
ownfoil doesn't work with reverse proxy

Open Seruschl opened this issue 1 year ago • 16 comments

Hi, and first of all thanks for this great Docker container :D

It is working so far on my LAN, but I want to set it up via dyndns with nginx as a reverse proxy, and with this the data won't load at all in Tinfoil.

When I open up the dyndns address, like https://switch.my.dyndns.name, with the login credentials, I see the .nsp and all like it should be, but when I add it to Tinfoil with https and host and all, nothing happened...

Has anyone set up something similar with a reverse proxy?

Seruschl avatar Jul 28 '23 15:07 Seruschl

I have a very similar experience using Nginx Proxy Manager. I can see all the files via browser but the shop is blank in Tinfoil. More troubleshooting is needed.

datapush3r avatar Jul 29 '23 02:07 datapush3r

It's working fine for me. I have NginX in docker and I can see the shop locally and even from remote (also cloudflare), I'll try to upload a pic later for the config

mobihen avatar Aug 08 '23 18:08 mobihen

Had this same issue - I have NPM on a VPS pointing to my server with Traefik. Browser worked, Tinfoil didn't. Removed my authentication from Ownfoil (the reverse proxy only accepts requests from my home IP), and it worked. Obviously not a perfect solution, but a reasonable workaround and hopefully can help diagnose the issue.

EDIT: actually, it still doesn't work - I get failed to open NSP when I try to download a game.

rwbxd avatar Aug 11 '23 16:08 rwbxd

So without the reverse proxy, on http only with port forwarding, it is working. Not the best solution, but it works.

Seruschl avatar Aug 27 '23 08:08 Seruschl

> It's working fine for me. I have NginX in docker and I can see the shop locally and even from remote (also cloudflare), I'll try to upload a pic later for the config

Same here. Haven't tried authentication yet though.

pxdl avatar Sep 05 '23 18:09 pxdl

Any update on this? It's not working when using an nginx https proxy, only http.

BaerHub avatar Sep 27 '23 06:09 BaerHub

Reverse proxying with Caddy didn't work for me either.

I used a Cloudflare Tunnel instead.

kevincali avatar Oct 21 '23 11:10 kevincali

Tried it with docker-compose, I could confirm this should work with curl on the laptop (curl https://myurl:8000 -v).

version: "3"

services:
  ownfoil:
    container_name: ownfoil
    image: a1ex4/ownfoil
    environment:
      # For write permission in /games directory
      - PUID=1000
      - PGID=1000
    volumes:
      - /home/foustep/games:/games
  nginx-proxy:
    container_name: nginx-proxy-for-ownfoil
    image: nginx
    volumes:
      - ./nginx-proxy/nginx.conf:/etc/nginx/conf.d/default.conf
      - ./nginx-proxy/key.pem:/root/ssl/key.pem
      - ./nginx-proxy/cert.pem:/root/ssl/cert.pem
    ports:
      - "8000:443"
    depends_on:
      - ownfoil

Unfortunately, this doesn't work on the switch. The certificate is valid. Does v2 work?

FoUStep avatar Nov 11 '23 16:11 FoUStep

If you use the latest image tag then there is already an nginx instance running in the container, so adding another nginx container on top wouldn't work.

In the v2 version (currently in development) reverse proxies should work, though I have yet to test it.

a1ex4 avatar Nov 15 '23 21:11 a1ex4

I'm very sorry, perhaps I do not fully understand either nginx or docker-compose, but how do I add the ssl configuration without touching ownfoil's port 80 configuration in nginx (as a different site, or .conf)? I tried another container with a reverse proxy and that works for curl but not for the switch itself.

If I try to add another server with 443 ssl, it says the directive server is not allowed and if I use another http, it says it is a duplicate in the original nginx.conf.

I want to add additional (ssl) configuration, without touching the docker(-compose) default configuration of the ownfoil setup. Can someone send me in the right direction with this? I've tried several combinations.

FoUStep avatar Nov 17 '23 15:11 FoUStep
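
The two errors described in the comment above are nginx context errors: `server` is only valid inside `http`, and a configuration may contain only one `http` block. The sketch below is an added example, not part of the thread or of Ownfoil's own configuration; the drop-in file name, the `conf.d` include and the `127.0.0.1:80` upstream are assumptions, and the certificate paths are the ones mounted in the compose file posted earlier in the thread.

```nginx
# --- main nginx.conf (constructed outline; the image's real file may differ) ---
events {}

http {
    # The existing "listen 80" server block stays here, unchanged.

    # Assumption: extra files are included from INSIDE the single http block,
    # as the stock nginx image does. Each included file may then contain
    # server blocks only.
    include /etc/nginx/conf.d/*.conf;
}

# Placing either of these at top level reproduces the reported errors:
#   server { listen 443 ssl; }  -> [emerg] "server" directive is not allowed here
#   http   { server { } }       -> [emerg] "http" directive is duplicate

# --- /etc/nginx/conf.d/ownfoil-ssl.conf (hypothetical drop-in file) ---
# No http { } wrapper: the include above already places this inside http.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name _;

    # Paths as mounted in the compose file posted earlier in the thread.
    ssl_certificate     /root/ssl/cert.pem;
    ssl_certificate_key /root/ssl/key.pem;

    location / {
        # Assumption: the existing port-80 server listens in the same container.
        proxy_pass http://127.0.0.1:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Running `nginx -t` inside the container validates the combined configuration before a reload.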

I can't get reverse proxy working, even on v2.0.

I can access the admin panel fine using http://tinfoil.'mydomain'.com but when I enter the details in Tinfoil it's not working. Working fine with local IP. Working fine with public IP and port opened up.

Not sure if I'm entering something wrong in Tinfoil. Currently I have:

  • Protocol: http
  • Host: tinfoil.'mydomain'.com
  • Port: 80 (also tried leaving this blank)
  • Path: /
  • Username: (blank - shop is set to public for testing purposes)
  • Password: (blank - shop is set to public for testing purposes)
  • Title: My Shop
  • Enabled: Yes

Any other troubleshooting steps I could take?

EDIT: Seems like it's actually working in some form. I can access the games through file manager, but I don't get the welcome message when I start tinfoil, and the search doesn't work.

safety1g avatar Jul 10 '24 10:07 safety1g

If I use "Public Shop," it works for me through Nginx Proxy Manager (HTTPS). However, if I disable "Public Shop" and try to connect with a username and password, the shop doesn't load on Tinfoil startup, but I can browse the file browser (which then shows the success message) and see the content.

Here's what I tested: (Local = HTTP, Proxy = HTTPS)

Public Shop:

  • Local: Yes (full function)
  • Proxy: Yes (full function)

Non-Public Shop (with user/pass in Tinfoil):

  • Local: Yes (full function)
  • Proxy: Semi (only file browser access, no success message on Tinfoil start)
  • Proxy (HTTP): Semi (only file browser access, no success message on Tinfoil start)

Non-Public Shop (without user/pass in Tinfoil):

  • Local: "Shop requires authentication" message on start
  • Proxy: "Shop requires authentication" message on start

Seems a bit of a strange behavior. (The more I play with this, the more it feels like a Tinfoil issue...)

I hope this helps in some way.

Terror-Gene avatar Aug 01 '24 14:08 Terror-Gene

@Terror-Gene thanks for the detailed report, although I can't reproduce any issue with Tinfoil authentication, it works locally on the network with http, and remotely with https without any problem.

I personally use nginx-proxy/nginx-proxy, which works without issue; let me know if you still have problems.

a1ex4 avatar Aug 17 '24 22:08 a1ex4

Hey, so I seem to be getting this funny issue as well when running ownfoil on my nginx reverse proxy.

The EXACT symptoms as @Terror-Gene here https://github.com/a1ex4/ownfoil/issues/26#issuecomment-2263164735

I use swag as my main server's reverse proxy setup. proxy.conf and resolver.conf are part of base swag; the only thing I added is ownfoil.subdomain.conf. This same setup works on all 20 other containers I am running on my server.

ownfoil.subdomain.conf:

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name ownfoil.*;

  include /config/nginx/ssl.conf;

  client_max_body_size 0;

  location / {
      include /config/nginx/proxy.conf;
      include /config/nginx/resolver.conf;
      set $upstream_app ownfoil;
      set $upstream_port 8465;
      set $upstream_proto http;
      proxy_pass $upstream_proto://$upstream_app:$upstream_port;

  }
}

resolver.conf:

# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.

resolver  127.0.0.11 valid=30s;

proxy.conf:

## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect http:// $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;

Golumpa avatar Aug 21 '24 22:08 Golumpa

I see this issue so I wanted to share my nginx reverse proxy config to see if it helps anyone. I use a subdomain (tinfoil.x.x) as my method of access using nginx in a VM.

# SSL-enabled server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name tinfoil.REDACTED.com;
    root /var/www/tinfoil.REDACTED.com;

    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/tinfoil.REDACTED.X/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tinfoil.REDACTED.X/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/tinfoil.REDACTED.X/chain.pem;

    # Logging configuration
    access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
    error_log /var/log/nginx/error.log warn;

    # Index file
    index index.php;

    # Reverse proxy configuration
    location / {
        proxy_pass http://192.168.XXX.XXX:8465;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# HTTP to HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name tinfoil.REDACTED.X;

    location / {
        return 301 https://tinfoil.REDACTED.X$request_uri;
    }
}

notmayo avatar Aug 28 '24 21:08 notmayo

I ran into a similar problem.

When running through caddy the only part of Tinfoil that worked was the file browser. New games/dlc weren't visible and the 'Install All DLC/Latest Update' options from Tinfoil didn't seem to work. No issues actually installing the files however.

Everything worked fine once I removed caddy.

Feels like a tinfoil problem but idk.

dslatt avatar Sep 03 '24 22:09 dslatt