HTTP to HTTPS redirection
-
I have installed XO in Ubuntu and have set up https. But I want http to redirect to https so as to make life easier, but I have no idea how to configure this. Below is my current configuration. The redirectToHTTPs doesn't appear to work.
```toml
# It may be necessary to run XO-Server as a privileged user (e.g. `root`) for
# instance to allow the HTTP server to listen on a
# [privileged ports](http://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html).
#
# To avoid security issues, XO-Server can drop its privileges by changing the
# user and the group is running with.
#
# Note: XO-Server will change them just after reading the configuration.

# User to run XO-Server as.
#
# Note: The user can be specified using either its name or its numeric
# identifier.
#
# Default: undefined
#user = 'nobody'

# Group to run XO-Server as.
#
# Note: The group can be specified using either its name or its numeric
# identifier.
#
# Default: undefined
# group = 'nogroup'

# Configuration of the embedded HTTP server.
[http]
redirectToHttps = true

[http.cookies]
#sameSite = true
#secure = true

# Basic HTTP.
#[[http.listen]]
# Address on which the server is listening on.
#
# Sets it to 'localhost' for IP to listen only on the local host.
#
# Default: all IPv6 addresses if available, otherwise all IPv4 addresses.
# hostname = 'localhost'

# Port on which the server is listening on.
#
# Default: undefined
#port = 80

# Instead of `host` and `port` a path to a UNIX socket may be specified
# (overrides `host` and `port`).
#
# Default: undefined
# socket = './http.sock'

# # Basic HTTPS.
# #
# # You can find the list of possible options there
# # https://nodejs.org/docs/latest/api/tls.html#tls.createServer
# #
# # The only difference is the presence of the certificate and the key.
[[http.listen]]
port = 443
#
# # File containing the certificate (PEM format).
# #
# # If a chain of certificates authorities is needed, you may bundle them
# # directly in the certificate.
# #
# # Note: the order of certificates does matter, your certificate should come
# # first followed by the certificate of the above
# # certificate authority up to the root.
# #
# # Default: undefined
cert = '/opt/xen-orchestra/ssl/xosystem.pem'
#
# # File containing the private key (PEM format).
# #
# # If the key is encrypted, the passphrase will be asked at
# # server startup.
# #
# # Default: undefined
key = '/opt/xen-orchestra/ssl/xosystem.key'

# List of files/directories which will be served.
[http.mounts]
#'/any/url' = '/path/to/directory'

# List of proxied URLs (HTTP & WebSockets).
[http.proxies]
#'/any/url' = 'http://localhost:54722'

#=====================================================================

# Connection to the Redis server.
[redis]
# Unix sockets can be used
#
# Default: undefined
#socket = '/var/run/redis/redis.sock'

# Syntax: redis://[db[:password]@]hostname[:port][/db-number]
#
# Default: redis://localhost:6379/0
#uri = 'redis://redis.company.lan/42'

# List of aliased commands.
#
# See http://redis.io/topics/security#disabling-of-specific-commands
#renameCommands:
# del = '3dda29ad-3015-44f9-b13b-fa570de92489'
# srem = '3fd758c9-5610-4e9d-a058-dbf4cb6d8bf0'

#=====================================================================

# Configuration for remotes
[remoteOptions]
# Directory used to mount remotes
#
# Default: '/run/xo-server/mounts'
#mountsDir = '/run/xo-server/mounts'

# Use sudo for mount with non-root user
#
# Default: false
#useSudo = false
```
-
Hi @declan-marks,
I've been in the same situation as you and I will share my configuration which is working:
```
root@xoa:~# cat /opt/xen-orchestra/packages/xo-server/.xo-server.yaml
# BE *VERY* CAREFUL WHEN EDITING!
# YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
# visit http://www.yamllint.com/ to validate this file as needed

#=====================================================================

# Example XO-Server configuration.
#
# This file is automatically looking for at the following places:
# - `$HOME/.config/xo-server/config.yaml`
# - `/etc/xo-server/config.yaml`
#
# The first entries have priority.
#
# Note: paths are relative to the configuration file.

#=====================================================================

# It may be necessary to run XO-Server as a privileged user (e.g.
# `root`) for instance to allow the HTTP server to listen on a
# [privileged ports](http://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html).
#
# To avoid security issues, XO-Server can drop its privileges by
# changing the user and the group is running with.
#
# Note: XO-Server will change them just after reading the
# configuration.

# User to run XO-Server as.
#
# Note: The user can be specified using either its name or its numeric
# identifier.
#
# Default: undefined
#user: 'nobody'

# Group to run XO-Server as.
#
# Note: The group can be specified using either its name or its
# numeric identifier.
#
# Default: undefined
#group: 'nogroup'

#=====================================================================

# Configuration of the embedded HTTP server.
http:

  # Hosts & ports on which to listen.
  #
  # By default, the server listens on [::]:80.
  listen:
    # Basic HTTP.
    -
      # Address on which the server is listening on.
      #
      # Sets it to 'localhost' for IP to listen only on the local host.
      #
      # Default: all IPv6 addresses if available, otherwise all IPv4
      # addresses.
      #hostname: 'localhost'

      # Port on which the server is listening on.
      #
      # Default: undefined
      port: 80

      # Instead of `host` and `port` a path to a UNIX socket may be
      # specified (overrides `host` and `port`).
      #
      # Default: undefined
      #socket: './http.sock'

    # Basic HTTPS.
    #
    # You can find the list of possible options there https://nodejs.org/docs/latest/api/tls.html#tls.createServer
    -
      # # The only difference is the presence of the certificate and the
      # # key.
      # #
      # #hostname: '127.0.0.1'
      port: 443

      # # File containing the certificate (PEM format).
      #
      # # If a chain of certificates authorities is needed, you may bundle
      # # them directly in the certificate.
      # #
      # # Note: the order of certificates does matter, your certificate
      # # should come first followed by the certificate of the above
      # # certificate authority up to the root.
      # #
      # # Default: undefined
      cert: '/etc/ssl/private/xoa.cert'

      # # File containing the private key (PEM format).
      # #
      # # If the key is encrypted, the passphrase will be asked at
      # # server startup.
      # #
      # # Default: undefined
      key: '/etc/ssl/private/xoa.key'

  # If set to true, all HTTP traffic will be redirected to the first
  # HTTPs configuration.
  redirectToHttps: true

  # List of files/directories which will be served.
  mounts:
    '/': '/opt/xen-orchestra/packages/xo-web/dist'

  # List of proxied URLs (HTTP & WebSockets).
  proxies:
    # '/any/url': 'http://localhost:54722'

# HTTP proxy configuration used by xo-server to fetch resources on the
# Internet.
#
# See: https://github.com/TooTallNate/node-proxy-agent#maps-proxy-protocols-to-httpagent-implementations
#httpProxy: 'http://jsmith:qwerty@proxy.lan:3128'

#=====================================================================

# Connection to the Redis server.
redis:

  # Unix sockets can be used
  #
  # Default: undefined
  #socket: /var/run/redis/redis.sock

  # Syntax: redis://[db[:password]@]hostname[:port][/db-number]
  #
  # Default: redis://localhost:6379/0
  #uri: redis://redis.company.lan/42

  # List of aliased commands.
  #
  # See http://redis.io/topics/security#disabling-of-specific-commands
  #renameCommands:
  #  del: '3dda29ad-3015-44f9-b13b-fa570de92489'
  #  srem: '3fd758c9-5610-4e9d-a058-dbf4cb6d8bf0'

# Directory containing the database of XO.
# Currently used for logs.
#
# Default: '/var/lib/xo-server/data'
#datadir: '/var/lib/xo-server/data'
```
-
I'm just curious on using this --- do you have an SSL cert with the server name and are you accessing XO through an address like: https://xoserver.example.com? I'm just curious since my XO server is located at 10.0.1.11 and Chrome states cert is invalid -- since I believe SSL needs to resolve to hostnames and not IP addresses.
-
@kevdog said in HTTP to HTTPS redirection:
I'm just curious on using this --- do you have an SSL cert with the server name and are you accessing XO through an address like: https://xoserver.example.com? I'm just curious since my XO server is located at 10.0.1.11 and Chrome states cert is invalid -- since I believe SSL needs to resolve to hostnames and not IP addresses.
I have generated a self-signed certificate which I am using to reach my XOA. You can do this very easily by using the "openssl"-tool.
https://www.linux.com/tutorials/creating-self-signed-ssl-certificates-apache-linux/ explains how to create both the cert and key files that you need.
-
@nikade Hey thanks for the link. I ended up just using a LetsEncrypt cert rather than self signed. I think I had to add a DNS host override on my router to associate the Local LAN address of the xo server with the domain name of the server contained in the certificate -- Like 10.0.1.50 ---> xo.example.com. Thanks for pointing me in the right direction on this one.
-
@kevdog said in HTTP to HTTPS redirection:
@nikade Hey thanks for the link. I ended up just using a LetsEncrypt cert rather than self signed. I think I had to add a DNS host override on my router to associate the Local LAN address of the xo server with the domain name of the server contained in the certificate -- Like 10.0.1.50 ---> xo.example.com. Thanks for pointing me in the right direction on this one.
Yeah that is a good solution as well, I hope this helps others in the future who want to secure their XO with https.
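
A redirect can only be issued by a listener that accepts plain HTTP: the first config in this thread has its port 80 `[[http.listen]]` block commented out, while the working one listens on both 80 and 443. The Python check below is an added example, not part of the thread or of XO; the function names and the `xo.example.com` placeholder are assumptions, and `demo()` runs against constructed local listeners so it works offline.

```python
import http.client
import http.server
import threading
from urllib.parse import urlsplit

def check_redirect(host, port=80, path="/", timeout=5.0):
    """One plain-HTTP GET, redirects not followed; returns (verdict, detail)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location", "")
    except (OSError, http.client.HTTPException) as exc:
        # Nothing answers plain HTTP on this port, so no redirect can be sent.
        return "unreachable", f"{host}:{port}: {exc!r}"
    finally:
        conn.close()
    if status not in (301, 302, 303, 307, 308):
        return "served-over-http", f"status {status}, no redirect"
    if urlsplit(location).scheme != "https":
        return "redirect-not-https", f"Location: {location!r}"
    return "ok", f"{status} -> {location}"

def make_handler(status, location=None):
    """Constructed local listener, used only by demo() so it runs offline."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def demo():
    """Run the check against constructed listeners (hostnames are placeholders)."""
    cases = {"redirecting": (302, "https://xo.example.com/"), "plain": (200, None),
             "downgrade": (302, "http://xo.example.com/")}
    results = {}
    for name, args in cases.items():
        with http.server.HTTPServer(("127.0.0.1", 0), make_handler(*args)) as srv:
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            port = srv.server_address[1]
            results[name] = check_redirect("127.0.0.1", port)[0]
            srv.shutdown()
    results["closed"] = check_redirect("127.0.0.1", port)[0]  # listener now gone
    return results

if __name__ == "__main__":
    print(demo())
```

Against a real server, call `check_redirect()` with the hostname the certificate was issued for; an `unreachable` verdict on port 80 means there is no HTTP listener to send the redirect.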
