HTTPS with warp-tls and self-signed certificate


jsch...@gmail.com

Dec 23, 2020, 5:17:59 PM
to Yesod Web Framework
Problem

I'd like to run my Yesod app behind a proxy using nginx as documented here.

Unlike in the documentation, I use HTTPS and therefore nginx must also make HTTPS requests to the Yesod app, e.g. https://localhost:3000/. If not, the HTML returned by my app is full of HTTP links, which is against the Same-Origin-Policy.

After all, my problem is simple: How can I use HTTPS with my Yesod app?

I use warp-tls and so runSettings becomes
runTLS (tlsSettings "certificate.pem" "key.pem").

I generated the self-signed certificates as documented in the package README, with Common Name localhost.

At this point, when I test by running the following in GHCi:
:l app/DevelMain.hs
update
the process does not respond to HTTPS requests.

Sample output of curl:
$ curl -vk https://localhost:3000/
*   Trying ::1:3000...
* connect to ::1 port 3000 failed: Connection refused
*   Trying 127.0.0.1:3000...
* Connected to localhost (127.0.0.1) port 3000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

Sorry for the long text, but I couldn't find out why it doesn't respond. The cert/key arguments should be correct; I also tried absolute paths.

Solution

Aaahh! Got it: I changed the runSettings in Application.hs but not DevelMain.hs. That's why it didn't work.

Anyway, if someone can tell me a better way to handle this nginx-reverse-proxy-HTTPS problem described at the beginning, I'm happy, too! Maybe it's better to use keter, although it's more packaging and configuration work then.

Michael Snoyman

Dec 23, 2020, 11:01:48 PM
to yeso...@googlegroups.com
If the only reason you’re doing this is for generating URLs that start with https, you can override approot in the Yesod type class instance.


jsch...@gmail.com

Dec 24, 2020, 6:03:04 AM
to Yesod Web Framework
Thank you Michael! Your hint led me to the documentation linked in the scaffold at instance Yesod:

It's even simpler. I now basically use the nginx proxy config from Yesod Book "Deploying your Webapp". But I add these two lines:

proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;

This way, the Yesod approot is inferred from the request, i.e. https://my.domain.de.
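For readers who do not have the Yesod Book config at hand, here is a complete nginx server block built around the two headers above. It is an added example, not the thread's or the Yesod Book's own text; it assumes the Yesod app listens on plain HTTP at 127.0.0.1:3000, and my.domain.de and the certificate paths are placeholders.

```nginx
# Added example (not from the thread or the Yesod Book): nginx terminates TLS
# and proxies plain HTTP to the Yesod app bound to 127.0.0.1:3000.
# my.domain.de and the certificate paths are placeholders.

server {
    listen 80;
    server_name my.domain.de;
    # Redirect plain HTTP to HTTPS so the app only ever generates https links.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name my.domain.de;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path

    location / {
        # Loopback only: the app is not reachable except through this proxy,
        # so it can trust the headers set below.
        proxy_pass http://127.0.0.1:3000;

        # Host supplies the authority part of the inferred approot.
        proxy_set_header Host $host;
        # Client-facing scheme. proxy_set_header replaces any X-Forwarded-Proto
        # a client sent, so the app sees only the value nginx asserts.
        proxy_set_header X-Forwarded-Proto https;

        # Original client address for the app's logs.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

With this in place the scaffold's default approot inference yields https://my.domain.de for every request, without a runTLS change in the app itself.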

Michael Snoyman

Dec 24, 2020, 6:08:20 AM
to yeso...@googlegroups.com
Awesome, glad it worked!
