HTTP to HTTPS redirection



  • I have installed XO on Ubuntu and have set up HTTPS. But I want HTTP to redirect to HTTPS to make life easier, but I have no idea how to configure this. Below is my current configuration. The redirectToHTTPs doesn't appear to work.

    # It may be necessary to run XO-Server as a privileged user (e.g. `root`) for
    # instance to allow the HTTP server to listen on a
    # [privileged ports](http://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html).
    #
    # To avoid security issues, XO-Server can drop its privileges by changing the
    # user and the group is running with.
    #
    # Note: XO-Server will change them just after reading the configuration.
    
    # User to run XO-Server as.
    #
    # Note: The user can be specified using either its name or its numeric
    # identifier.
    #
    # Default: undefined
    #user = 'nobody'
    
    # Group to run XO-Server as.
    #
    # Note: The group can be specified using either its name or its numeric
    # identifier.
    #
    # Default: undefined
    # group = 'nogroup'
    
    # Configuration of the embedded HTTP server.
    [http]
    redirectToHttps = true
    
    [http.cookies]
    #sameSite = true
    #secure = true
    
    # Basic HTTP.
    #[[http.listen]]
    # Address on which the server is listening on.
    #
    # Sets it to 'localhost' for IP to listen only on the local host.
    #
    # Default: all IPv6 addresses if available, otherwise all IPv4 addresses.
    # hostname = 'localhost'
    
    # Port on which the server is listening on.
    #
    # Default: undefined
    #port = 80
    
    # Instead of `host` and `port` a path to a UNIX socket may be specified
    # (overrides `host` and `port`).
    #
    # Default: undefined
    # socket = './http.sock'
    
    # # Basic HTTPS.
    # #
    # # You can find the list of possible options there
    # # https://nodejs.org/docs/latest/api/tls.html#tls.createServer
    # #
    # # The only difference is the presence of the certificate and the key.
    [[http.listen]]
    port = 443
    #
    # # File containing the certificate (PEM format).
    # #
    # # If a chain of certificates authorities is needed, you may bundle them
    # # directly in the certificate.
    # #
    # # Note: the order of certificates does matter, your certificate should come
    # # first followed by the certificate of the above
    # # certificate authority up to the root.
    # #
    # # Default: undefined
    cert = '/opt/xen-orchestra/ssl/xosystem.pem'
    #
    # # File containing the private key (PEM format).
    # #
    # # If the key is encrypted, the passphrase will be asked at
    # # server startup.
    # #
    # # Default: undefined
    key = '/opt/xen-orchestra/ssl/xosystem.key'
    
    # List of files/directories which will be served.
    [http.mounts]
    #'/any/url' = '/path/to/directory'
    
    # List of proxied URLs (HTTP & WebSockets).
    [http.proxies]
    #'/any/url' = 'http://localhost:54722'
    
    #=====================================================================
    
    # Connection to the Redis server.
    [redis]
    # Unix sockets can be used
    #
    # Default: undefined
    #socket = '/var/run/redis/redis.sock'
    
    # Syntax: redis://[db[:password]@]hostname[:port][/db-number]
    #
    # Default: redis://localhost:6379/0
    #uri = 'redis://redis.company.lan/42'
    
    # List of aliased commands.
    #
    # See http://redis.io/topics/security#disabling-of-specific-commands
    #renameCommands:
    #  del = '3dda29ad-3015-44f9-b13b-fa570de92489'
    #  srem = '3fd758c9-5610-4e9d-a058-dbf4cb6d8bf0'
    
    #=====================================================================
    
    # Configuration for remotes
    [remoteOptions]
    # Directory used to mount remotes
    #
    # Default: '/run/xo-server/mounts'
    #mountsDir = '/run/xo-server/mounts'
    
    # Use sudo for mount with non-root user
    #
    # Default: false
    #useSudo = false
    


  • Hi @declan-marks,

    I've been in the same situation as you and I will share my configuration which is working:

    root@xoa:~# cat /opt/xen-orchestra/packages/xo-server/.xo-server.yaml
    # BE *VERY* CAREFUL WHEN EDITING!
    # YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
    # visit http://www.yamllint.com/ to validate this file as needed
    
    #=====================================================================
    
    # Example XO-Server configuration.
    #
    # This file is automatically looking for at the following places:
    # - `$HOME/.config/xo-server/config.yaml`
    # - `/etc/xo-server/config.yaml`
    #
    # The first entries have priority.
    #
    # Note: paths are relative to the configuration file.
    
    #=====================================================================
    
    # It may be necessary to run XO-Server as a privileged user (e.g.
    # `root`) for instance to allow the HTTP server to listen on a
    # [privileged ports](http://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html).
    #
    # To avoid security issues, XO-Server can drop its privileges by
    # changing the user and the group is running with.
    #
    # Note: XO-Server will change them just after reading the
    # configuration.
    
