
502 Bad Gateway Error

Open fraschm1998 opened this issue 2 years ago • 1 comments

Getting a 502 Bad Gateway error while trying to access sandbox.example.com:

502 Bad Gateway https://sandbox.example.com/api/config?cb=18646ce6509

Error in console:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). utils.js:42:9
GET https://sandbox.example.com/api/config?cb=18646ce6509
[HTTP/2 502 Bad Gateway 204ms]

Some cookies are misusing the recommended “SameSite“ attribute 2
Loading failed for the <script> with source “https://sandbox.example.com/api/config?cb=18646ce6509”. sandbox.example.com:1:1
Uncaught Error: Script error for "/api/config?cb=18646ce6509", needed by: /common/boot.js?ver=1.0
http://requirejs.org/docs/errors.html#scripterror

docker-compose.yml:


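version: '3.8'

services:
  cryptpad:
    image: "promasu/cryptpad:nginx"
    container_name: cryptpad
    hostname: cryptpad
    environment:
      # Only the reverse-proxy host should be trusted for X-Forwarded-* headers.
      # The original value 192.168.30.10/8 denotes 192.0.0.0/8 (about 16M
      # addresses), so any host in that range could spoof the client address;
      # a /32 trusts the single proxy. Widen deliberately if more proxies exist.
      - CPAD_TRUSTED_PROXY=192.168.30.10/32
      - CPAD_MAIN_DOMAIN=cryptpad.example.com
      - CPAD_SANDBOX_DOMAIN=sandbox.example.com
      # Traefik can't use HTTP2 to communicate with cryptpad_websocket
      # A workaround is to disable HTTP2 in Nginx
      - CPAD_HTTP2_DISABLE=true

    volumes:
      - ./data/blob:/cryptpad/blob
      - ./data/block:/cryptpad/block
      - ./customize:/cryptpad/customize
      - ./data/data:/cryptpad/data
      - ./data/files:/cryptpad/datastore
      # NOTE(review): this mounts ./data/config onto a *file* path; if
      # ./data/config is a directory the container finds a directory where
      # config.js is expected — confirm which it is on the host.
      - ./data/config:/cryptpad/config/config.js
      - ./data/logs:/cryptpad/data/logs

    # host:container. 80 is the container's web server, 3000 presumably the
    # Node API server (the external nginx sends /api/ to host port 3002).
    ports:
      - "8088:80"
      - "3002:3000"
      # - "443:443"

    # `expose` takes container ports, not host ports. The original listed the
    # published host ports 8088/3002, which nothing inside the container
    # listens on; the container-side ports are 80 and 3000.
    expose:
      - "80"
      - "3000"
      # - "443"

    ulimits:
      nofile:
        soft: 1000000
        hard: 1000000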

Nginx Reverse Proxy:

server {
    # Plain-HTTP listener: serves nothing itself, every request is sent to
    # the TLS vhost below with a permanent redirect.
    listen 80;
    server_name sandbox.example.com;
    # NOTE(review): $host echoes the client's Host header; if this server
    # is also the default_server on :80, prefer $server_name so an arbitrary
    # Host value is not reflected into the Location header.
    return 301 https://$host$request_uri;
}

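server {
    listen 443 ssl;
    server_name sandbox.example.com;
    # add Strict-Transport-Security to prevent man in the middle attacks
    # (still disabled here; enable once everything under this host is served
    # over TLS, since browsers will then refuse plain HTTP for it)
    #add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /var/log/nginx/example/cryptpad/access.log;
    error_log /var/log/nginx/example/cryptpad/error.log;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

    # Docker host running the cryptpad container. Host port 8088 maps to the
    # container's port 80 and host port 3002 to its port 3000 (see
    # docker-compose.yml).
    set $upstream 192.168.30.21;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    # NOTE(review): the tail of this list is CBC/SHA-1 suites (…-SHA384, …-SHA).
    # Keep them only while legacy clients need them, then trim to the GCM suites.
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
    ssl_prefer_server_ciphers on;

    # Everything not matched below goes to the container's web server.
    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream:8088;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Same scheme hint the /api/ location sends, so the app sees one
        # consistent picture of the front end (only matters if the upstream
        # reads it; this vhost is TLS-only so $scheme is always https).
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }

    # /api/config and /api/broadcast bypass the container's web server and
    # go straight to host port 3002 (container port 3000). A 502 on exactly
    # these URLs means nginx could not connect to 192.168.30.21:3002: Docker
    # publishes the port even when nothing inside listens on it, and nginx
    # reports the refused connection as 502. Check from the proxy host that
    # 192.168.30.21:3002 answers, and that the Node process in the container
    # listens on all interfaces rather than only localhost. Alternatively
    # route /api/ through 8088 like the rest of the site — the :nginx image
    # presumably ships its own nginx that already handles these paths
    # (to be confirmed against the image's configuration).
    location ~ ^/api/(config|broadcast).*$ {
        proxy_pass http://$upstream:3002;

        # Timeout if the real server is dead
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # Proxy Connection Settings
        proxy_buffers 32 4k;
        proxy_connect_timeout 240;
        proxy_headers_hash_bucket_size 128;
        proxy_headers_hash_max_size 1024;
        proxy_http_version 1.1;
        proxy_read_timeout 240;
        #proxy_redirect  http://  $scheme://;
        proxy_send_timeout 240;

        # Proxy Cache and Cookie Settings (no proxy_cache is defined in this
        # server, so these two directives are currently no-ops)
        proxy_cache_bypass $cookie_session;
        #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
        proxy_no_cache $cookie_session;

        # Proxy Header Settings
        # $ssl_early_data is empty unless `ssl_early_data on` is set; harmless.
        proxy_set_header Early-Data $ssl_early_data;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Real-IP $remote_addr;

        # These settings prevent both NGINX and the API server
        # from setting the same headers and creating duplicates
        proxy_hide_header Cross-Origin-Resource-Policy;
        add_header Cross-Origin-Resource-Policy cross-origin;
        proxy_hide_header Cross-Origin-Embedder-Policy;
        add_header Cross-Origin-Embedder-Policy require-corp;
    }

    location ^~ /block/ {
        add_header Cache-Control max-age=0;

        proxy_pass http://$upstream:3002;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The upstream's own CORP/COEP headers are stripped here and, unlike
        # the /api/ location, not re-added.
        proxy_hide_header Cross-Origin-Resource-Policy;
        #add_header Cross-Origin-Resource-Policy cross-origin;
        proxy_hide_header Cross-Origin-Embedder-Policy;
        #add_header Cross-Origin-Embedder-Policy require-corp;
    }

    location = /cryptpad_websocket {
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket support (nginx 1.4): the handshake needs both hop-by-hop
        # headers forwarded. nginx does not pass the client's Connection
        # header by default, so without the explicit "upgrade" the upstream
        # sees a plain HTTP/1.1 request and the socket never opens.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_pass http://$upstream:8088/cryptpad_websocket;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}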

fraschm1998 avatar Feb 12 '23 18:02 fraschm1998