The Web page is wrong about stirling-pdf HOT 35 CLOSED

All fixed now.
HTTP/HTTPS both working fine now.

Thanks @Frooodle .

from stirling-pdf.

Give us more information, a log entry would be desirable

from stirling-pdf.

Until these calls are resolved, you can add this line to your domain-ssl.conf :

# Add Content-Security-Policy to force use of HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests;"

Then reload your apache2 configuration.

from stirling-pdf.

@Frooodle that one also works fine for me

from stirling-pdf.

After cache clear? :P

hah yep cleared cache this time!

from stirling-pdf.

alright just made a 0.24.5 lets see if it works

from stirling-pdf.

Yes, this is exactly what happened to me.

from stirling-pdf.

Give us more information, a log entry would be desirable

from stirling-pdf.

I have the same issue, though only when I go through a reverse proxy with SSL.

Something about resources being requested in HTTP and not HTTPS

from stirling-pdf.

Another saw this issue and mentioned it was resolved by changing their reverse proxy from direct docker connection to IP:port

We are looking into this issue but also not sure of the cause at the moment

from stirling-pdf.

我也遇到了这样的问题，通过nginx反代后，就出现了

from stirling-pdf.

I have the same issue, though only when I go through a reverse proxy with SSL.

Something about resources being requested in HTTP and not HTTPS

I also noticed this problem when I tried to use OIDC. the redirect_url is http

from stirling-pdf.

I've tested both with HTTP/HTTPS.
Still the same problem.
Please check both URL:

https://pdf.shinetechpro.com
http://154.12.224.81:8001

from stirling-pdf.

I've tested both with HTTP/HTTPS.
Still the same problem.
Please check both URL:

https://pdf.shinetechpro.com
http://154.12.224.81:8001

Http loads fine for me here and I think any direct IP would too as well

It seems to be issue with reverse proxy when combined with it not connecting via IP from what I have seen people reporting

from stirling-pdf.

what reverse proxy are you all using, can any share their configs?

from stirling-pdf.

what reverse proxy are you all using, can any share their configs?

what reverse proxy are you all using, can any share their configs?

I use apache2

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
  # configure for ssl, this is global configuration.
  SSLCertificateFile example.com.pem
  SSLCertificateKeyFile  example.com.pem.key

    ProxyPreserveHost On
    ProxyRequests Off
    RewriteEngine On

    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule ^/?(.*) ws://stirling-pdf:8080/$1  [P,L]

    <Location />
        RequestHeader set X_FORWARDED_PROTO 'https'
        RequestHeader set X-Forwarded-Ssl on
        RequestHeader set X-Forwarded-Port "443"
        ProxyPass http://stirling-pdf:8080/
        ProxyPassReverse http://stirling-pdf:8080/
    </Location>   
    ErrorLog ${APACHE_LOG_DIR}/pdf_error.log
	# CustomLog ${APACHE_LOG_DIR}/pdf_access.log combined
        
</VirtualHost>

from stirling-pdf.

what reverse proxy are you all using, can any share their configs?

Note: I also have HAProxy running on Opnsense in front of this handling the TLS termination, but I've never run into issues with it

  traefik:
    # The official v2 Traefik docker image
    image: traefik:latest
    ports:
      - 80:80
      - 8282:8080
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
    # Enables the web UI and tells Traefik to listen to docker
    command:
      - --api.insecure=true
      - --providers.docker=true
      - --entryPoints.http.address=:80
      - --providers.docker.exposedByDefault=false
      - --entryPoints.http.forwardedHeaders.insecure
      - --entryPoints.http.proxyProtocol.insecure
    restart: 'always'

  stirling-pdf:
    container_name: Stirling-PDF-Security
    image: frooodle/s-pdf:latest
    deploy:
      resources:
        limits:
          memory: 4G
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -f http://localhost:8080/api/v1/info/status | grep -q 'UP' && curl -fL http://localhost:8080/ | grep -q 'Please sign in'"
        ]
      interval: 5s
      timeout: 10s
      retries: 16
    ports:
      - 8080:8080
    volumes:
      - ./data:/usr/share/tessdata:rw
      - ./config:/configs:rw
      - ./logs:/logs:rw
    labels:
      traefik.enable: true
      traefik.http.routers.stirling-pdf.rule: Host(`pdf.[REDACTED].com`)
    environment:
      DOCKER_ENABLE_SECURITY: true
      SECURITY_ENABLELOGIN: true
      SECURITY_OAUTH2_ENABLED: true
      SECURITY_OAUTH2_AUTOCREATEUSER: true # This is set to true to allow auto-creation of non-existing users in Striling-PDF
      SECURITY_OAUTH2_ISSUER: "https://auth.[REDACTED].com/application/o/stirling-pdf/" # Change with any other provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) end-point
      SECURITY_OAUTH2_CLIENTID: "[REDACTED]" # Client ID from your provider
      SECURITY_OAUTH2_CLIENTSECRET: "[REDACTED]" # Client Secret from your provider
      PUID: 1002
      PGID: 1002
      UMASK: "022"
      SYSTEM_DEFAULTLOCALE: en-US
      UI_APPNAME: Stirling-PDF
      UI_HOMEDESCRIPTION: Demo site for Stirling-PDF Latest with Security
      UI_APPNAMENAVBAR: Stirling-PDF Latest
      SYSTEM_MAXFILESIZE: "100"
      METRICS_ENABLED: "true"
      SYSTEM_GOOGLEVISIBILITY: "false"
    restart: on-failure:5

from stirling-pdf.