    # User to run XO-Server as.
    #
    # Note: The user can be specified using either its name or its numeric
    # identifier.
    #
    # Default: undefined
    #user: 'nobody'
    
    # Group to run XO-Server as.
    #
    # Note: The group can be specified using either its name or its
    # numeric identifier.
    #
    # Default: undefined
    #group: 'nogroup'
    
    #=====================================================================
    
    # Configuration of the embedded HTTP server.
    http:
    
      # Hosts & ports on which to listen.
      #
      # By default, the server listens on [::]:80.
      listen:
        # Basic HTTP.
        -
          # Address on which the server is listening on.
          #
          # Sets it to 'localhost' for IP to listen only on the local host.
          #
          # Default: all IPv6 addresses if available, otherwise all IPv4
          # addresses.
          #hostname: 'localhost'
    
          # Port on which the server is listening on.
          #
          # Default: undefined
          port: 80
    
          # Instead of `host` and `port` a path to a UNIX socket may be
          # specified (overrides `host` and `port`).
          #
          # Default: undefined
          #socket: './http.sock'
    
        # Basic HTTPS.
        #
        # You can find the list of possible options there https://nodejs.org/docs/latest/api/tls.html#tls.createServer
        -
        #   # The only difference is the presence of the certificate and the
        #   # key.
        #   #
        #   #hostname: '127.0.0.1'
            port: 443
    
        #   # File containing the certificate (PEM format).
        #
        #   # If a chain of certificates authorities is needed, you may bundle
        #   # them directly in the certificate.
        #   #
        #   # Note: the order of certificates does matter, your certificate
        #   # should come first followed by the certificate of the above
        #   # certificate authority up to the root.
        #   #
        #   # Default: undefined
            cert: '/etc/ssl/private/xoa.cert'
    
        #   # File containing the private key (PEM format).
        #   #
        #   # If the key is encrypted, the passphrase will be asked at
        #   # server startup.
        #   #
        #   # Default: undefined
            key: '/etc/ssl/private/xoa.key'
    
      # If set to true, all HTTP traffic will be redirected to the first
      # HTTPs configuration.
      redirectToHttps: true
    
      # List of files/directories which will be served.
      mounts:
        '/': '/opt/xen-orchestra/packages/xo-web/dist'
    
      # List of proxied URLs (HTTP & WebSockets).
      proxies:
        # '/any/url': 'http://localhost:54722'
    
    # HTTP proxy configuration used by xo-server to fetch resources on the
    # Internet.
    #
    # See: https://github.com/TooTallNate/node-proxy-agent#maps-proxy-protocols-to-httpagent-implementations
    #httpProxy: 'http://jsmith:qwerty@proxy.lan:3128'
    
    #=====================================================================
    
    # Connection to the Redis server.
    redis:
        # Unix sockets can be used
        #
        # Default: undefined
        #socket: /var/run/redis/redis.sock
    
        # Syntax: redis://[db[:password]@]hostname[:port][/db-number]
        #
        # Default: redis://localhost:6379/0
        #uri: redis://redis.company.lan/42
    
        # List of aliased commands.
        #
        # See http://redis.io/topics/security#disabling-of-specific-commands
        #renameCommands:
        #  del: '3dda29ad-3015-44f9-b13b-fa570de92489'
        #  srem: '3fd758c9-5610-4e9d-a058-dbf4cb6d8bf0'
    
    
    # Directory containing the database of XO.
    # Currently used for logs.
    #
    # Default: '/var/lib/xo-server/data'
    #datadir: '/var/lib/xo-server/data'
    
    


  • I'm just curious on using this --- do you have an SSL cert with the server name and are you accessing XO through an address like: https://xoserver.example.com? I'm just curious since my XO server is located at 10.0.1.11 and Chrome states the cert is invalid -- since I believe SSL needs to resolve to hostnames and not IP addresses.



  • @kevdog said in HTTP to HTTPS redirection:

    I'm just curious on using this --- do you have an SSL cert with the server name and are you accessing XO through an address like: https://xoserver.example.com? I'm just curious since my XO server is located at 10.0.1.11 and Chrome states the cert is invalid -- since I believe SSL needs to resolve to hostnames and not IP addresses.

    I have generated a self-signed certificate which I am using to reach my XOA. You can do this very easily by using the "openssl" tool.
    https://www.linux.com/tutorials/creating-self-signed-ssl-certificates-apache-linux/ explains how to create both the cert and key files that you need.



  • @nikade Hey, thanks for the link. I ended up just using a LetsEncrypt cert rather than self-signed. I think I had to add a DNS host override on my router to associate the local LAN address of the XO server with the domain name of the server contained in the certificate -- like 10.0.1.50 ---> xo.example.com. Thanks for pointing me in the right direction on this one.



  • @kevdog said in HTTP to HTTPS redirection:

    @nikade Hey, thanks for the link. I ended up just using a LetsEncrypt cert rather than self-signed. I think I had to add a DNS host override on my router to associate the local LAN address of the XO server with the domain name of the server contained in the certificate -- like 10.0.1.50 ---> xo.example.com. Thanks for pointing me in the right direction on this one.

    Yeah, that is a good solution as well. I hope this helps others in the future who want to secure their XO with https 🙂

