Nginx, letsencrypt, reverse proxies, open to the internet?

We are testing Appsmith on-prem and I had a couple of questions

1. I am hesitant to expose our server to ports 80 and 443 directly to the internet. Am I being to paranoid?
2. I’d like to set up nginx to proxy connection and terminate ssl for Appsmith in our DMZ. Has anyone else done that? Care to share your configs?
3. I’d also like to use LetsEncrypt on that nginx proxy, will that interfere with LetsEncrypt in Appsmith?

I can see how and where to configure Appsmith to use different ports in the documentation but I haven’t gotten much further.

Hey @workinonit530, thank you for writing to us. Sorry for the delay in getting back.

1. Perhaps yes, but for exposing services on the public Internet, there’s no such thing as too much paranoia. You don’t have to expose Appsmith to the outside world. You can just have it available in your VPN or Intranet or LAN or whatever. But please do ensure that Appsmith will have access to Internet.

2. That should be okay. I don’t recall an instance that was setup exactly like that, unfortunately, but we have seen instances where Appsmith was set behind an SSL-terminating reverse proxy. Like ALB etc. NGINX shouldn’t be any different. An initial config fragment might look something like this:

   server {
     listen 80;
     server_name _;
     ssl_certificate /certs/fullchain.pem;
     ssl_certificate_key /certs/privkey.pem;
     location / {
       proxy_pass http://appsmith-host-port;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-Forwarded-Host $host;
     }
   }
   

3. Shouldn’t be a problem. Just ensure your NGINX sets X-Forwarded-Proto and X-Forwarded-Host headers correctly, and you should be fine.

Let us know if you have any further questions.

This seems to be working! Thanks.

I have one more question. Anything I need to do to get Google Oauth2 working behind nginx? I can see that the internal IP of the server that was proxied to is returned and Google doesn’t like that.

device_id and device_name are required for private IP: http://internalIP/login/oauth2/code/google

Hey, actually, no. It should work well enough. Can you double-check if your NGINX is set to send the X-Forwarded-Host header correctly? This is included in my example config in my previous message.

It is set in my nginx config. I feel like I am taking up too much of your time. We are not paying customers yet so maybe I’ll just keep working on creating an app and open some support tickets once we are ready to go live.

But if you don’t mind helping, I also noticed that while appsmith works on port 8080, it does not work on port 8443. So I am sure I have a few things that I am just doing wrong. I can post configs if it helps.

Hey @workinonit530, sorry missed your reply. Not working on another port is odd indeed. If you are still facing this issue, can you share the config so I can try reproduce please? Thanks!

Don’t worry about taking up too much time. I respond when I can. That’s the beauty of communicating async.

I think I have it working. First I had to get my SSL cert under control (no thanks to GoDaddy and their non fully chained certs). I took a look at this thread and modified my nginx config.

NGinx config (On a separate server)

server {
        listen 80;
        server_name apps.domain.org;

        location / {
                proxy_pass http://10.100.5.10:8080;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $host;
        }
}

server {
        listen 443 ssl;
        server_name apps.domain.org;

        ssl_certificate /etc/ssl/certs/domain-wildcard-fullchain.crt;
        ssl_certificate_key /etc/ssl/certs/domain-wildcard.key;


        location / {
#               proxy_pass https://10.100.5.10:8443;
                proxy_pass http://10.100.5.10:8080;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $host;
        }

}

As long as this works I guess I don’t have to have Appsmith running on port 8443. I appreciated the work done on that other post. It really helped me understand what Appsmith does to generate SSL certs (or not as the case may be).

Google Auth still doesn’t work with this NGinx config

I get

Error 400: invalid_request

device_id and device_name are required for private IP: https://INTERNALIP/login/oauth2/code/google

I can’t seem to find a fix for this. I get why it is happening, sort of, but I can’t find a good fix for it, just a bunch of hacks.

Thank you for reporting @workinonit530, this appears to be a bug in the routing. Should be fixed with fix: Fix X-Forwarded-Host with multiple rev-proxies by sharat87 · Pull Request #16951 · appsmithorg/appsmith · GitHub.

Thanks!

Has this patch been released yet?

Hey @workinonit530, unfortunately not. The fix is failing in some edge cases during QA, and I need to investigate it. I’ll likely get to it next week.

@sharat87 - Hopefully the PR gets merged soon.

I changed the code manually inside the docker image to get it working.

Thanks for sharing the PR link here.

Hey @harsha-vahan, awesome, thank you for doing the change and confirming the fix. I’ve merged it in, but and should be a part of next week’s release. Thanks again!

I will keep an eye out for the fix in the patch notes

I am still getting the error 400 even after the latest patch.

if you’re talking about v1.8.5 from nine days ago, that didn’t have the fix @sharat87 linked to above. v1.8.6 going out tomorrow has the fix. apologies for the delay.

AWWWWWWWWWWWWWW YEAH! It is working now! Thanks Devs!!!