I am not sure if this is the right Community Category to write into as this is my first post.
Here is a photo to sum up a bit of the context, but more details below:
I’m really happy with Passbolt so far, it’s a nice product/a nice set of products and a nice community.
I read a few threads already about the PASSBOLT_SSL_FORCE env variable, as I’m using Docker, Docker Compose more specifically, as well as the ssl => force => true in passbolt.php.
This setup was failing the passbolt app server as in this thread and the resolution was to mark the ssl as ‘false’ on Passbolt side (either via Compose or via Passbolt.php, as I tried both): Passbolt Dead after Update - Ubuntu 22.04 ERR_TOO_MANY-REDIRECTS - #4 by Duffman
Following the resolution from the thread above would get me to the point of this topic: API Status Page will complain that SSL is not enabled, even though in fact, this is enabled.
I believe this could go as a feature request to either:
- Make the Status Page better test if SSL is enabled, so that it works with Load Balancers / Proxy configs
- Have a flag to disable the check on the Status Page, so that Razvan is happy there are no issues, no colored lines, no warnings with the deployment when the Page is opened
The relevant Traefik configuration in the Docker Compose file:
```yaml
traefik.enable: "true"
traefik.http.routers.passbolt-http.entrypoints: "web"
traefik.http.routers.passbolt-http.rule: "Host(`removed`)"
traefik.http.routers.passbolt-http.middlewares: "SslHeader@file"
traefik.http.routers.passbolt-https.middlewares: "SslHeader@file"
traefik.http.routers.passbolt-https.entrypoints: "websecure"
traefik.http.routers.passbolt-https.rule: "Host(`removed`)"
traefik.http.routers.passbolt-https.tls: "true"
traefik.http.routers.passbolt-https.tls.certresolver: "letsencrypt"
```
The relevant Passbolt configuration in the Compose File, in the current working state, where the Passbolt Status API page complains about SSL:
```yaml
passbolt:
  image: passbolt/passbolt:4.9.1-1-ce
  restart: unless-stopped
  depends_on:
    - db
  environment:
    APP_FULL_BASE_URL: https://removed
    DATASOURCES_DEFAULT_HOST: "db"
    DATASOURCES_DEFAULT_USERNAME: "removed"
    DATASOURCES_DEFAULT_PASSWORD: "removed"
    DATASOURCES_DEFAULT_DATABASE: "removed"
    EMAIL_TRANSPORT_DEFAULT_HOST: "mail.removed.removed"
    EMAIL_TRANSPORT_DEFAULT_PORT: removed
    EMAIL_TRANSPORT_DEFAULT_USERNAME: "removed@removed.removed"
    EMAIL_TRANSPORT_DEFAULT_PASSWORD: 'removed'
    EMAIL_TRANSPORT_DEFAULT_TLS: true
    #PASSBOLT_SSL_FORCE: true
    #PASSBOLT_KEY_EMAIL: "removed@removed.removed"
    #PASSBOLT_EMAIL_VALIDATE_MX: true
  volumes:
    - gpg_volume:/etc/passbolt/gpg
    - jwt_volume:/etc/passbolt/jwt
    #- passbolt_config:/etc/passbolt/passbolt/
```
Hope the points above are relevant. Thanks for bearing with me on this thread.
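
Added example, not part of the original post and not Passbolt's code: a generic proxy-aware SSL check of the kind the first request above asks for, where the backend accepts `X-Forwarded-Proto` only when the connection comes from a known reverse proxy. It assumes Traefik forwards that header; the function names and the `172.18.0.0/16` proxy range are hypothetical, constructed values.

```python
import ipaddress

# Assumption: the Docker network range Traefik connects from (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]


def is_trusted_proxy(peer_ip, trusted=TRUSTED_PROXIES):
    """True when the TCP peer is one of the reverse proxies we operate."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)


def effective_scheme(peer_ip, socket_is_tls, headers, trusted=TRUSTED_PROXIES):
    """Scheme of the client-facing hop, as seen by a backend behind a proxy.

    socket_is_tls: whether the backend's own listener negotiated TLS.
    headers: request headers with lower-cased names.
    """
    if socket_is_tls:
        return "https"
    # Forwarded headers are client-controllable unless the peer is our proxy.
    if is_trusted_proxy(peer_ip, trusted):
        proto = headers.get("x-forwarded-proto", "")
        # Use the last value: it is the one written by the directly connected proxy.
        last = proto.split(",")[-1].strip().lower()
        if last in ("http", "https"):
            return last
    return "http"


def ssl_check(peer_ip, socket_is_tls, headers):
    """Status-style result: pass only when the client-facing hop was HTTPS."""
    scheme = effective_scheme(peer_ip, socket_is_tls, headers)
    return {"ssl_enabled": scheme == "https", "scheme": scheme}


if __name__ == "__main__":
    # Constructed requests: proxied with header, proxied without, direct with spoofed header.
    samples = [
        ("172.18.0.5", False, {"x-forwarded-proto": "https"}),
        ("172.18.0.5", False, {}),
        ("203.0.113.9", False, {"x-forwarded-proto": "https"}),
    ]
    for peer, tls, hdrs in samples:
        print(peer, hdrs, ssl_check(peer, tls, hdrs))
```

The second sample reproduces the false "SSL not enabled" result when the backend only sees the plain-HTTP hop from the proxy, and the third shows why the header is ignored from untrusted peers.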