mirror of https://github.com/overleaf/toolkit.git synced 2025-04-19 07:18:06 +02:00
overleaf-toolkit/doc/tls-proxy.md

## TLS Proxy for Overleaf Toolkit environment
An optional TLS proxy for terminating HTTPS connections, based on NGINX.

Run `bin/init --tls` to initialise local configuration with NGINX proxy configuration, or to add NGINX proxy configuration to an existing local configuration. A sample private key is created in `config/nginx/certs/overleaf_key.pem` and a dummy certificate in `config/nginx/certs/overleaf_certificate.pem`. Either replace these with your actual private key and certificate, or set the `TLS_PRIVATE_KEY_PATH` and `TLS_CERTIFICATE_PATH` variables to the paths of your actual private key and certificate respectively.

A default config for NGINX is provided in `config/nginx/nginx.conf`, which may be customised to your requirements. The path to the config file can be changed with the `NGINX_CONFIG_PATH` variable.

In order for Overleaf to run correctly behind the proxy, the following variables should be uncommented in `config/variables.env`:

Since Overleaf CE/Server Pro `5.x`:
```
OVERLEAF_BEHIND_PROXY=true
OVERLEAF_SECURE_COOKIE=true
```
For Overleaf CE/Server Pro `4.x` and older versions:
```
SHARELATEX_BEHIND_PROXY=true
SHARELATEX_SECURE_COOKIE=true
```
Add the following section to your `config/overleaf.rc` file if it is not there already:
```
# TLS proxy configuration (optional)
# See documentation in doc/tls-proxy.md
NGINX_ENABLED=false
NGINX_CONFIG_PATH=config/nginx/nginx.conf
NGINX_HTTP_PORT=80
# Replace these IP addresses with the external IP address of your host
NGINX_HTTP_LISTEN_IP=127.0.1.1
NGINX_TLS_LISTEN_IP=127.0.1.1
TLS_PRIVATE_KEY_PATH=config/nginx/certs/overleaf_key.pem
TLS_CERTIFICATE_PATH=config/nginx/certs/overleaf_certificate.pem
TLS_PORT=443
```
In order to run the proxy, change the value of the `NGINX_ENABLED` variable in `config/overleaf.rc` from `false` to `true` and re-run `bin/up`.

By default the HTTPS web interface will be available on `https://127.0.1.1:443`. Connections to `http://127.0.1.1:80` will be redirected to `https://127.0.1.1:443`. To change the IP address that NGINX listens on, set the `NGINX_HTTP_LISTEN_IP` and `NGINX_TLS_LISTEN_IP` variables. The ports can be changed via the `NGINX_HTTP_PORT` and `TLS_PORT` variables.

If NGINX fails to start with the error message `Error starting userland proxy: listen tcp4 ... bind: address already in use`, ensure that `OVERLEAF_LISTEN_IP:OVERLEAF_PORT` does not overlap with `NGINX_HTTP_LISTEN_IP:NGINX_HTTP_PORT`.
```mermaid
sequenceDiagram
participant user as User
participant external as Host External
participant internal as Host Internal
participant nginx as nginx
participant sharelatex as sharelatex
%% User connects to external host HTTP
user->>+ external: HTTP
note over external: NGINX_HTTP_LISTEN_IP:NGINX_HTTP_PORT
external->>+ nginx: HTTP
note over nginx: nginx:80
nginx-->>-external: 301
%% User connects to external host HTTPS
user->>+ external: HTTPS
note over external: NGINX_TLS_LISTEN_IP:TLS_PORT
external->>+ nginx: HTTPS
note over nginx: nginx:443
nginx->>+ sharelatex: HTTP
note over sharelatex: sharelatex:80
%% User connects to localhost HTTP
user->>+ internal: HTTP
note over internal: OVERLEAF_LISTEN_IP:OVERLEAF_PORT
internal->>+sharelatex: HTTP
note over sharelatex: sharelatex:80
```
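
The listener overlap and the commented-out proxy variables described above can be caught before running `bin/up`. The script below is an added example, not part of the Overleaf Toolkit: the function names are hypothetical, it uses the `5.x` variable names, and it goes slightly beyond the text by also checking the TLS listener and by assuming that `0.0.0.0` collides with any address on the same port.

```shell
#!/bin/sh
# Added example (not Overleaf Toolkit code): static pre-flight check for the TLS proxy.

# rc_get FILE KEY: value of the last *uncommented* KEY=... line, quotes stripped.
rc_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"' \t\r"
}

# same_socket IP1 PORT1 IP2 PORT2: true if the two binds collide.
# Assumption: 0.0.0.0 (all interfaces) collides with any IP on the same port.
same_socket() {
  [ -n "$2" ] && [ "$2" = "$4" ] || return 1
  [ "$1" = "$3" ] || [ "$1" = "0.0.0.0" ] || [ "$3" = "0.0.0.0" ]
}

# check_tls_proxy RCFILE ENVFILE: one finding per line; non-zero status if any.
check_tls_proxy() {
  rcfile=$1 envfile=$2 findings=0
  [ "$(rc_get "$rcfile" NGINX_ENABLED)" = "true" ] || return 0
  app_ip=$(rc_get "$rcfile" OVERLEAF_LISTEN_IP)
  app_port=$(rc_get "$rcfile" OVERLEAF_PORT)
  for pair in "NGINX_HTTP_LISTEN_IP NGINX_HTTP_PORT" "NGINX_TLS_LISTEN_IP TLS_PORT"; do
    set -- $pair
    ip=$(rc_get "$rcfile" "$1"); port=$(rc_get "$rcfile" "$2")
    if same_socket "$app_ip" "$app_port" "$ip" "$port"; then
      echo "overlap: OVERLEAF_LISTEN_IP:OVERLEAF_PORT ($app_ip:$app_port) vs $1:$2 ($ip:$port)"
      findings=$((findings + 1))
    fi
  done
  for key in OVERLEAF_BEHIND_PROXY OVERLEAF_SECURE_COOKIE; do
    if [ "$(rc_get "$envfile" "$key")" != "true" ]; then
      echo "missing: $key=true is not active in $envfile"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample: proxy enabled, app and proxy both on port 80, cookie flag commented out.
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'NGINX_ENABLED=true' 'OVERLEAF_LISTEN_IP=0.0.0.0' 'OVERLEAF_PORT=80' \
    'NGINX_HTTP_LISTEN_IP=127.0.1.1' 'NGINX_HTTP_PORT=80' \
    'NGINX_TLS_LISTEN_IP=127.0.1.1' 'TLS_PORT=443' > "$d/overleaf.rc"
  printf '%s\n' 'OVERLEAF_BEHIND_PROXY=true' '# OVERLEAF_SECURE_COOKIE=true' > "$d/variables.env"
  check_tls_proxy "$d/overleaf.rc" "$d/variables.env" || true
  rm -rf "$d"
}
demo
```

Against a real checkout, call `check_tls_proxy config/overleaf.rc config/variables.env`; the files are only read with `sed`, never sourced.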