Using both http and https for Mattermost Site URL


#1

Hi all,

I have Mattermost set up in my Google Cloud Platform, with Letsencrypt SSL installed at https://food.3lc.my:8065

I’m having some issues with the connection from the GitLab webhook to Mattermost, with SSL error messages. Is it possible for me to change my webhook URL from https 443 port https://food.3lc.my:8065/hooks/16axk8u3xfrwig53th5kxy7pzy to http 80 port http://food.3lc.my:8065/hooks/16axk8u3xfrwig53th5kxy7pzy ?

What I need to achieve is that normal users can log in and chat using https (secure), while the GitLab webhook is able to send notifications to Mattermost using http.

Hope someone can help on this.


#2

Hi @kongyc,

Mattermost can’t serve both http and https at the same time on its own, but you can do it through a proxy. To do this you’d need:

  1. Mattermost serving http over some port other than 80 or 443 (we use 8065 by default)
  2. A proxy configured to forward the following to Mattermost:
    1. Any https connection on port 443
    2. Any http connection to /hooks/* on port 80

I’m not sure if our documentation is applicable to Google Cloud Platform, but we have instructions for setting up NGINX included in our setup guides which will get you through everything but allowing the webhook connections on port 80. That’ll require some additional work.


#3

Hi,

Thanks for the suggestion. The redirection in nginx seems to be working fine: if a user keys in http://food.3lc.my (Mattermost URL), it is redirected to https://food.3lc.my:8065.

Now it seems the redirect from http to https is fine, but when I used the same method for the GitLab webhook to Mattermost, it didn’t work.

Let’s say I have a Mattermost webhook URL generated like https://food.3lc.my:8065/hooks/xxxxxx. I copied this URL into my GitLab and modified it to become http://food.3lc.my/hooks/xxxxxx, since the redirection works.
No error messages were displayed in GitLab, but the webhook just didn’t work.

To make it clear, I have the following settings in my environment:

Gitlab: http://192.168.x.x (local network)
Mattermost : https://food.3lc.my:8065 (Google Cloud Platform, with Letsencrypt SSL installed)
Mattermost Nginx Settings: https://pastebin.com/uHs6jhQC

When I start my mattermost service, there is some error message displayed:

Redirecting to /bin/systemctl status mattermost.service
● mattermost.service - Mattermost
   Loaded: loaded (/etc/systemd/system/mattermost.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2017-09-14 07:53:29 UTC; 1s ago
 Main PID: 4394 (platform)
   CGroup: /system.slice/mattermost.service
           └─4394 /opt/mattermost/bin/platform

Sep 14 07:53:30 haha platform[4394]: [2017/09/14 07:53:30 UTC] [INFO] Loaded config file from /opt/mattermost/config/config.json
Sep 14 07:53:30 haha platform[4394]: [2017/09/14 07:53:30 UTC] [INFO] Server is initializing…
Sep 14 07:53:30 haha platform[4394]: [2017/09/14 07:53:30 UTC] [INFO] Pinging SQL master database
Sep 14 07:53:31 haha platform[4394]: [2017/09/14 07:53:30 UTC] [INFO] Initializing job API routes
Sep 14 07:53:31 haha platform[4394]: [2017/09/14 07:53:30 UTC] [INFO] API version 3 is scheduled for deprecation. Please see https://api.mattermost.com for details.
Sep 14 07:53:31 haha platform[4394]: [2017/09/14 07:53:30 UTC] [INFO] Starting 2 websocket hubs
Sep 14 07:53:31 haha platform[4394]: [2017/09/14 07:53:31 UTC] [INFO] Starting Server…
Sep 14 07:53:31 haha platform[4394]: [2017/09/14 07:53:31 UTC] [INFO] Server is listening on :8065
Sep 14 07:53:31 haha platform[4394]: [2017/09/14 07:53:31 UTC] [EROR] Unable to setup forwarding
Sep 14 07:53:31 haha platform[4394]: [2017/09/14 07:53:31 UTC] [INFO] Starting jobs

My current settings work fine at the Mattermost conversation level with no issue; it just didn’t work for the webhook URL from GitLab to Mattermost.

Hope someone is able to point out what’s wrong with the configuration here.

Millions of thanks.


#4

If you’re using NGINX, you’ll want to have Mattermost serving plain http with NGINX in front of it to receive and handle the https and non-https connections. Mattermost should only be accessible via NGINX, and NGINX can deal with which connections should be allowed. Your configuration should look something like

// Mattermost config.json
"ServiceSettings": {
    "ListenAddress": ":8065",
    "UseLetsEncrypt": false,
    "Forward80To443": false
}

# nginx config
upstream backend {
    server <internal_mattermost_address>:8065;
}

server {
    listen 80;
    server_name <external_address>;
    # don't include the 301 redirect here like you had previously
    
    location ~ /hooks/[a-z0-9]+$ {
        ...
        proxy_pass http://backend; # allow webhook traffic to Mattermost over plain http (name must match the upstream block)
    }

    location / {
        ...
        return 301 https://$server_name$request_uri; # redirect all other http traffic to https
    }
}

server {
    listen 443 ssl; # TLS is enabled on the listen directive; the separate "ssl on;" form is deprecated
    server_name <external_address>;
    # don't include the 301 redirect here like you had previously

    ...

    location ~ /api/v[0-9]+/(users/)?websocket$ {
        ...
    }

    location / {
        ...
        proxy_pass http://backend; # pass https traffic to Mattermost (name must match the upstream block)
    }
}

Note that I don’t have a ton of experience with setting up proxies so I may have missed something, but this general structure should probably work.
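
The port-80 routing from the config above, modelled as an added example (not code from the thread or from Mattermost): it shows which request paths the posted `/hooks/` regex forwards to Mattermost over plain http and which get the 301 to https, and compares that with a start-anchored variant `^/hooks/[a-z0-9]+$`. The host name, sample paths and function names are assumptions made up for illustration, and nginx's URI normalisation is not modelled.

```python
import re
from urllib.parse import urlsplit

# Regex from the posted port-80 block, and a start-anchored variant (added here).
POSTED = re.compile(r"/hooks/[a-z0-9]+$")
ANCHORED = re.compile(r"^/hooks/[a-z0-9]+$")

# Constructed sample request targets; none are taken from the thread.
SAMPLES = [
    "/hooks/examplehookid0000000000",
    "/hooks/examplehookid0000000000?from=ci",
    "/login",
    "/hooks/",
    "/api/v4/hooks/incoming",
    "/static/hooks/abc",
]


def route_port80(target, hook_re, server_name="chat.example.test"):
    """Model the port-80 server block: the regex location, else `location /`.

    nginx matches locations against the path without the query string, and a
    `~` regex is a search anywhere in the path unless it starts with ^.
    """
    path = urlsplit(target).path
    if hook_re.search(path):
        return ("proxy_http", path)  # reaches Mattermost in cleartext
    # return 301 https://$server_name$request_uri (query string preserved)
    return ("redirect_301", "https://" + server_name + target)


def only_posted_proxies(targets):
    """Targets the posted regex proxies over http but the anchored one redirects."""
    return [t for t in targets
            if route_port80(t, POSTED)[0] == "proxy_http"
            and route_port80(t, ANCHORED)[0] == "redirect_301"]


if __name__ == "__main__":
    for t in SAMPLES:
        print(f"{t:45} posted={route_port80(t, POSTED)[0]:13}"
              f" anchored={route_port80(t, ANCHORED)[0]}")
    print("differs:", only_posted_proxies(SAMPLES))
```

Any path listed under `differs` would travel to Mattermost unencrypted under the posted pattern, together with whatever cookies or tokens the client attached to the request.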