Problem while behind Reverse Proxy [NGINX]

Open ghost opened this issue 3 years ago • 8 comments

I have both TubeSync and NGINX as containers [as well as other apps - plex, sonarr, etc.], and everything works except for TubeSync where I get "Bad Request Contradictory scheme headers"

With some research I found out [https://github.com/benoitc/gunicorn/issues/1857] that when the header X-Forwarded-Protocol for gunicorn [a component of TubeSync] is set to 'https' it will error out and it needs to be set to 'ssl' [https://panel.djangoeurope.com/support/doc/http2https].

Here, https://github.com/benoitc/gunicorn/issues/1857#issuecomment-673925947, they mention that this can be fixed in the gunicorn config - is this something that can be fixed in the TubeSync docker?

ghost avatar Oct 07 '22 11:10 ghost

If you can get a change working for you that doesn't disrupt anyone else's deployments I'm happy to tweak any required settings to get this to work properly for you. You will likely need to test this yourself as I can't easily replicate your setup. Can you please drop into the container shell:

docker exec -ti tubesync bash

Then install your shell editor of choice, for example:

apt update && apt install nano

Then you can edit the gunicorn config file in your container:

nano /app/tubesync/gunicorn.py

From the gunicorn issue you linked above, try appending the discussed line to the gunicorn config file:

secure_scheme_headers = {'X-FORWARDED-PROTOCOL': 'https', 'X-FORWARDED-PROTO': 'https', 'X-FORWARDED-SSL': 'on'}

Then restart the TubeSync container and see if that fixes it for you. If it does, I'll give the change a wider test to see if it breaks anything before committing.

meeb avatar Oct 07 '22 12:10 meeb

I added that line and restarted the container and I get the same message in the browser, and the log from the container shows:

XXX.YYY.0.ZZZ - - [07/Oct/2022:13:44:57 -0300] "GET /favicon.ico HTTP/1.1" 400 149 "https://tubesync.DOMAIN.TLD/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.37"

Any other thoughts on making this work or do I need to modify the container for NGINX?

ghost avatar Oct 07 '22 16:10 ghost

You can use the same commands above and then edit the embedded nginx config as well:

nano /etc/nginx/nginx.conf

You can modify all the nginx proxy commands there including where the x-forwarded-proto etc. are set. Try tweaking those.

meeb avatar Oct 08 '22 00:10 meeb

@microSCOPED

IDK if this is your exact problem, but I know I had a lot of issues getting TubeSync to work behind NGINX awhile back. Assuming you're using SWAG and our configs are similar, I had to comment out this line in my location

        include /config/nginx/proxy.conf;

and replace it with this version where I commented out the "X-Forwarded-Ssl" line

# include /config/nginx/proxy.conf;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect  http://  $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto https;
# proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Real-IP $remote_addr;

Besides that change, it looks exactly like all my other configs. Haven't had problems since.

zpz5HAU-tgc3fgw2xwr avatar Oct 25 '22 02:10 zpz5HAU-tgc3fgw2xwr
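
The "Contradictory scheme headers" rejection discussed in the comments above can be reproduced offline with a simplified model of gunicorn's check. This is an added example, not code from gunicorn, TubeSync or any commenter: `resolve_scheme` and `verdict` are hypothetical names, the header sets are constructed, and case B (one hop reporting `http` while `X-Forwarded-Ssl: on` is passed through) is an assumption about how such a conflict can arise, not something the thread confirms.

```python
# Simplified model of how gunicorn derives the request scheme from proxy
# headers. Added illustration only; names below are hypothetical.
# gunicorn applies this check only to peers listed in forwarded_allow_ips.

# gunicorn's documented default for secure_scheme_headers
GUNICORN_DEFAULT = {
    "X-FORWARDED-PROTOCOL": "ssl",
    "X-FORWARDED-PROTO": "https",
    "X-FORWARDED-SSL": "on",
}
# Mapping proposed in the thread for /app/tubesync/gunicorn.py
THREAD_OVERRIDE = dict(GUNICORN_DEFAULT, **{"X-FORWARDED-PROTOCOL": "https"})


class ContradictorySchemeHeaders(Exception):
    """Two trusted headers disagree about http vs https."""


def resolve_scheme(headers, secure_scheme_headers=GUNICORN_DEFAULT):
    """Return 'http' or 'https'; raise if the scheme headers disagree."""
    scheme = None
    for name, value in headers:
        expected = secure_scheme_headers.get(name.upper())
        if expected is None:
            continue  # not a scheme header
        # Exact match means "secure"; any other value counts as plain http.
        voted = "https" if value.strip() == expected else "http"
        if scheme is not None and voted != scheme:
            raise ContradictorySchemeHeaders(f"{name}: {value!r} -> {voted}")
        scheme = voted
    return scheme or "http"  # assumes gunicorn listens on plain HTTP


def verdict(headers, mapping=GUNICORN_DEFAULT):
    try:
        return resolve_scheme(headers, mapping)
    except ContradictorySchemeHeaders:
        return "400 contradictory"


# Constructed header sets (not captured from a real deployment).
CASE_A = [("X-Forwarded-Protocol", "https"), ("X-Forwarded-Proto", "https")]
CASE_B = [("X-Forwarded-Proto", "http"), ("X-Forwarded-Ssl", "on")]
CASE_C = [("X-Forwarded-Proto", "https")]

if __name__ == "__main__":
    for label, case in (("A", CASE_A), ("B", CASE_B), ("C", CASE_C)):
        print(label, verdict(case), "| with override:",
              verdict(case, THREAD_OVERRIDE))
```

Case A is the only one the `secure_scheme_headers` override changes; a conflict of the case B kind has to be removed at the proxy, which is what dropping the `X-Forwarded-Ssl` line does.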

My GOD I have spent days trying to fix this - THANK you.

wtfreely avatar Oct 30 '22 03:10 wtfreely

Just to confirm this fix is for an upstream nginx reverse proxy, correct? To mention again if anyone does tweak TubeSync to work with their specific reverse proxy setup (that doesn't break anything else) I'm happy to edit the embedded nginx config in TubeSync to include it.

Thanks @ngInit for the issue support, most appreciated.

meeb avatar Oct 30 '22 08:10 meeb

Amazing! I used @wtfreely 's proposed change on a NGINX proxy using linuxserver/nginx and it worked perfectly.

djismgaming avatar Jun 20 '24 05:06 djismgaming

Does it still work for you? I couldn't copy everything due to the way my NGINX is set up, but pasting # Proxy Cache and Cookie Settings and # Proxy Header Settings results in 400 error for me with the following log from tubesync:

172.20.0.34 - - [29/Jun/2024:20:02:28 +0200] "GET / HTTP/1.1" 400 150 "-" "-"

Vintodrimmer avatar Jun 29 '24 18:06 Vintodrimmer

Yes, it still works. I do have this behind a local-only nginx reverse proxy using linuxserver/nginx with the mod linuxserver/mods:nginx-proxy-confs. I don't need to access tubesync outside home, but like all things behind SSL.

Local-only nginx reverse proxy

networks:
  default:
    name: linuxserver
    external: true
services:
  swag-local:
    restart: unless-stopped
    container_name: swag-local
    environment:
      - UMASK=022
      - TZ=$TZ
      - DOCKER_MODS=linuxserver/mods:swag-auto-reload|linuxserver/mods:nginx-proxy-confs
      - PUID=$PUID
      - PGID=$PGID
    ports:
      - 443:443
      - 80:80
    image: lscr.io/linuxserver/nginx:latest # https://github.com/linuxserver/docker-nginx/releases
    volumes:
      - ./data-swag-local:/config
      - ./data-swag/:/swag-ssl

This is my proxy config (just removed the comments added to the template by linuxserver.io that they add to all SWAG/nginx mod proxy-confs).

Current proxy-conf for tubesync

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    http2 on;

    server_name tubesync.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;



    location / {
 
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # Proxy Connection Settings
        proxy_buffers 32 4k;
        proxy_connect_timeout 240;
        proxy_headers_hash_bucket_size 128;
        proxy_headers_hash_max_size 1024;
        proxy_http_version 1.1;
        proxy_read_timeout 240;
        proxy_redirect  http://  $scheme://;
        proxy_send_timeout 240;

        # Proxy Cache and Cookie Settings
        proxy_cache_bypass $cookie_session;
        #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
        proxy_no_cache $cookie_session;

        # Proxy Header Settings
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Early-Data $ssl_early_data;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        # proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Real-IP $remote_addr;

        include /config/nginx/resolver.conf;
        set $upstream_app tubesync;
        set $upstream_port 4848;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

djismgaming avatar Jul 29 '24 21:07 djismgaming

As this seems generally resolved I'll close the issue for now. Feel free to create a new issue and reference this one if you still experience this problem.

meeb avatar Aug 03 '24 10:08 meeb