From fd9e62591e13ee93b33cf70a5e5df3b5098cf6cf Mon Sep 17 00:00:00 2001 From: Leendert de Borst Date: Mon, 8 Sep 2025 15:59:21 +0200 Subject: [PATCH] Add optional http to https redirect env setting (#1181) --- dockerfiles/all-in-one/Dockerfile | 4 +- dockerfiles/all-in-one/config/nginx-443.conf | 126 ++++++++++++++++++ .../config/{nginx.conf => nginx-80-443.conf} | 3 +- dockerfiles/all-in-one/s6-scripts/nginx/run | 10 ++ dockerfiles/docker-compose.all-in-one.yml | 1 + 5 files changed, 142 insertions(+), 2 deletions(-) create mode 100644 dockerfiles/all-in-one/config/nginx-443.conf rename dockerfiles/all-in-one/config/{nginx.conf => nginx-80-443.conf} (98%) diff --git a/dockerfiles/all-in-one/Dockerfile b/dockerfiles/all-in-one/Dockerfile index d106f611d..4df3c4be5 100644 --- a/dockerfiles/all-in-one/Dockerfile +++ b/dockerfiles/all-in-one/Dockerfile @@ -134,7 +134,8 @@ COPY --from=dotnet-builder /app /app # Copy configuration files and scripts directly to their destinations COPY dockerfiles/all-in-one/reset-admin-password.sh /usr/local/bin/reset-admin-password.sh COPY apps/server/AliasVault.Client/nginx.conf /app/client/nginx.conf -COPY dockerfiles/all-in-one/config/nginx.conf /etc/nginx/nginx.conf +COPY dockerfiles/all-in-one/config/nginx-80-443.conf /etc/nginx/nginx-80-443.conf +COPY dockerfiles/all-in-one/config/nginx-443.conf /etc/nginx/nginx-443.conf COPY apps/server/status.html /usr/share/nginx/html/status.html COPY dockerfiles/all-in-one/s6-scripts /etc/s6-overlay/s6-rc.d/ @@ -159,6 +160,7 @@ ENV ALIASVAULT_VERBOSITY=0 \ POSTGRES_PORT=5432 \ POSTGRES_USER=aliasvault \ POSTGRES_DATABASE=aliasvault \ + FORCE_HTTPS_REDIRECT=false \ S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 \ S6_VERBOSITY=0 diff --git a/dockerfiles/all-in-one/config/nginx-443.conf b/dockerfiles/all-in-one/config/nginx-443.conf new file mode 100644 index 000000000..3a6da293d --- /dev/null +++ b/dockerfiles/all-in-one/config/nginx-443.conf @@ -0,0 +1,126 @@ +# Nginx configuration for AliasVault all-in-one container with forced HTTP to HTTPS redirect +# and uses a self-signed cert. +events { + worker_connections 1024; +} + +http { + client_max_body_size 25M; + + upstream client { + server localhost:3000 max_fails=1 fail_timeout=5s; + } + + upstream api { + server localhost:3001 max_fails=1 fail_timeout=5s; + } + + upstream admin { + server localhost:3002 max_fails=1 fail_timeout=5s; + } + + # Preserve any existing X-Forwarded-* headers, this is relevant if AliasVault + # is running behind another reverse proxy. + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.16.0.0/12; + set_real_ip_from 192.168.0.0/16; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Enable gzip compression, which reduces the amount of data that needs to be transferred + # to speed up WASM load times. + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + # HTTP server - redirects all traffic to HTTPS + server { + listen 80; + server_name _; + + # Redirect all HTTP traffic to HTTPS + return 301 https://$host$request_uri; + } + + # HTTPS server + server { + listen 443 ssl; + server_name _; + + # Include the appropriate SSL certificate configuration generated + # by the entrypoint script. + include /etc/nginx/ssl.conf; + + # Security headers + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Cross-Origin-Resource-Policy "same-origin" always; + add_header Content-Security-Policy "frame-ancestors 'self'" always; + + # Root for static files + root /usr/share/nginx/html; + + # Error page handler location (internal use only) + location = /status.html { + internal; + try_files /status.html =404; + add_header Cache-Control "no-cache, no-store, must-revalidate"; + add_header Pragma "no-cache"; + add_header Expires "0"; + } + + # Admin interface + location /admin { + proxy_pass http://admin; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Prefix /admin/; + + # Add WebSocket support for Blazor server + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 86400; + + # Show status page if admin is down + proxy_intercept_errors on; + error_page 502 503 504 =503 /status.html; + } + + # API endpoints + location /api { + proxy_pass http://api; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # Show status page if api is down + proxy_intercept_errors on; + error_page 502 503 504 =503 /status.html; + } + + # Client app (root path) + location / { + proxy_pass http://client; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # Show status page if client is down + proxy_intercept_errors on; + error_page 502 503 504 =503 /status.html; + } + } +} \ No newline at end of file diff --git a/dockerfiles/all-in-one/config/nginx.conf b/dockerfiles/all-in-one/config/nginx-80-443.conf similarity index 98% rename from dockerfiles/all-in-one/config/nginx.conf rename to dockerfiles/all-in-one/config/nginx-80-443.conf index bd7e5f719..8e287a18c 100644 --- a/dockerfiles/all-in-one/config/nginx.conf +++ b/dockerfiles/all-in-one/config/nginx-80-443.conf @@ -1,5 +1,6 @@ # This is the main Nginx configuration file for the AliasVault all-in-one container. -# which exposes all AliasVault services via a single port 80. +# which exposes all AliasVault services via both 80 (HTTP) +# and optionally 443 (HTTPS) with self-signed cert. events { worker_connections 1024; } diff --git a/dockerfiles/all-in-one/s6-scripts/nginx/run b/dockerfiles/all-in-one/s6-scripts/nginx/run index 761d645d2..2f06ccd78 100644 --- a/dockerfiles/all-in-one/s6-scripts/nginx/run +++ b/dockerfiles/all-in-one/s6-scripts/nginx/run @@ -19,6 +19,16 @@ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDS ssl_prefer_server_ciphers off; SSLEOF +# Configure nginx based on FORCE_HTTPS_REDIRECT environment variable +FORCE_HTTPS_REDIRECT=${FORCE_HTTPS_REDIRECT:-false} +if [[ "${FORCE_HTTPS_REDIRECT}" == "true" ]]; then + echo "Configuring nginx with HTTPS-only (443) - redirects HTTP to HTTPS" + cp /etc/nginx/nginx-443.conf /etc/nginx/nginx.conf +else + echo "Configuring nginx with HTTP and HTTPS support (80+443)" + cp /etc/nginx/nginx-80-443.conf /etc/nginx/nginx.conf +fi + echo "Starting Nginx reverse proxy..." # Set nginx error log level based on verbosity diff --git a/dockerfiles/docker-compose.all-in-one.yml b/dockerfiles/docker-compose.all-in-one.yml index dacda95c9..10747ba58 100644 --- a/dockerfiles/docker-compose.all-in-one.yml +++ b/dockerfiles/docker-compose.all-in-one.yml @@ -17,5 +17,6 @@ services: environment: PUBLIC_REGISTRATION_ENABLED: "true" IP_LOGGING_ENABLED: "true" + FORCE_HTTPS_REDIRECT: "false" SUPPORT_EMAIL: "" PRIVATE_EMAIL_DOMAINS: ""