[BUG] API on Docker container not working properly

[HarimbolaSantatra]

Description

Using the docker container, API is working correctly when using TLS_SETUP_ENABLE=true and accessing it on bare IP address or localhost. However, I cannot make it work behind an reverse proxy. There's no mention of API in the docker documentation.
From what I understand, we should use the PROXY_HTTP_BIND environment variable and put the certificate in the client, then the container should read the certificate from the SSL_CLIENT_CERT header. However, that doesn't seems to work.

To reproduce

1. Launch the container behind an Nginx reverse proxy:

docker run -it -d --rm \
    --name $container_name \
    -e DATABASE_JDBC_URL="jdbc:mariadb://<DB_IP>:3306/ejbca?characterEncoding=UTF-8" \
    -e DATABASE_USER="ejbca" \
    -e DATABASE_PASSWORD="securepass" \
    -e LOG_LEVEL_APP="INFO" \
    -e LOG_LEVEL_SERVER="INFO" \
    -e TLS_SETUP_ENABLED="later" \
    -e PASSWORD_ENCRYPTION_KEY="securepass" \
    -e CA_KEYSTOREPASS="securepass" \
    -e EJBCA_CLI_DEFAULTPASSWORD="ejbca" \
    -e PROXY_HTTP_BIND="0.0.0.0" \
    keyfactor/ejbca-ce

2. Configure the nginx reverse proxy:

server {
    server_name <URL>;
    location / {
        proxy_pass https://<CONTAINER_IP>:8082;
        proxy_set_header Host $host;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;
    }
}

3. Create a client certificate
4. Edit Access Rules
5. Test one API endpoint (for example, https://<URL>/ejbca/ejbca-rest-api/v2/certificate/count?isActive=), using the certificate.

Expected behavior

Screenshot of a successfull request made with postman:

Product Deployement

• Deployement: Latest version of Docker

Desktop

• OS: Ubuntu 22.04
• Browser/Client:
  • Firefox 126.0.1
  • Postman 10.24.26

[HarimbolaSantatra]

Also, for TLS_SETUP_ENABLED=later, there's no Superadmin enrollement password on the console (This was present for TLS_SETUP_ENABLED=true)

[HarimbolaSantatra]

Some related discussion: #604, #420, #362, #633, #302, #157

[HarimbolaSantatra]

For future reference for those who needs it, I managed to successfully use the API with the docker container and a Nginx reverse proxy. The directive that made all the difference was ssl_verify_client.
Here's a sample of the nginx configuration:

server {
    server_name server.example.com;
    ssl_verify_client optional_no_ca;
    location / {
        proxy_pass http://<EJBCA_IP>:8082;
        proxy_set_header Host $host;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;
    }
}

This works for API authentication but for the web ui, the client can still refuse to send the certificate and access the UI.

[primetomas]

We have some new container documentation, including Helm charts to deploy EJBCA to kubenteres, with optional ingress.
Take a look: https://docs.keyfactor.com/container/latest/ejbca/deployment