crater-invoice/crater

The installation documentation needs urgent updating and more detailed help

noseshimself opened this issue · 0 comments

Is your feature request related to a problem? Please describe.
I have not yet been able to integrate crater into our docker environment even for testing.
As soon as I do not want to open the non-SSL server to the public, I'm getting a CSRF/XSRF problem, because I do not have the slightest idea what the crater service is expecting here.

The reverse proxy is running with a configuration like

server {
    listen 80;
    # server_name takes space-separated names; a trailing comma becomes part of the name and never matches
    server_name accounting.company.net accounting.mesh.company.net accounting.servers.mesh.company.net;
    # enforce https ($server_name is the first name listed, so every alias is
    # redirected to accounting.company.net, the name the certificate below is issued for)
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name accounting.company.net accounting.mesh.company.net accounting.servers.mesh.company.net;

    ssl_certificate     /etc/nginx/cert.d/accounting.company.net/fullchain.pem;
    ssl_certificate_key /etc/nginx/cert.d/accounting.company.net/privkey.pem;

    # strange errors without this
    large_client_header_buffers 4 32k;
    proxy_buffers 4 64k;
    proxy_buffer_size 32k;
    proxy_busy_buffers_size 64k;

    location / {
        proxy_pass http://crater-nginx-1.production-front:80/;
        # Host header variants tried; only one of the three may be active at a time
#       proxy_set_header Host $host;
        proxy_set_header Host $http_host;
#       proxy_set_header Host accounting.servers.mesh.company.net;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # tells the upstream the original request was TLS-terminated here
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;

        client_max_body_size 100m;
    }
}

and I've obviously tried several variants of the Host header.

The only way to get it running right now is forwarding port 80 of crater-app-1 to the host. This is not exactly anything anyone should do. Yet it is the only installation you describe.

Describe the solution you'd like
Provide an example configuration for crater running behind a reverse proxy peeling off the SSL layer before forwarding connections.

Describe alternatives you've considered
I tried it in all the usual ways but always ran into the CSRF mismatch problem and could not log in. The only way I could run the system right now was moving it into an area only reachable via VPN. But clients would not be able to access it.
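A first step when a Laravel application such as Crater rejects logins with a CSRF mismatch behind a TLS-terminating proxy is to see exactly which Host and X-Forwarded-* headers the proxy actually delivers to the upstream, since Laravel derives the request scheme and absolute URLs from those headers (and honours X-Forwarded-Proto only from proxies listed in its TrustProxies middleware). The following header-echo upstream is an added diagnostic example, not code from the Crater project or from the issue author: point the proxy's proxy_pass at it instead of the crater-nginx container, request the public URL, and the JSON body shows what arrived; check_forwarded() flags the values that commonly break session and CSRF handling. The hostname accounting.company.net and container name are taken from the posted config; the client IP 203.0.113.7 and the simulated header set in the main block are constructed.

```python
"""Header-echo upstream for debugging a reverse proxy in front of a Laravel app.

Added diagnostic example (not Crater's own code). Run it, then either point the
proxy at it or, as main() does, replay the headers the posted nginx config adds.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen


def check_forwarded(headers, public_host):
    """Return a list of problems with the headers a proxy delivered upstream.

    headers: mapping of header name -> value as received by the application.
    public_host: the hostname the browser uses (what users typed in the URL bar).
    """
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    host = h.get("host", "")
    if host.split(":")[0] != public_host:
        problems.append(
            f"Host is {host!r} but the browser uses {public_host!r}: URLs the app "
            "builds from Host and any host-based checks will not match the browser's origin"
        )
    if h.get("x-forwarded-proto") != "https":
        problems.append(
            "X-Forwarded-Proto is not 'https': the app believes the request is plain "
            "HTTP, so redirects and absolute URLs it generates use http://"
        )
    if "x-forwarded-for" not in h:
        problems.append("X-Forwarded-For missing: the app logs the proxy's address as the client")
    return problems


class EchoHandler(BaseHTTPRequestHandler):
    """Answers every GET with the request headers it received, as JSON."""

    def do_GET(self):
        body = json.dumps(dict(self.headers), indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_echo_server(port=0):
    """Start the echo upstream on 127.0.0.1 (port 0 = pick a free port) in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", port), EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(url, proxy_headers):
    """Send one request carrying the headers a proxy would add; return what the upstream saw."""
    req = Request(url, headers=proxy_headers)
    with urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    srv = start_echo_server()
    port = srv.server_address[1]
    # Constructed replay of what the posted nginx config forwards for
    # https://accounting.company.net/ with "proxy_set_header Host $http_host" active.
    seen = probe(f"http://127.0.0.1:{port}/", {
        "Host": "accounting.company.net",
        "X-Forwarded-Proto": "https",
        "X-Forwarded-For": "203.0.113.7",
    })
    print(json.dumps(seen, indent=2))
    print(check_forwarded(seen, "accounting.company.net") or "forwarded headers look consistent")
    srv.shutdown()
```

If the headers arrive correctly here but the real upstream still answers 419, the mismatch is on the application side (for a Laravel app: the proxy not being trusted, or session cookie domain/URL settings that do not match the public hostname), not in the nginx forwarding.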