Protei/PromucFlow_constructor
2
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

chore: Auto-fix invalid custom domain (#29550)

Browse Source 
Defining custom domain as `https://example.com/` is invalid.

It should be just the domain, just `example.com`. But turns out a lot of
our users have the incorrect configuration, and our previous stack of
NGINX+Certbot was able to ignore this and serve without HTTPS. This PR
brings that behaviour back.


## Test performed

Have Appsmith running on an EC2 instance, and a domain `correct.com`
with an A-record pointed to this EC2 instance.

In the instance, we run Appsmith with `APPSMITH_CUSTOM_DOMAIN` set to
`wrong.com`. Caddy will obviously fail to provision the cert, and so we
expect it to accept connections on just HTTP.

So hitting `curl -i http://correct.com` produced a 200 with the HTML
response, and not a 308 with a redirect. Before the changes from this
PR, the same curl command produced a 308 with a redirect to
`https://correct.com`, which fails with a certificate error.

Next up, we run Appsmith with `APPSMITH_CUSTOM_DOMAIN` set to
`correct.com`. Caddy will succeed in provisioning a cert, and so we
expect HTTP URLs to be redirected to HTTPS.

So hitting `curl -i http://correct.com` produces a 308 redirect to
`http://correct.com` which then works fine, since Caddy now has the cert
for the domain.
This commit is contained in:
Shrikant Sharat Kandula 2023-12-13 13:45:04 +05:30 committed by GitHub
parent 76d40d8bd5
commit caf1d3f95c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
deploy/docker/fs/opt/appsmith/caddy-reconfigure.mjs
View File

@ -33,6 +33,14 @@ const tlsConfig = certLocation == null ? "" : `tls ${certLocation}/fullchain.pem
const frameAncestorsPolicy = (process.env.APPSMITH_ALLOWED_FRAME_ANCESTORS || "'self'")
.replace(/;.*$/, "")
const bind = [
// The custom domain is expected to only have the domain. So if it has protocol or trailing slash, we remove it.
(APPSMITH_CUSTOM_DOMAIN || "").replace(/^https?:\/\//, "").replace(/\/$/, ""),
// Also bind to http on 80, so that if the cert provisioning fails, we can still serve on http.
// But this still means that if cert provisioning is successful, http will be redirected to https.
":80",
].join(" ")
const parts = []
parts.push(`
@ -121,7 +129,7 @@ localhost:80 127.0.0.1:80 {
import all-config
}
${APPSMITH_CUSTOM_DOMAIN || ":80"} {
${bind} {
import all-config
${tlsConfig}
}