Add Feature: Support for HTTPS (TLS/SSL)

[NoodleBB]

When setting the ROOT_URL to https, restarting Wekan and try to access wekan via browser and the https-URL i just get:

ERR_CONNECTION_CLOSED

Tested with Wekan v.0.13, v.0.12, v.0.10.1 Manual installation on CentOS

[davydov-vyacheslav]

one of the possible workaround - is to wrap wekan with apache and do smoething like that:

<VirtualHost *:443>

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/some.cert
        SSLCertificateKeyFile /etc/apache2/ssl/some.key

        ServerName servername
        ServerAdmin webmaster@mytodo.org

        DocumentRoot /var/www/wekan.site.com
        <Directory />
                Options FollowSymLinks
                AllowOverride AuthConfig FileInfo Indexes Options=MultiViews
        </Directory>

        <Directory /var/www/wekan.site.com>
                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride AuthConfig FileInfo Indexes Options=MultiViews
                Require all granted
        </Directory>

        ErrorLog /var/log/apache2/wekan.site.com-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/wekan.site.com-access.log combined
        ServerSignature Off

        ProxyPassMatch   "^/(sockjs\/.*\/websocket)$" "ws://127.0.0.1:8085/$1"
        ProxyPass        "/" "http://127.0.0.1:8085/"
        ProxyPassReverse "/" "http://127.0.0.1:8085/"

</VirtualHost>

where 8085 - is your local wekan's port

Don't know where ... but somewhere I saw such installation ..

[NoodleBB]

I don't have root access to that server.

[iAdanos]

@NoodleBB, did you set up HTTPS in webserver config correctly?
You should attach your webserver config here.

If you trying to start "stock" wekan in HTTPS mode (doesn't matter docker instance or compiled from source), it will not work, because wekan needs webserver proxying it with SSL.

Offtop: IMHO, SSL is not the function Wekan itself must provide. It's an app. Commutity must be concentrated on functions and stability of the primary service.
I beleve, we want make a lightweight, fast and cool service. Making a monster with integrated webserver, DB etc. functions will kill the idea.

[NoodleBB]

Here is my .htaccess.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{ENV:HTTPS} !=on
RewriteRule .* https://${SERVER_NAME}%{REQUEST_URI} [R=301,L]
RewriteRule ^(.*) http://localhost:61199/$1 [P]

When i access a sample page on that host, it redirects me to the secured page. This works fine. But when i add the last line to redirect to Wekan it fails.

Respond to OT:
I agree with you, that Wekan should be stay lean and fast, but...

• As an App it should be self-contained.
• As a Webservice which hold private data a TLS/SSL-Connection is an obligation.
• When a Password request is necessary, unencrypted connections are an absolute No-Go.

P.S.: There exist a Meteor package for that. force-ssl

[xet7]

Does Meteor / Node.js have support for virtual hosts, redirects, let's encrypt etc? URL?

[xet7]

That force-ssl seems to just redirect

[NoodleBB]

Yes. Im not an Node.js (or Meteor) expert. But Node supports TLS and HTTPS.

How-Tos:

• https://docs.nodejitsu.com/articles/cryptography/how-to-use-the-tls-module/
• https://docs.nodejitsu.com/articles/HTTP/servers/how-to-create-a-HTTPS-server/
• https://www.sitepoint.com/how-to-use-ssltls-with-node-js/
• http://www.giacomovacca.com/2015/02/websockets-over-nodejs-from-plain-to.html

This could be possibly helpful.

• https://github.com/nodejitsu/node-http-proxy#using-https
• https://taylorpetrick.com/blog/post/https-nodejs-letsencrypt

[xet7]

Does somebody use only Node.js in production?

In all articles I found with Google search, Nginx/Caddy/some other webserver is used for load balancing and delivering static content in front of Node.js.

[iAdanos]

@xet7, i tried to tell this. Wekan is a backend application. User can have multiple wekan instances and a load balancer proxying them. It's a classic practice.
Using only backend application in production is a very bad idea. I think, nobody really do that. No caching, no access log, no filters, no load balancers, no access control.

The best example for me is a Ghost Blogging Platform. It can be run standalone, but developpers assume that it is always behind Nginx/Apache/whatever.
The application itself does not provide SSL, virtual hosts etc.
I think, that's the right way.

I use Caddy to provide Wekan HTTPS access, and i have almost no problems.

@NoodleBB doesn't have root access to server, that's his main problem. With all possible respect, it's not Wekan functionality problem.