This seems to be caused by Mixed Content.

from stirling-pdf.

what reverse proxy are you all using, can any share their configs?

aaPanel reverse proxy.

from stirling-pdf.

Until these calls are resolved, you can add this line to your domain-ssl.conf :

# Add Content-Security-Policy to force use of HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests;"

Then reload your apache2 configuration.

and for Nginx?

from stirling-pdf.

Using HAProxy on my OPNsense firewall and had the same issue when using it as a direct reverse proxy.

I solved it by using a nginx container as a reverse proxy directly before HAProxy.

So this is my file architecture for Docker :

./stirling-pdf/
|-- docker-compose.yaml
`-- nginx
    |-- default.conf
    |-- dockerfile
    `-- ssl
        |-- gen-ssl.sh
        |-- server.crt
        `-- server.key

docker-compose.yaml file :

version: '3.3'
services:
  stirling-pdf:
    image: frooodle/s-pdf:latest
    networks:
      - stirling-net
    volumes:
      - ./configs/trainingData:/usr/share/tessdata #Required for extra OCR languages
      - ./configs/extraConfigs:/configs
#      - /location/of/customFiles:/customFiles/
      - ./logs:/logs/
    environment:
      - DOCKER_ENABLE_SECURITY=true
      - INSTALL_BOOK_AND_ADVANCED_HTML_OPS=true
      - LANGS=fr-FR
    restart: unless-stopped

  nginx:
    networks:
      - stirling-net
    build:
        context: ./nginx
    volumes: 
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
      - ./nginx/ssl:/etc/nginx/ssl
    ports:
      - '1198:443'
    restart: unless-stopped

networks:
  stirling-net:

default.conf for nginx :

server {
  listen 443 ssl http2;

  ssl_certificate  /etc/nginx/ssl/server.crt;
  ssl_certificate_key /etc/nginx/ssl/server.key;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass http://stirling-pdf:8080;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

}

dockerfile for nginx :

FROM nginx
COPY default.conf /etc/nginx/conf.d/default.conf

And for lazy people like me, an SSL generator script (gen-ssl.sh) :

#!/bin/bash

IP="stirling"
SUBJECT_NGINX="/C=FR/ST=France/L=Paris/O=btw/OU=CA/CN=${IP}"

function generate_nginx () {
    echo "$SUBJECT_NGINX"
    openssl req -x509 -nodes -days 3685 -newkey rsa:2048 -subj "$SUBJECT_NGINX" -keyout server.key -out server.crt
}

generate_nginx

Okay that solution is ugly because it uses 2 reverse proxy which is not the best, but it works and is really secure because nobody will be able to access your Stirling service with HTTP but only with HTTPS.

from stirling-pdf.

I am using NginX Proxy Manager and have no idea how to fix it with that.

What is strange is that it was working until I redployed the container.

from stirling-pdf.

I rolled back to frooodle/s-pdf:0.23.1 and all is well again.

from stirling-pdf.

I have the same problem in google chrome. In safari it works fine. Not so a restrictive Content-Security-Policy ckeck in Browser :-) Please replace the HTTP requests in your code.

from stirling-pdf.

Any update?
HTTP is working fine from http://154.12.224.81:8001
HTTPS is still not working https://pdf.shinetechpro.com

new container start with new image.

from stirling-pdf.

Can someone try the image
latest-test

and see if that produces any different result after clearing cache etc too

from stirling-pdf.

Pulled the latest image and restarted it under my reverse proxy (Apache) and it looks exactly as expected now (and I forgot to clear the cache) -so one of those changes seems to have done the trick!

from stirling-pdf.

did like 4 changes now to figure out which did it! haha

from stirling-pdf.

latest-test2 Can you test this, should let me know which change was cause

from stirling-pdf.

After cache clear? :P

from stirling-pdf.

Let me wait for one more user to test both these images latest-test2 first ideally
and then ill merge

from stirling-pdf.

I'm using 0.24.5, the login page now looks okay, but I'm still getting errors:

Plus, single sign on with Azure Entra is not working either, there still seems to be a problem with the https URL:

AADSTS50011: The redirect URI 'http://pdf.haarhoff.eu:443/login/oauth2/code/oidc' specified in the request does not match the redirect URIs configured for the application

from stirling-pdf.

I'm using 0.24.5, the login page now looks okay, but I'm still getting errors:

Plus, single sign on with Azure Entra is not working either, there still seems to be a problem with the https URL:

AADSTS50011: The redirect URI 'http://pdf.haarhoff.eu:443/login/oauth2/code/oidc' specified in the request does not match the redirect URIs configured for the application

That's another mistake.

from stirling-pdf.

Great it works now fine. The Bug is solved
App Version: 0.24.5
Enviroment: Container, Nginx Proxy Manager and https
I do not use the login page in pdf; i take the logon with nginx proxy manager
Thanks

from stirling-pdf.

Thanks for that, working like a dream :)

from stirling-pdf.