Mixed (insecure) content behind an Apache reverse proxy
Closed this issue · 3 comments
Hello,
I'm trying to run a docker with baikal behind an apache reverse proxy, which is in another container. Even though there is connectivity between the containers, baikal does not seem to work this way at all. The main webpage always complains about insecure / mixed content and can't be loaded, whatever settings I try. Please, has anybody got it working in a similar kind of setup? It does not matter if I choose the dav.domain.com or domain.com/dav URL model, the same issue comes with both. Thank you.
Container setup
docker run \
-d \
--net bridge \
--ip 10.0.0.21 \
-p 9005:80 \
--name baikal \
--restart always \
-e BAIKAL_SERVERNAME=dav.domain.com \
-v /home/apps/.local/share/docker/volumes/baikal_volume/_data/config:/var/www/baikal/config \
-v /home/apps/.local/share/docker/volumes/baikal_volume/_data/Specific:/var/www/baikal/Specific \
ckulka/baikal:latest
Apache reverse proxy
<VirtualHost *:3443>
ServerName dav.domain.com
DocumentRoot /usr/local/apache2/htdocs/www.domain.com/root
SSLEngine on
SSLCertificateFile /usr/local/apache2/certs/domain.com/fullchain.pem
SSLCertificateKeyFile /usr/local/apache2/certs/domain.com/privkey.pem
CustomLog /usr/local/apache2/logs/access_dav.domain.com.log combined
ErrorLog /usr/local/apache2/logs/error_dav.domain.com.log
LogLevel warn
#Baikal
ProxyPass / http://10.0.0.21
ProxyPassReverse / http://10.0.0.21
</VirtualHost>
I tried adding these settings, one after another, and they seem to get half the job done, because the browser tries to access the elements securely; however, the connection times out on them.
RequestHeader set X-Forwarded-Proto "https"
Header always set Content-Security-Policy "upgrade-insecure-requests"
Browser console
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'attribution-reporting'.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'run-ad-auction'.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'join-ad-interest-group'.
:3443/:1 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure element 'http://10.0.0.21/res/core/BaikalAdmin/Templates/Page/baikal-text-20.png'. This request was not upgraded to HTTPS because its URL's host is an IP address.
:3443/:1 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure element 'http://10.0.0.21/res/core/Baikal/Images/logo-baikal.png'. This request was not upgraded to HTTPS because its URL's host is an IP address.
5Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
dav.domain.com/:58 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure element 'http://10.0.0.21/res/core/BaikalAdmin/Templates/Page/baikal-text-20.png'. This request was not upgraded to HTTPS because its URL's host is an IP address.
dav.domain.com/:58 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure image 'http://10.0.0.21/res/core/BaikalAdmin/Templates/Page/baikal-text-20.png'. This request has been blocked; the content must be served over HTTPS.
dav.domain.com/:58 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure element 'http://10.0.0.21/res/core/Baikal/Images/logo-baikal.png'. This request was not upgraded to HTTPS because its URL's host is an IP address.
dav.domain.com/:58 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure image 'http://10.0.0.21/res/core/Baikal/Images/logo-baikal.png'. This request has been blocked; the content must be served over HTTPS.
dav.domain.com/:1 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure script 'http://10.0.0.21/res/core/TwitterBootstrap/js/jquery-3.1.0.min.js'. This request has been blocked; the content must be served over HTTPS.
dav.domain.com/:1 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure script 'http://10.0.0.21/res/core/TwitterBootstrap/js/jquery.color-2.2.0.min.js'. This request has been blocked; the content must be served over HTTPS.
dav.domain.com/:1 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure script 'http://10.0.0.21/res/core/TwitterBootstrap/js/bootstrap.min.js'. This request has been blocked; the content must be served over HTTPS.
dav.domain.com/:1 Mixed Content: The page at 'https://dav.domain.com:3443/' was loaded over HTTPS, but requested an insecure script 'http://10.0.0.21/res/core/BaikalAdmin/main.js'. This request has been blocked; the content must be served over HTTPS.
favicon.ico:1
GET https://dav.domain.com:3443/favicon.ico 502 (Proxy Error)
Fixed
ProxyPass / http://10.0.0.21/
ProxyPassReverse / http://10.0.0.21/
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
Working also for domain.com/dav, but you have to edit the config (baikal.yaml) and add the base_uri parameter.
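A way to check that the proxy fix above took effect, as an added example that is not part of the original thread: it scans HTML fetched through the proxy for http:// sub-resources and marks those whose host is an IP address, the case the console output reports as not upgraded. The function names, the sample markup and the "after" URLs are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make the browser fetch a sub-resource.
RESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("link", "href"), ("iframe", "src")}

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [(tag, v) for k, v in attrs if v and (tag, k) in RESOURCE_ATTRS]

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_mixed_content(page_url, html):
    """List (tag, url, kind) for every http:// sub-resource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # relative, protocol-relative and https URLs are fine
        # An IP host means the backend address leaked into the markup; the
        # console output in this thread shows such requests are not upgraded.
        kind = "backend-ip" if _is_ip(parts.hostname or "") else "insecure-host"
        findings.append((tag, url, kind))
    return findings

# Constructed sample: the http://10.0.0.21 URLs appear in the thread's console
# output; the relative stylesheet, the markup and the "after" URLs are assumed.
BEFORE = """<link rel="stylesheet" href="/res/example.css">
<img src="http://10.0.0.21/res/core/Baikal/Images/logo-baikal.png">
<script src="http://10.0.0.21/res/core/TwitterBootstrap/js/bootstrap.min.js"></script>
<script src="http://10.0.0.21/res/core/BaikalAdmin/main.js"></script>"""
AFTER = BEFORE.replace("http://10.0.0.21", "https://dav.domain.com:3443")

if __name__ == "__main__":
    for label, html in (("before", BEFORE), ("after", AFTER)):
        print(label, find_mixed_content("https://dav.domain.com:3443/", html))
```

Any backend-ip finding means the application still builds URLs from the internal address, which points at a missing ProxyPreserveHost or X-Forwarded-Proto header on the proxy.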
Hi, I am also trying to get baikal working from behind an apache reverse proxy with no success. I have been struggling with this for several hours.
You mention that you have to edit baikal.yaml, exactly what did you put in this field to get it working?
If I do this base_uri 'dav' or any combination such as '/dav' 'dav/' '/dav/' etc. then load the http://localhost/dav in the browser, the admin page is broken. If I can get this working then I could do what you suggested in apache:
ProxyPass /dav http://10.0.0.21/dav
ProxyPassReverse /dav http://10.0.0.21/dav
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
but the localhost needs to work first and after I change the base_uri parameter I always get a 404 error on the new page: http://localhost/dav and a broken page on the original root page: http://localhost. I would love to know how you got this working.
Are you sure you got localhost/dav working or did you get d.localhost working? Could you post your entire solution including the yaml file and the apache.conf?
Yes, well, the problem I had was with loading mixed content and had to do probably something with the apache config. I fixed it with the configuration above on the apache side. Also, I had to configure the apache suffix folder in the baikal.yaml settings: base_uri: 'dav/', or base_uri: '/dav/' also worked. This issue got resolved, until I found another problem. As you say, the admin redirect is not working properly. It was an issue with the app itself as mentioned here, but it got fixed and the problem remained probably for the docker users, etc...
I got tired after several hours trying to get this to work - the solutions in the thread are temporary and not always stated as 100%, what I needed, so I switched to the dav.domain.com setup. This got me a good functional version of the Baikal container behind a proxy.