[bitnami/mastodon] websocket served unencrypted over TLS ingress #15507

Open
daimoniac opened this issue Mar 15, 2023 · 4 comments

Labels: mastodon, on-hold, tech-issues

daimoniac commented Mar 15, 2023

Name and Version

bitnami/mastodon 1.1.1

What architecture are you using?

amd64

What steps will reproduce the bug?

On a cluster running cert-manager (bitnami chart) that issues certificates using letsencrypt:

Using the following command and values.yaml, mastodon starts up correctly, but the website fails to create a websocket connection to streaming because of mixed content.

helm upgrade --install pascal-mastodon --create-namespace --namespace pascal-mastodon bitnami/mastodon -f mastodon/values.yaml

Are you using any custom parameters or values?

values.yaml:

local_https: true
localDomain: mastodon.development.socialhub.dev

adminUser: admin
adminPassword: admin

smtp:
  server: mailcatcher
  port: 25
  from_address: [email protected]

apache:
  ingress:
    enabled: true
    hostname: mastodon.development.socialhub.dev
    ingressClassName: nginx
    certManager: true
    tls:
    - hosts:
        - mastodon.development.socialhub.dev
      secretName: mastodon.development.socialhub.dev-tls
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod

initJob:
  createAdmin: false

What is the expected behavior?

full functionality, service of websocket via wss: URLs rather than ws: URLs

What do you see instead?

mastodon is trying to serve websockets in an unencrypted way via ws: URLs

daimoniac added the tech-issues label Mar 15, 2023
github-actions bot added the triage label Mar 15, 2023

carrodher (Member) commented

Thanks for reporting this issue. Would you like to contribute by creating a PR to solve the issue? The Bitnami team will be happy to review it and provide feedback. Here you can find the contributing guidelines.

daimoniac (Author) commented

> Thanks for reporting this issue. Would you like to contribute by creating a PR to solve the issue? The Bitnami team will be happy to review it and provide feedback. Here you can find the contributing guidelines.

Sure, but I don't have a solution :(. I have already invested many hours in trying to fix this but was not successful.

github-actions bot added the in-progress label and removed the triage label Mar 15, 2023
bitnami-bot assigned migruiz4 and unassigned carrodher Mar 15, 2023

migruiz4 (Member) commented

Hi @daimoniac,

Thank you for reporting this issue. It looks like the current approach of the bitnami/mastodon Helm chart does not currently support HTTPS because of how the apache sub chart is configured.

If apache.enabled=true, an apache container will be configured as a reverse proxy on the HTTP port using the default configuration. Although HTTPS can be enabled in the ingress-controller, the browser may be refusing the WebSocket creation because of the Apache container listening on HTTP.

I have created an internal task to review this feature.

I'm sorry for the inconvenience.

migruiz4 added the on-hold label Mar 20, 2023

joelparker (Contributor) commented

#15549 adds useSecureWebSocket to values.yaml. It's set to false by default but setting it to true will force STREAMING_API_BASE_URL in mastodon/templates/default-configmap.yaml to be set with wss://

This change was just merged
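
A pre-deployment check for the failure this issue describes, as an added example that is not part of the thread or the chart's code: it reads STREAMING_API_BASE_URL from rendered ConfigMap text and reports whether a browser on the HTTPS site would refuse that URL as mixed content. The hostname, ConfigMap name, sample text and function names are constructed for illustration.

```javascript
// Added example (not chart code). The ConfigMap text is constructed sample
// input shaped like `helm template` output; only STREAMING_API_BASE_URL and
// the ws:// vs wss:// distinction come from the issue.
const RENDERED_INSECURE = [
  "kind: ConfigMap",
  "metadata:",
  "  name: mastodon-default   # hypothetical name",
  "data:",
  '  LOCAL_DOMAIN: "mastodon.example.test"',
  '  STREAMING_API_BASE_URL: "ws://mastodon.example.test"',
].join("\n");
const RENDERED_SECURE = RENDERED_INSECURE.replace('"ws://', '"wss://');

// Collect KEY: value pairs from the top-level `data:` block of a ConfigMap.
function parseConfigMapData(text) {
  const data = {};
  let inData = false;
  for (const line of text.split("\n")) {
    if (/^data:\s*$/.test(line)) { inData = true; continue; }
    if (inData && /^\S/.test(line)) inData = false; // next top-level key
    const m = inData && line.match(/^\s+([A-Za-z0-9_.-]+):\s*"?([^"#]*?)"?\s*$/);
    if (m) data[m[1]] = m[2];
  }
  return data;
}

// A page loaded over https:// may not open a ws:// socket (mixed content).
function checkStreamingUrl(siteUrl, streamingUrl) {
  const site = new URL(siteUrl);
  let ws;
  try { ws = new URL(streamingUrl); }
  catch { return { ok: false, reason: "invalid-url" }; }
  if (ws.protocol !== "ws:" && ws.protocol !== "wss:")
    return { ok: false, reason: "not-a-websocket-url" };
  if (site.protocol === "https:" && ws.protocol === "ws:")
    return { ok: false, reason: "mixed-content",
             suggested: "wss:" + ws.href.slice(ws.protocol.length) };
  return { ok: true, reason: "ok" };
}

// Audit rendered chart output against the public URL served by the ingress.
function auditRenderedConfig(siteUrl, configMapText) {
  const url = parseConfigMapData(configMapText).STREAMING_API_BASE_URL;
  if (!url) return { ok: false, reason: "missing" };
  return checkStreamingUrl(siteUrl, url);
}

console.log(auditRenderedConfig("https://mastodon.example.test", RENDERED_INSECURE));
console.log(auditRenderedConfig("https://mastodon.example.test", RENDERED_SECURE));
```

Run against real `helm template` output in CI, a `mixed-content` result means the deployment would show the symptom reported here before any browser loads the page.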
