Skip to content

Add sslHeaders and remove OPENC3_ALLOW_HTTP to ssl and letsencrypt#2929

Merged
jmthomas merged 1 commit into
mainfrom
traefik-ssl
Mar 5, 2026
Merged

Add sslHeaders and remove OPENC3_ALLOW_HTTP to ssl and letsencrypt#2929
jmthomas merged 1 commit into
mainfrom
traefik-ssl

Conversation

@jmthomas
Copy link
Copy Markdown
Member

@jmthomas jmthomas commented Mar 5, 2026

No description provided.

@jmthomas jmthomas requested review from clayandgen and ryanmelt March 5, 2026 00:18
jmthomas
jmthomas commented Mar 5, 2026
View reviewed changes
Comment thread openc3-traefik/traefik-letsencrypt.yaml
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Port: "443"
Copy link
Copy Markdown
Member Author

@jmthomas jmthomas Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was already part of the enterprise traefik configs so I assume it's needed here as well

Copy link
Copy Markdown
Member

@ryanmelt ryanmelt Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This won't hurt anything, but this was for Keycloak which doesn't exist in Core

jmthomas
jmthomas commented Mar 5, 2026
View reviewed changes
Comment thread openc3-traefik/traefik-letsencrypt.yaml
headers:
contentSecurityPolicy: >-
{{ if env "OPENC3_ALLOW_HTTP" }}default-src 'self' blob: data: http: https:; script-src 'unsafe-inline' 'unsafe-eval' http: https: blob:; connect-src blob: http: https: wss: ws:; style-src 'unsafe-inline' http: https:; object-src 'none';{{ else }}default-src 'self' blob: data: https: http://localhost:* http://host.docker.internal:* http://*.local:*; script-src 'unsafe-inline' 'unsafe-eval' https: blob: http://localhost:* http://host.docker.internal:* http://*.local:*; connect-src blob: https: wss: http://localhost:* http://host.docker.internal:* http://*.local:* ws://localhost:* ws://host.docker.internal:* ws://*.local:*; style-src 'unsafe-inline' https: http://localhost:* http://host.docker.internal:* http://*.local:*; object-src 'none';{{ end }}
default-src 'self' blob: data: https: http://localhost:* http://host.docker.internal:* http://*.local:*; script-src 'unsafe-inline' 'unsafe-eval' https: blob: http://localhost:* http://host.docker.internal:* http://*.local:*; connect-src blob: https: wss: http://localhost:* http://host.docker.internal:* http://*.local:* ws://localhost:* ws://host.docker.internal:* ws://*.local:*; style-src 'unsafe-inline' https: http://localhost:* http://host.docker.internal:* http://*.local:*; object-src 'none';
Copy link
Copy Markdown
Member Author

@jmthomas jmthomas Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't make sense to allow HTTP when you're doing encryption which is the whole point of this traefik config

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Mar 5, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

ryanmelt
ryanmelt approved these changes Mar 5, 2026
View reviewed changes
Comment thread openc3-traefik/traefik-letsencrypt.yaml
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Port: "443"
Copy link
Copy Markdown
Member

@ryanmelt ryanmelt Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This won't hurt anything, but this was for Keycloak which doesn't exist in Core

@codecov
Copy link
Copy Markdown

codecov Bot commented Mar 5, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.27%. Comparing base (2594b2c) to head (8997bc0).
⚠️ Report is 43 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2929      +/-   ##
==========================================
+ Coverage   78.21%   78.27%   +0.05%     
==========================================
  Files         673      673              
  Lines       55204    55204              
  Branches      728      728              
==========================================
+ Hits        43180    43213      +33     
+ Misses      11946    11913      -33     
  Partials       78       78
Flag Coverage Δ
python 79.32% <ø> (-0.02%) ⬇️
ruby-api 80.07% <ø> (+0.77%) ⬆️
ruby-backend 82.16% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@jmthomas jmthomas merged commit a6f672e into main Mar 5, 2026
30 of 31 checks passed
@jmthomas jmthomas deleted the traefik-ssl branch March 5, 2026 01:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ryanmelt ryanmelt ryanmelt approved these changes

@clayandgen clayandgen Awaiting requested review from clayandgen

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jmthomas @ryanmelt