diff --git a/docs/web_ui.md b/docs/web_ui.md
index fd08f5f..bf3cd35 100644
--- a/docs/web_ui.md
+++ b/docs/web_ui.md
@@ -12,7 +12,7 @@ The web UI has its own set of environment variables to configure it :
 - `API_URI` : path of the bunkerized-nginx API (must match the corresponding `API_URI` of the bunkerized-nginx instance)
 - `DOCKER_HOST` : Docker API endpoint address (default = `unix:///var/run/docker.sock`)
 
-Since the web UI is ia service itself, we can use bunkerized-nginx as a reverse proxy in front of it.
+Since the web UI is a web service itself, we can use bunkerized-nginx as a reverse proxy in front of it.
 
 **Using the web UI in a Docker environment exposes a security risk because you need to mount the Docker API socket into the web UI container. It's highly recommended to use a middleware like [tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) to reduce the risk as much as possible.**
 
@@ -59,7 +59,7 @@ $ docker run -d \
 Last but not least, you need to start the bunkerized-nginx and configure it as a reverse proxy for the web UI web service :
 
 ```shell
-$ docker create -d \
+$ docker create \
 --name my-bunkerized \
 --network ui-net \
 -p 80:8080 \
@@ -74,8 +74,8 @@ $ docker create -d \
 -e REDIRECT_HTTP_TO_HTTPS=yes \
 -e admin.example.com_USE_REVERSE_PROXY=yes \
 -e admin.example.com_REVERSE_PROXY_URL=/admin-changeme/ \
- -e admin.example.com_REVERSE_PROXY_HOST=http://my-bunkerized-ui:5000/ \
- -e admin.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin-changeme \
+ -e admin.example.com_REVERSE_PROXY_HOST=http://my-bunkerized-ui:5000 \
+ -e "admin.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin-changeme" \
 -e admin.example.com_USE_MODSECURITY=no \
 -l bunkerized-nginx.UI \
 bunkerity/bunkerized-nginx
@@ -111,7 +111,7 @@ services:
 - REDIRECT_HTTP_TO_HTTPS=yes
 - admin.example.com_USE_REVERSE_PROXY=yes
 - admin.example.com_REVERSE_PROXY_URL=/admin-changeme/ # change it to something hard to guess
- - admin.example.com_REVERSE_PROXY_HOST=http://my-bunkerized-ui:5000/
+ - admin.example.com_REVERSE_PROXY_HOST=http://my-bunkerized-ui:5000
 - admin.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin # must match REVERSE_PROXY_URL
 - admin.example.com_USE_MODSECURITY=no
 labels:
@@ -177,6 +177,7 @@ Edit the bunkerized-nginx configurations located at `/opt/bunkerized-nginx/varia
 ```conf
 HTTP_PORT=80
 HTTPS_PORT=443
+DNS_RESOLVERS=8.8.8.8 8.8.4.4
 SERVER_NAME=admin.example.com
 MULTISITE=yes
 AUTO_LETS_ENCRYPT=yes
@@ -184,7 +185,7 @@ REDIRECT_HTTP_TO_HTTPS=yes
 admin.example.com_USE_REVERSE_PROXY=yes
 admin.example.com_REVERSE_PROXY_URL=/admin-changeme/
 # Local bunkerized-nginx-ui
-admin.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:5000/
+admin.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:5000
 # Remote bunkerized-nginx-ui
 #REVERSE_PROXY_HOST=http://service.example.local:5000
 admin.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin-changeme
diff --git a/ui/entrypoint.py b/ui/entrypoint.py
index c2e3af6..899c0d5 100644
--- a/ui/entrypoint.py
+++ b/ui/entrypoint.py
@@ -22,6 +22,8 @@ app.secret_key = vars["FLASK_SECRET"]
 app.config["ABSOLUTE_URI"] = vars["ABSOLUTE_URI"]
 app.config["INSTANCES"] = Instances(vars["DOCKER_HOST"], vars["API_URI"])
 app.config["CONFIG"] = Config()
+app.config["SESSION_COOKIE_DOMAIN"] = vars["ABSOLUTE_URI"].replace("http://", "").replace("https://", "").split("/")[0]
+app.config["WTF_CSRF_SSL_STRICT"] = False
 
 # Declare functions for jinja2
 app.jinja_env.globals.update(env_to_summary_class=utils.env_to_summary_class)
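Review bot: The SESSION_COOKIE_DOMAIN value built on the first added line keeps everything between the scheme and the first `/`, so an ABSOLUTE_URI such as `https://admin.example.com:8443/admin-changeme/` yields `admin.example.com:8443` (and `user:pass@host` would yield the userinfo too), which is not a valid cookie Domain and browsers will refuse to store the session cookie. Parse it instead: `app.config["SESSION_COOKIE_DOMAIN"] = urllib.parse.urlsplit(vars["ABSOLUTE_URI"]).hostname`, and consider leaving it unset altogether, since an explicit domain widens the cookie to subdomains on the Flask versions that prepend a leading dot, whereas the default scopes it to the request host (confirm against the pinned Flask version). The second added line, `WTF_CSRF_SSL_STRICT = False`, switches off Flask-WTF's Referer check on HTTPS requests, which is a CSRF defence-in-depth for this admin UI; the usual motivation for disabling it — the app not seeing the outer https scheme behind the proxy — is what the X-Forwarded-Proto change elsewhere in this commit addresses, so I would keep it strict, or at minimum add a comment stating why it must be off and which proxy setup that assumes.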
@@ -29,6 +31,11 @@ app.jinja_env.globals.update(form_service_gen=utils.form_service_gen)
 app.jinja_env.globals.update(form_service_gen_multiple=utils.form_service_gen_multiple)
 app.jinja_env.globals.update(form_service_gen_multiple_values=utils.form_service_gen_multiple_values)
 
+@app.before_request
+def log_request():
+    app.logger.debug("Request Headers %s", request.headers)
+    return None
+
 # Login management
 login_manager = LoginManager()
 login_manager.init_app(app)
diff --git a/ui/src/ReverseProxied.py b/ui/src/ReverseProxied.py
index dc9f692..b8f89a7 100644
--- a/ui/src/ReverseProxied.py
+++ b/ui/src/ReverseProxied.py
@@ -11,7 +11,7 @@ class ReverseProxied(object):
         if path_info.startswith(script_name):
             environ['PATH_INFO'] = path_info[len(script_name):]
 
-        scheme = environ.get('HTTP_X_SCHEME', '')
+        scheme = environ.get('HTTP_X_FORWARDED_PROTO', '')
         if scheme:
             environ['wsgi.url_scheme'] = scheme
         return self.app(environ, start_response)
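Review bot: The added `log_request` hook writes `request.headers` verbatim, which includes the `Cookie` header carrying the Flask session and any `Authorization` header, so running with DEBUG logging puts live admin session tokens into the container log; redact before logging, e.g. `app.logger.debug("Request Headers %s", {k: ("<redacted>" if k.lower() in ("cookie", "authorization") else v) for k, v in request.headers.items()})`. The trailing `return None` is redundant for a before_request handler — returning nothing already lets the request proceed — and can be dropped. The hunk uses `request` but the module's imports are outside it, so confirm `from flask import request` is already in scope.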
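Review bot: The new `HTTP_X_FORWARDED_PROTO` lookup copies whatever value arrived straight into `wsgi.url_scheme` with no validation, and this commit's docs proxy to the UI over plain HTTP on port 5000, so any client that can reach that port directly (or sit behind an nginx that forwards rather than overwrites the header) can inject an arbitrary string or spoof `https`, which feeds `url_for(..., _external=True)` and, via `request.is_secure`, Flask-WTF's HTTPS Referer check. Restrict it to the two legal values, `if scheme in ('http', 'https'): environ['wsgi.url_scheme'] = scheme`, and document that the reverse proxy must always set X-Forwarded-Proto itself. Werkzeug's `werkzeug.middleware.proxy_fix.ProxyFix` (with `x_proto=1`, `x_prefix=1`) implements this plus the script-name handling with an explicit trusted-hop count and is worth considering over the hand-rolled class. The enclosing `__call__` method begins before this hunk.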