[NoodleBB]

@iAdanos
With all possible respect, could you imagine, that there are different setups and needs than yours. The thumping majority doesn't have root access to the servers they are using.

[REJack]

It's important which Control Panel your hoster/ISP use, if it's Plesk or CPanel you have not much problems depending on the restrictions.

I use Wekan on my own little root server with Deb 8, Plesk 17, a nginx proxy and Lets Encrypt SSL Certificate 😄 and it runs perfectly.

[NoodleBB]

I don't use a control panel. I use SSH and GeoTrust certificates.

But i'm sure the most users do use Plesk & Lets Encrypt.

[REJack]

@NoodleBB Which kind of access you have on your server trough SSH, do you can modify stuff in /etc, /var & /opt or install new packages?

[NoodleBB]

Nope. Just read.

[REJack]

Ok thats a bit hard. You need to check which modules are available in the apache2 instance.
One method to check which modules are available, create empty phpfile and add <?php phpinfo() ?> then search for apache2handler.

If there are proxy modules avaible you can setup a reserve proxy like @davydov-vyacheslav's workaround.

These lines can be added into a .htaccess file too.

        ProxyPassMatch   "^/(sockjs\/.*\/websocket)$" "ws://127.0.0.1:61199/$1"
        ProxyPass        "/" "http://127.0.0.1:61199/"
        ProxyPassReverse "/" "http://127.0.0.1:61199/"

[NoodleBB]

@REJack
No proxy around there.

[NoodleBB]

@xet7
Sure. Not in global or enterprise setups, but in infinity small and private groups like families, school classes, fraternities, walking club, dance groups, boycouts, churches, choral society, neighborhood, etc., etc.

[Zokormazo]

I prefer using reverse proxy with nginx instead of exposing the nodejs socket to internet so https goes on nginx. Better practice

[itsmedani]

I all,

I tried to configure Apache for SSL connection. I have SSL connections until I opened a card.

Indeed, the URL switch to the URL which are configured on the URL_ROOT line.

Do you know why?

Regards

[NoodleBB]

Try to set the protocol of the URL_ROOT to https://

[itsmedani]

Hi,

It's work!

Thanks :)

[Zokormazo]

why not? I'm using official docker image behind nginx reverse proxy with let's encrypt certificates. 2017 eka. 13 15:35 erabiltzaileak hau idatzi du ("bitsandnumbers" < notifications@github.com>):

…

@Zokormazo <https://github.com/zokormazo> and what if you use docker ? the dockerfile wekan team provide does not include a web server (nginx, apache) other than node.js, so reverse-proxy with https won't work : no way to set ssl keys (setting them in nginx proxy host is not enough it seems). Or am I missing something ? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#916 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABYVoAbi-bjCorv05fDZygFGBxsJhWxpks5sDpACgaJpZM4MfKQN> .

[bitsandnumbers]

@Zokormazo Yeah, sorry I deleted my comment after realizing that it could work. I actually found my solution.

[supercrypt]

Hey all,

we are using Wekan with Stunnel4 to support encrypted connections over SSL and want to activate HSTS. Would it possible to integrate this in a future release?

As far I can see it's already supported by Node:
https://stackoverflow.com/a/29293551

[xet7]

@supercrypt

Does that http-proxy include support for SSL ?

Otherwise, if it requires separate install of stunnel, it's the same as using Nginx/Caddy etc in front of Wekan.

[supercrypt]

Hi @xet7

Yes, the proxy supports SSL/TLS.
We didn't want to run a full webserver only for wekan so we decided for the solution with stunnel :)

[xet7]

@supercrypt

Is stunnel included inside http-proxy npm package? So there is no need for stunnel setup separately?

[supercrypt]

@xet7 I don't know if this is the case.

[cknoll]

@NoodleBB As you are the main author of https://github.com/wekan/wekan/wiki/Install-latest-Wekan-release-on-Uberspace, I guess this issue is related to that platform. Have you in the meantime been able to server Wekan on uberspace with https?

[y0d4a]

is there news about this feature?

[patrickdung]

Securing the http port with TLS is important.
If the reverse proxy web server connect to wekan's/nodejs http port without encryption, the data communication between them can be sniffed.
stunnel can be setup to secure the proxy traffic but it would be less convenient.

[xet7]

@patrickdung

Having Nginx/Apache/Caddy/Stunnel/Traefik to provide SSL in front of Wekan is already possible.

This issue is only about having SSL in Wekan's node.js server itself.

[y0d4a]

little more help? :)