to redirect to Wekan it fails.

Respond to OT:
I agree with you, that Wekan should be stay lean and fast, but...

  • As an App it should be self-contained.
  • As a Webservice which hold private data a TLS/SSL-Connection is an obligation.
  • When a Password request is necessary, unencrypted connections are an absolute No-Go.

P.S.: There exist a Meteor package for that. force-ssl

@xet7

This comment has been minimized.

Copy link
Member

xet7 commented Mar 17, 2017

Does Meteor / Node.js have support for virtual hosts, redirects, let's encrypt etc? URL?

@xet7

This comment has been minimized.

Copy link
Member

xet7 commented Mar 17, 2017

That force-ssl seems to just redirect

@xet7

This comment has been minimized.

Copy link
Member

xet7 commented Mar 19, 2017

Does somebody use only Node.js in production?

In all articles I found with Google search, Nginx/Caddy/some other webserver is used for load balancing and delivering static content in front of Node.js.

@iAdanos

This comment has been minimized.

Copy link

iAdanos commented Mar 19, 2017

@xet7, i tried to tell this. Wekan is a backend application. User can have multiple wekan instances and a load balancer proxying them. It's a classic practice.
Using only backend application in production is a very bad idea. I think, nobody really do that. No caching, no access log, no filters, no load balancers, no access control.

The best example for me is a Ghost Blogging Platform. It can be run standalone, but developpers assume that it is always behind Nginx/Apache/whatever.
The application itself does not provide SSL, virtual hosts etc.
I think, that's the right way.

I use Caddy to provide Wekan HTTPS access, and i have almost no problems.

@NoodleBB doesn't have root access to server, that's his main problem. With all possible respect, it's not Wekan functionality problem.

@NoodleBB

This comment has been minimized.

Copy link
Author

NoodleBB commented Mar 19, 2017

@iAdanos
With all possible respect, could you imagine, that there are different setups and needs than yours. The thumping majority doesn't have root access to the servers they are using.

@REJack

This comment has been minimized.

Copy link

REJack commented Mar 19, 2017

It's important which Control Panel your hoster/ISP use, if it's Plesk or CPanel you have not much problems depending on the restrictions.

I use Wekan on my own little root server with Deb 8, Plesk 17, a nginx proxy and Lets Encrypt SSL Certificate 😄 and it runs perfectly.

@NoodleBB

This comment has been minimized.

Copy link
Author

NoodleBB commented Mar 19, 2017

I don't use a control panel. I use SSH and GeoTrust certificates.

But i'm sure the most users do use Plesk & Lets Encrypt.

@REJack

This comment has been minimized.

Copy link

REJack commented Mar 19, 2017

@NoodleBB Which kind of access you have on your server trough SSH, do you can modify stuff in /etc, /var & /opt or install new packages?

@NoodleBB

This comment has been minimized.

Copy link
Author

NoodleBB commented Mar 19, 2017

Nope. Just read.

@REJack

This comment has been minimized.

Copy link

REJack commented Mar 19, 2017

Ok thats a bit hard. You need to check which modules are available in the apache2 instance.
One method to check which modules are available, create empty phpfile and add <?php phpinfo() ?> then search for apache2handler.

If there are proxy modules avaible you can setup a reserve proxy like @davydov-vyacheslav's workaround.

These lines can be added into a .htaccess file too.

        ProxyPassMatch   "^/(sockjs\/.*\/websocket)$" "ws://127.0.0.1:61199/$1"
        ProxyPass        "/" "http://127.0.0.1:61199/"
        ProxyPassReverse "/" "http://127.0.0.1:61199/"
@NoodleBB

This comment has been minimized.

Copy link
Author

NoodleBB commented Mar 19, 2017

@REJack
No proxy around there.

@NoodleBB

This comment has been minimized.

Copy link
Author

NoodleBB commented Mar 19, 2017

@xet7
Sure. Not in global or enterprise setups, but in infinity small and private groups like families, school classes, fraternities, walking club, dance groups, boycouts, churches, choral society, neighborhood, etc., etc.

