Be able to set / use https in baseurl when running behind a reverse proxy about komga HOT 11 CLOSED

I don't understand what's not working, can you explain more?

from komga.

When running Komga via docker, the webserver is using http. I am running Komga behind an Apache reverse proxy that uses https, and does not allow http connections at all.

When using OAUTH2, the redirect url generated for the client is using http, and because of this the authentication process never completes.

The redirect-url placeholders "{baseUrl}/{action}/oauth2/code/{registrationId}" are expanded into

"http://domain.tld/login/oauth2/code/keycloak" where in my case it should be "https://domain.tld/login/oauth2/code/keycloak"

I could fix it locally by just not using placeholders in the application.yml file, but it would be nice to just be able to configure the https scheme in the configuration for example.

Or, at least mention that this might be an issue when using keycloak or another idp running privately. (I'm guessing most people who run one are able to solve this problem themselves :)

from komga.

You need to configure keycloak to hit your public https domain, and let your reverse proxy do the redirection to Komga.

from komga.

You are also probably missing some setup in your reverse proxy, like x-forwarded-for

from komga.

Keycloak is configured correctly, valid redirect URIs is set to the https domain, but the redirect URL komga creates is http based and will not work.

Reverse proxy is configured correctly as well, I don't serve anything on http, so it will never work until Komga generates a https redirect URL.

As mentioned, I got it to work by hardcoding the redirect URL in application.yml, and as this is a set-it-and-forget-it parameter its not really an issue for me any longer.

But for future users I think it would be nice if they were able to configure the baseurl in Komga to be https, and not just that it assumes it to be http.

from komga.

My RP works well, caddy sets proper forward headers. Do you set forward headers in your RP?

You say it's properly configured but you haven't shared any configuration of anything.

from komga.

The problem isn't in the reverse proxy at all, Keycloak rejects the authentication request because the redirect_url supplied by Komga does not match the valid redirect URL configured in the client in Keycloak.

from komga.

You don't listen. Spring will interpret your reverse proxy forward headers to determine what is the actual origin.

It is most likely a reverse proxy mis-configuration. If the forward headers are not set, the server can't know where the request actually came from, whether it was http or https.

You mentioned you are using apache, which doesn't do anything out of the box for that. I asked you to share your config, but you still don't.

If you don't have forward headers, the server will consider localhost and http as the origin of the request, which obsiouvly won't work for oauth2.

That's how servers can serve the same content on multiple domain names for instance.

from komga.

My apache RP config is as follows, Komga is published to localhost on my server

  RemoteIPHeader X-Forwarded-For

  ProxyPreserveHost on
  ProxyRequests off
  AllowEncodedSlashes NoDecode

  ProxyPass / http://127.0.0.1:15012/ nocanon
  ProxyPassReverse / http://127.0.0.1:15012/

Note: Komga doesn't use localhost in the redirect URL, it uses the correct URL, just http instead of https, so it does get information about the proxying in front

from komga.

You probably miss x-forwarded-proto then

from komga.

That was it! Thank you :)

Relevant working Apache configuration

  RemoteIPHeader X-Forwarded-For
  RequestHeader set X-Forwarded-Proto "https"

  ProxyPreserveHost on
  ProxyRequests off
  AllowEncodedSlashes NoDecode

  ProxyPass / http://127.0.0.1:15012/ nocanon
  ProxyPassReverse / http://127.0.0.1:15012/

A small note, this is in the https VirtualHost, so RequestHeader is hardcoded as https, if it is set in a http VirtualHost, just remove or omit it.

from komga.