Openproject SSL configuration with Linuxserver.io SWAG (nginx) reverse-proxy
Added by Julien Co over 1 year ago
Hello all,
First of all, thanks to all the devs and the community for this great piece of software.
OpenProject install
- OpenProject 12.4.5 in a Debian 11 VM (on proxmox).
- I followed the instructions for packaged installation as described here (https://www.openproject.org/docs/installation-and-operations/installation/packaged/#debian-11)
- During the install process, I skipped the SSL configuration (answered "no")
Reverse-Proxy
I use the linuxserver.io docker-swag reverse proxy (https://github.com/linuxserver/docker-swag) which is based on Nginx.
SSL configuration
- The approach is : Internet <--https--> docker-swag (NGINX) <--http--> Apache2 / OpenProject server
- I followed the instructions from https://www.openproject.org/docs/installation-and-operations/configuration/ssl/
External SSL termination : If you terminate SSL externally before the request hits the OpenProject server, you need to let the OpenProject server know that the request being handled is https, even though SSL was terminated before.
On your outer proxying server, set these commands:
- In Apache2, set the ProxyPreserveHost On directive
- In NginX, use the following value: proxy_set_header X-Forwarded-Host $host:$server_port;
I have the following proxy-conf file set in docker-swag (NGINX reverse proxy)
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name openproject.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.104;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        proxy_set_header X-Forwarded-Host $upstream_app:$upstream_port;
    }
}
Furthermore, the same resource indicates:
If you’re terminating SSL on the outer server, you need to set the X-Forwarded-Proto https header to let OpenProject know that the request is HTTPS, even though it has been terminated earlier in the request on the outer server.
- In Apache2, use RequestHeader set "X-Forwarded-Proto" https
- In Nginx, use proxy_set_header X-Forwarded-Proto https;
My configuration /etc/apache2/sites-available/openproject.conf is the following:
Include /etc/openproject/addons/apache2/includes/server/*.conf
IncludeOptional /etc/openproject/addons/apache2/custom/server/*.conf
<VirtualHost *:80>
    ServerName openproject.redacted.tld
    DocumentRoot /opt/openproject/public
    ProxyRequests off
    Include /etc/openproject/addons/apache2/includes/vhost/*.conf
    IncludeOptional /etc/openproject/addons/apache2/custom/vhost/*.conf
    # Can't use Location block since it would overshadow all the other proxypass directives on CentOS
    ProxyPass / http://127.0.0.1:6000/ retry=0
    ProxyPassReverse / http://127.0.0.1:6000/
    RequestHeader set "X-Forwarded-Proto" https
</VirtualHost>
However, after the modifications / restarting the server, I have the following error showing at the bottom of the page :
Mauvaise configuration du mode HTTPS
Votre application fonctionne avec le mode HTTPS réglé sur http, mais la requête est une requête https. Cela entraînera des erreurs ! Vous devrez définir la valeur de configuration suivante : OPENPROJECT_HTTPS=true. Veuillez consulter la documentation d'installation pour savoir comment régler cette configuration.
OPENPROJECT_HTTPS=true parameter
Read those instructions : https://www.openproject.org/docs/installation-and-operations/configuration/
root@openproject-prod:~# openproject config:get OPENPROJECT_HTTPS
false
root@openproject-prod:~# cat /etc/openproject/conf.d/server
export SERVER_HOSTNAME="openproject.redacted.tld"
export SERVER_PROTOCOL="http"
export SERVER_USER="www-data"
export SERVER_GROUP="www-data"
export SERVER_PATH_PREFIX="/"
root@openproject-prod:~# cat /etc/openproject/conf.d/other
(...)
export OPENPROJECT_HTTPS="false"
export OPENPROJECT_HSTS="false"
I then issued the following command:
openproject config:set OPENPROJECT_HTTPS=true
root@openproject-prod:~# openproject config:set OPENPROJECT_HTTPS=true
root@openproject-prod:~# openproject config:get OPENPROJECT_HTTPS
true
/etc/openproject/conf.d/server has not changed.
/etc/openproject/conf.d/other now has the following:
root@openproject-prod:~# cat /etc/openproject/conf.d/other
(...)
export OPENPROJECT_HSTS="false"
export OPENPROJECT_HTTPS="true"
As per the instructions:
After the file /etc/openproject/conf.d/other is changed the command sudo openproject configure must be issued
However issuing this command seems to revert everything as it was before. The error message is still present.
I even tried to directly modify the /etc/openproject/conf.d/server file to no avail.
I found the following bug that may be related: https://community.openproject.org/projects/openproject/work_packages/28954/activity
Any help is welcomed.
Replies (1)
I finally found the answer, I'm posting it here with the hope that it could increase the activity on this forum (no answer in 3 months), and for future reference.
The instructions from this page:
https://www.openproject.org/docs/installation-and-operations/configuration/ssl/
are different from those on this page:
https://www.openproject.org/docs/installation-and-operations/installation/packaged/
Issuing that command did the trick :
sudo openproject config:set SERVER_PROTOCOL_FORCE_HTTPS="true"
I can then verify that the configuration is correct :
Best,
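
The three configuration states described in this thread, as a check that can be run against a copy of the conf.d directory. This is an added example, not part of the original posts or of OpenProject: the function names, the state labels and the sample files are constructed, and storing SERVER_PROTOCOL_FORCE_HTTPS in the `other` file is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): classify the HTTPS state of a
# conf.d-style directory made of `export KEY="value"` lines.

# conf_get DIR KEY: print the last value assigned to KEY in any file in DIR.
# Files are parsed with sed rather than sourced, so nothing in them is executed.
conf_get() {
    cat "$1"/* 2>/dev/null |
        sed -n "s/^export $2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" |
        tail -n 1
}

# https_mode DIR: print one of
#   forced   SERVER_PROTOCOL_FORCE_HTTPS=true (the setting from the reply)
#   https    SERVER_PROTOCOL=https
#   fragile  only OPENPROJECT_HTTPS=true; the thread reports that
#            `openproject configure` reverts this
#   http     nothing marks the instance as HTTPS
https_mode() {
    force=$(conf_get "$1" SERVER_PROTOCOL_FORCE_HTTPS)
    proto=$(conf_get "$1" SERVER_PROTOCOL)
    https=$(conf_get "$1" OPENPROJECT_HTTPS)
    if [ "$force" = "true" ]; then echo forced
    elif [ "$proto" = "https" ]; then echo https
    elif [ "$https" = "true" ]; then echo fragile
    else echo http
    fi
}

# make_sample DIR HTTPS_VALUE [EXTRA_LINE]: write constructed sample files.
make_sample() {
    mkdir -p "$1"
    printf 'export SERVER_PROTOCOL="http"\n' > "$1/server"
    printf 'export OPENPROJECT_HSTS="false"\nexport OPENPROJECT_HTTPS="%s"\n' "$2" > "$1/other"
    [ -z "$3" ] || printf '%s\n' "$3" >> "$1/other"
}

# Constructed data mirroring the three states described in the thread.
tmp=$(mktemp -d)
make_sample "$tmp/initial" false
make_sample "$tmp/after_config_set" true
make_sample "$tmp/after_fix" true 'export SERVER_PROTOCOL_FORCE_HTTPS="true"'
for d in initial after_config_set after_fix; do
    printf '%s: %s\n' "$d" "$(https_mode "$tmp/$d")"
done
rm -rf "$tmp"
```

On a real host, `https_mode /etc/openproject/conf.d` reports which of the four states the instance is in; anything other than `forced` or `https` behind a TLS-terminating proxy corresponds to the banner quoted in the first post.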