Project

General

Profile

Actions

Feature #24763

open

Force SSL when Setting.protocol is "https"

Added by Aleksandar Pavic almost 8 years ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Administration
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:

Description

Forcing SSL is important, and some enterprise environment can't be used if they aren't forcing the SSL due to security standards and best practices.

Redmine's Administration | Settings offers HTTPS as an option, but choosing it does nothing.

Editing the config/settings.yml and changing protocol from default: http
to https does nothing also

However placing the

config.force_ssl = true

in config/application.rb do work and do force SSL

So I'm not sure is it a defect or a feature request, but I'm posting it as a defect.

My Redmine info:

Environment:
  Redmine version                3.3.1.stable
  Ruby version                   2.1.4-p265 (2014-10-27) [x86_64-linux]
  Rails version                  4.2.7.1
  Environment                    production
  Database adapter               Mysql2


Files

redminessl.png (9.56 KB) redminessl.png Aleksandar Pavic, 2017-01-05 08:52
redmine_https.png (24.7 KB) redmine_https.png Aleksandar Pavic, 2020-04-18 09:08
https_always.png (14.8 KB) https_always.png Aleksandar Pavic, 2020-04-18 09:10
clipboard-202308221333-re9zw.png (7.88 KB) clipboard-202308221333-re9zw.png Redmine Version Information Sheng Ze Fan, 2023-08-22 07:33
clipboard-202308221336-rlpbe.png (6.43 KB) clipboard-202308221336-rlpbe.png config/settings.yml Sheng Ze Fan, 2023-08-22 07:36
clipboard-202308221338-bjris.png (65.5 KB) clipboard-202308221338-bjris.png config/application.rb Sheng Ze Fan, 2023-08-22 07:38

Related issues

Related to Redmine - Feature #2579: Configure SSL schema for "private" actions.Closed2009-01-25

Actions
Related to Redmine - Feature #3804: Authentication over HTTPSClosedGo MAEDA2009-09-02

Actions
Related to Redmine - Patch #41011: Add more configuration examples to config/additional_environment.rb.exampleClosedGo MAEDA

Actions
Actions #1

Updated by Go MAEDA almost 8 years ago

  • Priority changed from High to Normal

Aleksandar Pavic wrote:

Redmine's Administration | Settings offers HTTPS as an option, but choosing it does nothing.

It is used to generate URL of issues in email notification.

Actions #2

Updated by Go MAEDA almost 8 years ago

  • Tracker changed from Defect to Feature
  • Subject changed from Settings protocol HTTPS does nothing to Force SSL when Setting.protocol is "https"
  • Category changed from Accounts / authentication to Administration
Actions #3

Updated by Go MAEDA almost 8 years ago

  • Related to Feature #2579: Configure SSL schema for "private" actions. added
Actions #4

Updated by Go MAEDA almost 8 years ago

Actions #5

Updated by Fernando Hartmann over 7 years ago

+1

Actions #6

Updated by Aleksandar Pavic almost 6 years ago

Confirmed in 3.4.6

placing config.force_ssl = true anywhere in config/application.rb

makes it work the rails way...

As I have explained back in 2017 [[http://www.redminecookbook.com/blog-29-Forcing-Redmine-to-use-SSL-on-Apache]]

Actions #7

Updated by Aleksandar Pavic almost 5 years ago

I can confirm this issues still prevails on

Redmine version                4.1.0.stable.19444
Ruby version                   2.6.5-p114 (2019-10-01) [x86_64-linux]
Rails version                  5.2.4.1


fixing with force_ssl = true works.
Actions #8

Updated by Marius BĂLTEANU over 4 years ago

  • Target version set to Candidate for next major release

I agree that Redmine default settings should contain better security settings. For now, I propose to enforce SSL on production environment. Let's Encrypt it's a good option for those who don't want to buy a certificate.

diff --git a/config/environments/production.rb b/config/environments/production.rb
index 16d9fc2f7..99632ca26 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -24,4 +24,7 @@ Rails.application.configure do

   # Print deprecation notices to the Rails logger.
   config.active_support.deprecation = :log
+
+  # Enforce secure HTTP requests
+  config.force_ssl = true
 end
Actions #9

Updated by Aleksandar Pavic over 4 years ago

Marius Ionescu

that code enforces SSL always, what I'm alluding is that if you choose in settings to use HTTPS,
then force_ssl = true should be set...

Unfortunately I can't write code and test, at the moment...

