umbrel
Umbrel v0.5 (getumbrel/app-proxy) doesn't forward SSL headers
Hi,
I'm the author of the guide: https://jorijn.com/installing-nginx-reverse-proxy-with-ssl-certificate-umbrel-btcpayserver/
Right now, for people that upgraded to v0.5 the setup is broken. I looked into it and it seems BTCPayServer no longer runs directly on 127.0.0.1:3003 but is being proxied through a Docker image called getumbrel/app-proxy. This app proxy doesn't appear to be forwarding headers like X-Forwarded-Proto etc.
I'd be more than happy to help fix this issue if you can point me in the right direction, however, I was unable to find the code for this app-proxy anywhere on your GitHub account.
Thanks, Jorijn.
Hi @Jorijn,
Your tutorial looks nice! I can see why people are using it :)
The code for the app-proxy lives within this repo. Located at: deps/app-proxy. I'm the creator of the app-proxy, so I am going to prioritise this issue and work on a fix ASAP. If you also see the solution (could just be a one-liner), feel free to drop it here or send us a PR as I have few other tasks first.
Steve
Hi, have the same problem. Would be grateful for a solution. ;)
I'm having the same issue with BTCPay after the last update.
I tried the fix explained by https://twitter.com/_Honza_Dvorak/status/1534274310390571012
But it didn't work.
have not confirmed but I suspect this issue is why my setup is now broken as well
@Jorijn I've root caused the issue to be technically a bug in BTC Pay Server where it does not accept/handle multiple values for x-forwarded headers. Because in this setup we have a proxy talking to the app proxy (2 proxies) which talks to BTC Pay Server, there is a chain of values for the x-forward headers... As an example, in your case, x-forwarded-proto would be https,http.
However, I think it's better that the app proxy doesn't add to the chain for these kinds of applications, so I'll work on a PR.
Hey @nevets963
Thanks for looking into it!
If I understand the spec correctly, the header should hold only one value instead of multiple, for instance in a chain of proxies.
In this specific case, I would choose that if an x-forwarded-proto header is already present in the request (from a trusted source) this value would supersede that of my own (in the context of app-proxy).
Let me know if I can still help out, though my NodeJS was quite some time ago.. 😅
Jorijn.
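The header chain discussed in the two comments above, as an added JavaScript sketch (not the app-proxy source and not part of the original thread): it models a proxy hop that either appends its own scheme or passes a trusted upstream value through, and a backend-side parser that tolerates a chain. All function names are hypothetical; `trustUpstream` stands in for a setting such as `PROXY_TRUST_UPSTREAM`.

```javascript
// Added illustration; not the app-proxy source. All function names are hypothetical.

// Split a header value such as "https,http" into its hops, client side first.
function parseForwardedChain(value) {
  if (!value) return [];
  const raw = Array.isArray(value) ? value.join(",") : String(value);
  return raw.split(",").map((v) => v.trim().toLowerCase()).filter(Boolean);
}

// What a proxy hop sends on as X-Forwarded-Proto.
//   incoming      - value received from the previous hop (may be undefined)
//   ownProto      - scheme this hop itself was reached over ("http" or "https")
//   trustUpstream - models a setting like PROXY_TRUST_UPSTREAM=true
function outgoingForwardedProto(incoming, ownProto, trustUpstream) {
  const chain = parseForwardedChain(incoming);
  if (trustUpstream && chain.length > 0) {
    // Previous hop is a trusted reverse proxy: pass its value through unchanged.
    return chain.join(",");
  }
  if (trustUpstream) return ownProto;
  // Otherwise append our own hop, which produces chains like "https,http".
  return [...chain, ownProto].join(",");
}

// Backend-side check that tolerates a chain: the leftmost entry is the scheme
// the outermost proxy saw. Only meaningful when every hop is trusted, because
// a client can send this header itself.
function originalProto(headerValue, fallback = "http") {
  const first = parseForwardedChain(headerValue)[0];
  return first === "http" || first === "https" ? first : fallback;
}

// A backend that compares the raw header to "https" fails on a chain.
const naiveIsHttps = (v) => v === "https";

// Constructed scenario from the thread: nginx (TLS) -> app proxy (HTTP) -> app.
const fromNginx = "https";
const appended = outgoingForwardedProto(fromNginx, "http", false);
const trusted = outgoingForwardedProto(fromNginx, "http", true);

console.log({ appended, trusted,
  naiveAppended: naiveIsHttps(appended),
  naiveTrusted: naiveIsHttps(trusted),
  parsedAppended: originalProto(appended) });
```

Passing the upstream value through is only sound when the app proxy is reachable solely via the trusted reverse proxy; any client that can reach it directly can set `X-Forwarded-Proto: https` itself.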
still on it guys ?
@mccolister1017 I have a PR ready to address this, it needs to be reviewed and tested.
oh nice thank you
Ping me when I can help test it 👍
Hello, did you find a solution ? I am also very interested about it. Thx a lot.
This bug broke my LightningStamp service (https://lightningstamp.bitcoinproof.org/). Looking forward for a quick fix.
My BTCPay store page is broken due to this bug, any improvement done? Can we test a solution somehow?
Hey folks!
Umbrel v0.5.1 just went live that will help solve this issue! You should now see v0.5.1 available - please go ahead and update your Umbrels :)
**Note** After you've updated to v0.5.1, you will need to add a small configuration.
Please follow:
ssh [email protected] (or the IP of your Umbrel server)
Password is the same as Umbrel Web UI
nano ~/umbrel/app-data/btcpay-server/.env.app_proxy
Type:
PROXY_TRUST_UPSTREAM=true
Then save using: Control + X, then: Y, then: <enter>
Finally, run this command to restart BTCPay Server:
~/umbrel/scripts/app restart btcpay-server
The error "You cannot login over an insecure connection. Please use HTTPS or Tor." should be now resolved.
Cool, man! I think it really works now. Thank you very much for the effort.
Beautiful! Thank you! Thank you! Thank you!
Worked like a charm!
Bravo!
Thank you works well!
Any idea if the file that must be created will persist updates?
@zikziko Yep, that config. file will persist across app updates :)
Is there a way to fix this for the Specter container too?
Thx so much !
All is working well now, good job guy !!!!
Best regards
Peter
Hey @Jorijn just pinging you to let you know this is resolved now so you can update your guide if you like.
Hey @lukechilds
Very much appreciated. I'm a bit pressed for time at the moment but will update the guide at my earliest convenience.
Hey, I get now :
root@ubuntu-8gb-nbg1-1:~/umbrel# nano ~/umbrel/app-data/btcpay-server/.env.app_proxy
root@ubuntu-8gb-nbg1-1:~/umbrel# ~/umbrel/scripts/app restart btcpay-server
Stopping app btcpay-server...
Stopping btcpay-server_web_1 ... done
Stopping btcpay-server_nbxplorer_1 ... done
Stopping btcpay-server_postgres_1 ... done
Stopping btcpay-server_tor_server_1 ... done
Stopping btcpay-server_app_proxy_1 ... done
Going to remove btcpay-server_web_1, btcpay-server_nbxplorer_1, btcpay-server_postgres_1, btcpay-server_tor_server_1, btcpay-server_app_proxy_1
Removing btcpay-server_web_1 ... done
Removing btcpay-server_nbxplorer_1 ... done
Removing btcpay-server_postgres_1 ... done
Removing btcpay-server_tor_server_1 ... done
Removing btcpay-server_app_proxy_1 ... done
Starting app btcpay-server...
Creating btcpay-server_app_proxy_1 ... done
Creating btcpay-server_tor_server_1 ... done
Creating btcpay-server_postgres_1 ... done
Creating btcpay-server_nbxplorer_1 ... done
Creating btcpay-server_web_1 ... done
And how can I install umbrel directly with domain and secure SSL on my VPS ?
In recent versions it seems you need to add PROXY_TRUST_UPSTREAM: "true" to /home/umbrel/umbrel/app-data/btcpay-server/docker-compose.yml in the app_proxy block! Then do ~/umbrel/scripts/app restart btcpay-server.
@AbelLykens I would not recommend this because the next update for BTCPay Server will overwrite this change. Instead, I would follow the instructions here: https://github.com/getumbrel/umbrel/issues/1428#issuecomment-1184584190
Hi folks,
Maybe I'm doing something wrong.
My port 15443 is still closed https://ping.eu/port-chk/
My port 15080 is open.
On my router both ports are redirecting to my umbrel and open.
I have tried to install ufw and open both ports, but I locked myself out of SSH and had to re-flash Umbrel to get in once again.
I'm on Umbrel V0.5.3
On SSH I'm getting this:
` Domain: xxxxxx.ignorelist.com Type: connection Detail: xx.xx.xx.xx: Fetching http://xxxxx.ignorelist.com/.well-known/acme-challenge/YNmfeg2rdOi1aSAlYC X-HPIFIj4fJRb74mNHc3kx1_M: Error getting validation data
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. `
any ideas?
I ran the commands and still got the error, do you know what it could be?
ssh [email protected] (or the IP of your Umbrel server)
Password is the same as Umbrel Web UI
nano ~/umbrel/app-data/btcpay-server/.env.app_proxy
PROXY_TRUST_UPSTREAM=true
~/umbrel/scripts/app restart btcpay-server
But I still have an error