I identified that the issue on my setup is related to having the APP_FULL_BASE_URL configured in the docker-compose file with a hardcoded value ("https://passbolt.domain.com/").
I have external collaborators accessing the passbolt server, but since this is a segregated environment, I have the upper-level firewall ports being filtered, and each of the collaborators has a different dedicated open port in the firewall, from where they can access the Passbolt server.
Given this context, their HOST header includes that port, which is also included in the full URL of the requests as well,
e.g. "https://passbolt.domain.com:8443/js/app/api-vendors.js?v=4.2.0".
Traefik is doing its job nicely to reverse-proxy the requests coming from the firewall, and these are arriving successfully to the passbolt web server in the backend with the correct Host and X-Forwarded-For headers including the port.
The issue is that, since CakePHP is configured to use the hardcoded value from fullBaseUrl, and the links in the webserver pages are included by calling the Router::url function (which contains the hardcoded value in fullBaseUrl), the responses to their requests don't have the port included in the webpages returned to their clients.
The links in the pages returned are something like
https://passbolt.domain.com/js/app/api-vendors.js
instead of the originally requested and expected
https://passbolt.domain.com:8443/js/app/api-vendors.js
This also causes their requests to fail, and to not even leave their browsers, because the resources included in the web page fail the CSP (content security policy), since the page is trying to fetch resources from a host different than https://passbolt.domain.com:8443.
Although it is not ideal, I could have this solved by going directly to the passbolt server itself, and replacing, in /etc/passbolt/app.php:
'fullBaseUrl' => env('APP_FULL_BASE_URL', false),
with
'fullBaseUrl' => "https://" . $_SERVER['HTTP_HOST'],
After this (and an nginx restart at the Passbolt container level), the webserver started to reply correctly, including the links in the pages replied to their requests, including the port associated in the hyperlinks written in the HTML body of the page.
Question
Do you know how I can configure the docker-compose file itself to have this issue fixed directly there, instead of passing the hardcoded "https://passbolt.domain.com" and having to change things directly in the container after creation?
P.S.: This is just a temporary fix, because every time I docker-compose stop/start the containers, the server is unavailable and returns 502. I have to jump into the passbolt container, uncomment the default one ('fullBaseUrl' => env('APP_FULL_BASE_URL', false)), restart nginx, comment the default one and uncomment the last one I mentioned ('fullBaseUrl' => env('APP_FULL_BASE_URL_NON_EXISTENT', false)) and restart nginx again for it to become available.