How do I set up HTTPS with self-hosted Docker (using self-signed certs)

Do I need to add some sort of extra container sitting in front of the gateway (like nginxproxy/nginx-proxy), or do I configure the gateway for HTTPS directly?
I tried to do it directly but am getting 502 errors which I can't track down.

For the self-signed certs, I'm mapping
    ./certs/nginx.key:/etc/nginx/ssl/nginx.key
    ./certs/nginx.crt:/etc/nginx/ssl/nginx.crt
and (not sure if I need to do this) adding intermediate certs to /usr/local/share/ca-certificates/ and running update-ca-certificates at startup.

Oh, it was a silly mistake: I forgot to add the port 443 mapping for the taiga gateway.

    taiga-gateway:
      image: nginx:1.19-alpine
      ports:
        - "80:80"
        - "443:443"

It loaded afterwards,

but email seems to have broken.
How do you email with it?
Could setting the env variable
    REQUESTS_CA_BUNDLE: "/usr/local/share/ca-certificates/star-chain.comp.cer"
in taiga-back for the Jira cert chain for import be causing these issues?
taiga-docker-taiga-back-1 | ERROR:2023-03-15 10:04:25,335: Internal Server Error: /api/v1/auth/register
taiga-docker-taiga-back-1 | Traceback (most recent call last):
taiga-docker-taiga-back-1 | File "/opt/venv/lib/python3.7/site-packages/django/core/handlers/exception.py", line 34, in inner
taiga-docker-taiga-back-1 | response = get_response(request)
taiga-docker-taiga-back-1 | File "/opt/venv/lib/python3.7/site-packages/django/core/handlers/base.py", line 115, in _get_response
taiga-docker-taiga-back-1 | response = self.process_exception_by_middleware(e, request)
taiga-docker-taiga-back-1 | File "/opt/venv/lib/python3.7/site-packages/django/core/handlers/base.py", line 113, in _get_response
taiga-docker-taiga-back-1 | response = wrapped_callback(request, *callback_args, **callback_kwargs)
taiga-docker-taiga-back-1 | File "/taiga-back/taiga/base/api/viewsets.py", line 95, in view
taiga-docker-taiga-back-1 | return self.dispatch(request, *args, **kwargs)
taiga-docker-taiga-back-1 | File "/opt/venv/lib/python3.7/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
taiga-docker-taiga-back-1 | return view_func(*args, **kwargs)
taiga-docker-taiga-back-1 | File "/taiga-back/taiga/base/api/views.py", line 449, in dispatch
taiga-docker-taiga-back-1 | response = self.handle_exception(exc)
taiga-docker-taiga-back-1 | File "/taiga-back/taiga/base/api/views.py", line 447, in dispatch
taiga-docker-taiga-back-1 | response = handler(request, *args, **kwargs)
taiga-docker-taiga-back-1 | File "/taiga-back/taiga/auth/api.py", line 137, in register
taiga-docker-taiga-back-1 | return self._public_register(request)
taiga-docker-taiga-back-1 | File "/taiga-back/taiga/auth/api.py", line 112, in _public_register
taiga-docker-taiga-back-1 | user = public_register(**data)
taiga-docker-taiga-back-1 | File "/usr/local/lib/python3.7/contextlib.py", line 74, in inner
taiga-docker-taiga-back-1 | return func(*args, **kwds)
taiga-docker-taiga-back-1 | File "/taiga-back/taiga/auth/services.py", line 174, in public_register
taiga-docker-taiga-back-1 | send_register_email(user)
taiga-docker-taiga-back-1 | File "/taiga-back/taiga/auth/services.py", line 124, in send_register_email
taiga-docker-taiga-back-1 | return bool(email.send())
taiga-docker-taiga-back-1 | File "/opt/venv/lib/python3.7/site-packages/django/core/mail/message.py", line 306, in send
taiga-docker-taiga-back-1 | return self.get_connection(fail_silently).send_messages([self])
taiga-docker-taiga-back-1 | File "/opt/venv/lib/python3.7/site-packages/django/core/mail/backends/smtp.py", line 103, in send_messages
taiga-docker-taiga-back-1 | new_conn_created = self.open()
taiga-docker-taiga-back-1 | File "/opt/venv/lib/python3.7/site-packages/django/core/mail/backends/smtp.py", line 68, in open
taiga-docker-taiga-back-1 | self.connection.starttls(keyfile=self.ssl_keyfile, certfile=self.ssl_certfile)
taiga-docker-taiga-back-1 | File "/usr/local/lib/python3.7/smtplib.py", line 776, in starttls
taiga-docker-taiga-back-1 | server_hostname=self._host)
taiga-docker-taiga-back-1 | File "/usr/local/lib/python3.7/ssl.py", line 423, in wrap_socket
taiga-docker-taiga-back-1 | session=session
taiga-docker-taiga-back-1 | File "/usr/local/lib/python3.7/ssl.py", line 870, in _create
taiga-docker-taiga-back-1 | self.do_handshake()
taiga-docker-taiga-back-1 | File "/usr/local/lib/python3.7/ssl.py", line 1139, in do_handshake
taiga-docker-taiga-back-1 | self._sslobj.do_handshake()
taiga-docker-taiga-back-1 | OSError: [Errno 0] Error
taiga-docker-taiga-gateway-1 | 172.26.0.1 - - [15/Mar/2023:10:04:25 +0000] "POST /api/v1/auth/register HTTP/1.1" 500 37 "https://taiga.apconnet.apcon.com/register" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.

Hi @RT-AP, SSL/TLS termination should be dealt with in your host system. You are expected to have an Nginx/Apache/Traefik… where you can configure your certificates.

taiga-gateway is not meant to have this configuration; you can map certificates and (maybe) edit the nginx configuration, but it's not officially tested or supported.

Cheers!

I don't know if it's unsupported, but I got it to work.
And it seems to be doing OK for the most part.
I think I had to add a few proxy_set_header directives.

  # docker-compose.yml
  # ...
  taiga-gateway:
    #image: nginx:1.19-alpine
    image: nginx:1.19
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./taiga-gateway-nginx-https-certs/nginx.crt:/etc/nginx/ssl/nginx.crt
      - ./taiga-gateway-nginx-https-certs/nginx.key:/etc/nginx/ssl/nginx.key
      - ./taiga-gateway/taiga.conf:/etc/nginx/conf.d/default.conf
      - ./docker-entrypoint.d:/docker-entrypoint.d/
      - taiga-static-data:/taiga/static
      - taiga-media-data:/taiga/media
    networks:
      - taiga
    depends_on:
      - taiga-front
      - taiga-back
      - taiga-events

# taiga-gateway/taiga.conf
server {
    # nginx directives must end with ';' (the original line lacked it, which breaks the config load)
    server_name taiga.company.com;
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    client_max_body_size 100M;
    charset utf-8;

    # Frontend
    location / {
        proxy_pass http://taiga-front/;
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # API
    location /api/ {
        proxy_pass http://taiga-back:8000/api/;
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
    }

    # Admin
    location /admin/ {
        proxy_pass http://taiga-back:8000/admin/;
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
    }

    # Static
    location /static/ {
        alias /taiga/static/;
    }
    # Media
    location /_protected/ {
        internal;
        alias /taiga/media/;
        add_header Content-disposition "attachment";
    }

    # Unprotected section
    location /media/exports/ {
        alias /taiga/media/exports/;
        add_header Content-disposition "attachment";
    }

    location /media/ {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://taiga-protected:8003/;
        proxy_redirect off;
    }

    # Events
    location /events {
        proxy_pass http://taiga-events:8888/events;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }
}


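Before mounting a self-signed pair into taiga-gateway as in the compose file above, it is worth confirming that nginx.crt and nginx.key belong together, that the certificate covers the server_name, and that it is not about to expire; a wrong pair or a missing name is a common reason the gateway either refuses to start or the browser rejects it. The script below is an added example, not part of the thread or of Taiga; it assumes only the openssl CLI (1.1.1 or newer) is on PATH, and the certificate directory and hostname are taken from the post above.

```shell
#!/bin/sh
# Added example, not from the thread or from Taiga: pre-flight checks for the
# self-signed nginx.crt/nginx.key pair before mounting it into taiga-gateway.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH.
set -eu

# SHA-256 of the DER-encoded public key; works for RSA and EC keys alike.
pubkey_digest_from_cert() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
pubkey_digest_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the certificate was issued for this private key; a mismatch
# makes nginx refuse to start, which looks like the gateway being unreachable.
cert_key_match() {
    [ "$(pubkey_digest_from_cert "$1")" = "$(pubkey_digest_from_key "$2")" ]
}

# Succeeds only if the certificate is valid for the name used in server_name
# (checked the way a client would: SAN first, CN as fallback).
cert_covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Succeeds only if the certificate stays valid for at least $2 more days.
cert_not_expiring_within_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# SHA-256 fingerprint the running gateway actually presents on $1:$2, to compare
# with `openssl x509 -in nginx.crt -noout -fingerprint -sha256` once 443 is mapped.
served_cert_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: sh check-gateway-tls.sh ./taiga-gateway-nginx-https-certs taiga.company.com
if [ "$#" -eq 2 ]; then
    cert_key_match "$1/nginx.crt" "$1/nginx.key" && echo "cert/key pair: ok"
    cert_covers_name "$1/nginx.crt" "$2" && echo "server_name $2: covered"
    cert_not_expiring_within_days "$1/nginx.crt" 30 && echo "expiry: more than 30 days left"
fi
```

When generating the self-signed certificate, put the hostname in a subjectAltName entry as well as the CN: current browsers ignore the CN, so a CN-only certificate fails the name check even when the gateway is otherwise configured correctly.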

Great! Thank you for sharing your solution, so it may be useful for other users.

Cheers!


Could you clarify this question: is it inside Docker? There is an instruction on how it looks throughout the installation process. I have my own installation option, but it requires consideration of the issue.

Thanks!