Nginx, letsencrypt, reverse proxies, open to the internet?

workinonit530 · August 31, 2022, 6:31pm

We are testing Appsmith on-prem and I had a couple of questions

I am hesitant to expose our server to ports 80 and 443 directly to the internet. Am I being to paranoid?
I’d like to set up nginx to proxy connection and terminate ssl for Appsmith in our DMZ. Has anyone else done that? Care to share your configs?
I’d also like to use LetsEncrypt on that nginx proxy, will that interfere with LetsEncrypt in Appsmith?

I can see how and where to configure Appsmith to use different ports in the documentation but I haven’t gotten much further.

sharat87 · September 6, 2022, 5:26am

Hey @workinonit530, thank you for writing to us. Sorry for the delay in getting back.

Perhaps yes, but for exposing services on the public Internet, there’s no such thing as too much paranoia. You don’t have to expose Appsmith to the outside world. You can just have it available in your VPN or Intranet or LAN or whatever. But please do ensure that Appsmith will have access to Internet.
That should be okay. I don’t recall an instance that was setup exactly like that, unfortunately, but we have seen instances where Appsmith was set behind an SSL-terminating reverse proxy. Like ALB etc. NGINX shouldn’t be any different. An initial config fragment might look something like this:
```
server {
  listen 80;
  server_name _;
  ssl_certificate /certs/fullchain.pem;
  ssl_certificate_key /certs/privkey.pem;
  location / {
    proxy_pass http://appsmith-host-port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
  }
}
```
Shouldn’t be a problem. Just ensure your NGINX sets X-Forwarded-Proto and X-Forwarded-Host headers correctly, and you should be fine.

Let us know if you have any further questions.

workinonit530 · September 6, 2022, 7:54pm

This seems to be working! Thanks.

workinonit530 · September 6, 2022, 10:02pm

I have one more question. Anything I need to do to get Google Oauth2 working behind nginx? I can see that the internal IP of the server that was proxied to is returned and Google doesn’t like that.

device_id and device_name are required for private IP: http://internalIP/login/oauth2/code/google

sharat87 · September 7, 2022, 9:59am

Hey, actually, no. It should work well enough. Can you double-check if your NGINX is set to send the X-Forwarded-Host header correctly? This is included in my example config in my previous message.

workinonit530 · September 7, 2022, 3:46pm

It is set in my nginx config. I feel like I am taking up too much of your time. We are not paying customers yet so maybe I’ll just keep working on creating an app and open some support tickets once we are ready to go live.

But if you don’t mind helping, I also noticed that while appsmith works on port 8080, it does not work on port 8443. So I am sure I have a few things that I am just doing wrong. I can post configs if it helps.

sharat87 · September 17, 2022, 4:16am

Hey @workinonit530, sorry missed your reply. Not working on another port is odd indeed. If you are still facing this issue, can you share the config so I can try reproduce please? Thanks!

Don’t worry about taking up too much time. I respond when I can. That’s the beauty of communicating async.

workinonit530 · September 20, 2022, 6:00pm

I think I have it working. First I had to get my SSL cert under control (no thanks to GoDaddy and their non fully chained certs). I took a look at this thread and modified my nginx config.

NGinx config (On a separate server)

server {
        listen 80;
        server_name apps.domain.org;

        location / {
                proxy_pass http://10.100.5.10:8080;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $host;
        }
}

server {
        listen 443 ssl;
        server_name apps.domain.org;

        ssl_certificate /etc/ssl/certs/domain-wildcard-fullchain.crt;
        ssl_certificate_key /etc/ssl/certs/domain-wildcard.key;


        location / {
#               proxy_pass https://10.100.5.10:8443;
                proxy_pass http://10.100.5.10:8080;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $host;
        }

}

As long as this works I guess I don’t have to have Appsmith running on port 8443. I appreciated the work done on that other post. It really helped me understand what Appsmith does to generate SSL certs (or not as the case may be).

workinonit530 · September 20, 2022, 8:30pm

Google Auth still doesn’t work with this NGinx config

I get

Error 400: invalid_request

device_id and device_name are required for private IP: https://INTERNALIP/login/oauth2/code/google

I can’t seem to find a fix for this. I get why it is happening, sort of, but I can’t find a good fix for it, just a bunch of hacks.

sharat87 · September 21, 2022, 10:39am

Thank you for reporting @workinonit530, this appears to be a bug in the routing. Should be fixed with fix: Fix X-Forwarded-Host with multiple rev-proxies by sharat87 · Pull Request #16951 · appsmithorg/appsmith · GitHub.

Thanks!