tusd on https

[kevin-netsrik]

sorry for so much questions and poor English.

I am running the binary on my server and I have a problem on implementing tusd on https. If I set the endpoint as https://localhost:1080/files/, an error occurred

Mixed Content: The page at 'https://localhost/path' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'https://localhost:1080/files/'. This request has been blocked; the content must be served over HTTPS.

but if I change the endpoint to https, another error occurred.

OPTIONS https://localhost:1080/files/ net::ERR_SSL_PROTOCOL_ERROR

as I cannot modify the server config, I have to use https as the web protocol

I have no idea how to allow a https website to use tusd.
Thanks for your great help!

[Acconut]

Intentionally, tusd serves its content only over HTTP and not HTTPS in order to reduce the project's complexity. This explains the ERR_SSL_PROTOCOL_ERROR error which you are seeing: The browser tries to talk to tusd using HTTPS but the server does not understand this protocol.
What you basically have to do is to setup a reverse proxy, such as Nginx or Apache, which will accept HTTPS connections and forward them as HTTP to tusd, basically acting as a translator between the two parties. You can find plenty of tutorials and explanations about this topic online, such as https://www.cyberciti.biz/faq/howto-linux-unix-setup-nginx-ssl-proxy/.

[kvz]

More on this in
#64 (comment)
tus/tus-node-server#22 (comment)
tus/tus-node-server#13 (comment)

[kvz]

Perhaps it's time to add a FAQ with How can I run tus over HTTPS and outlining our thinking on this

[kevin-netsrik]

Dear All,
thanks for all your great help, I am so appreciate on this. I have set the reverse proxy in apache and works great! thanks all!

[tameribrahim]

@kevin-openc Can you post the configuration of the reverse proxy here?

[kevin-netsrik]

sure, i am using apache instead of nginx, add lines in apache conf

<VirtualHost *:443>
        ServerAdmin XXXXXXXXXX
        ServerName XXXXXXXXXX
        ServerAlias XXXXXXXXXX
        DocumentRoot XXXXXXXXXX

        CustomLog logs/access_log combined
        ErrorLog logs/error_log

        SSLEngine on
        SSLCertificateFile XXXXXXXXXX
        SSLCertificateKeyFile XXXXXXXXXX
        SSLCACertificateFile XXXXXXXXXX

        ProxyPass /files https://localhost:1080/files
        ProxyPassReverse /files https://localhost:1080/files
</VirtualHost>

the most important lines are below, to redirect https to http internally, so you can call https://localhost/files as endpoint

        ProxyPass /files https://localhost:1080/files
        ProxyPassReverse /files https://localhost:1080/files

[tameribrahim]

Thank you!
And here is the Nginx equivalent and it worked with me yesterday

server {
        listen   80;
        listen  443 ssl;

        root /var/www/project/public_html;
        index index.html index.php index.htm;
        server_name  project.com;
        location /files {
                proxy_pass  https://localhost:8002;  # https://127.0.0.1:8002 is fine too
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
        }
        ...
}

[Acconut]

Thank you, @tameribrahim and @kevin-openc, for posting your configurations here. They will be very helpful for future users. I added a few sentences about this topic to the README (https://github.com/tus/tusd/blob/master/README.md#how-can-i-access-tusd-using-https), as @kvz suggested, so I hope it will be easier to get an answer to this question from now on.

[johnypowaa]

Hi all,

To all, and especially to kevin-openc:

As recommended by the docs, i am using tusd with the option -behind-proxy
It seems it is only properly working since I added RequestHeader set X-Forwarded-Proto "https" to the configuration posted by kevin-openc (see above).

[Acconut]

@johnypowaa Thank you for this information. I added an example configuration for Apache to the repository (https://github.com/tus/tusd/blob/master/.infra/files/apache2.conf) and added a link to it from the FAQ.

[johnypowaa]

Thank you, that's great.

However, I don't know if this is valid for recent versions of Apache; My version of Apache is really old (2.2.9)

[Acconut]

I actually tested the configuration for myself today and it works, yet I added some comments to the file :)

[krampampuli]

Dear All,

Previously tusd was working well with https after disabling the mixed active content block, but now I cannot make it functional again.

The demo page (https://192.168.111.101:8000/) works well with its endpoint (https://192.168.111.101:8000/files), but if I move the page into a https virtual host (https://192.168.111.101/tus/) with the same endpoint, xhr.send(null); drops the error failed to upload chunk at offset 0, caused by [object ProgressEvent], originated from request (response code: 0, response text: ) and the console gives no further info. Interestingly, the empty file is still created on the server.

