Description
Using the docker container, API is working correctly when using TLS_SETUP_ENABLE=true and accessing it on bare IP address or localhost. However, I cannot make it work behind an reverse proxy. There's no mention of API in the docker documentation.
From what I understand, we should use the PROXY_HTTP_BIND environment variable and put the certificate in the client, then the container should read the certificate from the SSL_CLIENT_CERT header. However, that doesn't seems to work.
To reproduce
- Launch the container behind an Nginx reverse proxy:
docker run -it -d --rm \
--name $container_name \
-e DATABASE_JDBC_URL="jdbc:mariadb://<DB_IP>:3306/ejbca?characterEncoding=UTF-8" \
-e DATABASE_USER="ejbca" \
-e DATABASE_PASSWORD="securepass" \
-e LOG_LEVEL_APP="INFO" \
-e LOG_LEVEL_SERVER="INFO" \
-e TLS_SETUP_ENABLED="later" \
-e PASSWORD_ENCRYPTION_KEY="securepass" \
-e CA_KEYSTOREPASS="securepass" \
-e EJBCA_CLI_DEFAULTPASSWORD="ejbca" \
-e PROXY_HTTP_BIND="0.0.0.0" \
keyfactor/ejbca-ce
- Configure the nginx reverse proxy:
server {
server_name <URL>;
location / {
proxy_pass https://<CONTAINER_IP>:8082;
proxy_set_header Host $host;
proxy_set_header X-Real_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;
}
}
- Create a client certificate
- Edit Access Rules
- Test one API endpoint (for example,
https://<URL>/ejbca/ejbca-rest-api/v2/certificate/count?isActive=), using the certificate.
Expected behavior
Screenshot of a successfull request made with postman:
Product Deployement
- Deployement: Latest version of Docker
Desktop
- OS: Ubuntu 22.04
- Browser/Client:
- Firefox 126.0.1
- Postman 10.24.26
Description
Using the docker container, API is working correctly when using
TLS_SETUP_ENABLE=trueand accessing it on bare IP address or localhost. However, I cannot make it work behind an reverse proxy. There's no mention of API in the docker documentation.From what I understand, we should use the
PROXY_HTTP_BINDenvironment variable and put the certificate in the client, then the container should read the certificate from theSSL_CLIENT_CERTheader. However, that doesn't seems to work.To reproduce
https://<URL>/ejbca/ejbca-rest-api/v2/certificate/count?isActive=), using the certificate.Expected behavior
Screenshot of a successfull request made with postman:
Product Deployement
Desktop