@c-gabri c-gabri commented Sep 27, 2025

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Reference to Existing Issue

Closes #496.

Description of Changes

Let users set custom external HTTPS/HTTP ports for the nginx container, using new, documented .env variables NGINX_SSL_PORT and NGINX_PORT. Useful if e.g. OpenWISP is running behind a reverse proxy on the same host (quite common for Docker applications).

Screenshot

Please include any relevant screenshots.

E.g. for installations running behind a reverse proxy
@nemesifier nemesifier added the enhancement New feature or request label Sep 27, 2025
@nemesifier nemesifier changed the title Add support for non-default Nginx external ports [feature] Add support for non-default Nginx external ports Sep 27, 2025

@nemesifier nemesifier left a comment

Thanks for contributing @c-gabri, see my comments below.

c-gabri commented Sep 27, 2025

@nemesifier My pleasure, thank you for this awesome software: gives me headaches sometimes and there's certainly room for improvement, but overall it is a huge help for managing my production network, could not live without it any more. Glad to help a little bit where I can.

c-gabri commented Sep 29, 2025

@nemesifier Not sure if I should do something about Merge Tests/CI Build failing: I've managed to properly format changed files, but I see it's now complaining about commit messages, which I'm not sure if/how I can change. Sorry but I'm not a git pro and this is one of my first pull requests. Let me know if there's something I should do.

nemesifier commented Sep 29, 2025

> @nemesifier My pleasure, thank you for this awesome software: gives me headaches sometimes and there's certainly room for improvement, but overall it is a huge help for managing my production network, could not live without it any more. Glad to help a little bit where I can.

It's been improving, thanks also to feedback and contributions like yours.

> @nemesifier Not sure if I should do something about Merge Tests/CI Build failing: I've managed to properly format changed files, but I see it's now complaining about commit messages, which I'm not sure if/how I can change. Sorry but I'm not a git pro and this is one of my first pull requests. Let me know if there's something I should do.

I'll try to build locally, alpine very often yanks packages which contain any known security vulnerability and for this reason very often our builds fail (most likely there's a new version of one of the system packages). Unfortunately dependabot cannot handle this automatically for us yet so it's a bit of a drag that we have to deal with.

@nemesifier nemesifier moved this from Backlog to In progress in 25.09 Release Sep 29, 2025

@nemesifier nemesifier left a comment

Here's what I found in my round of testing.

After setting this in my .env:

NGINX_SSL_PORT=4443
NGINX_PORT=8080

Redirect from non SSL to SSL returns 404

Normally, if one opens the non SSL URL, it will redirect to the SSL URL:

return 301 https://${DOLLAR}host${DOLLAR}request_uri;

Due to the fact that SSL is now on port 4443, this won't work.

HTTP requests to the API container fail

The application is not aware that it should send requests to :4443.

Conclusions

Does it work for you? If the solution you shared here does, you can simply edit your docker-compose file or whatever other methodology you're using, without the need of sending a PR.

However, if you care about getting this included we need to make sure the rest of the application knows where to point to and will require more work.
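
A check for the redirect problem described in the review above, as an added example that is not part of the PR or the project's code: it reads response headers and reports whether the HTTP to HTTPS redirect lands on the expected HTTPS port. The function names, the host `dashboard.example.com` and both header samples are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): verify where an HTTP->HTTPS redirect lands.
# Feed it response headers, e.g. from: curl -sI http://<host>:<NGINX_PORT>/

# Print the port the Location header targets: the explicit port if present,
# otherwise the scheme default (443 for https, 80 for http).
redirect_port() {
    awk '
        tolower($1) == "location:" {
            url = $2
            sub(/\r$/, "", url)                  # curl prints CRLF line ends
            scheme = url; sub(/:\/\/.*/, "", scheme)
            rest = url;   sub(/^[A-Za-z]+:\/\//, "", rest)
            sub(/\/.*/, "", rest)                # keep only host[:port]
            if (rest ~ /:[0-9]+$/) { sub(/^.*:/, "", rest); print rest }
            else if (scheme == "https") print "443"
            else print "80"
            exit
        }'
}

# Exit 0 if the redirect is https on the expected port, 2 if it is not an
# https redirect at all, 1 if the port differs.
check_redirect() {
    expected_port=$1
    headers=$(cat)
    printf '%s\n' "$headers" | grep -qi '^location: *https://' || return 2
    [ "$(printf '%s\n' "$headers" | redirect_port)" = "$expected_port" ]
}

# Constructed sample: reply to a request for http://dashboard.example.com:8080/admin/
# when the redirect is built from $host, which carries no port.
SAMPLE_NO_PORT='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://dashboard.example.com/admin/'

# Constructed sample: the same redirect with the HTTPS port spelled out.
SAMPLE_WITH_PORT='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://dashboard.example.com:4443/admin/'

for sample in "$SAMPLE_NO_PORT" "$SAMPLE_WITH_PORT"; do
    if printf '%s\n' "$sample" | check_redirect 4443; then
        echo "OK: redirect targets port 4443"
    else
        echo "MISMATCH: redirect targets port $(printf '%s\n' "$sample" | redirect_port)"
    fi
done
```

Pass the port that clients actually reach: when a reverse proxy fronts the container, that is the proxy's public HTTPS port rather than `NGINX_SSL_PORT`.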

c-gabri commented Sep 30, 2025

@nemesifier

> Does it work for you?

Works for me because I don't connect directly but through a reverse proxy (it is the main use case for this PR), which takes care of 80->443 redirects, manages certificates (SSL_CERT_MODE=External) and proxies 443 to NGINX_PORT. So OpenWISP doesn't need to be aware of anything.

> we need to make sure the rest of the application knows where to point to and will require more work

But yes, if we want to make this feature more generic, i.e. make custom ports work regardless of the use with a reverse proxy, then more work is needed to make the application aware of the custom ports. I like the idea, if you do too I can convert this to a draft and look into this a little bit in my spare time. Or we can merge now and I create a new issue/PR for the more generic use case. Your choice.

@nemesifier nemesifier moved this from In progress to Backlog in 25.09 Release Sep 30, 2025
@c-gabri c-gabri marked this pull request as draft September 30, 2025 18:40
@c-gabri c-gabri marked this pull request as ready for review October 1, 2025 14:30

c-gabri commented Oct 1, 2025

@nemesifier Not sure if I've completely cracked this but I have definitely made progress.

  • SSL_CERT_MODE=No
    • direct HTTP access with NGINX_PORT=80|8081: OK
  • SSL_CERT_MODE=Yes
    • direct HTTP/HTTPS access with NGINX_PORT=80 and NGINX_SSL_PORT=443: OK (no point in testing custom ports as I think certbot needs the default ones)
  • SSL_CERT_MODE=SelfSigned (actually using certs previously obtained with SSL_CERT_MODE=Yes)
    • direct HTTP/HTTPS access with NGINX_PORT=80|8081 and NGINX_SSL_PORT=443|4431: OK
    • HTTP access from reverse proxy with NGINX_PORT=8081 and NGINX_SSL_PORT=4431: OK
  • SSL_CERT_MODE=External
    • direct HTTP access with NGINX_PORT=80|8081: login fails with error CSRF cookie not set (unrelated to this PR and maybe to be expected)
    • HTTP access from reverse proxy with NGINX_PORT=8081: OK

What I'm testing, while verifying no unusual errors appear in the web console and that things look as they should:

  1. Visiting the DASHBOARD_DOMAIN with the appropriate scheme and port and logging in
  2. Verifying if charts and notifications load properly
  3. Visiting the Templates page

Not sure what more comprehensive tests should be run to check if the new code covers all possible cases. I've just made the bare minimum additions/edits to fix the errors that would appear in front of me during tests using a bit of common sense.

Take it for a spin and let me know how it goes ;)

@c-gabri c-gabri marked this pull request as draft October 2, 2025 11:22
@c-gabri c-gabri marked this pull request as ready for review October 2, 2025 14:45
@c-gabri c-gabri marked this pull request as draft October 3, 2025 18:27
@c-gabri c-gabri marked this pull request as ready for review October 3, 2025 18:27

@nemesifier nemesifier left a comment

Thanks for following up, I'll test asap.

PS: I added this to the 25.09 release board.

Help from anyone is welcome in testing/reviewing PRs on that board to speed up the next release (not many blockers left to solve).

@nemesifier nemesifier left a comment

I tested this and it works. Thank you @c-gabri! 👏

@github-project-automation github-project-automation bot moved this from In progress to Reviewer approved in OpenWISP Priorities for next releases Oct 9, 2025
@nemesifier nemesifier merged commit b012ef7 into openwisp:master Oct 9, 2025
1 check passed
@github-project-automation github-project-automation bot moved this from In progress to Done in 25.09 Release Oct 9, 2025
@github-project-automation github-project-automation bot moved this from Reviewer approved to Done in OpenWISP Priorities for next releases Oct 9, 2025