Reverse proxy http not allowed

Hello,

Since a redirect update, I cannot set up a reverse entry to another server in the same network.

Obviously, the reverse entry has a problem with the HTTP protocol.

Is that wanted, and is there an alternative solution?

args:
  app: redirect
  force: false
  label: undefined
  no_remove_on_failure: false
ended_at: 2024-01-08 20:27:03.854760
env:
  YNH_APP_ACTION: install
  YNH_APP_ARG_DOMAIN: wetter.maindomain.tld
  YNH_APP_ARG_INIT_MAIN_PERMISSION: visitors
  YNH_APP_ARG_PATH: /
  YNH_APP_ARG_REDIRECT_TYPE: reverseproxy
  YNH_APP_ARG_TARGET: http://10.0.0.120/weewx
  YNH_APP_BASEDIR: /var/cache/yunohost/app_tmp_work_dirs/app__mk2tzla
  YNH_APP_ID: redirect
  YNH_APP_INSTANCE_NAME: redirect__2
  YNH_APP_INSTANCE_NUMBER: '2'
  YNH_APP_MANIFEST_VERSION: 2.0~ynh1
  YNH_APP_PACKAGING_FORMAT: '2.0'
  YNH_ARCH: amd64
  YNH_DEBIAN_VERSION: bullseye
error: Im Installationsscript ist ein Fehler aufgetreten
interface: api
operation: app_install
parent: null
related_to:
- - app
  - redirect
started_at: 2024-01-08 20:26:58.984693
success: false
yunohost_version: 11.2.9.1

============

2024-01-08 21:26:58,992: INFO - redirect wird installiert...
2024-01-08 21:26:58,997: INFO - Provisioning system_user...
2024-01-08 21:26:59,090: INFO - Provisioning permissions...
2024-01-08 21:26:59,582: DEBUG - Berechtigung 'redirect__2.main' aktualisiert
2024-01-08 21:26:59,774: DEBUG - Vollständiges Log dieser Operation: '<a href="#/tools/logs/20240108-202659-permission_url-redirect__2" style="text-decoration:underline">Aktualisiere URL, die mit der Berechtigung 'redirect__2' verknüpft ist</a>'
2024-01-08 21:27:00,184: DEBUG - Berechtigung 'redirect__2.main' erstellt
2024-01-08 21:27:00,185: DEBUG - Vollständiges Log dieser Operation: '<a href="#/tools/logs/20240108-202659-permission_create-redirect__2" style="text-decoration:underline">Erstelle Berechtigung 'redirect__2'</a>'
2024-01-08 21:27:00,795: DEBUG - Berechtigung 'redirect__2.main' aktualisiert
2024-01-08 21:27:00,795: DEBUG - Vollständiges Log dieser Operation: '<a href="#/tools/logs/20240108-202700-user_permission_update-redirect__2" style="text-decoration:underline">Aktualisiere Zugriffe für Berechtigung 'redirect__2'</a>'
2024-01-08 21:27:01,255: DEBUG - Nothing to update in LDAP
2024-01-08 21:27:01,256: DEBUG - Berechtigung 'redirect__2.main' aktualisiert
2024-01-08 21:27:01,456: DEBUG - Vollständiges Log dieser Operation: '<a href="#/tools/logs/20240108-202701-permission_url-redirect__2" style="text-decoration:underline">Aktualisiere URL, die mit der Berechtigung 'redirect__2' verknüpft ist</a>'
2024-01-08 21:27:01,667: DEBUG - The permission database has been resynchronized
2024-01-08 21:27:02,280: DEBUG - SSOwat-Konfiguration neu generiert
2024-01-08 21:27:02,302: DEBUG - Executing command '['sh', '-c', '/bin/bash -x "./install"  7>&1']'
2024-01-08 21:27:02,310: DEBUG - + source _common.sh
2024-01-08 21:27:02,311: DEBUG - ++ URL_REGEX_VALID='(https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]'
2024-01-08 21:27:02,311: DEBUG - ++ URL_REGEX_SECURE='^(http://(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost)|https://.*)(:[0-9]+)?(/.*)?$'
2024-01-08 21:27:02,311: DEBUG - + source /usr/share/yunohost/helpers
2024-01-08 21:27:02,311: DEBUG - +++ set +o
2024-01-08 21:27:02,311: DEBUG - +++ grep xtrace
2024-01-08 21:27:02,312: DEBUG - ++ readonly 'XTRACE_ENABLE=set -o xtrace'
2024-01-08 21:27:02,312: DEBUG - ++ XTRACE_ENABLE='set -o xtrace'
2024-01-08 21:27:02,328: DEBUG - + _validate_redirect_uri
2024-01-08 21:27:02,329: DEBUG - + [[ ! http://10.0.0.120/weewx =~ (https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|] ]]
2024-01-08 21:27:02,329: DEBUG - + [[ reverseproxy = \r\e\v\e\r\s\e\p\r\o\x\y ]]
2024-01-08 21:27:02,329: DEBUG - + [[ ! http://10.0.0.120/weewx =~ ^(http://(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost)|https://.*)(:[0-9]+)?(/.*)?$ ]]
2024-01-08 21:27:02,329: DEBUG - + ynh_die '--message=For secure reason, you can'\''t use an unencrypted http remote destination couple with ssowat for your reverse proxy: http://10.0.0.120/weewx' 1
2024-01-08 21:27:02,349: DEBUG - + ynh_exit_properly
2024-01-08 21:27:02,349: DEBUG - + [[ install =~ ^install$|^upgrade$|^restore$ ]]
2024-01-08 21:27:02,350: WARNING - For secure reason, you can't use an unencrypted http remote destination couple with ssowat for your reverse proxy: http://10.0.0.120/weewx;1
2024-01-08 21:27:03,853: ERROR - Installation von redirect fehlgeschlagen: Im Installationsscript ist ein Fehler aufgetreten
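
Added example, not part of the original post and not the redirect_ynh project's own code: a POSIX shell re-creation of the target check seen in the trace above, using the two patterns exactly as logged, to show which targets reach the `ynh_die` branch. The function names, the result words, the `other` type and all sample targets except the poster's are assumptions made for illustration.

```shell
#!/bin/sh
# Both patterns are copied verbatim from the `bash -x` trace of _common.sh.
URL_REGEX_VALID='(https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]'
URL_REGEX_SECURE='^(http://(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost)|https://.*)(:[0-9]+)?(/.*)?$'

# matches TEXT REGEX: ERE search, same semantics as bash's [[ text =~ regex ]]
# (hypothetical helper, used so the example also runs under plain sh)
matches() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# check_target KIND URL -> prints "ok", "invalid" or "insecure".
# Order of tests follows the trace: URL shape first, then the
# reverseproxy-only restriction to loopback http or any https target.
check_target() {
    kind=$1
    url=$2
    if ! matches "$url" "$URL_REGEX_VALID"; then
        echo invalid
    elif [ "$kind" = reverseproxy ] && ! matches "$url" "$URL_REGEX_SECURE"; then
        echo insecure   # the branch that ended in ynh_die in the log
    else
        echo ok
    fi
}

# Constructed sample targets; only the first is the value from the failed install.
for t in \
    'reverseproxy http://10.0.0.120/weewx' \
    'reverseproxy http://127.0.0.1:8080/weewx' \
    'reverseproxy http://localhost/weewx' \
    'reverseproxy https://10.0.0.120/weewx' \
    'reverseproxy http://localhost.example.org/weewx' \
    'reverseproxy 10.0.0.120/weewx' \
    'other http://10.0.0.120/weewx'
do
    set -- $t
    printf '%-13s %-40s %s\n' "$1" "$2" "$(check_target "$1" "$2")"
done
```

Plain `http://` passes only for `127.x.x.x` or `localhost`, so any LAN address such as `10.0.0.120` is rejected for the `reverseproxy` type, while the same URL is accepted for other types.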

I think it’s eeeeh … a feature … which if I recall correctly was buggy hence not really working, but now it’s fixed hence the now-working feature turned into a major inconvenience ¯\_(ツ)_/¯

Hello Alex,

thank you for your message! This should be a feature :-)))!? I confess, but it’s still a step back. Because the SSL administration took over Yunohost. I have a small Weewx weather server that I had connected with Subdomain.

What does that mean to delete the SSL administration of the subdomain and to entrust the certificate management Weewx?

With my external Home Assistant server, this leads to problems, because it accesses the weather data and the weather station (Ecowitt) is https incompatible.

I know you can say now that is not the problem of Yunohost. But the new “feature” has extreme effects.

I’m not happy with it!


This makes no sense. However well intended, this prevents too many legit scenarios, like having a subdomain for another Yunohost (e.g. for testing), or docker/proxmox host that can request its own LE certs for its services (you can’t request a cert because you need http for the initial cert), or for hosting your own root certificates that use a CRL, or simple ESP/IoT devices that lack SSL support…

By having nginx in front of the http services you turn it into a transparent VPN solution. And if the service only offers http internally anyway and is used like that, this adds no protection.

We also don’t prevent users opening access to their internal router admin with default user credentials, or even worse, just doing a simple port forward because it’s blocked in Yunohost. :stuck_out_tongue:

I do appreciate a warning though…


To be fixed in version 2.0~ynh3: “Testing | only display a warning when people are reverseproxying to an external IP” by alexAubin · Pull Request #52 · YunoHost-Apps/redirect_ynh · GitHub

