HTTP to HTTPS redirection
-
I have installed XO in Ubuntu and have set up HTTPS. But I want HTTP to redirect to HTTPS to make life easier, and I have no idea how to configure this. Below is my current configuration. The redirectToHttps option doesn't appear to work.
# It may be necessary to run XO-Server as a privileged user (e.g. `root`) for
# instance to allow the HTTP server to listen on a
# [privileged ports](http://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html).
#
# To avoid security issues, XO-Server can drop its privileges by changing the
# user and the group is running with.
#
# Note: XO-Server will change them just after reading the configuration.

# User to run XO-Server as.
#
# Note: The user can be specified using either its name or its numeric
# identifier.
#
# Default: undefined
#user = 'nobody'

# Group to run XO-Server as.
#
# Note: The group can be specified using either its name or its numeric
# identifier.
#
# Default: undefined
# group = 'nogroup'

# Configuration of the embedded HTTP server.
[http]
redirectToHttps = true

[http.cookies]
#sameSite = true
#secure = true

# Basic HTTP.
#[[http.listen]]
# Address on which the server is listening on.
#
# Sets it to 'localhost' for IP to listen only on the local host.
#
# Default: all IPv6 addresses if available, otherwise all IPv4 addresses.
# hostname = 'localhost'

# Port on which the server is listening on.
#
# Default: undefined
#port = 80

# Instead of `host` and `port` a path to a UNIX socket may be specified
# (overrides `host` and `port`).
#
# Default: undefined
# socket = './http.sock'

# # Basic HTTPS.
# #
# # You can find the list of possible options there
# # https://nodejs.org/docs/latest/api/tls.html#tls.createServer
# #
# # The only difference is the presence of the certificate and the key.
[[http.listen]]
port = 443

# # # File containing the certificate (PEM format).
# # #
# # If a chain of certificates authorities is needed, you may bundle them
# # directly in the certificate.
# # #
# # Note: the order of certificates does matter, your certificate should come
# # first followed by the certificate of the above
# # certificate authority up to the root.
# # #
# # Default: undefined
cert = '/opt/xen-orchestra/ssl/xosystem.pem'

# # # File containing the private key (PEM format).
# # #
# # If the key is encrypted, the passphrase will be asked at
# # server startup.
# # #
# # Default: undefined
key = '/opt/xen-orchestra/ssl/xosystem.key'

# List of files/directories which will be served.
[http.mounts]
#'/any/url' = '/path/to/directory'

# List of proxied URLs (HTTP & WebSockets).
[http.proxies]
#'/any/url' = 'http://localhost:54722'

#=====================================================================

# Connection to the Redis server.
[redis]
# Unix sockets can be used
#
# Default: undefined
#socket = '/var/run/redis/redis.sock'

# Syntax: redis://[db[:password]@]hostname[:port][/db-number]
#
# Default: redis://localhost:6379/0
#uri = 'redis://redis.company.lan/42'

# List of aliased commands.
#
# See http://redis.io/topics/security#disabling-of-specific-commands
#renameCommands:
# del = '3dda29ad-3015-44f9-b13b-fa570de92489'
# srem = '3fd758c9-5610-4e9d-a058-dbf4cb6d8bf0'

#=====================================================================

# Configuration for remotes
[remoteOptions]
# Directory used to mount remotes
#
# Default: '/run/xo-server/mounts'
#mountsDir = '/run/xo-server/mounts'

# Use sudo for mount with non-root user
#
# Default: false
#useSudo = false
-
Hi @declan-marks,
I've been in the same situation as you and I will share my configuration which is working:
root@xoa:~# cat /opt/xen-orchestra/packages/xo-server/.xo-server.yaml
# BE *VERY* CAREFUL WHEN EDITING!
# YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
# visit http://www.yamllint.com/ to validate this file as needed

#=====================================================================
# Example XO-Server configuration.
#
# This file is automatically looking for at the following places:
# - `$HOME/.config/xo-server/config.yaml`
# - `/etc/xo-server/config.yaml`
#
# The first entries have priority.
#
# Note: paths are relative to the configuration file.
#=====================================================================

# It may be necessary to run XO-Server as a privileged user (e.g.
# `root`) for instance to allow the HTTP server to listen on a
# [privileged ports](http://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html).
#
# To avoid security issues, XO-Server can drop its privileges by
# changing the user and the group is running with.
#
# Note: XO-Server will change them just after reading the
# configuration.

# User to run XO-Server as.
#
# Note: The user can be specified using either its name or its numeric
# identifier.
#
# Default: undefined
#user: 'nobody'

# Group to run XO-Server as.
#
# Note: The group can be specified using either its name or its
# numeric identifier.
#
# Default: undefined
#group: 'nogroup'

#=====================================================================

# Configuration of the embedded HTTP server.
http:
  # Hosts & ports on which to listen.
  #
  # By default, the server listens on [::]:80.
  listen:
    # Basic HTTP.
    -
      # Address on which the server is listening on.
      #
      # Sets it to 'localhost' for IP to listen only on the local host.
      #
      # Default: all IPv6 addresses if available, otherwise all IPv4
      # addresses.
      #hostname: 'localhost'

      # Port on which the server is listening on.
      #
      # Default: undefined
      port: 80

      # Instead of `host` and `port` a path to a UNIX socket may be
      # specified (overrides `host` and `port`).
      #
      # Default: undefined
      #socket: './http.sock'

    # Basic HTTPS.
    #
    # You can find the list of possible options there
    # https://nodejs.org/docs/latest/api/tls.html#tls.createServer
    -
      # # The only difference is the presence of the certificate and the
      # # key.
      # #
      # #hostname: '127.0.0.1'
      port: 443

      # # File containing the certificate (PEM format).
      # #
      # # If a chain of certificates authorities is needed, you may bundle
      # # them directly in the certificate.
      # #
      # # Note: the order of certificates does matter, your certificate
      # # should come first followed by the certificate of the above
      # # certificate authority up to the root.
      # #
      # # Default: undefined
      cert: '/etc/ssl/private/xoa.cert'

      # # File containing the private key (PEM format).
      # #
      # # If the key is encrypted, the passphrase will be asked at
      # # server startup.
      # #
      # # Default: undefined
      key: '/etc/ssl/private/xoa.key'

  # If set to true, all HTTP traffic will be redirected to the first
  # HTTPs configuration.
  redirectToHttps: true

  # List of files/directories which will be served.
  mounts:
    '/': '/opt/xen-orchestra/packages/xo-web/dist'

  # List of proxied URLs (HTTP & WebSockets).
  proxies:
    # '/any/url': 'http://localhost:54722'

  # HTTP proxy configuration used by xo-server to fetch resources on the
  # Internet.
  #
  # See: https://github.com/TooTallNate/node-proxy-agent#maps-proxy-protocols-to-httpagent-implementations
  #httpProxy: 'http://jsmith:qwerty@proxy.lan:3128'

#=====================================================================

# Connection to the Redis server.
redis:
  # Unix sockets can be used
  #
  # Default: undefined
  #socket: /var/run/redis/redis.sock

  # Syntax: redis://[db[:password]@]hostname[:port][/db-number]
  #
  # Default: redis://localhost:6379/0
  #uri: redis://redis.company.lan/42

  # List of aliased commands.
  #
  # See http://redis.io/topics/security#disabling-of-specific-commands
  #renameCommands:
  #  del: '3dda29ad-3015-44f9-b13b-fa570de92489'
  #  srem: '3fd758c9-5610-4e9d-a058-dbf4cb6d8bf0'

# Directory containing the database of XO.
# Currently used for logs.
#
# Default: '/var/lib/xo-server/data'
#datadir: '/var/lib/xo-server/data'
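The working configuration above has two entries under `listen` (port 80 and port 443) plus `redirectToHttps: true`; a redirect can only be issued by a listener that actually accepts plain HTTP, which is why a commented-out port-80 entry produces no redirect at all. The following script is an added example for checking the result from the client side; it is not part of this thread or of xo-server. It sends one GET to the HTTP port without following redirects and classifies the answer, so that a redirect to `http://`, to a relative path, or to a different host is reported rather than silently followed. The host name `xo.example.com` used in the comments is a placeholder.

```python
"""Verify that an HTTP listener hands browsers off to HTTPS on the same host.

Added example (not xo-server code). Run as:  python check_redirect.py xo.example.com
"""
import http.client
import sys
from urllib.parse import urlparse

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def assess_redirect(status, location, expected_host):
    """Classify the response to a plain-HTTP request.

    Returns one of:
      'ok'           a 3xx whose Location is https:// on expected_host
      'no-redirect'  not a 3xx: the UI is being served in the clear
      'no-location'  a 3xx without a Location header (broken redirect)
      'not-https'    redirects, but to http:// or to a relative path (still cleartext)
      'wrong-host'   https redirect, but to some other host
    """
    if status not in REDIRECT_STATUSES:
        return "no-redirect"
    if not location:
        return "no-location"
    target = urlparse(location)
    if target.scheme != "https":
        return "not-https"
    # urlparse() lower-cases .hostname, so compare case-insensitively.
    if target.hostname != expected_host.lower().rstrip("."):
        return "wrong-host"
    return "ok"


def check_live(host, port=80, path="/", timeout=5):
    """Issue a single GET and return (verdict, status, location).

    http.client never follows redirects, so the first answer is what we inspect.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        return assess_redirect(resp.status, location, host), resp.status, location
    finally:
        conn.close()


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "xo.example.com"  # placeholder
    verdict, status, location = check_live(target_host)
    print(f"{target_host}:80 -> {status} {location!r}: {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```

A verdict of `no-redirect` with a 200 status is the symptom in the original question: the UI answers on port 80 instead of redirecting, or nothing is listening there at all (which shows up as a connection error instead).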
-
I'm just curious on using this --- do you have an SSL cert with the server name and are you accessing XO through an address like: https://xoserver.example.com? I'm just curious since my XO server is located at 10.0.1.11 and Chrome states the cert is invalid -- since I believe SSL needs to resolve to hostnames and not IP addresses.
-
@kevdog said in HTTP to HTTPS redirection:
I'm just curious on using this --- do you have an SSL cert with the server name and are you accessing XO through an address like: https://xoserver.example.com? I'm just curious since my XO server is located at 10.0.1.11 and Chrome states the cert is invalid -- since I believe SSL needs to resolve to hostnames and not IP addresses.
I have generated a self-signed certificate which I am using to reach my XOA. You can do this very easily by using the "openssl" tool.
https://www.linux.com/tutorials/creating-self-signed-ssl-certificates-apache-linux/ explains how to create both the cert and key files that you need.
-
@nikade Hey thanks for the link. I ended up just using a LetsEncrypt cert rather than self-signed. I think I had to add a DNS host override on my router to associate the local LAN address of the xo server with the domain name of the server contained in the certificate -- like 10.0.1.50 ---> xo.example.com. Thanks for pointing me in the right direction on this one.
-
@kevdog said in HTTP to HTTPS redirection:
@nikade Hey thanks for the link. I ended up just using a LetsEncrypt cert rather than self-signed. I think I had to add a DNS host override on my router to associate the local LAN address of the xo server with the domain name of the server contained in the certificate -- like 10.0.1.50 ---> xo.example.com. Thanks for pointing me in the right direction on this one.
Yeah that is a good solution as well. I hope this helps others in the future who want to secure their XO with HTTPS.
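The certificate problem in this thread comes down to one comparison: the browser takes the host part of the URL it was given (`10.0.1.11` or `xo.example.com`) and looks for it in the certificate's Subject Alternative Name list. A certificate issued for a DNS name therefore fails when the UI is opened by IP, which the DNS override in the last posts works around. The example below is added here and is not from the thread or from xo-server; it goes slightly beyond the thread in that it also handles IP-address SAN entries and single-label wildcards, which browsers accept under the same rules. `san_matches` is a pure matcher over the `(type, value)` pairs that Python's `ssl` module reports, and `fetch_san` reads the live SAN list from a server while trusting the self-signed certificate file itself as the CA (the `cafile` path is an assumption you supply).

```python
"""Explain 'certificate invalid' by comparing the URL host with the certificate's SAN list.

Added example (not xo-server code). Usage:
    python san_check.py 10.0.1.11 /etc/ssl/private/xoa.cert
"""
import ipaddress
import socket
import ssl
import sys


def _dns_match(pattern, host):
    """Exact match, or a wildcard in the leftmost label only (RFC 6125 style)."""
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        pattern_labels = pattern[2:].split(".")
        host_labels = host.split(".")
        # '*.example.com' covers 'xo.example.com' but not 'a.b.example.com'.
        return len(host_labels) == len(pattern_labels) + 1 and host_labels[1:] == pattern_labels
    return False


def san_matches(san, target):
    """Return True if `target` (URL host) is covered by the SAN list.

    `san` is an iterable of (kind, value) pairs as ssl.SSLSocket.getpeercert()
    reports them, e.g. [('DNS', 'xo.example.com'), ('IP Address', '10.0.1.50')].
    An IP literal in the URL only matches an 'IP Address' entry, never a DNS one.
    """
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    host = target.lower().rstrip(".")
    for kind, value in san:
        if target_ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == target_ip:
                return True
        elif kind == "DNS" and _dns_match(value.lower(), host):
            return True
    return False


def fetch_san(host, port=443, cafile=None, timeout=5):
    """Connect with TLS and return the server certificate's SAN list.

    `cafile` is the CA bundle to trust; pointing it at the self-signed certificate
    file makes verification succeed for that one certificate (a pin).
    Hostname checking is disabled only so that the SAN can be read and reported
    even when it does not cover `host`; chain verification stays on.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return list(tls.getpeercert().get("subjectAltName", ()))


if __name__ == "__main__":
    url_host = sys.argv[1] if len(sys.argv) > 1 else "10.0.1.11"       # value from the thread
    ca_path = sys.argv[2] if len(sys.argv) > 2 else None                 # assumed: path to the cert
    san = fetch_san(url_host, cafile=ca_path)
    print("SAN entries:", san)
    print("covers", url_host, "->", san_matches(san, url_host))
```

When run against a server whose certificate carries only `DNS:xo.example.com`, opening it as `10.0.1.11` prints `False`, which is exactly what Chrome reports as an invalid certificate; either reach the server by the name in the SAN (the DNS override used above) or issue a certificate whose SAN also lists the IP address.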