I've also tried to use proxypass as described above, but the endpoint (https://192.168.111.101/files) gives the same error for both the demo and https pages. The endpoint itself should work, because using it in a browser gives Not found as expected:

[7:33:03 PM] tus server listening at https://192.168.111.101:8000 using FileStore
[TusServer] handle: GET /files

Do I miss something?

192.168.111.101 is a linux virtual machine.

[Acconut]

@krampampuli Are you sure you are using tusd? The output snippet you provided is generated by tusd, it has a bit different log format. To me it looks like you might be using tus-node-server instead.

[krampampuli]

Right, sorry, I'm actually playing around with both.

After some googling I've included the line

ProxyPreserveHost On

in my Apache config, and with this the https page works with the https endpoint. I guess it is needed because I have to use the IP address instead of localhost for the proxypass.

Maybe you could include this line with a note in the example configuration.

[Acconut]

@krampampuli Thanks for the tip, I added it to the apache2 example 👍

[djsg]

Is there any working sample for .htaccess configuration?
I want to run tus-node-server in a web site, which is put in a web hosting site. In my server environment I can only edit .htacess.

[pdiveris]

Do you intend to map an alias to it, i.e. somesite/tus or will you run it under top level i.e. /=>tus?

[djsg]

alias, I guess.
When Apache sees HTTPS request for www.example.com/files, it will pass traffic to port 9001, which is served by tus server.
In my lab test server, my apache2.conf is like
ProxyPass /files https://localhost:9001/files
ProxyPassReverse /files https://localhost:9001/files
It is working well.

[Acconut]

@djsg Setting up SSL only using .htaccess is apparently not possible: https://stackoverflow.com/a/38054124. I am not sure what your current configuration looks like, maybe you want to provide more details about that.

[djsg]

I have a web app, which has a file upload page/function. I embed tus node client inside that page, and in the server I run tus node server.

In my lab setting, I use Apache2 to redirect HTTPS traffic to my web server (80); and for a particular URL, it redirects to tus node sever (9001). The apache2.conf is almost same as (https://github.com/tus/tusd/blob/master/docs/apache2.conf), and it is working well.

However, as I move my app to a web hosting site, I don't have the control of Apache2 setting. The only setting I can do is in .htaccess.
Maybe there are other ways, since I have seen cases whereby tusd is used in a cloud environment, which is similar to my objective.

So far for my web app in the hosting site, redirection from HTTP to HTTP is working. It is configured in .htaccess like
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com [R,L]

What I need is redirection to local port 9001 if URL is like https://www.example.com/tus_upload

[Acconut]

Thanks for describing your problem in detail but I don't think I can help you there. Personally, I haven't used Apache2 enough to be able to answer your questions. Unless someone else can, I would recommend you to reach out to the Apache httpd community (https://httpd.apache.org/support.html) as your problem has less to do with tusd but is a general question about httpd proxy configuration.

[djsg]

@Acconut Thx for your advice.

[Deck8]

Hi, I am trying to use this as described with reverse proxy. I have setup the reverse proxy which seems to be working as expected.

I have 2 virtual host config files (one for http and other for https) in the https one...

ProxyPass /files https://localhost:1080/files
ProxyPassReverse /files https://localhost:1080/files

I have changed the endpoint to match the reverse proxy which starts but then gives upload failed (mixed content errors showing in console) as it seems to reply with a non https file...

[tusd] 2019/09/02 11:54:24 event="UploadCreated" id="e2a56e75046c9cd517b215068344aadd" size="792063" url="https://tusd.[domain].net/files/e2a56e75046c9cd517b215068344aadd"

There is a catch all redirect on http vhost to https however this seems to ignore it. (or errors out without even trying).

RewriteEngine on
RewriteCond %{SERVER_NAME} =tusd.[domain].net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

If i manually try accessing https://tusd.[domain].net/files it correctly redirects to https and shows the "Method not supported" error from tusd which shows the reverse proxy is working fine.

Using uppy javascript to upload, do not believe the problem is with this as default demo uses master.tus.io over https and this works fine. If I make no other changes but endpoint master.tus.io works fine and mine gives mixed content error.

[Acconut]

@Deck8 Please open a new issue for this question.