
Booksonic and reverse proxy

Open robflate opened this issue 6 years ago • 7 comments

I have Booksonic running in Docker. All services go through Traefik (reverse proxy) using the following Docker Compose:

version: '3'

services:
  
  booksonic:
    image: linuxserver/booksonic:latest
    container_name: booksonic
    hostname: booksonic
    ports:
      - "4040:4040"
    environment:
      - PUID
      - PGID
      - TZ
    volumes:
      - ${CONFIG}/booksonic:/config
      - ${DATA}/audiobooks:/books
      - ${DATA}/podcasts:/podcasts
    labels:
      traefik.enable: "true"
      traefik.port: "4040"
      traefik.frontend.rule: "Host:booksonic.${DOMAIN}"
      com.centurylinklabs.watchtower.enable: "true"
    restart: unless-stopped

I can access Booksonic on localhost:4040 but not through the reverse proxy using booksonic.domain.com. I get the normal basicauth username and password prompt from traefik but when I enter the correct details it just loops back and shows the username and password prompt again. I never actually get to the Booksonic interface where it asks for the Booksonic username and password.

I have about 20 other services all working through traefik without problems. I know this isn't strictly a Booksonic issue but I thought I'd ask anyway to see if anyone can offer any advice. Thanks.

robflate avatar Apr 12 '18 15:04 robflate

Also having this problem, anyone find a solution?

I am also using the linuxserver/booksonic docker build. I tried setting an environment variable: CONTEXT_PATH= but based on the subsonic documentation, I think this is for a mydomain.com/audiobooks setup whereas I am trying to do audiobooks.mydomain.com.

My docker-compose log for booksonic indicates the webserver can't respond to https traffic:

booksonic | 2018-06-07T07:12:25.896600024Z 2018-06-07 07:12:25.896:WARN:oejh.HttpParser:qtp931919113-15: bad HTTP parsed: 400 Illegal character 0x16 for HttpChannelOverHttp@6e8b5719{r=0,c=false,a=IDLE,uri=null}

MrQuiX avatar Jun 07 '18 07:06 MrQuiX

Anyone found a solution for this?

ruben-kinship avatar Feb 05 '19 12:02 ruben-kinship

I'm having this problem as well. Would appreciate a solution to this!

mcrypt avatar Mar 21 '19 07:03 mcrypt

Hello, I am facing an issue that seems very similar, where Subsonic works fine when accessed directly but not via a reverse proxy (I'm using Caddy). I found out what happens but am not sure how to solve it:

  • I call https://mydomain.com/booksonic
  • Booksonic receives the request properly and sends back an HTTP 302 redirect with Location: http://mydomain.com/booksonic/ - notice the trailing / (as expected) AND the httP scheme. In my case, and for this flow it still goes through since I'm also serving Booksonic on plain http, but for other pages, such a redirection is blocked by the browser due to security policy (error logged in the browser console: loading mixed active content “http://mydomain.com/booksonic/musicFolderSettings.view”)

So the problem is really that Booksonic does not respect the original scheme when sending its HTTP redirections. This is usually achieved by honoring the X-Scheme header, but I tried adding this to my proxy settings to no avail.

I think this needs a code fix, I could not find a workaround at proxy level, except rewriting the downstream Location header to replace http with https, but in my case that's not an option since my proxy (Caddy) does not support this.

In any case, I firmly believe that such redirections should be relative and not absolute, to avoid such issues...

Here are some screenshots of the http flow: (images: Screenshot 2019-04-02 at 20 18 43, Screenshot 2019-04-02 at 20 20 05)

Here's my proxy configuration (Caddy):

      proxy /booksonic http://booksonic {
        header_upstream    X-Forwarded-Ssl    on
        header_upstream    X-Scheme           {scheme}
        header_upstream    X-Forwarded-Proto  {scheme}
        transparent
        websocket
      }

ghost avatar Apr 02 '19 13:04 ghost

Might be related to #17 as well as https://www.reddit.com/r/Booksonic/comments/66znm0/nginx_location_entry/

ghost avatar Apr 02 '19 13:04 ghost

So it looks like spring boot needs to be configured to allow those headers https://docs.spring.io/spring-boot/docs/current/reference/html/howto-security.html https://stackoverflow.com/a/34273656

I don't know how to create an applications.properties. I assume it has to be added to the war file, and not something you can create at runtime, right?

halkeye avatar Aug 15 '19 21:08 halkeye

I spent way too much time on this. For Traefik, set the removeheader field to true: https://docs.traefik.io/v2.0/middlewares/basicauth/#removeheader

Otherwise it will forward the authentication, and if your proxy and booksonic users are different, booksonic will throw a 401.

mvanderlee avatar May 10 '20 17:05 mvanderlee
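
The behaviour described in the last comment, modelled as an added example (not code from this thread, Traefik or Booksonic): a proxy basic-auth middleware either forwards or strips the `Authorization` header before the request reaches the backend. The user names, passwords, host name and the backend's response rules are constructed assumptions.

```python
import base64

# Constructed credentials (assumptions for this example only).
PROXY_USERS = {"proxyuser": "proxy-pass"}
BACKEND_USERS = {"admin": "booksonic-pass"}

def basic(user, password):
    """Build a Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def check_basic(header, users):
    """Return True if the header carries a user/password pair found in users."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return users.get(user) == password

def backend(headers):
    """Assumed backend model: a presented Authorization header must match the
    backend's own users; with no header it serves its own login page."""
    auth = headers.get("Authorization")
    if auth is None:
        return 200, "login page"
    return (200, "app") if check_basic(auth, BACKEND_USERS) else (401, "unauthorized")

def proxy(headers, remove_header):
    """Proxy basic-auth middleware; returns (status, body, header seen upstream)."""
    if not check_basic(headers.get("Authorization"), PROXY_USERS):
        return 401, "proxy auth required", None
    upstream = dict(headers)
    if remove_header:
        upstream.pop("Authorization", None)  # effect of removeheader=true
    status, body = backend(upstream)
    return status, body, upstream.get("Authorization")

def demo():
    """Same valid proxy login, with the header forwarded and then stripped."""
    request = {"Host": "booksonic.example.com",
               "Authorization": basic("proxyuser", "proxy-pass")}
    return proxy(request, remove_header=False), proxy(request, remove_header=True)

if __name__ == "__main__":
    print(demo())
```

With the header forwarded, the backend answers 401 and also receives the proxy's credentials; with it stripped, the backend never sees them and serves its own login page.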