bagetter/BaGetter

Insecure Content Issue Behind SSL Proxy in Docker Container

Closed this issue · 7 comments

Describe the bug

When using BaGetter NuGet package within a Docker container and behind a proxy with SSL, the application is unable to recognize the correct DNS or URL for assets. This results in mixed content issues, as the browser blocks insecure requests.

To Reproduce

  1. Using BaGetter version 1.0.4
  2. Running the application inside a Docker container with a proxy with SSL.
  3. Navigating to the package list.
  4. Browser blocking content with the error:

image

Expected behavior

I expect the application to recognize the correct DNS or URL when using a proxy for SSL, ensuring that assets are served over HTTPS, and avoiding mixed content issues.

Additional context

I have researched extensively but couldn't find any relevant information on how to address this issue. It would be helpful to have guidance on changing the URL inside the application to return assets with the correct URL when using a proxy. Alternatively, documentation on integrating SSL inside the Docker container would also be appreciated.

This should be no problem, not sure what's going on. Can you call https://nuget.actsis.com/v3/index.json in a browser and check if the output includes those internal IP addresses too? They should include the host from the request header, not an IP address. Can you check if the proxy is forwarding headers correctly? I think the host header is the important one here.

Hi @Regenhardt

Well, I'm using IIS with URL Rewrite:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://10.3.0.5:5555/{R:1}" />
                </rule>
            </rules>
        </rewrite>
        <security>
            <requestFiltering>
                <fileExtensions allowUnlisted="true" applyToWebDAV="true">
                    <clear />
                </fileExtensions>
                <verbs allowUnlisted="true" applyToWebDAV="true" />
                <hiddenSegments applyToWebDAV="true">
                    <clear />
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

And when I go to the index, this is the response:

image

Thank you for your time and effort on this project!

Best regards

I thought URL rewrite actually rewrites the URL in the browser? Anyway, not sure it works this way, as a browser will always flag this unless you either activate https for the internal connection or configure the proxy so that it forwards the request headers from the caller to the internal server. I do have a few ideas here.

Is the 10.3.0.5 a different server than the one handling nuget.actsis.com?

If it's the same server, rewrite the URL to add the port, but don't change it to the IP address but keep the domain instead.

If it's a different server:

Either find out how to configure IIS to forward the headers of the caller.

Or configure IIS so that it also changes returned URLs back to the original URL from the internal IP address: https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

Hi @Regenhardt, appreciate your support on this.

I've updated and reconfigured the reverse proxy based on your instructions, but unfortunately, it's still not working. I suspect it might be a limitation of IIS.

I'll give the proxy manager a try to see if that resolves the issue.

I've tried NGINX Proxy Manager, and it's been working well for me. I believe IIS has some limitations that may have been causing issues.


Nice!

I already found the solution for IIS with the rewrite reverse proxy:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://10.3.0.5:5000/{R:1}" logRewrittenUrl="true" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Area, Base, Form, Head, Img, Input, Link, Script" pattern="^http(s)?://10.3.0.5:5000/(.*)" />
                    <action type="Rewrite" value="https://nuget.com/{R:2}" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
        <security>
            <requestFiltering>
                <fileExtensions allowUnlisted="true" applyToWebDAV="true">
                    <clear />
                </fileExtensions>
                <verbs allowUnlisted="true" applyToWebDAV="true" />
                <hiddenSegments applyToWebDAV="true">
                    <clear />
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

In IIS, the variables that set standard HTTP headers are prefixed with HTTP

And finally, you need to be sure that host headers are preserved. This is set at the IIS server level, by executing the following command.

C:\Windows\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true /commit:apphost

  1. Uncheck the box "Reverse rewrite host in response headers" from Application Request Routing > Server proxy settings set at the server level in IIS
  2. Apply the change
  3. Restart IIS

And there you go!

I hope it helps someone who has the same problem.