BaGet icon indicating copy to clipboard operation
BaGet copied to clipboard
verified publisher icon loic-sharma

HTTPS support and documentation

Open R4cOOn opened this issue 3 years ago • 6 comments

Hi,

We recently installed BaGet as a Docker server. It worked well until a .NET update started throwing errors:

/src/something-redacted.csproj : error NU1803: You are running the 'restore' operation with an 'HTTP' source, 'http://172.17.0.1:5555/v3/index.json'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.

Is it possible to enable HTTPS for the Docker installation?

Cheers.

R4cOOn avatar Aug 10 '22 08:08 R4cOOn

We are currently having the same issue.

Mahoney0101 avatar Aug 10 '22 13:08 Mahoney0101

Same here, we don't want to use reverse proxy to set https for Baget.

kenoma avatar Aug 12 '22 17:08 kenoma

Hi,

We recently installed BaGet as a Docker server. It worked well until a .NET update started throwing errors:

/src/something-redacted.csproj : error NU1803: You are running the 'restore' operation with an 'HTTP' source, 'http://172.17.0.1:5555/v3/index.json'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.

Is it possible to enable HTTPS for the Docker installation?

Cheers.

BaGet on Docker runs using Kestrel, so you can follow the instructions here to configure HTTPS.

wazzamatazz avatar Aug 18 '22 11:08 wazzamatazz

Thanks. I wasn't aware of these instructions.

We ended up spinning up an Nginx image to do the HTTPS for us.

R4cOOn avatar Aug 18 '22 12:08 R4cOOn

Upstream issue: https://github.com/NuGet/Home/issues/12013

Workaround: <NoWarn>$(NoWarn);NU1803</NoWarn>

lonix1 avatar Aug 18 '22 13:08 lonix1

You can run BaGet as HTTPS in Docker easily. We have our self signed certificate a run BaGet in Docker by Docker Compose. Just see code bellow

 baget:
    image: loicsharma/baget
    restart: always
    environment:
      - ApiKey=apikey
      - AllowPackageOverwrites=true
      - Storage__Type=FileSystem
      - Storage__Path=/data/packages
      - Database__Type=Sqlite
      - Database__ConnectionString=Data Source=/data/baget.db
      - Search__Type=Database
      - Kestrel__Endpoints__https__Url=https://*:443
      - Kestrel__Endpoints__https__Certificate__Path=/certs/wildcard_selfsigned_infra.p12
      - Kestrel__Endpoints__https__Certificate__Password=password
    volumes:
      - ./data/baget:/data 
      -./certs:/certs:ro
    ports:
      - 443 :443

kubalunacek avatar Aug 30 '22 06:08 kubalunacek

We don't use docker but IIS of Windows. It would be nice if there is HTTPS Support for IIS too. Or instruction how to update it to HTTPS, thank you in advance!

iiey avatar Jan 11 '23 07:01 iiey

To use HTTPS via Kestrel, you can edit the appsettings.json like so (we use this extensively for internal services, this may or may not work with automatic certificates such as Let's Encrypt - we haven't tried it since we have an internal CA for creating certificates):

"Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://hostname:5000",
        "Certificate": {
          "Store": "My",
          "Location": "LocalMachine",
          "Subject": "commonName"
        }
      }
    }
  }

Running on IIS with HTTPS is trivial - install the .NET Core hosting bundle, add a website that points to the BaGet instance then add your certificate in IIS (we use wacs to get Let's Encrypt certificates). The IIS instructions on the website are actually a bit more complicated than necessary and can be simplified quite a bit.

ahwm avatar Aug 03 '23 17:08 ahwm

In november nuget will drop HTTP support - it does however look like this issue has been resolved for both the guy using docker and the guy using IIS, right? If not, what could be done from the BaGet side to support https, enable hosting a specific file for lets encrypt auto updates? Or can this be closed?

Regenhardt avatar Aug 11 '23 08:08 Regenhardt

I think the only thing that needs done on BaGet side is an update of the documentation. I don't think there's anything specific BaGet can do itself for HTTPS support. In my opinion it's a little outside scope (other than documentation).

Kestrel: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel/endpoints?view=aspnetcore-6.0#replace-the-default-certificate-from-configuration-1

Docker (link from comment above): https://learn.microsoft.com/en-us/aspnet/core/security/docker-https?view=aspnetcore-6.0

IIS:

  1. Install Hosting Bundle from https://dotnet.microsoft.com/en-us/download/dotnet/6.0 (current LTS, but latest .NET version should work fine as well)
  2. Create Website (by default a new application pool will be created with the same name)
  3. Update application pool to "No Managed Code" (optional, not required)
  4. Update permissions as necessary (user will be IIS AppPool\sitename)
  5. Utilize traditional IIS methods of managing HTTPS (generating CSR, etc.) or use something like wacs to use Let's Encrypt certificates

ahwm avatar Aug 11 '23 14:08 ahwm

Where would this be best located? The IIS part goes nicely into the IIS docs, the Docker part goes nicely into the Docker docs, but where to put the Kestrel part?

Or a whole new section for HTTPS, although this doesn't seem right to me since HTTPS is the default nowadays and should be part of the default installation doc.

Regenhardt avatar Aug 12 '23 12:08 Regenhardt

Kestrel settings go in the "On your computer" part of the installation docs since the instructions there use Kestrel. Or an HTTPS section is added to the configuration docs.

wazzamatazz avatar Aug 13 '23 09:08 wazzamatazz