@NoodleBB NoodleBB changed the title Support for HTTPS (TLS/SSL) Feature Request: Support for HTTPS (TLS/SSL) Mar 19, 2017

@NoodleBB NoodleBB changed the title Feature Request: Support for HTTPS (TLS/SSL) Add Request: Support for HTTPS (TLS/SSL) Mar 19, 2017

@NoodleBB NoodleBB changed the title Add Request: Support for HTTPS (TLS/SSL) Add Feature: Support for HTTPS (TLS/SSL) Mar 20, 2017

@Zokormazo

This comment has been minimized.

Copy link
Contributor

Zokormazo commented Mar 29, 2017

I prefer using reverse proxy with nginx instead of exposing the nodejs socket to internet so https goes on nginx. Better practice

@itsmedani

This comment has been minimized.

Copy link

itsmedani commented Apr 6, 2017

I all,

I tried to configure Apache for SSL connection. I have SSL connections until I opened a card.

Indeed, the URL switch to the URL which are configured on the URL_ROOT line.

Do you know why?

Regards

@NoodleBB

This comment has been minimized.

Copy link
Author

NoodleBB commented Apr 6, 2017

Try to set the protocol of the URL_ROOT to https://

@itsmedani

This comment has been minimized.

Copy link

itsmedani commented Apr 6, 2017

Hi,

It's work!

Thanks :)

@Zokormazo

This comment has been minimized.

Copy link
Contributor

Zokormazo commented Jun 13, 2017

@bitsandnumbers

This comment has been minimized.

Copy link

bitsandnumbers commented Jun 14, 2017

@Zokormazo Yeah, sorry I deleted my comment after realizing that it could work. I actually found my solution.

@supercrypt

This comment has been minimized.

Copy link

supercrypt commented Feb 6, 2018

Hey all,

we are using Wekan with Stunnel4 to support encrypted connections over SSL and want to activate HSTS. Would it possible to integrate this in a future release?

As far I can see it's already supported by Node:
https://stackoverflow.com/a/29293551

@xet7

This comment has been minimized.

Copy link
Member

xet7 commented Mar 12, 2018

@supercrypt

Does that http-proxy include support for SSL ?

Otherwise, if it requires separate install of stunnel, it's the same as using Nginx/Caddy etc in front of Wekan.

@supercrypt

This comment has been minimized.

Copy link

supercrypt commented Mar 12, 2018

Hi @xet7

Yes, the proxy supports SSL/TLS.
We didn't want to run a full webserver only for wekan so we decided for the solution with stunnel :)

@xet7

This comment has been minimized.

Copy link
Member

xet7 commented Mar 12, 2018

@supercrypt

Is stunnel included inside http-proxy npm package? So there is no need for stunnel setup separately?

@supercrypt

This comment has been minimized.

Copy link

supercrypt commented Mar 12, 2018

@xet7 I don't know if this is the case.

@cknoll

This comment has been minimized.

Copy link

cknoll commented Apr 9, 2018

@NoodleBB As you are the main author of https://github.com/wekan/wekan/wiki/Install-latest-Wekan-release-on-Uberspace, I guess this issue is related to that platform. Have you in the meantime been able to server Wekan on uberspace with https?

@y0d4a

This comment has been minimized.

Copy link

y0d4a commented Jun 29, 2018

is there news about this feature?

@patrickdung

This comment has been minimized.

Copy link

patrickdung commented Jul 31, 2018

Securing the http port with TLS is important.
If the reverse proxy web server connect to wekan's/nodejs http port without encryption, the data communication between them can be sniffed.
stunnel can be setup to secure the proxy traffic but it would be less convenient.

@xet7

This comment has been minimized.

Copy link
Member

xet7 commented Jul 31, 2018

@patrickdung

Having Nginx/Apache/Caddy/Stunnel/Traefik to provide SSL in front of Wekan is already possible.

This issue is only about having SSL in Wekan's node.js server itself.

@y0d4a

This comment has been minimized.

Copy link

y0d4a commented Aug 1, 2018

little more help? :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment