Integration Server Non-SSL setup

Hello,

I am trying to get non-ssl access to the Mender integration server.
In the official GitHub documentation it says that I could use docker-compose.non-ssl.yml, which basically just exposes port 80 to 8090. That does NOT work because the nginx server for port 80 looks like this:

server {
        listen 80;

        server_name _;

        return 301 https://$http_host$request_uri;
}

It just redirects the traffic to https and your non-ssl traffic just ends here.

In order to fix this issue you could simply put all application-specific nginx logic into the server block for port 80, and on port 443 you do the ssl termination and proxy pass to localhost:80.
Also, the server won't start if you don't provide certificates, even though you just want non-ssl traffic.
This could be solved by disabling the ssl server block if a specific environment variable is set (this will be easy since you already use openresty).
This environment variable also needs to ignore the cert verify in entrypoint.sh.

Why do I even want non-ssl access?
I currently want to implement the Mender integration server in kubernetes / swarm / nomad. Typically in a cluster setup you run some other tools which handle ssl termination for you. For example Certbot / Traefik.
I also want to share the setup for these frameworks as a pull request on the upstream repo.

If you like my idea of handling the ssl termination, I would provide you with the correct entrypoint.sh and nginx.conf for this setup, because the repository for this is not open source. I would also make this change non-breaking, so everything works just like right now, except you can simply disable ssl by setting one environment variable in the docker-compose file.

Is there general interest in this setup, and a chance that my changes will end up in the upstream repo?

Best Regards,

Felix
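
The proposal in the post above, sketched as an added example (not part of the original post and not Mender's own entrypoint.sh or nginx.conf). `DISABLE_TLS`, the certificate paths and the `app-backend` upstream are hypothetical placeholders; binding the plain-HTTP block to loopback while TLS is on is an assumption made here so that the existing redirect on port 80 stays in place.

```shell
#!/bin/sh
# Added sketch, not Mender's entrypoint.sh. DISABLE_TLS, the certificate
# paths and the "app-backend" upstream are hypothetical placeholders.
CERT="${CERT:-/placeholder/cert.pem}"
KEY="${KEY:-/placeholder/key.pem}"

tls_enabled() { [ "${DISABLE_TLS:-false}" != "true" ]; }

# Certificates are required only when this container terminates TLS itself.
check_certs() {
    tls_enabled || return 0
    [ -r "$CERT" ] && [ -r "$KEY" ]
}

render_conf() {
    # With TLS on, the plain-HTTP application block is loopback-only.
    if tls_enabled; then app_listen="127.0.0.1:80"; else app_listen="80"; fi
    cat <<EOF
server {
    listen $app_listen;
    server_name _;
    location / { proxy_pass http://app-backend; }  # stands in for the real routing
}
EOF
    tls_enabled || return 0
    cat <<EOF
server {
    listen 80;
    server_name _;
    return 301 https://\$http_host\$request_uri;   # unchanged redirect
}
server {
    listen 443 ssl;
    server_name _;
    ssl_certificate     $CERT;
    ssl_certificate_key $KEY;
    location / {
        proxy_set_header Host \$http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:80;
    }
}
EOF
}
# An entrypoint would call: check_certs || exit 1; render_conf > <nginx.conf path>
```

With `DISABLE_TLS=true` the container serves plain HTTP on port 80, so that port should be reachable only from the proxy that terminates TLS in front of it.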

Hello @breuerfelix

I confirm that the docker-compose.no-ssl.yml exposes the HTTP port from openresty to local port 9080, but as long as the virtual host configuration is not updated, accessing Mender via HTTP is not possible. The only way to solve your issue now is to override/patch the openresty/nginx configuration file in your container to configure it to serve Mender using HTTP.

The configuration can be improved; contributions are always welcome. This specific point is in the roadmap, indeed, but it is unlikely it will be part of our next release, Mender 2.3.

Best regards.
Fabio

Hey @tranchitella

I currently patch the nginx.conf, but this requires another file mount. File mounts are not that good for cluster setups because that requires a custom image, which needs to be updated if you update the upstream, or a shared drive.

Thanks for your response! What is the proper way for me to contribute?
Is the source really closed or am I just not finding the correct repo?

If it is closed source, where could I provide you with the sources? Is this the right place here?

Cheers,
Felix

Hello @breuerfelix,

the git repository for the api gateway is here:

Best regards,
Fabio