
kubernetes + ingress controller + lets encrypt + block mixed content

Thanks for taking the time to read this.

I am testing a cluster of kubernetes in digitalocean.

I have installed an ingress controller with cert-manager and Let's Encrypt (I followed this guide https://cert-manager.io/docs/tutorials/acme/ingress/ ) and when I launch some deployment I have problems with the files that are not in the root (Blocked loading mixed active content).

To give a more concrete example, I'm trying to put up the application bookstack. If I do not activate TLS, I see everything correctly. On the other hand, if I activate TLS I see everything without CSS and in the console I see that there are files that have been blocked by the browser.

On the other hand, if I do a port-forward I see it correctly ( http://localhost:8080/ ) -> note http and not https.

I have done the test also with a WordPress, with the same problem: the main page is shown without the styles. In this case, for WordPress there is a plugin that, if you get into the backend (browsing the page without CSS is a torture) and install it, solves the problem (this is the plugin https://es.wordpress.org/plugins/ssl-insecure-content-fixer/ ). In the plugin I have to check "HTTP_X_FORWARDED_PROTO" to make it work. But I'm realizing that it's a recurring problem, and I think there are concepts that are not clear to me and I do not know very well what I have to do.

Here is an example of the ingress resource:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: bookstack
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # cert-manager.io/issuer: "letsencrypt-staging"
    cert-manager.io/issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - k1.athosnetwork.es
    secretName: tls-bookstack
  rules:
  - host: k1.athosnetwork.es
    http:
      paths:
      - path: /
        backend:
          serviceName: bookstack
          servicePort: 80

Thanks very much for your time.

You can try the following approach for the same; it works fine.

  1. Install cert-manager from here , using the Helm chart based steps.

  2. Then follow this Stack Overflow post . Following it, you will have to perform three steps as follows:

a. Apply the certificate yaml.
b. Apply the clusterissuer yaml (try using cert-manager.io/v1alpha2 as the apiVersion, if the one mentioned in that post is not acceptable).
c. Add the secret name mentioned in the certificate to the ingress rule, under the TLS section; this will make cert-manager perform an internal acme-challenge.

Once the acme challenge is completed successfully by cert-manager, then you can run

kubectl get certificate

and the status of the certificate shall be Ready.

And your host name will get encrypted via LetsEncrypt.

Note that cert-manager will create the TLS secret on its own; you have nothing to do with that, just place it in the ingress rule.

Tushar Mahajan, thanks for your reply. But I think I don't explain the problem very well. I can request the certificate with Let's Encrypt, and in hello world examples, like the httpd docker image where I only see "it works" and there are no assets, I can see the webpage over ssh without problem. The problem is when, on the page, there are assets like CSS or images or JS. For images, I see a warning in the console but I see the images; this is because images are not active content. But for CSS and JS I see an error (not a warning) in the console that says this content is blocked. More info about mixed content: https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

You can check here: https://k1.athosnetwork.es http://k1.athosnetwork.es

You can see on https that the certificate is valid, but there are some assets that are on the http protocol and the browser blocks them.

Thanks in advance

I have found the solution; I write it for other people in my situation.

The problem was one environment variable that I did not set in my deployment:

APP_URL.

The bookstack Docker Hub repository talks about it:

-e APP_URL=http://your.site.here.xyz    for specifying the url your application will be accessed on (required for correct operation of reverse proxy)
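An added illustration of why this happens (example code, not from the question, BookStack or cert-manager): the ingress terminates TLS and forwards plain HTTP to the pod, so an app that builds absolute asset links from the scheme it sees emits http:// URLs on an https page, which the browser blocks as mixed content. The two fixes seen in this thread are shown: trusting X-Forwarded-Proto from the ingress, or configuring the canonical base URL (APP_URL). The request headers and asset path are constructed; the hostname is the one from the question.

```python
# Added example (not from the question or BookStack): how an app behind a
# TLS-terminating ingress ends up generating http:// asset links, and two fixes.
from urllib.parse import urlsplit, urlunsplit


def asset_url(path, request_scheme, host, headers, app_url=None, trust_forwarded=False):
    """Build an absolute URL for an asset such as /css/app.css.

    request_scheme:  scheme of the hop that reached the app ("http" behind the ingress)
    headers:         request headers as the app sees them
    app_url:         configured canonical base URL (BookStack's APP_URL), if any
    trust_forwarded: honor X-Forwarded-Proto; only safe when the ingress is the
                     sole way to reach the pod, since clients can set the header too
    """
    if app_url:  # fix 1: a configured base URL wins over anything in the request
        base = urlsplit(app_url)
        return urlunsplit((base.scheme, base.netloc, path, "", ""))
    scheme = request_scheme
    if trust_forwarded:  # fix 2: use the scheme the proxy recorded for the client hop
        forwarded = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if forwarded in ("http", "https"):
            scheme = forwarded
    return f"{scheme}://{host}{path}"


def is_mixed_content(page_url, asset):
    """True when an https page references an http asset (blocked for CSS/JS)."""
    return urlsplit(page_url).scheme == "https" and urlsplit(asset).scheme == "http"


# Constructed request as the pod sees it: TLS was terminated at the ingress, which
# forwarded plain HTTP and recorded the original scheme in X-Forwarded-Proto.
HEADERS = {"Host": "k1.athosnetwork.es", "X-Forwarded-Proto": "https"}
PAGE = "https://k1.athosnetwork.es/"


def demo():
    host = HEADERS["Host"]
    broken = asset_url("/css/app.css", "http", host, HEADERS)
    via_header = asset_url("/css/app.css", "http", host, HEADERS, trust_forwarded=True)
    via_app_url = asset_url("/css/app.css", "http", host, HEADERS, app_url="https://k1.athosnetwork.es")
    return broken, via_header, via_app_url


if __name__ == "__main__":
    for label, url in zip(("no config", "X-Forwarded-Proto", "APP_URL"), demo()):
        print(f"{label:18} {url}  mixed={is_mixed_content(PAGE, url)}")
```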
