Can't update PluginSettings.ConnectionSecurity

I want to set PluginSettings.ConnectionSecurity to TLS. The CLI tells me “Value changed successfully” or “Config updated successfully” depending on how I do this, but the changes do not actually get written.

Steps to reproduce
We have v7.9.1 installed.

mattermost@ip-*-*-*-*:~$ mmctl config set --local ServiceSettings.ConnectionSecurity TLS
Value changed successfully
mattermost@ip-*-*-*-*:~$ mmctl config get --local ServiceSettings.ConnectionSecurity

I also tried

mattermost@ip-*-*-*-*:~$ mmctl config edit --local
Config updated successfully
mattermost@ip-*-*-*-*:~$ mmctl config get --local ServiceSettings.ConnectionSecurity

As a side note, in /etc/mattermost/mmomni.yml we have https: true, but this doesn’t seem to change ConnectionSecurity to TLS, which leads me to believe these are two different settings.

Expected behavior
If the config is updated successfully, the value should actually change.

Observed behavior
It says it is updated, but changes are not stored.

Hi @ffdhork,

there is no PluginSettings.ConnectionSecurity AFAIK and you tried to change ServiceSettings.ConnectionSecurity, so I assume we’re not talking about PluginSettings, right?

The omnibus setup defaults to running on port 8065 locally and brings an nginx reverse proxy in front of it which does all the SSL handling (which is the preferred solution for having SSL on Mattermost), so you do not need to change the integrated webserver’s connection security to TLS.

Also, whatever you do to the connection security, it gets overwritten by the environment variable MM_SERVICESETTINGS_CONNECTIONSECURITY in /etc/mattermost/mmomni.mattermost.env.

Changing these settings in there will break some things with regard to the preconfigured omnibus setup - is there a specific reason you want to have the Mattermost application server running with TLS enabled?

Yeah, sorry. When I made the topic, somehow I had the wrong thing on my clipboard, and didn’t notice there were both PluginSettings and ServiceSettings once I fixed the part to the right of the dot.

is there a specific reason you want to have the Mattermost application server running with TLS enabled?

The way the docs are written, it says that if ServiceSettings.ConnectionSecurity is not set, “mattermost will connect over an insecure connection.”

If this is NOT the case with the nginx proxy, then the docs really need updating. This is going to look like a red flag to anyone in the system console:

Well, technically, it’s still correct. The connection between nginx and Mattermost is insecure as in “not encrypted”, but that’s OK, because the two are running on the same server.

Stealing this picture from the internet, that’s what the architecture looks like:

The grey box to the right says “Datacenter”, but in your case, it’s your Mattermost server which has all these three components running, that is nginx (the green hexagon in the scheme), your Mattermost application (the app servers in the scheme) and the PostgreSQL database (the DB in the scheme).
The only accessible part for your clients is the nginx reverse proxy, and the connections from it to the users (on the left) are encrypted. Everything to the right of nginx is unencrypted, and since the connections do not leave the same system, it’s also not necessary to re-encrypt them before forwarding to the Mattermost application server, for example.
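
Added example, not part of any post in this thread and not Mattermost's own tooling: a shell check for the two points the replies rely on, namely that an `MM_...` environment variable pins the setting so `mmctl config set` cannot stick, and that the unencrypted app-server port (8065 in the thread) is reachable only over loopback. The function names, the `KEY=value` layout assumed for the env file, and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. All sample data is constructed, not taken from a real server.

# ServiceSettings.ConnectionSecurity -> MM_SERVICESETTINGS_CONNECTIONSECURITY
env_name_for() {
    printf 'MM_%s\n' "$1" | tr '.' '_' | tr '[:lower:]' '[:upper:]'
}

# Print NAME=value and return 0 if env file $2 pins config key $1, else return 1.
# An empty value still counts: it overrides whatever mmctl wrote.
override_for() {
    name=$(env_name_for "$1")
    grep -E "^(export[[:space:]]+)?${name}=" "$2" | tail -n 1 |
        sed -E 's/^export[[:space:]]+//' | grep .
}

# Read `ss -ltn` output on stdin and print listeners on port $1 that are not
# bound to loopback. No output means only local processes can reach the port.
non_loopback_listeners() {
    awk -v p=":$1" '
        $1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p {
            addr = substr($4, 1, length($4) - length(p))
            if (addr !~ /^127\./ && addr != "[::1]") print $4
        }'
}

# Constructed env file; the KEY=value layout is an assumption.
SAMPLE_ENV=$(mktemp)
trap 'rm -f "$SAMPLE_ENV"' EXIT
cat > "$SAMPLE_ENV" <<'EOF'
MM_SERVICESETTINGS_SITEURL=https://chat.example.com
MM_SERVICESETTINGS_CONNECTIONSECURITY=
EOF

# Constructed `ss -ltn` output: app server on loopback vs. on all interfaces.
SAMPLE_SS_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:8065     0.0.0.0:*'
SAMPLE_SS_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   *:8065             *:*'

override_for ServiceSettings.ConnectionSecurity "$SAMPLE_ENV" || echo "not pinned"
printf '%s\n' "$SAMPLE_SS_OK"  | non_loopback_listeners 8065   # prints nothing
printf '%s\n' "$SAMPLE_SS_BAD" | non_loopback_listeners 8065
```

On the server itself, the same functions can be pointed at /etc/mattermost/mmomni.mattermost.env and fed the output of `ss -ltn`. Any line printed by `non_loopback_listeners 8065` means the plaintext port is bound beyond loopback, so the "same server" argument holds only if a host firewall also blocks it.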