worklenz icon indicating copy to clipboard operation
worklenz copied to clipboard
verified publisher icon Worklenz

Reverse Proxy support

Open gkazanci opened this issue 10 months ago • 6 comments

Hello, is there no reverse proxy support? I couldn't find any documentation for this. can you help?

gkazanci avatar Feb 05 '25 09:02 gkazanci

@chamikaJ

kalinga777 avatar Feb 20 '25 06:02 kalinga777

@gkazanci Currently, we do not have built-in reverse proxy support.

However, you can configure a reverse proxy using Nginx. One issue to be aware of when using Nginx is that Worklenz uses cron jobs to handle email notifications. If you have multiple Worklenz instances running (e.g., 3 instances), the cron jobs will be executed multiple times, resulting in users receiving multiple email notifications (3 instances mean 3 cron jobs).

We are aware of this and are planning to address it in future updates to improve the handling of cron jobs across multiple instances.

chamikaJ avatar Feb 20 '25 06:02 chamikaJ

When attempting to run Worklenz behind Traefik in Docker reverse proxy, I ran into an issue where the page would constantly refresh itself on the login screen. I think this is caused by the Worklenz server redirecting to HTTP and Traefik redirecting to HTTPS constantly. Currently the only way to run this locally in Docker is accessing it via a local IP address.

adamzachyang avatar Feb 21 '25 23:02 adamzachyang

@danushkak

kalinga777 avatar Feb 22 '25 01:02 kalinga777

Hi,

I also tried to use worklenz behind Traefik but failed to do so. I configured Traefik labels for the frontend service in docker-compose.yml to have Traefik generate a Let's Encrypt certificate for a specific FQDN to use with worklenz. Then, used the update-docker-env.sh script to set the FQDN but it is not clear to me how to do that. There are some open points/questions:

  1. When Traefik fronts worklenz, the client (browser) connects to the FQDN by https://fqdn on port 443. Traefik then routes this to port 5000 unsing HTTP (not HTTPS). The port 5000 is then only accessible in insde the docker network, it is not published on the host anymore. The update-docker-env.sh script adds :5000 to every URL entry it generates in ENV files, so I had to remove those ports but was unsure on what entries in thise ENV files I head to remove this.

  2. When using update-docker-env.sh script, one specifies also whether or not SSL is to be used. This results in the script generating URLs in the ENV files that either start by http (no SSL) or https (SSL). When using Traefik, I do have HTTPS from the client (browser) to Traefik which is the SSL entpoint. From there to tbe backend and between services of the backend, I do have HTTP. I didn't fully understand which of the generated URLs in the ENV files should in the end be HTTPS or HTTP URLs. I would say, URLs that are used to generate links that will be clickable in the web frontend of the client would have to start with HTTPS but I don't know about other URLs like the following in .env.production (frontend service):

    # API Connection
VITE_API_URL=http://fqdn:3000
VITE_SOCKET_URL=ws://fqdn:3000

    These lines contain port 3000 and I assume that they 1) require still this port number and 2) should remain with HTTP even if other URLs like SOCKET_IO_CORS=https://fqdn or FRONTEND_URL=https://fqdn in .env (backend) should have port (5000) removed and use HTTPS since they would be then go via Traefik

I tried various configurations and I could successfully connect to the frontend web portal via traefik and HTTPS, but when I try to sign up, I get the same error as discussed here: https://github.com/Worklenz/worklenz/issues/81

Up to now, I could not make it work.

+++ Update on this +++

When I use the server IP in all URLs and remove Traefik, then I can successfuly sign up. Means, problem https://github.com/Worklenz/worklenz/issues/81 does not occur. Whenever I try to set the FRONTEND_URL to a FQDN (leaving all other URLs untouched), I get the sign up error.

Changing the FRONTEND_URL after succussfull sign up and adding Traefik then, does also not work. The login page loads but login fails.

It seems, that currently, the FRONTEND_URL needs to be the same as other URLs and match the server's IP. It would be good to allow multiple FRONTEND_URLs or something like "TRUSTED PROXIES".

phxyz12 avatar May 03 '25 05:05 phxyz12

i had the same problem as phxyz12. I found a "solution" for me which now works.

First think to mention is that I am using nginx proxy manager so I can't give an exact explanation for traefik.

In the first step I created a second dns entry for the backend service. I then added a route in nginx so that the client can reach the backend.

Then I changed the URLs in worklenz-frontend/.env to the new created backend url with port 443. The last step was to add the frontend url to cors. So I edited the worklenz-backend/src/app.ts. It starts at line 53. I added the frontend url to the allowed_origin const. After that I was able to sign in and login. Everything seems to work now.

Maybe it would be possible to add an .env settings and add the entries to this variable?

julienrudolph avatar Jun 27 '25 05:06 julienrudolph