force https (docker)

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

force https (docker)

sebastian.ovide
Hi All

what would be the simplest way to redirect all http to https using the
docker version ?

thanks

--
Sebastian E. Ovide

_______________________________________________
GeoNetwork-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geonetwork-users
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork
Reply | Threaded
Open this post in threaded view
|

Re: force https (docker)

Juan Luis Rodríguez Ponce
Hello,
On Tue, Jan 7, 2020 at 10:14 AM Sebastian E. Ovide <
[hidden email]> wrote:

> Hi All
>
> what would be the simplest way to redirect all http to https using the
> docker version ?
>

Some options:
* Mount a custom Tomcat's server.xml file at
/usr/lib/tomcat/conf/server.xml enabling
the port 8443 connector and mount also a folder with the certificates so it
is available inside the container. For HTTP Connector, set the redirect
port to the HTTPS connector port (redirectPort="8443")
* Extend the image (FROM geonetwork:3.8.2), add a custom server.xml file
with a connector with SSLEnabled="true" and a redirection from HTTP
connector port to HTTPS port.
* Use docker-compose to create a composition with a GeoNetwork container
and an Apache2 or NGINX container acting as a proxy with HTTPs configured.



--










*Vriendelijke groeten / Kind regards,Juan Luis Rodríguez.
<http://www.geocat.net/>Veenderweg 136721 WD BennekomThe NetherlandsT: +31
(0)318 416664 <+31318416664>Please consider the environment before printing
this email.*

_______________________________________________
GeoNetwork-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geonetwork-users
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork
Reply | Threaded
Open this post in threaded view
|

Re: force https (docker)

sebastian.ovide
Thanks Juan

We are deploying GN docker in GCP google app engine. After some research,
what google proposes is to change a header (
https://cloud.google.com/appengine/docs/flexible/php/how-requests-are-handled#forcing_https_connections)
to instruct the browser to prefer https over http.

What would be the simpler way to inject that header ? (without installing
other software)

thanks again

On Tue, 7 Jan 2020 at 09:36, Juan Luis Rodríguez Ponce <
[hidden email]> wrote:

>
> Hello,
> On Tue, Jan 7, 2020 at 10:14 AM Sebastian E. Ovide <
> [hidden email]> wrote:
>
>> Hi All
>>
>> what would be the simplest way to redirect all http to https using the
>> docker version ?
>>
>
> Some options:
> * Mount a custom Tomcat's server.xml file at
> /usr/lib/tomcat/conf/server.xml enabling the port 8443 connector and
> mount also a folder with the certificates so it is available inside the
> container. For HTTP Connector, set the redirect port to the HTTPS
> connector port (redirectPort="8443")
> * Extend the image (FROM geonetwork:3.8.2), add a custom server.xml file
> with a connector with SSLEnabled="true" and a redirection from HTTP
> connector port to HTTPS port.
> * Use docker-compose to create a composition with a GeoNetwork container
> and an Apache2 or NGINX container acting as a proxy with HTTPs configured.
>
>
>
> --
>
>
>
>
>
>
>
>
>
>
> *Vriendelijke groeten / Kind regards,Juan Luis Rodríguez.
> <http://www.geocat.net/>Veenderweg 136721 WD BennekomThe NetherlandsT: +31
> (0)318 416664 <+31318416664>Please consider the environment before printing
> this email.*
>


--
Sebastian E. Ovide

[image: https://www.linkedin.com/in/ovide]
<https://www.linkedin.com/in/ovide>

_______________________________________________
GeoNetwork-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geonetwork-users
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork
Reply | Threaded
Open this post in threaded view
|

Re: force https (docker)

Juan Luis Rodríguez Ponce
On Tue, Jan 7, 2020 at 3:32 PM Sebastian E. Ovide <[hidden email]>
wrote:

> Thanks Juan
>
> We are deploying GN docker in GCP google app engine. After some research,
> what google proposes is to change a header (
> https://cloud.google.com/appengine/docs/flexible/php/how-requests-are-handled#forcing_https_connections)
> to instruct the browser to prefer https over http.
>
> What would be the simpler way to inject that header ? (without installing
> other software)
>

You could extend GN official image and overwrite the file
/usr/local/tomcat/conf/web.xml with a custom configuration when the filter
httpHeaderSecurity is uncommented and configured with hstsEnable,
hstsMaxAgeSeconds and hstsIncludeSubDomains. You can use [1] as base. Check
example at [2].


[1] https://github.com/apache/tomcat/blob/8.5.x/conf/web.xml#L456-L494
[2] https://stackoverflow.com/a/36107139/1140558
<https://stackoverflow.com/a/36107139/1140558>


--










*Vriendelijke groeten / Kind regards,Juan Luis Rodríguez.
<http://www.geocat.net/>Veenderweg 136721 WD BennekomThe NetherlandsT: +31
(0)318 416664 <+31318416664>Please consider the environment before printing
this email.*

_______________________________________________
GeoNetwork-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geonetwork-users
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork