
Comments (9)

d7415 commented on June 29, 2024 1

Chrome however, thinks it knows better:

Ah, of course. My bad.

I've done this live on the running docker container and it seems to work (since my APP_URL starts with https://).

The existing file actually looks backward to me... Surely production should be more likely to force https, not dev. I guess that's my bad too.

Also, imo Laravel is breaking things by adding a scheme it thinks is there - It should either force https or not send a scheme at all, which the browser will interpret as "same scheme" and (last I checked) was standards-compliant.

from lychee-docker.

d7415 commented on June 29, 2024 1

This issue is closed, but is it fixed?

As stated in the last comment:

This will be available in :dev once it has rebuilt by setting TRUSTED_PROXIES.

It is currently only fixed in the :dev tag. It will be fixed in stable once a new Lychee version is released. You need to set TRUSTED_PROXIES, which you have not.

from lychee-docker.

Splines commented on June 29, 2024 1

@d7415 Ah ok sorry... And thanks for the clarification 😅👍

from lychee-docker.

d7415 commented on June 29, 2024

I think best practice is still to 301 http requests to http which sounds like it would solve (or at least work around) this particular issue.

More correctly, Lychee includes fideloper/proxy, which appears to be designed for this purpose and seems to use app/Http/Middleware/TrustProxies.php for its configuration. @ildyria may or may not remember why 10.0.2.2 is trusted. That probably needs to a) not be hardcoded as trusted and b) be pulled from the environment so that it can be configured easily in .env or with Docker.

I'll see what those who are more familiar with Laravel have to say though.

from lychee-docker.
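An added example (not code from this thread, from Lychee, or from fideloper/proxy): a simplified Python model of the trust decision discussed in the comment above. It shows why an unset or hardcoded proxy address leaves generated asset URLs on http:// behind a TLS-terminating proxy, and why the forwarded scheme is honoured only for listed peers. The function names, the 172.18.0.0/16 network and peer addresses, and the comma-separated/CIDR/`*` value format are assumptions of this model.

```python
import ipaddress

def effective_scheme(remote_addr, headers, trusted_proxies):
    """Scheme used for generated URLs, given the TCP peer and a trust list.

    trusted_proxies: comma-separated IPs/CIDRs, or "*" (format assumed here).
    """
    proto = headers.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    if proto not in ("http", "https"):
        return "http"  # assumed: the container itself is reached over plain HTTP
    if trusted_proxies.strip() == "*":
        return proto  # any peer, including a direct client, may set the scheme
    peer = ipaddress.ip_address(remote_addr)
    for entry in filter(None, (e.strip() for e in trusted_proxies.split(","))):
        if peer in ipaddress.ip_network(entry, strict=False):
            return proto  # header honoured only when the peer is a listed proxy
    return "http"  # header ignored: the peer is not a trusted proxy

def is_mixed_content(page_url, asset_url):
    """True when an https page references an http subresource."""
    return page_url.startswith("https://") and asset_url.startswith("http://")

PAGE = "https://domain.tld/install"
ASSET_PATH = "/installer/assets/img/favicon/favicon-96x96.png"
FROM_PROXY = {"x-forwarded-proto": "https"}  # constructed request headers
# Constructed cases: (label, TCP peer address, trusted-proxies value)
CASES = [
    ("unset", "172.18.0.5", ""),
    ("hardcoded 10.0.2.2", "172.18.0.5", "10.0.2.2"),
    ("docker network", "172.18.0.5", "172.18.0.0/16"),
    ("direct client, scoped", "203.0.113.9", "172.18.0.0/16"),
    ("direct client, wildcard", "203.0.113.9", "*"),
]

def run_cases():
    out = {}
    for label, peer, trusted in CASES:
        scheme = effective_scheme(peer, FROM_PROXY, trusted)
        asset = f"{scheme}://domain.tld{ASSET_PATH}"
        out[label] = (scheme, is_mixed_content(PAGE, asset))
    return out

if __name__ == "__main__":
    for label, (scheme, mixed) in run_cases().items():
        print(f"{label:24} scheme={scheme:5} mixed_content={mixed}")
```

The last two cases show the trade-off: a scoped list ignores a forwarded scheme sent by a peer that is not the proxy, while a wildcard accepts it from anyone who can reach the container.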

jrouly commented on June 29, 2024

I think best practice is still to 301 http requests to http which sounds like it would solve (or at least work around) this particular issue.

You're right, and my nginx config does 301 http:// to https://. Chrome however, thinks it knows better:

Mixed Content: The page at 'https://domain.tld/install' was loaded over HTTPS, but requested an insecure favicon 'http://domain.tld/installer/assets/img/favicon/favicon-96x96.png'. This request has been blocked; the content must be served over HTTPS.

There are multiple of these failures, one for each static asset.

I've done this live on the running docker container and it seems to work (since my APP_URL starts with https://).

from lychee-docker.

ildyria commented on June 29, 2024

I have the following installation:
https is managed by the server + proxy queries via Apache to a VM which handles all the Lychee part.

The 10.0.2.2 is probably a local IP that I am using in this setting (and yes, it probably should be in .env, just too lazy to do it: "nothing more permanent than a temporary solution").

from lychee-docker.

jrouly commented on June 29, 2024

So that sounds pretty similar to what I have - https handled by nginx and reverse proxied to Lychee (in a Docker container).

I'm curious if you also observe insecure http:// requests being made by the browser though, even though the page is loaded over https://? i.e., what I described in the initial issue.

Agreed that the particular proxy server IP should definitely not be hard coded.

from lychee-docker.

d7415 commented on June 29, 2024

This will be available in :dev once it has rebuilt by setting TRUSTED_PROXIES.

from lychee-docker.

Splines commented on June 29, 2024

This issue is closed, but is it fixed? Still encountering the described problems. The installer looks like this for me at some point
(url: https://my.domain/install/env):

image

With lots of Mixed Content errors in the console.

My `docker-compose.yml` file

```yaml
version: '3'

services:

  lychee_db:
    container_name: db
    env_file:
      - environment.env
    image: mariadb:10
    networks:
      - db-network
    restart: always
    volumes:
      - /my/path/to/db/:/var/lib/mysql
      - /my/path/to/logs/:/var/log/mysql

  lychee:
    image: lycheeorg/lychee
    container_name: lychee
    volumes:
      - ./lychee/conf:/conf
      - ./lychee/uploads:/uploads
      - ./lychee/sym:/sym
    networks:
      - lychee
      - db-network
      - webproxy
    env_file:
      - environment.env
    environment:
      - VIRTUAL_HOST=my.domain
      - LETSENCRYPT_HOST=my.domain
      - PHP_TZ=UTC
      - TIMEZONE=UTC
      - APP_URL=https://my.domain
      - DB_CONNECTION=mysql
      - DB_HOST=lychee_db
      - DB_PORT=3306
      - DB_DATABASE=lychee
      - DB_USERNAME=lychee
      - STARTUP_DELAY=0
    restart: unless-stopped
    depends_on:
      - lychee_db

networks:
  lychee: {}
  db-network: {}
  webproxy:
    external: true
```

webproxy refers to the nginx reverse proxy.

from lychee-docker.
