
Can't pass login screen through nginx-proxy

Open phirestalker opened this issue 2 years ago • 8 comments

Describe the bug
I am unable to get past the login screen when accessing photonix through my nginx-proxy. Both photonix and nginx-proxy are docker containers. I have set up multiple other containers for other services that work. I guess photonix might need some extra parameters for the proxy.

To Reproduce
Set up new photonix docker container. Do setup on local address and port. Create new subdomain certificate, set up nginx-proxy for new container, visit the public address of the new photonix container and try to log in. Login screen stays with a "loading" message indefinitely.

Expected behavior
I expect it to log in successfully as it does on the local address and port.

Screenshots
[screenshot: Screen Shot 2021-08-02 at 5.26.31 PM]

Server (please complete the following information):

  • Device: Mac Pro 2010
  • OS: Ubuntu Linux 20.04
  • Architecture: x86/64

Desktop (please complete the following information):

  • OS: MacOS 11.5.1
  • Browser Chrome
  • Version 92.0.4515.107 (Official Build) (arm64)

phirestalker avatar Aug 03 '21 00:08 phirestalker

I noticed in the logs for the nginx-proxy that it is requesting with HTTP 2.0. In the nginx-prd.conf file for the photonix container it has proxy_http_version set at HTTP 1.1 for the admin, graphql, and thumbnailer endpoints. Would this possibly be the issue? If so, short of mounting the conf file as a volume and editing it, what are my other options?

EDIT: I could swear there was nothing in the logs before, but here is an excerpt from the photonix container logs.

2021/08/12 07:46:15 [warn] 52#52: *31 upstream server temporarily disabled while connecting to upstream, client: 192.168.208.2, server: , request: "POST /graphql HTTP/1.1", upstream: "http://127.0.0.1:8000/graphql", host: "photonix.computeraccess.icu", referrer: "https://photonix.mydomain.com/login"
2021/08/12 07:46:15 [error] 52#52: *31 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.208.2, server: , request: "POST /graphql HTTP/1.1", upstream: "http://127.0.0.1:8000/graphql", host: "photonix.computeraccess.icu", referrer: "https://photonix.mydomain.com/login"
2021/08/12 07:46:15 [warn] 52#52: *31 upstream server temporarily disabled while connecting to upstream, client: 192.168.208.2, server: , request: "POST /graphql HTTP/1.1", upstream: "http://127.0.0.1:8000/graphql", host: "photonix.computeraccess.icu", referrer: "https://photonix.mydomain.com/login"

EDIT (again): No this is a new problem in the logs because I can no longer bring up the site through its local IP address and port.

phirestalker avatar Aug 12 '21 14:08 phirestalker

OK, redis was down, so now I am back to the original problem. There are some juicy bits in the log this time after all though.

2021-08-12 15:02:46,683 ERROR    Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 489, in _resolve_from_executor
    executor(resolve, reject)
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 756, in executor
    return resolve(f(*args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/graphql/execution/middleware.py", line 75, in make_it_promise
    return next(*args, **kwargs)
  File "/srv/photonix/photos/schema.py", line 258, in resolve_all_libraries
    return Library.objects.filter(users__user=user)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/manager.py", line 85, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 941, in filter
    return self._filter_or_exclude(False, args, kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 961, in _filter_or_exclude
    clone._filter_or_exclude_inplace(negate, args, kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 968, in _filter_or_exclude_inplace
    self._query.add_q(Q(*args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/query.py", line 1391, in add_q
    clause, _ = self._add_q(q_object, self.used_aliases)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/query.py", line 1410, in _add_q
    child_clause, needed_inner = self.build_filter(
  File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/query.py", line 1318, in build_filter
    self.check_related_objects(join_info.final_field, value, join_info.opts)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/query.py", line 1147, in check_related_objects
    for v in value:
  File "/usr/local/lib/python3.8/site-packages/django/utils/functional.py", line 247, in inner
    return func(self._wrapped, *args)
graphql.error.located_error.GraphQLLocatedError: 'AnonymousUser' object is not iterable

2021-08-12 15:02:46,690 ERROR    Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 489, in _resolve_from_executor
    executor(resolve, reject)
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 756, in executor
    return resolve(f(*args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/graphql/execution/middleware.py", line 75, in make_it_promise
    return next(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/graphene_django/fields.py", line 171, in connection_resolver
    iterable = resolver(root, info, **args)
  File "/usr/local/lib/python3.8/site-packages/graphql_jwt/decorators.py", line 30, in wrapper
    return func(info.context, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/graphql_jwt/decorators.py", line 42, in wrapper
    raise exc
graphql.error.located_error.GraphQLLocatedError: You do not have permission to perform this action

2021-08-12 15:02:46,696 ERROR    Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 489, in _resolve_from_executor
    executor(resolve, reject)
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 756, in executor
    return resolve(f(*args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/graphql/execution/middleware.py", line 75, in make_it_promise
    return next(*args, **kwargs)
  File "/srv/photonix/accounts/schema.py", line 72, in resolve_profile
    raise GraphQLError('Not logged in')
graphql.error.located_error.GraphQLLocatedError: Not logged in

2021-08-12 15:02:46,705 ERROR    Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 489, in _resolve_from_executor
    executor(resolve, reject)
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 756, in executor
    return resolve(f(*args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/graphql/execution/middleware.py", line 75, in make_it_promise
    return next(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/graphene_django/fields.py", line 171, in connection_resolver
    iterable = resolver(root, info, **args)
  File "/usr/local/lib/python3.8/site-packages/graphql_jwt/decorators.py", line 30, in wrapper
    return func(info.context, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/graphql_jwt/decorators.py", line 42, in wrapper
    raise exc
graphql.error.located_error.GraphQLLocatedError: You do not have permission to perform this action

and now I am getting 400 errors only on the public address instead of those errors.

photonix.example.com 192.168.133.1 - - [12/Aug/2021:09:08:11 -0700] "POST /graphql HTTP/2.0" 400 149 "https://photonix.example.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36" "192.168.208.3:80"

phirestalker avatar Aug 12 '21 15:08 phirestalker

Hi @phirestalker. Thanks for reporting this and sorry to hear you've had problems getting it running under your reverse proxy.

If I understand correctly, you are using Nginx in front of this container. Could you attach the config file you are using please?

I have a page on reverse proxies at https://photonix.org/docs/reverse_proxies/ but unfortunately haven't added an Nginx example there yet (which I need to do). You could try the Traefik one though. I know Nginx works as I have this in front of the https://demo.photonix.org/ site.

Could you also confirm that you have ALLOWED_HOSTS: '*' environment variable set also please?

damianmoore avatar Aug 17 '21 18:08 damianmoore

Yes, I am using a docker image known as nginx-proxy. I have found the configuration that it generated for Photonix.

# photonix.example.com
upstream 6ea8a677d3d00e0406e4bc2391e2ff4c495316f5 {
	# Cannot connect to network 'photonix_default' of this container
	# Cannot connect to network 'postgres_net' of this container
	# Cannot connect to network 'redis_net' of this container
	# Cannot connect to network 'photonix_default' of this container
	# Cannot connect to network 'postgres_net' of this container
	# Cannot connect to network 'redis_net' of this container
	# Cannot connect to network 'photonix_default' of this container
	# Cannot connect to network 'postgres_net' of this container
	# Cannot connect to network 'redis_net' of this container
	# Cannot connect to network 'photonix_default' of this container
	# Cannot connect to network 'postgres_net' of this container
	# Cannot connect to network 'redis_net' of this container
	# Cannot connect to network 'photonix_default' of this container
	# Cannot connect to network 'postgres_net' of this container
	# Cannot connect to network 'redis_net' of this container
	## Can be connected with "photonix_default" network
	# photonix
	server 192.168.208.3:80;
	# Cannot connect to network 'postgres_net' of this container
	# Cannot connect to network 'redis_net' of this container
}
server {
	server_name photonix.example.com;
	listen 80 ;
	access_log /var/log/nginx/access.log vhost;
	# Do not HTTPS redirect Let'sEncrypt ACME challenge
	location ^~ /.well-known/acme-challenge/ {
		auth_basic off;
		auth_request off;
		allow all;
		root /usr/share/nginx/html;
		try_files $uri =404;
		break;
	}
	location / {
		return 301 https://$host$request_uri;
	}
}
server {
	server_name photonix.example.com;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/access.log vhost;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/photonix.example.com.crt;
	ssl_certificate_key /etc/nginx/certs/photonix.example.com.key;
	add_header Strict-Transport-Security "max-age=31536000" always;
	location / {
		proxy_pass http://6ea8a677d3d00e0406e4bc2391e2ff4c495316f5;
	}
}

I do have the allowed hosts line you mentioned in my docker-compose.yml file.

phirestalker avatar Aug 19 '21 20:08 phirestalker

I'm also seeing this issue. Two things I've tried are:

  1. adding external URL to ALLOWED_HOSTS in settings.py
  2. added the following lines to settings.py:
     SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
     SECURE_SSL_REDIRECT = True
     USE_X_FORWARDED_HOST = True

So far I'm still not having any luck but feeling like this is a Django issue with how it's building full URLs or what URLs it's allowing requests from.

Maybe this will help us crowdsource a solution a bit faster.... Thank you for the app

cnelson-pdx avatar Aug 24 '21 17:08 cnelson-pdx
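Added illustration for the settings tried above (not code from this thread, from Photonix or from Django itself): a stand-alone Python re-implementation of the Host and scheme checks that ALLOWED_HOSTS, USE_X_FORWARDED_HOST and SECURE_PROXY_SSL_HEADER control, showing which Host header a proxied request must carry before Django answers anything other than 400. The header dicts are constructed samples, and the matching rules follow Django's validate_host / is_same_domain in simplified form (no bracketed IPv6 literals, no SERVER_NAME fallback).

```python
"""Added illustration (not Photonix's or Django's own code): a stand-alone
re-implementation of the Host check Django runs on every request
(HttpRequest.get_host). A failed check raises DisallowedHost, which Django
answers with HTTP 400. The META dicts used below are constructed samples."""
import re

# Simplified host grammar; Django's regex also accepts bracketed IPv6 literals.
_HOST_RE = re.compile(r"^([a-z0-9.\-]+)(?::(\d+))?$")


def split_domain_port(host):
    """Lower-case the header, split off the port, drop a trailing dot."""
    m = _HOST_RE.match(host.lower())
    if not m:
        return "", ""
    return m.group(1).rstrip("."), m.group(2) or ""


def is_same_domain(host, pattern):
    """'.example.com' matches example.com and every subdomain; else exact match."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])) or pattern == host


def validate_host(host, allowed_hosts):
    """ALLOWED_HOSTS semantics: '*' allows any host, other entries are patterns."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def check_host(meta, allowed_hosts, use_x_forwarded_host=False):
    """Return 'ok' or '400 DisallowedHost' for the given request headers.
    With USE_X_FORWARDED_HOST the proxy's X-Forwarded-Host wins over Host."""
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        raw = meta["HTTP_X_FORWARDED_HOST"]
    else:
        raw = meta.get("HTTP_HOST", "")  # Django also falls back to SERVER_NAME
    domain = split_domain_port(raw)[0]
    return "ok" if domain and validate_host(domain, allowed_hosts) else "400 DisallowedHost"


def is_secure(meta, secure_proxy_ssl_header=None):
    """SECURE_PROXY_SSL_HEADER: trust the proxy's scheme header only when configured."""
    if secure_proxy_ssl_header:
        header, value = secure_proxy_ssl_header
        if meta.get(header) is not None:
            return meta[header].split(",")[0].strip() == value
    return meta.get("wsgi.url_scheme") == "https"


if __name__ == "__main__":
    # Constructed sample: the request as a TLS-terminating proxy forwards it.
    proxied = {"HTTP_HOST": "photonix.example.com", "HTTP_X_FORWARDED_PROTO": "https", "wsgi.url_scheme": "http"}
    print(check_host(proxied, ["*"]), check_host(proxied, ["localhost", "192.168.1.10"]))
    print(is_secure(proxied), is_secure(proxied, ("HTTP_X_FORWARDED_PROTO", "https")))
```

Run it as-is to see that an ALLOWED_HOSTS list that only names the local address rejects the public hostname, and that without SECURE_PROXY_SSL_HEADER Django treats the proxied request as plain HTTP even though the browser used HTTPS.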

I found out a lot about traefik while trying to search for settings that I could translate to Nginx. The features of traefik will make some of my future docker projects easier and have also automated my letsencrypt certs which use DNS verification. I have switched to traefik and it works flawlessly now.

Thank you for looking into it.

phirestalker avatar Aug 24 '21 18:08 phirestalker

Same issue here using nginx swag proxy from linuxserver.io - and not service http2 - and even if I did, it's the proxy end, so photonix being backend has no say in how I proxy the requests. The proxy works perfectly with piwigo, phpmyadmin and other stuff.

  • photonix is not using SSL, default port 80
  • yml is the default provided by you
  • few to no errors in the logs though, unless I enable DEBUG
  • tried DEMO MODE, dev mode, nothing works. I would love to try out this product but I can't

audioscavenger avatar Nov 08 '21 23:11 audioscavenger

@audioscavenger this config worked for me:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name photonix.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    
    # enable for Authelia
    include /config/nginx/authelia-server.conf;

    location / {
        # enable for Authelia
        include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        set $upstream_app 192.168.10.10;
        set $upstream_port 8888;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ /.+ {
        set $upstream_app 192.168.10.10;
        set $upstream_port 8888;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

The second location block removes any proxy headers for any other paths other than the root path.

anthonyma94 avatar Mar 21 '22 22:03 anthonyma94