Mixed Content Block stops login

Hello, I am running this using Docker Compose and Traefik as a reverse proxy.

docker-compose.yaml:

version: '3.5'

services:
  server:
    container_name: crm1
    image: cortezaproject/corteza-server:2021.3
    restart: always
    volumes:
      - site-data:/data
    environment:
      DOMAIN: ${DOMAIN}
      DB_DSN: dbuser:dbpass@tcp(db:3306)/dbname?collation=utf8mb4_general_ci
      LOG_DEBUG: "true"
      LOG_LEVEL: "DEBUG"
      HTTP_WEBAPP_ENABLED: "true"
      AUTH_JWT_SECRET: secret
    depends_on: [ db ]
    networks:
      - crmnet
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        - traefik.constraint-label=traefik-public
        - traefik.http.routers.crm-app.entrypoints=http
        - traefik.http.routers.crm-app.rule=Host(`${DOMAIN}`,`www.${DOMAIN}`)
        - traefik.http.routers.crm-app.middlewares=https-redirect
        - traefik.http.routers.crm-app-secure.entrypoints=https
        - traefik.http.routers.crm-app-secure.rule=Host(`${DOMAIN}`,`www.${DOMAIN}`)
        - traefik.http.routers.crm-app-secure.tls=true
        - traefik.http.routers.crm-app-secure.tls.certresolver=le
        - traefik.http.routers.crm-app-secure.service=crm1
        - traefik.http.services.crm1.loadbalancer.server.port=80

  db:
    image: percona:8.0
    volumes:
      - db-data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: dbpass
      MYSQL_DATABASE: dbname
      MYSQL_USER: dbuser
      MYSQL_PASSWORD: dbpass
    restart: always
    networks:
      - crmnet
    healthcheck: { test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"], timeout: 20s, retries: 10 }
    
networks:
  traefik-public:
    external: true
  crmnet:

  
volumes:
  db-data:
  site-data:

and after login Firefox throws this error:
Blocked loading mixed active content “http://domain.tld/auth/oauth2/default-client”

and the login process is stuck on a blank page.

In the config.js which is shown in the Firefox debugger this is listed:
window.CortezaAuth = 'http://domain.tld/auth';

This should be https.

Is there a way to force https in this URL?

I already tried AUTH_BASE_URL but that didn't change anything.

Hi

Try adding HTTP_SSL_TERMINATED=true to your env vars.

Apologies @scientes, I've referenced an option that is part of the next release.

What you can do here is set the LETSENCRYPT_HOST variable (to any kind of value). This tells the Corteza server that some software in front of it will handle SSL and that it needs to use the HTTPS URL scheme.

Why this name? Because we are (usually) relying on Docker Hub to manage SSL certificates and we can control that with LETSENCRYPT_HOST.

We recognised this approach as a bit too narrow-minded and prepared HTTP_SSL_TERMINATED to be supported (in September's release, 2021.9).


Hi there,

As my error fits this rather old thread well, I hope it's okay to post it here.

I’ve installed Corteza 2022.9.1 with Docker using Traefik as a reverse proxy.

My docker-compose.yml looks like the following:

version: '3.5'

services:
  server:
    image: cortezaproject/corteza:${VERSION}
    networks: [ traefik, local ]
    restart: unless-stopped
    env_file: [ .env ]
    depends_on: [ db ]
    volumes:
      - "./corteza:/data"
    environment:
      VIRTUAL_HOST: ${DOMAIN}
      LETSENCRYPT_HOST: ${DOMAIN}
      TZ: Europe/Berlin
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.corteza.entrypoints=websecure"
      - "traefik.http.routers.corteza.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.corteza.tls=true"
      - "traefik.http.routers.corteza.tls.certresolver=letsencrypt"
      - "traefik.http.services.corteza.loadbalancer.server.port=80"
      - "traefik.docker.network=traefik"
  db:
    image: postgres:13
    networks: [ local ]
    restart: unless-stopped
    volumes:
      - "./postgres:/var/lib/postgresql/data"
    healthcheck: { test: ["CMD-SHELL", "pg_isready -U corteza"], interval: 10s, timeout: 5s, retries: 5 }
    environment:
      POSTGRES_USER:     corteza
      POSTGRES_PASSWORD: corteza

networks:
  local: {}
  traefik: { external: true }

My .env looks as follows:

DOMAIN=corteza.domain.tld
VERSION=2022.9.1
DB_DSN=postgres://corteza:corteza@db:5432/corteza?sslmode=disable
HTTP_WEBAPP_ENABLED=true
HTTP_SSL_TERMINATED=true
ACTIONLOG_DEBUG=true
# LOG_LEVEL=debug
LOG_DEBUG=true
AUTH_JWT_SECRET=SECRET :)
AUTH_BASE_URL='https://corteza.domain.tld/auth'
AUTH_SESSION_COOKIE_SECURE=true

Starting Corteza and registering a new (admin) user works perfectly well via the reverse proxy over https. The log files show no errors. But when I try to access https://corteza.domain.tld I only get a blank white screen. The JavaScript console shows the following error in index.es.js at line 1027:

XmlHttpRequest cannot load http://corteza.domain.tld/auth/oauth2/default-client due to access control checks.

Any idea what I’m missing and why Corteza is still referencing http? Thanks in advance for your help.

Kind regards, Fabian

If you changed your HTTP/HTTPS setup AFTER you installed Corteza please check auth, redirection and other URLs in your settings. There might be some pointing to invalid schema.

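The two replies above boil down to the same check: after SSL termination the server must emit https URLs, and any setting still pointing at the http scheme will be blocked by the browser as mixed content. The script below is an added example (not Corteza's or the thread's own code) that applies that check to the `window.CortezaAuth = '...'` assignment quoted earlier: it parses every `window.<Name> = '<url>'` line from a config.js text and flags entries an https-loaded page would be blocked from calling. The sample config text is constructed, and the `/config.js` path in `fetch_config` is an assumption.

```python
import re
import urllib.request
from urllib.parse import urlsplit

# Constructed sample modelled on the config.js line quoted in the thread; not fetched from a live server.
SAMPLE_CONFIG_JS = """
window.CortezaAuth = 'http://domain.tld/auth';
window.CortezaAPI = 'https://domain.tld/api';
"""

# Matches assignments of the form  window.Name = 'value'  or  window.Name = "value"
ASSIGNMENT_RE = re.compile(r"""window\.(\w+)\s*=\s*['"]([^'"]+)['"]""")


def extract_urls(config_js: str) -> dict:
    """Return {variable_name: url_string} for every window.<Name> = '<url>' assignment."""
    return {name: value for name, value in ASSIGNMENT_RE.findall(config_js)}


def mixed_content_findings(config_js: str, page_origin: str) -> list:
    """Return (variable, url, reason) tuples for URLs that an https page cannot safely use.

    page_origin is the scheme and host the web app itself is loaded from,
    e.g. 'https://domain.tld'. An http:// endpoint referenced from an https page is
    mixed active content and is blocked by the browser; a different host is reported
    too because it turns the call into a cross-origin request.
    """
    page = urlsplit(page_origin)
    findings = []
    for name, url in extract_urls(config_js).items():
        u = urlsplit(url)
        if page.scheme == "https" and u.scheme == "http":
            findings.append((name, url, "mixed content: https page would request an http endpoint"))
        elif u.hostname and u.hostname != page.hostname:
            findings.append((name, url, "host differs from the page host (cross-origin request)"))
    return findings


def fetch_config(base_url: str, path: str = "/config.js") -> str:
    """Download the served config script. The path is an assumption; adjust to your deployment."""
    with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as resp:  # noqa: S310
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    for variable, url, reason in mixed_content_findings(SAMPLE_CONFIG_JS, "https://domain.tld"):
        print(f"{variable}: {url}  <- {reason}")
```

To check a live deployment, pass `fetch_config("https://corteza.domain.tld")` instead of the sample text; an empty result means every configured URL already matches the https page origin.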

Thank you for your quick response. I’ve reinstalled Corteza several times; every time I changed settings in .env I’ve reinstalled the entire system. Just to be sure! :wink:

After several restarts and some hours of leaving the system alone, the configuration posted above is running well. Maybe some weird caching problems led to the problem.

Regards, Fabian


Low temperature these days… maybe it needed to warm up :slight_smile:


Hello from me!

I have this similar problem with mixed content (don’t know if I should open up a new thread). I unfortunately can’t get to the admin panel :confused:

My setup is the following: NGINX Proxy Manager (GUI) + Cloudflare Flexible SSL + Corteza with Percona (Docker containers).

I have successfully created the containers and the Corteza instance is available through my domain (with SSL). I have successfully registered my first account; however, after confirming the email, I get this error message for mixed content:

Mixed Content: The page at 'https://corteza.my_domain.tld/admin/auth/callback?code=<some code>' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://corteza.my_domain.tld/auth/oauth2/default-client'. This request has been blocked; the content must be served over HTTPS.

The part: corteza.my_domain.tld is replaced with my real domain. I could DM you the real domain if needed.

docker-compose.yaml (omitted the part for the Percona DB container):

version: '3.5'

services:
  server:
    image: cortezaproject/corteza:${VERSION}
    restart: always
    env_file: [ .env ]
    depends_on: [ db ]
    networks: [ nginxproxymanager_default, internal ]
    ports: [ "10015:80", "10415:443" ]
    # Uncomment to use local fs for data persistence
    volumes: [ "./data/server:/data" ]
    environment:
      # These two are needed only if you are using the NginX Let's Encrypt companion
      # (see docs.cortezaproject.org for details)
      # VIRTUAL_HOST helps the NginX proxy route traffic for a specific virtual host to this container
      VIRTUAL_HOST:     ${DOMAIN}
      # LETSENCRYPT_HOST helps the NginX LE companion pull and configure SSL certificates for your domain
      LETSENCRYPT_HOST: ${DOMAIN}

.env file (I omitted the SMTP info):

########################################################################################################################
# General settings
DOMAIN=corteza.my_domain.tld
VERSION=2022.9

########################################################################################################################
# Database connection

DB_DSN=some_user:some_pass@tcp(db:3306)/some_db?collation=utf8mb4_general_ci
########################################################################################################################
# Server settings

# Serve Corteza webapps alongside API
HTTP_WEBAPP_ENABLED=true
HTTP_SSL_TERMINATED=true

# Send action log to container logs as well
# ACTIONLOG_DEBUG=true

# Uncomment for extra debug info if something goes wrong
LOG_LEVEL=debug

# Use nicer and colorful log instead of JSON
LOG_DEBUG=true

########################################################################################################################
# Authentication

# Secret to use for JWT token
# Make sure you change it (>30 random characters) if
# you expose your deployment to outside traffic
AUTH_JWT_SECRET=some_secret_key
AUTH_BASE_URL='https://corteza.my_domain.tld/auth'

I have read and googled almost everything I could find. I have reinstalled Corteza several times (just in case something didn’t propagate when I changed the container variables), and this is my only hope for help - so any suggestions are much appreciated :slightly_smiling_face:

Additional info: the SSL is forced through Cloudflare.


Hello guys, please contact me through DM if someone has a solution; I'm willing to pay for support if needed.


Hi Petar,

I had the exact same issue and could solve it by changing the SSL certificate. At first I requested a Let's Encrypt certificate where I also opted for HSTS Enabled. HSTS is a mechanism to prevent MITM attacks.
After getting a new certificate without HSTS enabled it worked.

I hope this can help you (even after more than a year).

I have literally the same problem…

HTTP_SSL_TERMINATED and LETSENCRYPT_HOST are set. I reinstalled the app several times, with no result.


Hi @dszmaj ,

Do you have any more info on that one? Nginx logs, Let's Encrypt logs?
Is the certificate definitely valid?

Most of the time when Let's Encrypt does not generate the certificate, it is because the domain is not resolvable to a host, so checking the DNS settings on the domain should help.
