mirror/TimeTracker
1
0
Fork 0
mirror of https://github.com/DRYTRIX/TimeTracker.git synced 2025-12-18 01:14:39 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
TimeTracker/start-https.sh
Dries Peeters 94e8e49439 feat: Add HTTPS support with mkcert and automatic SSL configuration 
Add comprehensive HTTPS support with two deployment options:
- mkcert for local development with trusted certificates
- Automatic SSL with Let's Encrypt for production

HTTPS Implementation:
- Add docker-compose.https-mkcert.yml for local HTTPS development
- Add docker-compose.https-auto.yml for automatic SSL certificates
- Create Dockerfile.mkcert for certificate generation
- Add setup scripts (setup-https-mkcert.sh/bat)
- Add startup scripts (start-https.sh/bat)
- Add certificate generation script (generate-mkcert-certs.sh)

CSRF and IP Access Fixes:
- Fix CSRF token validation for IP-based access
- Add CSRF troubleshooting documentation
- Update configuration to handle various access patterns

Documentation:
- Add HTTPS_MKCERT_GUIDE.md with setup instructions
- Add README_HTTPS.md with general HTTPS documentation
- Add README_HTTPS_AUTO.md for automatic SSL setup
- Add AUTOMATIC_HTTPS_SUMMARY.md
- Add CSRF_IP_ACCESS_FIX.md and CSRF_IP_FIX_SUMMARY.md
- Add docs/CSRF_IP_ACCESS_GUIDE.md
- Update main README.md with HTTPS information

Configuration:
- Update .gitignore for SSL certificates and nginx configs
- Update env.example with new HTTPS-related variables
- Update docker-compose.yml with SSL configuration options

This enables secure HTTPS access in both development and production
environments while maintaining compatibility with existing deployments.
2025-10-13 18:32:45 +02:00

147 lines
4.4 KiB
Bash
Raw Permalink Blame History

#!/bin/bash
# Start TimeTracker with automatic HTTPS
# Automatically generates certificates and starts all services
set -e
echo "=========================================="
echo "TimeTracker HTTPS Startup"
echo "=========================================="
echo ""
# Detect local IP
if [[ "$OSTYPE" == "darwin"* ]]; then
LOCAL_IP=$(ipconfig getifaddr en0 || ipconfig getifaddr en1 || echo "192.168.1.100")
elif [[ "$OSTYPE" == "linux-gnu"* ]]; then
LOCAL_IP=$(hostname -I | awk '{print $1}' || echo "192.168.1.100")
else
LOCAL_IP="192.168.1.100"
fi
echo "🌐 Local IP detected: $LOCAL_IP"
echo ""
# Create nginx config if it doesn't exist
if [ ! -f nginx/conf.d/https.conf ]; then
echo "📝 Creating nginx HTTPS configuration..."
mkdir -p nginx/conf.d
cat > nginx/conf.d/https.conf << 'NGINX_EOF'
server {
listen 80;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
location / {
proxy_pass http://app:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
NGINX_EOF
echo "✅ nginx configuration created"
echo ""
fi
# Update .env with HTTPS settings if it exists
if [ -f .env ]; then
echo "🔧 Updating .env with HTTPS settings..."
# Backup .env
cp .env .env.backup 2>/dev/null || true
# Update settings
sed -i.bak 's/^WTF_CSRF_SSL_STRICT=.*/WTF_CSRF_SSL_STRICT=true/' .env 2>/dev/null || echo "WTF_CSRF_SSL_STRICT=true" >> .env
sed -i.bak 's/^SESSION_COOKIE_SECURE=.*/SESSION_COOKIE_SECURE=true/' .env 2>/dev/null || echo "SESSION_COOKIE_SECURE=true" >> .env
sed -i.bak 's/^CSRF_COOKIE_SECURE=.*/CSRF_COOKIE_SECURE=true/' .env 2>/dev/null || echo "CSRF_COOKIE_SECURE=true" >> .env
# Clean up
rm -f .env.bak
echo "✅ .env updated"
echo ""
fi
# Export IP for docker-compose
export HOST_IP=$LOCAL_IP
# Choose certificate method
echo "Select certificate method:"
echo " 1) Self-signed (works immediately, shows browser warning)"
echo " 2) mkcert (trusted certificates, requires one-time CA install)"
echo ""
read -p "Choice [1]: " CERT_METHOD
CERT_METHOD=${CERT_METHOD:-1}
echo ""
if [ "$CERT_METHOD" = "2" ]; then
# Check if mkcert is available
if command -v mkcert >/dev/null 2>&1; then
echo "🔐 Using mkcert for trusted certificates..."
docker-compose -f docker-compose.yml -f docker-compose.https-mkcert.yml up -d
else
echo "⚠️ mkcert not found on host. Using self-signed certificates instead."
echo " Install mkcert for trusted certificates: brew install mkcert (Mac) or choco install mkcert (Windows)"
echo ""
docker-compose -f docker-compose.yml -f docker-compose.https-auto.yml up -d
fi
else
echo "🔐 Using self-signed certificates..."
docker-compose -f docker-compose.yml -f docker-compose.https-auto.yml up -d
fi
echo ""
echo "=========================================="
echo "✅ TimeTracker is starting with HTTPS!"
echo "=========================================="
echo ""
echo "Access your application at:"
echo " https://localhost"
echo " https://$LOCAL_IP"
echo ""
if [ "$CERT_METHOD" = "1" ] || ! command -v mkcert >/dev/null 2>&1; then
echo "⚠️ Browser Warning Expected:"
echo " Self-signed certificates will show a security warning."
echo " Click 'Advanced' → 'Proceed to localhost (unsafe)' to continue."
echo ""
echo " For no warnings, run: bash setup-https-mkcert.sh"
else
echo "📋 To avoid browser warnings:"
echo " Install the CA certificate from: nginx/ssl/rootCA.pem"
echo " See instructions above or in HTTPS_MKCERT_GUIDE.md"
fi
echo ""
echo "View logs:"
echo " docker-compose logs -f"
echo ""
echo "Stop services:"
echo " docker-compose down"
echo ""
Reference in New Issue View Git Blame Copy Permalink