zoraxy
[BUG] Proxy rules requiring TLS don't connect after 3.0.3
Describe the bug
After the update to 3.0.3, it looks like all rules that have the "Require TLS" box ticked aren't able to connect. For services like Portainer, I can remove the tickbox, and the server still responds with "Client sent an HTTP request to an HTTPS server." so the service is running properly. Just as soon as the tickbox is selected, I get a 404.
To Reproduce
Steps to reproduce the behavior:
- Create Proxy rule to https accessed service such as portainer.
- Ensure "Requires TLS" checkbox is selected.
- Ensure rule is active.
- Navigate to service using subdomain, get a 404 error.
Screenshots
Browser (if it is a bug appears on the UI section of the system):
- OS: Windows 11
- Chrome
Host Environment (please complete the following information):
- Arch: linux x86
- Device: Dell Poweredge Server
- OS: Ubuntu running docker through portainer
Additional context
I will say that doing the test for the fix for #129, this problem didn't arise.
Can you try to remove all "Require TLS" boxes and use the global setting? For external services I use the global setting, see screenshot below
Does this help?
I already had these settings enabled, but I went ahead and removed all "Require TLS" boxes, but from the services that have https only access such as portainer, I'm now getting the http response:
@jacojazz I am unable to reproduce your issue with a self-signed cert and arozos (listening on port 8443, with HTTP disabled) running on localhost.
ArozOS is also written in golang, and if the client is requesting HTTP from the HTTPS server listener, the same error will show up. The following is an example of me manually triggering this error with direct http to :8443 access.
I set up the rule like yours and I am seeing no problem regarding the "sending HTTP request to HTTPS server" error.
Updates
One thing I noticed: are you using the IP address of your portainer instance instead of the domain? Let's say you are using an IP address; make sure to check "Skip Verification", as an IP address is not a valid host name in the certificate CN field.
I never used "Require TLS" in addition, just the global setting and the force HTTPS redirect. Zoraxy listens on port 443
The proxy rule is set to the container HTTP port. HTTP because TLS is done by Zoraxy. Do not use the HTTPS port in the proxy rule for portainer!
Can you try port 9000 for portainer in your rule?
Can you try to remove all "Require TLS" boxes and use the global setting? For external services I use the global setting, see screenshot below
Does this help?
Thank you! Coming from NPM I missed this section inside the configuration and struggled too. Works great now.
@jacojazz
For Portainer, unless you configure a valid SSL certificate inside portainer itself you may want to use the "Skip Verification" toggle in Zoraxy: doing so, the proxy manager will ignore the "certificate warning" and reach portainer on port 9443.
(as explained pretty much in the tip under the checkbox, you are just instructing zoraxy to skip verification of the self-signed certificate generated and used by portainer while connecting locally. From the outside, if everything else is configured accordingly, you will tunnel through https using the provided/generated certificate)
[please note that in my example the "Require TLS" option is flagged due to the configuration of my host: I'm using Cloudflare with Origin Certificate + Strict SSL + HSTS Enabled]
Closing this due to inactivity; the issue is mostly caused by docker networking / user error. For future visitors: please check this wiki page on how to correctly set up Zoraxy with Portainer.
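Added example, not part of the thread and not Zoraxy's code: a small Go probe that tells you which of the settings discussed above an upstream port needs ("Require TLS", "Require TLS" plus "Skip Verification", or plain HTTP), and reproduces the "Client sent an HTTP request to an HTTPS server." reply from a Go TLS listener. The function names `probe` and `Classify`, the result labels and the two local test servers are constructed for this illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// probe sends one GET and returns "<status> <start of body>".
// skipVerify disables certificate validation, like the "Skip Verification" toggle.
func probe(url string, skipVerify bool) (string, error) {
	tr := &http.Transport{
		DisableKeepAlives: true,
		TLSClientConfig:   &tls.Config{InsecureSkipVerify: skipVerify},
	}
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 200))
	return fmt.Sprintf("%d %s", resp.StatusCode, strings.TrimSpace(string(body))), nil
}

// Classify reports how a reverse proxy has to talk to the upstream at hostPort.
func Classify(hostPort string) string {
	if _, err := probe("https://"+hostPort+"/", false); err == nil {
		return "tls-verified" // tick "Require TLS" only
	}
	if _, err := probe("https://"+hostPort+"/", true); err == nil {
		return "tls-skip-verify" // tick "Require TLS" and "Skip Verification"
	}
	if _, err := probe("http://"+hostPort+"/", false); err == nil {
		return "plain-http" // leave "Require TLS" unticked
	}
	return "unreachable"
}

func main() {
	// Constructed local upstreams standing in for a TLS-only and a plain-HTTP container port.
	h := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, "ok") })
	tlsUp, plainUp := httptest.NewTLSServer(h), httptest.NewServer(h)
	defer tlsUp.Close()
	defer plainUp.Close()
	tlsAddr := strings.TrimPrefix(tlsUp.URL, "https://")
	fmt.Println(Classify(tlsAddr), Classify(strings.TrimPrefix(plainUp.URL, "http://")))
	fmt.Println(probe("http://"+tlsAddr+"/", false)) // plain HTTP sent to the TLS listener
}
```

Run against a real upstream, `Classify` takes the same `host:port` you would enter in the proxy rule, from the machine or container network where the proxy itself runs.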