
[bug]: No obvious SSL certificate support

Open · gareth-johnstone opened this issue

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current behavior

I visit the URL I have plane.so self-hosted on and there is no SSL support.

Steps to reproduce

Go to the website; there is no SSL.

Browser

Google Chrome

Version

Self-hosted

gareth-johnstone avatar Jun 07 '23 12:06 gareth-johnstone

Hi @gareth-johnstone

On the self-hosted version, you are running it via the nginx reverse proxy. On nginx, you can set up certbot, which can generate the cert for you, and you can replace all the http with https or configure nginx to redirect http:// to https://

Give it a try!

me-abhishekpal avatar Jun 07 '23 15:06 me-abhishekpal

As we had the same issue and spent quite some time on it, we'd like to share our setup:

  • There is a reverse proxy serving at ports 80 (for certificate issuing) and 443 with SSL
  • There is a certbot to issue the SSL certificate
  • There is plane running on port 12345 - should be around version v0.8-dev. Since the project seems to be in its early stages, things might have changed when you read this!

1. Setup Host Machine

  1. Install Docker: https://docs.docker.com/engine/install/ubuntu/
  2. Enable rootless Docker: https://docs.docker.com/engine/security/rootless/
  3. Enable privileged ports for serving on 80 / 443: https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports

In our setup, we organized the following directories:

  • ~/plane: The plane files and configurations
  • ~/volume/certbot: The certbot volumes (logs, configs)
  • ~/volume/nginx: The nginx volumes (logs, configs)

2. Setup Plane.so

  1. Follow self-host tutorial: https://docs.plane.so/self-hosting
  2. In the version we used, you have to make some further configurations (overwrite passwords, add email settings)
  3. Apply the configuration: set -a; source .env; set +a;
  4. Start plane.so: docker compose -f docker-compose-hub.yml up -d

Make sure you configure the following variables to your needs in .env:

NGINX_PORT=12345
NEXT_PUBLIC_API_BASE_URL=https://<domain>.com
WEB_URL=https://<domain>.com

Please note the https in the URLs.

3. Reverse Proxy

  1. Set up SSL with certbot and nginx. I'll skip the necessary steps to issue the certificate. We found this tutorial helpful: https://mindsers.blog/post/https-using-nginx-certbot-docker/
  2. Start the reverse proxy: docker compose up webserver -d

These are the final configurations we used:

File volume/nginx/conf/default.conf:

server {
    listen 80;
    listen [::]:80;

    server_name <domain>.com www.<domain>.com;
    server_tokens off;

    # Plain HTTP stays open only for the ACME HTTP-01 challenge; certbot writes
    # the challenge files into the volume mounted at /var/www/certbot.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Everything else is redirected to HTTPS on the apex name.
    location / {
        return 301 https://<domain>.com$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;   # standalone directive; needs nginx 1.25.1 or newer (nginx:latest)

    server_name <domain>.com www.<domain>.com;

    # Issued by certbot; the certbot conf volume is mounted read-only at /etc/nginx/ssl
    ssl_certificate /etc/nginx/ssl/live/<domain>.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/<domain>.com/privkey.pem;

    location / {
        # plane's own nginx, published on NGINX_PORT=12345 (plain HTTP)
        proxy_pass http://<domain>.com:12345;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Otherwise error: The page at '<URL>' was loaded over HTTPS, but requested
        # an insecure XMLHttpRequest endpoint '<URL>'.
        add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
    }
}

File docker-compose.yaml

version: '3'

services:
  webserver:
    image: nginx:latest
    ports:
      - 80:80     # ACME challenge + redirect to HTTPS
      - 443:443   # TLS termination in front of plane
    restart: always
    volumes:
      - ./volume/nginx/conf/:/etc/nginx/conf.d/:ro   # default.conf above
      - ./volume/certbot/www:/var/www/certbot/:ro    # challenge files written by certbot
      - ./volume/certbot/conf/:/etc/nginx/ssl/:ro    # live/<domain>.com/{fullchain,privkey}.pem
      - ./volume/nginx/log/:/var/log/nginx/:rw
  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./volume/certbot/www/:/var/www/certbot/:rw   # same webroot nginx serves on port 80
      - ./volume/certbot/conf/:/etc/letsencrypt/:rw  # certbot's state, read by nginx as /etc/nginx/ssl

Caveats

  • The port of plane needs to be exposed as well (I think)

Let me know if you have thoughts (especially on how to deal with the caveats)!

@me-abhishekpal It would be awesome if the plane-internal nginx would also allow configuration via an environment variable pointing to the certificates. However, I understand if this might not be in line with your commercial Open Source strategy.

georg-schwarz avatar Jul 14 '23 14:07 georg-schwarz
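An added post-deployment check for the setup above (example code, not from the thread or the plane project). It verifies the three things the setup depends on: that plain HTTP only redirects to https:// on the apex (or a subdomain such as www), that the certificate chain and hostname validate and the cert is not inside certbot's 30-day renewal window (a sign the renew job is not running), and that the app's plain-HTTP listener on NGINX_PORT is not reachable from outside, which would let a client bypass TLS entirely. The apex `<domain>.com` and backend port 12345 are taken from the .env shown above; run it from a machine outside the host. Python stdlib only.

```python
"""Post-deployment checks for a TLS-terminating nginx in front of a plain-HTTP app.

Added example, not part of the plane project or the thread's own setup.
Assumptions (not from the page): the public apex is `<domain>.com`, the app's
plain-HTTP listener is published on host port 12345 (NGINX_PORT in .env),
and that listener is meant to be reachable only via the reverse proxy.
"""
import http.client
import socket
import ssl
import sys
import time
import urllib.parse

REDIRECT_CODES = {301, 302, 307, 308}


def redirect_ok(status: int, location, apex: str) -> bool:
    """True if a plain-HTTP response redirects to an https:// URL on `apex`
    or one of its subdomains (the config above sends www.* to the apex)."""
    if status not in REDIRECT_CODES or not location:
        return False
    target = urllib.parse.urlsplit(location)
    host = (target.hostname or "").lower()
    return target.scheme == "https" and (host == apex or host.endswith("." + apex))


def days_until_expiry(not_after: str, now=None) -> float:
    """Days left on a certificate, from the `notAfter` string that
    ssl.getpeercert() returns (e.g. 'Jan 15 00:00:00 2030 GMT').
    Negative means the certificate has already expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400


def renewal_overdue(days_left: float, threshold_days: float = 30.0) -> bool:
    """certbot renews once fewer than 30 days remain by default; if a live
    site is inside that window, the renew job is not being run."""
    return days_left < threshold_days


def backend_exposed(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connect to the app's plain-HTTP port succeeds from here.
    Run from outside the host: True means TLS can be bypassed on that port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_http_redirect(apex: str):
    """GET http://apex/ without following redirects; return (status, Location)."""
    conn = http.client.HTTPConnection(apex, 80, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": apex})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def fetch_cert_not_after(apex: str) -> str:
    """Open a verified TLS session (chain and hostname) and return notAfter.
    Raises ssl.SSLCertVerificationError if the served chain does not validate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((apex, 443), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=apex) as tls:
            return tls.getpeercert()["notAfter"]


def run_checks(apex: str, backend_port: int) -> dict:
    """Network-facing driver; the helpers above are pure and testable offline."""
    results = {}
    status, location = fetch_http_redirect(apex)
    results["http_redirects_to_https"] = redirect_ok(status, location, apex)
    days = days_until_expiry(fetch_cert_not_after(apex))
    results["cert_days_left"] = round(days, 1)
    results["cert_renewal_overdue"] = renewal_overdue(days)
    results["backend_port_exposed"] = backend_exposed(apex, backend_port)
    return results


if __name__ == "__main__":
    apex = sys.argv[1] if len(sys.argv) > 1 else "<domain>.com"  # assumed placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 12345        # NGINX_PORT from .env
    for name, value in run_checks(apex, port).items():
        print(f"{name}: {value}")
```

If `backend_port_exposed` comes back True, the simplest fix is to stop publishing NGINX_PORT on all interfaces (bind it to 127.0.0.1 or keep it on a Docker network shared with the proxy) rather than relying on the redirect, which only protects clients that happen to start on port 80.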

- By the nginx YAML file, @georg-schwarz, Do you mean adding that config under services in ~/plane-selfhost/plane-app/docker-compose.yaml?

- In the following snippet, why 12345 and not 443, as we are going to have HTTPS?

Make sure you configure the following variables to your needs in .env:

NGINX_PORT=12345
NEXT_PUBLIC_API_BASE_URL=https://<domain>.com
WEB_URL=https://<domain>.com

- What does NEXT_PUBLIC_API_BASE_URL do?

mohaa7 avatar Oct 15 '23 12:10 mohaa7

@georg-schwarz, Do you mean adding that config under services in ~/plane/docker-compose.yaml?

No. I created a separate ~/docker-compose.yaml file. So with the plane one there are 2 in total. This way, you can easily upgrade plane independently of the reverse proxy adding SSL.

Why 12345, why not 443? as we are going to have HTTPS!

Since port 443 will be exposed by the reverse proxy, not plane itself. If plane exposes port 443, you might get a port collision.

What does NEXT_PUBLIC_API_BASE_URL do?

I don't know tbh, I'm also just another plane user ;-)

georg-schwarz avatar Oct 15 '23 13:10 georg-schwarz