Actions #10

Updated by Go MAEDA over 4 years ago

Marius BALTEANU wrote:

I agree that Redmine default settings should contain better security settings. For now, I propose to enforce SSL on production environment. Let's Encrypt it's a good option for those who don't want to buy a certificate.

I think it is overkill. There are many cases running Redmine in production mode as follows:

  • Using Redmine on intranet with an internal hostname such as http://192.168.1.1/ or http://redmine.test/
  • An environment that Redmine has been just installed and application for a certificate has not been completed
  • Developers who test Redmine in both development and production mode

Enforcing SSL for production mode complicates the installation process for those usecases may make admins spent a lot of time to troubleshoot.

Actions #11

Updated by Aleksandar Pavic over 4 years ago

My original post, is that changing from http to https in settings, does nothing, you don't get redirected to https...

We can either remove that setting, since it doesn't do anything...

Or make it work, by having it set force_ssl = true, since only then users get redirected to https...

Maybe there is some other way to make it work that I'm unaware of.

Actions #12

Updated by Marius BĂLTEANU over 4 years ago

Go MAEDA wrote:

Marius BALTEANU wrote:

I agree that Redmine default settings should contain better security settings. For now, I propose to enforce SSL on production environment. Let's Encrypt it's a good option for those who don't want to buy a certificate.

I think it is overkill. There are many cases running Redmine in production mode as follows:

  • Using Redmine on intranet with an internal hostname such as http://192.168.1.1/ or http://redmine.test/
  • An environment that Redmine has been just installed and application for a certificate has not been completed
  • Developers who test Redmine in both development and production mode

Enforcing SSL for production mode complicates the installation process for those usecases may make admins spent a lot of time to troubleshoot.

These are valid points, even if these type of tests should not be made on "production" mode and even in intranet they should use https. Some companies are using self signed certificates which are trusted in their internal network. I'll think to a better solution.

Aleksandar Pavic wrote:

My original post, is that changing from http to https in settings, does nothing, you don't get redirected to https...

We can either remove that setting, since it doesn't do anything...

Or make it work, by having it set force_ssl = true, since only then users get redirected to https...

Maybe there is some other way to make it work that I'm unaware of.

It does, please see #24763#note-1.

Actions #13

Updated by Go MAEDA over 4 years ago

I think the decision to use SSL or not should be made by a server admin. And enforcing SSL in the next version is a too drastic change.

I suggest modifying the patch in #24763#note-8 as follows.

diff --git a/config/environments/production.rb b/config/environments/production.rb
index 16d9fc2f7..3e16e42ad 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -24,4 +24,8 @@ Rails.application.configure do

   # Print deprecation notices to the Rails logger.
   config.active_support.deprecation = :log
+
+  # Enforce secure HTTP requests
+  # Uncommenting the following line is HIGHLY RECOMMENDED
+  # config.force_ssl = true
 end

I want a lot of people to try Redmine casually. So, I am opposed to complicating the installation process by forcing an ideal and perfect configuration.

Actions #14

Updated by Aleksandar Pavic over 4 years ago

Ok, so may I suggest adding a feature then, because most people aren't messing with anything except config.yml and database.yml

or

if

config.force_ssl = true

can be set programatically during runtime...

Actions #15

Updated by dm_red mine over 2 years ago

Hello, whenever I force HTTPS (config.force_ssl = true) and restart Redmine the browser displays the TOO_MANY_REDIRECTS message.

I have a signed certificate and manually browsing with https works fine, why is it redirecting onto itself?

Actions #16

Updated by Go MAEDA almost 2 years ago

FYR: You force SSL by adding the following line to config/additional_environments.rb.

config.force_ssl = true if Rails.env.production?
Actions #17

Updated by Sheng Ze Fan over 1 year ago

Redmine Version Information

not work for Redmine 4.2.6
Please help, thanks.

what I do
1. administration -> settings: http -> https
2. Editing the config/settings.yml and changing protocol from default: http
config/settings.yml
3. Editing config/application.rb at the end of file
config/application.rb

Actions #18

Updated by Aleksandar Pavic over 1 year ago

@Sheng_Zen_fan did you restart Redmine after changing that...?

Also try the code that Go Maeda wrote: #24763#note-16

Actions #19

Updated by Go MAEDA 5 months ago

Go MAEDA wrote in #note-16:

FYR: You force SSL by adding the following line to config/additional_environments.rb.

[...]

I added the configuration example to enforce the use of SSL in config/additional_environment.rb.example in r22945.

Actions #20

Updated by Go MAEDA 5 months ago

  • Related to Patch #41011: Add more configuration examples to config/additional_environment.rb.example added
Actions

Also available in: Atom PDF