feat: try to implement single level subdomain A records#2425
Conversation
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the WalkthroughThis change updates configuration files and scripts to switch the Portainer subdomain naming convention from a dot separator (e.g., portainer.example.com) to a hyphen separator (e.g., portainer-example.com). Related Nginx configuration, Docker Compose environment variables, certificate setup scripts, and the changelog were updated accordingly, with some SSL and proxy enhancements. Changes
Sequence Diagram(s)sequenceDiagram
participant User
participant Nginx (HTTP)
participant Nginx (HTTPS)
participant Portainer
User->>Nginx (HTTP): Request http://portainer-$SERVER_HOSTNAME/
Nginx (HTTP)-->>User: 301 Redirect to https://portainer-$SERVER_HOSTNAME/
User->>Nginx (HTTPS): Request https://portainer-$SERVER_HOSTNAME/
Nginx (HTTPS)->>Portainer: Proxy request using $upstream_portainer
Portainer-->>Nginx (HTTPS): Response
Nginx (HTTPS)-->>User: Response
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Suggested labels
✨ Finishing Touches🧪 Generate unit tests
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. CodeRabbit Commands (Invoked using PR/Issue comments)Type Other keywords and placeholders
Status, Documentation and Community
|
10d3035 to
fde317e
Compare
|
@coderabbitai full review |
✅ Actions performedFull review triggered. |
c8987d1 to
4b7cb7b
Compare
rija
left a comment
There was a problem hiding this comment.
Hi @kencho51,
question: After deploying this PR (following the instructions in PR) I encountered “too many redirect” errors when navigating to both my gigadb and portainer endpoints on staging (Tried with Safari and Firefox).
Turning off the Cloudflare proxy doesn’t seem to make a difference.
https://rija-staging.gigadb.host/
https://portainer-rija-staging.gigadb.host/
I then redeployed another branch and the gigadb website was reachable normally (with Cloudflare proxy still on).
Is there something I missed, or is there something in need of tweaking in the nginx configuration files?
(I’ve now redeployed your branch so you can see for yourself)
151dd1a to
7fc7bdc
Compare
|
Hi @rija,
Regarding this error, I think the reason for it is your domains are not from Cloudflare DNS, so when your nginx instance receives a secure HTTPS request, it will then forward the request to the application/portainer over an insecure channel (HTTP), which then would send a redirect back to the browser, telling it to use HTTPS, which starts the loop all over again. A quick fix is to migrate your URLs to Cloudflare DNS, it will make sure the request to the application contains the header But in order to make the nginx configuration robust enough to handle both direct connections and proxied connections correctly (Cloudflare), the nginx https config need to updated as well, which is in the a88bce0. |
a88bce0 to
4262bfd
Compare
Pull request for issue: #2393
This is a pull request for the following functionalities:
FlexibletoFull (strict)/.well-known/acme-challenge/to handle challenge requests for the Let's Encrypt when creating a new cert using certbot.TRUSTED_ORIGINSenvironment variableHow to test?
In dev
No changes to dev
In Staging
Create new A record for your production ips, as below:
By doing this, all domains will be centralized to Cloudflare DNS, and save cost from managing your own DNS for development.
REMOTE_FILES_PUBLIC_URL,REMOTE_HOME_URL,REMOTE_HOSTNAME,remote_fileserver_hostname` in your gitlab variable page as in the new A record table.setup_cert.shto create new cert for the new domain names duringsd_gigadb.docs/SETUP_PROVISIONING.mdanddocs/SETUP_CI_CD_PIPELINE.mdto spin up servers and execute the CI/CD pipelinesd_gigadbis passed, go to $name-staging.gigadb.org and portainer-$name-staging.gigadb.org to checkIn Live
Repeat the steps in
In Staing, except the for DNA A record which should be:And also follow
docs/RELEASE_PROCESS.mdto make a live deployment.How have functionalities been implemented?
HTTP vs HTTPS request
Originally, the cloudflare SSL/TLS encryption mode was set to
Flexibleand with proxy is turned on, from user to cloudflare is a HTTPS request, but from cloudflare to portainer server is a HTTP request. When Nginx server receives this request on port 80, it matches the server block intended for HTTP traffic in the nginx.target_deployment.http.conf, the location block containstry_files $uri $uri/ /index.php$is_args$args;, this directive tells Nginx to serve a file from the local disk, which fails and results in the browser being told to download a file.It could be simply fixed by changing the SSL/TLS encryption mode to
FULL (strict), it will make sure the requests from user to cloudflare then to portainer server is all HTTPS asBrowser --(HTTPS)--> Cloudflare --(HTTPS)--> Server, this encrypts traffic and verifies the Let's Encrypt certificate is valid. And more importantly, by redirecting all HTTP requests to the corresponding HTTPS URL with a 301Moved Permanentlystatus code, this preserves the code's integrity removes the dependency on Cloudflare.CSRF issue
When tried visit portainer behind the cloudflare proxy, the request has been configured to
httpsonly, user cannot log in portainer from the Chrome browser because of this error:As reported in https://www.portainer.io/blog/origin-invalid-errors-with-portainer-2-27-7-behind-reverse-proxies, portainer has updated a third-party library (gorilla/csrf) introduced since version 2.27.7, the new version of gorilla/csrf was stricter on requirements around Origin and Referer headers than the previous release had been, so they have enabled the
--trusted-originsCLI option (and the equivalent TRUSTED_ORIGINS environment variable) for the Portainer container.The fix for this is to update the production portainer container with this environment variable:
Any issues with implementation?
Describe any problems with your implementation
None.
Any changes to automated tests?
None.
Any changes to documentation?
None.
Any technical debt repayment?
Updated
ops/configuration/nginx-conf/sites/nginx.target_deployment.http.conf.distto redirect all http request to https for the portainer.Upgraded the already EOL php fpm base image from buster to bullseye in the production app dockerfile
Any improvements to CI/CD pipeline?
Describe any improvements to the Gitlab pipeline
Summary by CodeRabbit
Bug Fixes
Chores