[SAC] [OSGeo] #2428: Pages on staging.grass.osgeo.org without https

#2428: Pages on staging.grass.osgeo.org without https
---------------------------+-----------------------
Reporter: neteler | Owner: sac@…
     Type: defect | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Keywords:
---------------------------+-----------------------
At this time the new upcoming GRASS GIS server struggles with https:

http://staging.grass.osgeo.org/ is not redirected to https

all pages on the server are without https, like
http://staging.grass.osgeo.org/contribute/development/

See also original issue at https://github.com/OSGeo/grass-website/issues/26

I have no idea where that needs to be fixed.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2428>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

#2428: Pages on staging.grass.osgeo.org without https
---------------------------+------------------------
Reporter: neteler | Owner: sac@…
     Type: defect | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by robe):

Okay I changed to force https and also added a setting I missed to add
proxy_protocol for https.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2428#comment:1>

#2428: Pages on staging.grass.osgeo.org without https
---------------------------+------------------------
Reporter: neteler | Owner: sac@…
     Type: defect | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by robe):

For future reference commit

https://git.osgeo.org/gitea/sac/osgeo7/commit/495143e3ff441347f0d56a4b46d15a001faea9c6

{{{
diff --git a/etc/nginx/sites-available/grass.osgeo.org b/etc/nginx/sites-
available/grass.osgeo.org
index 31fd76d..03d3b83 100644
--- a/etc/nginx/sites-available/grass.osgeo.org
+++ b/etc/nginx/sites-available/grass.osgeo.org
@@ -1,7 +1,6 @@
  server {
      server_name staging.grass.osgeo.org;
      server_name grass.osgeo.org;
- listen 80 proxy_protocol; # managed by Certbot
      set_real_ip_from 140.211.15.0/24;
      real_ip_header proxy_protocol;

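Review bot: `set_real_ip_from 140.211.15.0/24;` in the context lines of this hunk trusts a client address supplied over PROXY protocol by any host in that /24; if a single front-end proxy is the only legitimate sender, narrow it to that proxy's address. With `listen 80 proxy_protocol;` removed from this block, `real_ip_header proxy_protocol;` only has an effect once the 443 listener carries `proxy_protocol`, so this removal and the `listen 443` change in the next hunk need to be deployed together.
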
@@ -18,10 +17,29 @@ server {
                  proxy_redirect off;
          }

- listen 443 ssl; # managed by Certbot
+ listen 443 ssl proxy_protocol; # managed by Certbot
      ssl_certificate
/etc/letsencrypt/live/staging.grass.osgeo.org/fullchain.pem; # managed by
Certbot
      ssl_certificate_key
/etc/letsencrypt/live/staging.grass.osgeo.org/privkey.pem; # managed by
Certbot
      include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
      ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

  }
+server {
+ if ($host = staging.grass.osgeo.org) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ if ($host = grass.osgeo.org) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+
+ server_name staging.grass.osgeo.org;
+ server_name grass.osgeo.org;
+ listen 80 proxy_protocol;
+ return 404; # managed by Certbot
+
+
+}
+
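Review bot: the new port-80 `server` block sets `listen 80 proxy_protocol;` but does not repeat `set_real_ip_from` and `real_ip_header proxy_protocol;`, so unless those are also set at `http` level the access log entries for redirected requests will show the proxy's address instead of the client's; copy both directives into this block. The two `if ($host = ...)` tests issue the same `301`, so if no other host names are expected to land here they could be collapsed into one `return 301 https://$host$request_uri;`, at the cost of diverging from what Certbot generates. On the `listen 443 ssl proxy_protocol;` line, every connection to 443 must now start with a PROXY header, so any monitoring check that connects to this port directly rather than through the proxy will fail and should be repointed.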
}}}

then did

{{{
nginx -t #verify config has no typos
systemctl reload nginx
}}}

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2428#comment:2>

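An added illustration, not part of the ticket or of OSGeo's configuration: a small Python model of what the `proxy_protocol`, `set_real_ip_from` and `real_ip_header proxy_protocol` directives in the commit above do with an incoming connection, using PROXY protocol v1. The sample header, the peer addresses and the function names are constructed for this example.

```python
import ipaddress

# Assumption: mirrors `set_real_ip_from 140.211.15.0/24;` from the diff.
TRUSTED_PROXIES = [ipaddress.ip_network("140.211.15.0/24")]
MAX_V1_HEADER = 107  # longest PROXY v1 line, CRLF included

# Constructed sample: what a proxy sends ahead of the forwarded request.
SAMPLE = (b"PROXY TCP4 203.0.113.7 140.211.15.30 51234 80\r\n"
          b"GET / HTTP/1.1\r\nHost: staging.grass.osgeo.org\r\n\r\n")


def parse_proxy_v1(data: bytes):
    """Return (client_ip or None, remaining bytes) for a PROXY v1 stream.

    Raises ValueError if the stream does not start with a well-formed header;
    a listener with proxy_protocol enabled rejects such a connection.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":  # proxy could not identify the client
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY header")
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ValueError("bad port")
    return str(src), rest


def logged_client_ip(peer_ip: str, data: bytes) -> str:
    """Address a real-IP-aware server would log for this connection."""
    claimed, _ = parse_proxy_v1(data)
    peer = ipaddress.ip_address(peer_ip)
    # The header's source replaces the peer only for trusted proxies.
    if claimed and any(peer in net for net in TRUSTED_PROXIES):
        return claimed
    return peer_ip
```

A peer outside the trusted range keeps its own address in the log even if it sends a header, and a stream with no header at all is rejected, which is why the listener and the proxy have to agree on whether PROXY protocol is in use.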
#2428: Pages on staging.grass.osgeo.org without https
---------------------------+------------------------
Reporter: neteler | Owner: sac@…
     Type: defect | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by robe):

To have your logs properly log the IP on Apache, you can add the following
lines to your sites-available/whatever-confs

{{{
     RemoteIPHeader X-Real-IP
     RemoteIPInternalProxy nginx.lxd
}}}

and then in your /etc/apache2/apache2.conf you should change the %h to %a
in the LogFormat sections

This video describes it pretty well I think

https://youtu.be/1p-fbS_OYTg?t=1542

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2428#comment:3>

#2428: Pages on staging.grass.osgeo.org without https
---------------------------+------------------------
Reporter: neteler | Owner: sac@…
     Type: defect | Status: closed
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+------------------------
Changes (by neteler):

* status: new => closed
* resolution: => fixed

Comment:

Thanks so much for your speedy support @robe, seems to work smoothly now.

Closing.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2428#comment:4>