How to configure vikunja to use https ssl for local install?

I am running ubuntu server 24.04 and have installed vikunja-0.23.0-amd64.deb via the Debian packages.
Now I want Vikunja to use my self-signed cert and use https for Vikunja’s web GUI at https://myvikunjasite.com

What do I need to edit in config.yml and nginx for ssl?

I’m using nginx with ssl no problem, I believe you just need CORS enabled as follows in the config:

VIKUNJA_CORS_ENABLE: true
VIKUNJA_CORS_ORIGINS: "*"

I have nginx running with force ssl, HTTP2 support, and web socket support fyi.

Not sure what your setup looks like, but if you have issues feel free to share your config, the community is pretty good with troubleshooting here

I have a new vm install with ubuntu server 24.04 with vikunja-0.23.0-amd64.deb installed.
I have a self-signed cert and a domain name (mysite.com).
I have enabled CORS; however, I cannot seem to find the configuration for nginx ssl in Docs | Vikunja.

I guess it would be something like

server {
    listen 3456 ssl;
    server_name your_domain_or_ip;

    ssl_certificate /etc/ssl/vikunja/vikunja.crt;
    ssl_certificate_key /etc/ssl/vikunja/vikunja.key;
}

ChatGPT suggests trying

server {
    listen 80;
    server_name your_domain_or_ip;

    location / {
        proxy_pass http://localhost:3456; # Assuming Vikunja is running on port 3456
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl;
    ssl_certificate /etc/ssl/vikunja/vikunja.crt;
    ssl_certificate_key /etc/ssl/vikunja/vikunja.key;

    location / {
        proxy_pass http://localhost:3456;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Any suggestions would be great.

I am still unsure how to configure Vikunja to use https ssl for a basic vikunja-amd64.deb install.
What steps do I need to follow?

You need to use a reverse proxy which handles the tls termination. Check out the docs for some example configurations.

Then, as a second step, you need to configure that reverse proxy with tls. You either need actual tls certificates or self-signed ones, or go with Let’s Encrypt. If you’ve never done this before, I strongly suggest using Let’s Encrypt.
Let’s Encrypt needs an additional piece of software to handle the retrieval of tls certificates. Here’s a good overview on how to configure the whole thing with nginx.

OK, I have got it to work for my self-signed cert, will also try setting up a Let’s Encrypt cert.

Here is how you do it.

Edit /etc/nginx/sites-available/yoursite.conf

Add the following

server {
    listen 3457 ssl http2; # Listen on port 3457 for SSL and HTTP/2 connections
    listen [::]:3457 ssl http2; # Listen on port 3457 for IPv6 SSL and HTTP/2 connections
    server_name yoursiteaddress; # Define the server name (e.g., example.com)

    ssl_certificate /link/to/your/exampleSiteCrt.crt; # Path to the SSL certificate
    ssl_certificate_key /link/to/your/exampleSiteCrt.key; # Path to the SSL certificate key

    ssl_protocols TLSv1.2 TLSv1.3; # Enable TLS protocols v1.2 and v1.3
    ssl_prefer_server_ciphers on; # Prefer the server's cipher preference order
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; # Specify strong SSL ciphers
    # Enable HTTP Strict Transport Security (HSTS) with a max age of 1 year and include subdomains
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Add security headers
    add_header X-Content-Type-Options nosniff; # Prevent MIME type sniffing
    add_header X-Frame-Options DENY; # Prevent the page from being framed
    add_header X-XSS-Protection "1; mode=block"; # Enable XSS protection in browsers
    # not working
    #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; style-src 'self'; img-src 'self'; frame-ancestors 'none'"; # Define a Content Security Policy

    # Define log files for access and error logs
    # access_log /var/log/nginx/yoursite_access.log; # Access log path
    # error_log /var/log/nginx/yoursite_error.log; # Error log path

    location / { # Handle all requests to the root URL and proxy pass them to the Vikunja service running locally on port 3456
        proxy_pass http://127.0.0.1:3456; # Proxy pass to the Vikunja service running locally on port 3456
        client_max_body_size 20M; # Set maximum allowed size of client request body
        proxy_set_header Host $host; # Pass the host header
        proxy_set_header X-Real-IP $remote_addr; # Pass the real client IP address
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Pass the X-Forwarded-For header
        proxy_set_header X-Forwarded-Proto $scheme; # Pass the original scheme (http or https)
    } # end location /

    location ~* ^/(api|dav|\.well-known)/ { # Handle requests to specific paths (api, dav, .well-known) and proxy pass them to the Vikunja service running locally on port 3456
        proxy_pass http://127.0.0.1:3456; # Proxy pass to the Vikunja service running locally on port 3456
        client_max_body_size 20M; # Set maximum allowed size of client request body
        proxy_set_header Host $host; # Pass the host header
        proxy_set_header X-Real-IP $remote_addr; # Pass the real client IP address
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Pass the X-Forwarded-For header
        proxy_set_header X-Forwarded-Proto $scheme; # Pass the original scheme (http or https)
    } # end location ~* ^/(api|dav|\.well-known)/ 

    location /files/ {
        alias /opt/vikunja/files/; # Set the file path for static files
        autoindex off; # Disable autoindexing of directories
        try_files $uri $uri/ =404; # Return 404 if the file is not found
    } # end location /files/ 
} # end server 3457

In your firewall create a NAT rule for 3457 traffic to go to your server address if you want to access it from the outside.

If you want to access yoursiteaddress both internally and externally you may need to create a Host Override in your firewall so that yoursiteaddress is your server ip address.

Notes: When I enabled add_header Content-Security-Policy it seems to break Vikunja; while not necessary, it could be a nice-to-have.

If you see any improvement or errors let me know.

Looks good! If you want to use it in your browser as https://yoursite (without the 3456), change the listen value to 443 (plus the firewall rule).
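
To confirm that the security headers from the server block posted above actually reach clients, here is an added example (not part of the thread or of the Vikunja project) that audits a response header dump against the values configured there. The helper name `check_headers` and both sample responses are constructed for illustration; the 404 sample reflects that nginx sends `add_header` values without `always` only on a fixed list of success and redirect status codes.

```shell
#!/bin/sh
# Added example: audit response headers against the add_header values in the
# server block posted in this thread. Live use (host and port as in that post;
# -k because the certificate is self-signed):
#   curl -skI https://yoursiteaddress:3457/ | check_headers

# Expected "name|value" pairs, taken from the add_header lines in that config.
EXPECTED='strict-transport-security|max-age=31536000; includeSubDomains
x-content-type-options|nosniff
x-frame-options|DENY
x-xss-protection|1; mode=block'

# check_headers (hypothetical helper): reads raw response headers on stdin,
# prints one line per missing or mismatched header, returns the problem count.
check_headers() {
    # Strip CRs, lower-case each header name, keep the value verbatim.
    hdrs=$(tr -d '\r' | awk -F': *' 'NF > 1 { n = tolower($1); sub(/^[^:]*: */, ""); print n "|" $0 }')
    problems=0
    while IFS='|' read -r name want; do
        got=$(printf '%s\n' "$hdrs" | awk -F'|' -v n="$name" '$1 == n { print substr($0, length(n) + 2); exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $name"; problems=$((problems + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $name: got '$got', want '$want'"; problems=$((problems + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$problems"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_200='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block'

# Error response: only the header configured with "always" (HSTS) is present.
SAMPLE_404='HTTP/1.1 404 Not Found
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains'

echo "200:"; printf '%s\n' "$SAMPLE_200" | check_headers && echo "  all expected headers present"
echo "404:"; printf '%s\n' "$SAMPLE_404" | check_headers || true
```

Adding `always` to the other three `add_header` lines makes nginx send them on error responses as well.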