superdesk/superdesk-core

Superdesk not being served over HTTPS

Closed this issue · 4 comments

When trying to access Superdesk over HTTPS, Firefox and Chrome block all content as insecure. Looking at the console, I see the error messages "Blocked loading mixed active content 'http://[my url]/api'" and "SecurityError: The operation is insecure." for app.bundle.js.

Is it possible to serve Superdesk over HTTPS? I'm using a certificate from Let's Encrypt.

It is; we use nginx to handle HTTPS and as a proxy to gunicorn.

So will it always "appear" to be served over HTTP then? With a fresh install of Superdesk, Firefox does not connect over HTTPS and gives a warning of insecure connection on the login screen, which could get annoying for users.

Yep, gunicorn will do HTTP; the rest can be set to use HTTPS via nginx.

For anyone trying to set up Superdesk and having the same issue, I finally figured out the correct configuration.

First, here's the Nginx configuration I have to handle HTTPS requests and redirect HTTP requests to HTTPS:

server {
    listen                      443 ssl http2;
    listen                      [::]:443 ssl http2;
    server_name                 my.domain.com;

    # "ssl on;" is redundant with "listen ... ssl" above; it was deprecated in
    # nginx 1.15.0 and removed in 1.25.1, so it is left commented out here.
    # ssl on;
    ssl_certificate             /path/to/my/cert.pem;
    ssl_certificate_key         /path/to/my/key.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy
    # clients really need them.
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    # WebSocket endpoint: keep the connection open and forward the Upgrade headers.
    location /ws {
        proxy_pass http://localhost:5100;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_read_timeout 3600;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    # REST API: gunicorn builds absolute links from the Host header, and the
    # sub_filter rewrites any remaining http://localhost links in JSON bodies.
    # Note: sub_filter only works on uncompressed upstream responses; if the
    # upstream gzips, clear Accept-Encoding on the proxied request.
    location /api {
        proxy_pass http://localhost:5000;
        proxy_set_header Host my.domain.com;
        expires epoch;

        sub_filter_once off;
        sub_filter_types application/json;
        sub_filter 'http://localhost' 'https://$host';
    }

    location /contentapi {
        proxy_pass http://localhost:5400;
        proxy_set_header Host my.domain.com;
        expires epoch;
    }

    # Let's Encrypt webroot challenge directory.
    location /.well-known {
        root /var/tmp;
    }

    # Client bundle: rewrite the API and WebSocket origins baked into the JS.
    location / {
        root /opt/superdesk/client/dist;

        # TODO: use "config.js:server" for user installations
        sub_filter_once off;
        sub_filter_types application/javascript;
        sub_filter 'http://localhost' 'https://$host';
        sub_filter 'ws://localhost/ws' 'wss://$host/ws';
    }

    # Publishes the outgoing-mail log directory (which contains password-reset
    # links) to anyone who can reach the site; remove or restrict this in production.
    location /mail {
        alias /var/log/superdesk/mail/;
        default_type text/plain;
        autoindex on;
        autoindex_exact_size off;
    }
}

# Redirect all plain-HTTP requests to HTTPS.
server {
    listen                      80;
    listen                      [::]:80;
    server_name                 my.domain.com;
    return                      301 https://$host$request_uri;
}

What I was missing in the configuration:

The proxy_set_header field had to be set to proxy_set_header Host <my domain name>, and in the sub_filter field it was only the second parameter that had to be set to use HTTPS.

Superdesk-specific stuff that had to be configured:

In /opt/superdesk/activate.sh, set HOST_SSL to HOST_SSL=${HOST_SSL:-s}. This will make sure links sent out by mail (like password reset emails) are sent as HTTPS.

It seems simple in retrospect but wow was it difficult to figure out with limited knowledge of Nginx...
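A quick way to verify that the sub_filter rewrites above actually removed the mixed-content references the browser was complaining about, as an added example that is not part of this thread or of Superdesk itself. It scans a response body for http:// and ws:// URLs (which an HTTPS page will block as mixed active content), applies the same substitutions the nginx config performs, and can also be pointed at a live URL; the sample bodies and the host my.domain.com are constructed values.

```python
"""Mixed-content check for a Superdesk front end served through nginx."""
from __future__ import annotations

import re
import sys
import urllib.request
from urllib.parse import urlsplit

# Constructed samples of what gunicorn returns for the API and the client bundle
# when it builds absolute links from its own plain-HTTP origin (hypothetical values).
SAMPLE_UPSTREAM = {
    "/api": '{"_links":{"self":{"href":"http://localhost/api/users"}},"ws":"ws://localhost/ws"}',
    "/app.bundle.js": 'config.server={url:"http://localhost/api",ws:"ws://localhost/ws"};',
}

URL_RE = re.compile(r'\b(?:https?|wss?)://[^\s"\'<>)]+')


def rewrite_like_nginx(body: str, public_host: str) -> str:
    """Apply the same substitutions as the sub_filter lines in the config above."""
    body = body.replace("ws://localhost/ws", f"wss://{public_host}/ws")
    return body.replace("http://localhost", f"https://{public_host}")


def insecure_references(body: str) -> list[str]:
    """Return every http:// or ws:// URL in a body served to an HTTPS page.

    Browsers treat these as mixed content; for scripts, XHR and WebSockets the
    request is blocked outright, which is the console error quoted in the thread.
    """
    return [u for u in URL_RE.findall(body) if urlsplit(u).scheme in ("http", "ws")]


def audit(bodies: dict[str, str], public_host: str) -> dict[str, dict[str, list[str]]]:
    """Report insecure references per path, before and after the nginx-style rewrite."""
    return {
        path: {
            "before": insecure_references(body),
            "after": insecure_references(rewrite_like_nginx(body, public_host)),
        }
        for path, body in bodies.items()
    }


def fetch_and_check(url: str) -> list[str]:
    """Fetch a live URL (e.g. https://my.domain.com/api) and list insecure references."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return insecure_references(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for url in sys.argv[1:]:
            print(url, fetch_and_check(url) or "OK")
    else:
        print(audit(SAMPLE_UPSTREAM, "my.domain.com"))
```

Run it with no arguments to see the before/after report on the constructed samples, or pass the public API and bundle URLs of a real deployment to check the responses nginx actually serves.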