Login does nothing; guest note: invalid cookie

docker-compose

services:
  database:
    image: postgres:13.4-alpine
    environment:
      - POSTGRES_USER=hedgedoc
      - POSTGRES_PASSWORD=password
      - POSTGRES_DB=hedgedoc
    volumes:
      - database:/var/lib/postgresql/data
    restart: always
  app:
    # Make sure to use the latest release from https://hedgedoc.org/latest-release
    image: quay.io/hedgedoc/hedgedoc:1.9.9
    environment:
      - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc

      - CMD_DOMAIN=hedgedoc.example.com
      - CMD_ALLOW_ORIGIN=['hedgedoc.example.com', 'localhost']

      - CMD_PROTOCOL_USESSL=true
      - CMD_SESSION_SECRET=foobar99

      - CMD_EMAIL=true
      - CMD_ALLOW_EMAIL_REGISTER=false
    volumes:
      - uploads:/hedgedoc/public/uploads
    ports:
      - "3000:3000"
    restart: always
    depends_on:
      - database

volumes:
  database:
  uploads:

hedgedoc.caddy

http://hedgedoc.example.com {
	reverse_proxy localhost:3000 {
		header_up X-Forwarded-Proto {scheme}
	}
}

Related issues (that didn’t help):

I’m afraid the issue is that I only apply SSL between the user and Cloudflare (flexible SSL). However, there is no SSL between Cloudflare and the user.

OK, confirmed, disabling flexible SSL resolves it. I wish the docs had mentioned this, or that the app had been made compatible with flexible SSL.

Hi @mustafa0x, welcome to the HedgeDoc community!

It’s great to hear that you already found the culprit. The problem is that the instance needs to be configured for HTTPS URLs (you’ve correctly done so by using CMD_PROTOCOL_USESSL), otherwise the app wouldn’t work. But on the other side, your connection between Cloudflare and your server is unencrypted when using “flexible SSL”, so there’s a mismatch.

In terms of security: I would strongly recommend against using “flexible SSL” at all, as it provides no protection of your users’ data, since everything between Cloudflare and your server is unencrypted and can be intercepted.

There’s already a warning in our docs about the incompatible optimization feature from Cloudflare, we should probably extend that with the information about “flexible SSL”.
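The mismatch described in the reply above, as an added illustration that is not part of this thread and not HedgeDoc's own code. It models an origin app that is configured for HTTPS (CMD_PROTOCOL_USESSL=true) and sits behind a reverse proxy: the app derives the request scheme from the first X-Forwarded-Proto value (the Caddyfile in the thread sends `{scheme}`, which is `http` because the site block listens on http://), and it refuses to issue a `Secure` session cookie on a hop it believes is plain HTTP. The parse function, the `login_response` handler, the sample requests and the session id are all constructed here; the "withhold the Secure cookie on a non-HTTPS request" rule is an assumption about typical session middleware, not a statement about HedgeDoc's source.

```python
"""Added example (not from the thread, not HedgeDoc code): why an app that is
configured for HTTPS URLs stops issuing session cookies when the hop between
Cloudflare and the origin is plain HTTP ("Flexible SSL").

Assumption: like common session middleware, the modelled app trusts the proxy,
takes the scheme from the first X-Forwarded-Proto value, and will not send a
`Secure` cookie on a request it believes arrived over plain HTTP.
"""
from __future__ import annotations


def parse_request_head(raw: bytes) -> tuple[str, dict[str, str]]:
    """Parse the request line and headers of an HTTP/1.1 request head.

    Header names are lower-cased; repeated headers are joined with ', ', which
    is what makes chained proxies show up as 'https, http' in X-Forwarded-Proto.
    """
    head = raw.decode("iso-8859-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers


def effective_scheme(headers: dict[str, str], transport_is_tls: bool,
                     trust_proxy: bool) -> str:
    """Scheme the app believes the client used.

    With trust_proxy the first X-Forwarded-Proto entry wins (the hop closest
    to the client); otherwise only the origin's own transport counts.
    """
    if trust_proxy and "x-forwarded-proto" in headers:
        first = headers["x-forwarded-proto"].split(",")[0].strip().lower()
        if first in ("http", "https"):
            return first
    return "https" if transport_is_tls else "http"


def login_response(raw_request: bytes, *, use_ssl: bool,
                   trust_proxy: bool = True,
                   transport_is_tls: bool = False) -> dict[str, str]:
    """Model of a login handler: the response headers the app would send."""
    _, headers = parse_request_head(raw_request)
    scheme = effective_scheme(headers, transport_is_tls, trust_proxy)
    base = "https" if use_ssl else "http"
    resp = {"Location": f"{base}://{headers.get('host', '')}/"}
    if use_ssl and scheme != "https":
        # The Secure cookie is withheld because the hop looks like plain HTTP.
        # The browser is redirected but never receives a session, which is the
        # "login does nothing" symptom from the thread title.
        resp["X-Debug"] = f"secure session cookie withheld: scheme is {scheme}"
        return resp
    cookie = "connect.sid=CONSTRUCTED-SESSION-ID; Path=/; HttpOnly; SameSite=Lax"
    if use_ssl:
        cookie += "; Secure"
    resp["Set-Cookie"] = cookie
    return resp


# Constructed request heads as the origin sees them behind Caddy.
# Flexible SSL: browser -> Cloudflare is TLS, Cloudflare -> Caddy is plain
# HTTP, and Caddy's http:// site block forwards {scheme} == "http".
FLEXIBLE_SSL_REQUEST = (
    b"POST /auth/email HTTP/1.1\r\n"
    b"Host: hedgedoc.example.com\r\n"
    b"X-Forwarded-Proto: http\r\n"
    b"X-Forwarded-For: 203.0.113.10\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Full (strict) SSL: Cloudflare -> origin is TLS too, so the proxy reports https.
FULL_SSL_REQUEST = FLEXIBLE_SSL_REQUEST.replace(
    b"X-Forwarded-Proto: http\r\n", b"X-Forwarded-Proto: https\r\n")


def mismatch_report(raw_request: bytes, use_ssl: bool) -> str:
    """One-line diagnosis suitable for a deployment check."""
    resp = login_response(raw_request, use_ssl=use_ssl)
    if "Set-Cookie" in resp:
        return "ok: session cookie issued (" + resp["Set-Cookie"].split(";")[0] + ")"
    return "MISMATCH: app expects https but proxy hop is http; " + resp["X-Debug"]


if __name__ == "__main__":
    print("flexible:", mismatch_report(FLEXIBLE_SSL_REQUEST, use_ssl=True))
    print("full:    ", mismatch_report(FULL_SSL_REQUEST, use_ssl=True))
```

Running the block prints a MISMATCH line for the flexible case and an "ok" line for the full-TLS case. The same two-request check is a useful smoke test after changing the Cloudflare SSL mode or the Caddy site block: if the origin is meant to be HTTPS-only, every request reaching the app should carry `X-Forwarded-Proto: https`, and the Caddy site block should itself listen on https:// so that `{scheme}` is correct rather than hard-coded.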