Add comprehensive HTTPS support with two deployment options: - mkcert for local development with trusted certificates - Automatic SSL with Let's Encrypt for production HTTPS Implementation: - Add docker-compose.https-mkcert.yml for local HTTPS development - Add docker-compose.https-auto.yml for automatic SSL certificates - Create Dockerfile.mkcert for certificate generation - Add setup scripts (setup-https-mkcert.sh/bat) - Add startup scripts (start-https.sh/bat) - Add certificate generation script (generate-mkcert-certs.sh) CSRF and IP Access Fixes: - Fix CSRF token validation for IP-based access - Add CSRF troubleshooting documentation - Update configuration to handle various access patterns Documentation: - Add HTTPS_MKCERT_GUIDE.md with setup instructions - Add README_HTTPS.md with general HTTPS documentation - Add README_HTTPS_AUTO.md for automatic SSL setup - Add AUTOMATIC_HTTPS_SUMMARY.md - Add CSRF_IP_ACCESS_FIX.md and CSRF_IP_FIX_SUMMARY.md - Add docs/CSRF_IP_ACCESS_GUIDE.md - Update main README.md with HTTPS information Configuration: - Update .gitignore for SSL certificates and nginx configs - Update env.example with new HTTPS-related variables - Update docker-compose.yml with SSL configuration options This enables secure HTTPS access in both development and production environments while maintaining compatibility with existing deployments.
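@echo off
setlocal
REM ============================================================
REM start-https.bat - Start TimeTracker with automatic HTTPS
REM
REM Detects the host's IPv4 address, writes a default nginx TLS
REM reverse-proxy config (nginx\conf.d\https.conf) if none exists,
REM switches the CSRF / secure-cookie settings in .env to their HTTPS
REM values, then starts the compose stack with either self-signed or
REM mkcert certificates.
REM
REM Usage:   start-https.bat   (interactive; run from the repo root)
REM Writes:  nginx\conf.d\https.conf, .env (previous copy in .env.backup)
REM Env:     HOST_IP is set for docker-compose to pick up.
REM
REM NOTE: do NOT add "setlocal EnableDelayedExpansion" to this script -
REM the generated ssl_ciphers line contains '!' characters that delayed
REM expansion would swallow. Runtime status checks therefore use
REM "if errorlevel N" instead of %errorlevel% / !errorlevel!.
REM ============================================================

echo ==========================================
echo TimeTracker HTTPS Startup
echo ==========================================
echo.

REM ---- Detect local IPv4 address ---------------------------------
REM Takes the first "IPv4 Address" line ipconfig prints. Two caveats:
REM the label is locale-dependent (non-English Windows prints a translated
REM string, so nothing matches and the fallback below is used), and the
REM first adapter listed may be a virtual or VPN interface, not the LAN one.
for /f "tokens=2 delims=:" %%a in ('ipconfig ^| findstr /c:"IPv4 Address"') do (
    set LOCAL_IP=%%a
    goto :found_ip
)
:found_ip
REM Test for the undefined case BEFORE the substring substitution:
REM %VAR: =% applied to an undefined variable is not reliably an empty
REM string in a batch file, so a "" comparison placed after it could
REM never trigger the fallback.
if not defined LOCAL_IP (
    echo [WARNING] Could not detect an IPv4 address, using fallback address.
    set LOCAL_IP=192.168.1.100
)
REM ipconfig leaves a space after the colon; strip all spaces.
set LOCAL_IP=%LOCAL_IP: =%

echo [INFO] Local IP detected: %LOCAL_IP%
echo.

REM ---- Create nginx config if it doesn't exist -------------------
REM Every output line must be "echo." or "echo text": a bare "echo"
REM prints "ECHO is off." into the file, which nginx rejects as an
REM unknown directive.
REM Notes on the generated config:
REM  - ssl_ciphers HIGH:!aNULL:!MD5 is a permissive legacy list (it still
REM    admits non-forward-secret and CBC suites); tighten it for production.
REM  - HSTS max-age is one year. Browsers only store the policy when the
REM    certificate validates, so self-signed runs are unaffected, but after
REM    one trusted (mkcert) run the browser will refuse click-through on
REM    certificate errors for this host until the policy expires.
if not exist nginx\conf.d\https.conf (
    echo [INFO] Creating nginx HTTPS configuration...
    if not exist nginx\conf.d mkdir nginx\conf.d

    (
        echo server {
        echo     listen 80;
        echo     server_name _;
        echo     return 301 https://$host$request_uri;
        echo }
        echo.
        echo server {
        echo     listen 443 ssl http2;
        echo     server_name _;
        echo.
        echo     ssl_certificate /etc/nginx/ssl/cert.pem;
        echo     ssl_certificate_key /etc/nginx/ssl/key.pem;
        echo.
        echo     ssl_protocols TLSv1.2 TLSv1.3;
        echo     ssl_ciphers HIGH:!aNULL:!MD5;
        echo     ssl_prefer_server_ciphers on;
        echo.
        echo     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        echo     add_header X-Frame-Options "DENY" always;
        echo     add_header X-Content-Type-Options "nosniff" always;
        echo.
        echo     location / {
        echo         proxy_pass http://app:8080;
        echo         proxy_set_header Host $host;
        echo         proxy_set_header X-Real-IP $remote_addr;
        echo         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        echo         proxy_set_header X-Forwarded-Proto $scheme;
        echo.
        echo         proxy_http_version 1.1;
        echo         proxy_set_header Upgrade $http_upgrade;
        echo         proxy_set_header Connection "upgrade";
        echo     }
        echo }
    ) > nginx\conf.d\https.conf

    echo [OK] nginx configuration created
    echo.
)

REM ---- Update .env with HTTPS settings ---------------------------
REM Forces WTF_CSRF_SSL_STRICT, SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE
REM to true, appending the key when it is missing. PowerShell's -match and
REM -replace operate element-wise on the array Get-Content returns.
REM .env.backup is a full copy of .env, including any secrets it holds -
REM it must be excluded from version control the same way .env is (confirm
REM .gitignore covers it).
if exist .env (
    echo [INFO] Updating .env with HTTPS settings...
    copy .env .env.backup >nul 2>&1 || echo [WARNING] Could not write .env.backup, continuing without a backup.

    powershell -Command "$content = Get-Content .env; if ($content -match '^WTF_CSRF_SSL_STRICT=') { $content = $content -replace '^WTF_CSRF_SSL_STRICT=.*', 'WTF_CSRF_SSL_STRICT=true' } else { $content += 'WTF_CSRF_SSL_STRICT=true' }; if ($content -match '^SESSION_COOKIE_SECURE=') { $content = $content -replace '^SESSION_COOKIE_SECURE=.*', 'SESSION_COOKIE_SECURE=true' } else { $content += 'SESSION_COOKIE_SECURE=true' }; if ($content -match '^CSRF_COOKIE_SECURE=') { $content = $content -replace '^CSRF_COOKIE_SECURE=.*', 'CSRF_COOKIE_SECURE=true' } else { $content += 'CSRF_COOKIE_SECURE=true' }; $content | Set-Content .env"

    echo [OK] .env updated
    echo.
)

REM ---- Environment variable for docker-compose -------------------
set HOST_IP=%LOCAL_IP%

REM ---- Choose certificate method ---------------------------------
echo Select certificate method:
echo 1^) Self-signed (works immediately, shows browser warning^)
echo 2^) mkcert (trusted certificates, requires mkcert installed^)
echo.
set /p CERT_METHOD="Choice [1]: "
if "%CERT_METHOD%"=="" set CERT_METHOD=1
echo.

REM Pick the compose override file. The mkcert branch checks the lookup
REM result with "if errorlevel 1" instead of "%errorlevel%": inside a
REM parenthesised block %errorlevel% is expanded when the whole block is
REM parsed, i.e. BEFORE "where" runs, so a percent-based test always sees
REM the stale value from before the block.
REM When mkcert is unavailable CERT_METHOD is reset to 1 so the self-signed
REM browser-warning notice below is shown for the mode actually started.
set COMPOSE_OVERRIDE=docker-compose.https-auto.yml
if "%CERT_METHOD%"=="2" (
    where mkcert >nul 2>&1
    if errorlevel 1 (
        echo [WARNING] mkcert not found. Using self-signed certificates instead.
        echo Install mkcert: choco install mkcert
        echo.
        set CERT_METHOD=1
    ) else (
        echo [INFO] Using mkcert for trusted certificates...
        set COMPOSE_OVERRIDE=docker-compose.https-mkcert.yml
    )
) else (
    echo [INFO] Using self-signed certificates...
)

docker-compose -f docker-compose.yml -f %COMPOSE_OVERRIDE% up -d
REM Do not report success if compose failed (or is not installed).
if errorlevel 1 (
    echo [ERROR] docker-compose failed to start the services, see the output above.
    pause
    exit /b 1
)

echo.
echo ==========================================
echo [OK] TimeTracker is starting with HTTPS!
echo ==========================================
echo.
echo Access your application at:
echo https://localhost
echo https://%LOCAL_IP%
echo.

if "%CERT_METHOD%"=="1" (
    echo [WARNING] Browser Warning Expected:
    echo Self-signed certificates will show a security warning.
    echo Click 'Advanced' - 'Proceed to localhost (unsafe^)' to continue.
    echo.
    echo For no warnings, run: setup-https-mkcert.bat
)

echo.
echo View logs:
echo docker-compose logs -f
echo.
echo Stop services:
echo docker-compose down
echo.
pause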