Dockerized Cells GRPC configuration with NGINX as reverse proxy

Hello everyone,

I followed the documentation to get Cells working. I can get access to webpages, WS, perfect. However, from the client, I always switch between a 408 GRPC error and a context deadline error.

The /a/config/discovery returns the correct GRPC port.

My reverse proxy configuration is as follows:

# Global SSL configuration is already set
server {
    listen 443 ssl http2;

    server_name pydio;

    location / {
        proxy_pass http://pydio:8080;
        #grpc_pass grpcs://pydio:8080;
    }

    location /ws/ {
        proxy_pass http://pydio:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

server {
    listen 33060 http2; # I tried with and without ssl

    location / {
        grpc_pass grpcs://pydio:33060;
    }
}

My docker compose is as follows:

  proxy:
    build: ./proxy/
    ports:
        - 80:80
        - 443:443
        - 33060:33060
    links:
        - pydio:pydio
    container_name: proxy
    restart: always

  pydio:
    image: pydio/cells
    expose:
      - 8080
      - 33060
    container_name: pydio
    environment:
      - CELLS_LOG_LEVEL=production
      - CELLS_EXTERNAL=https://xxxxx.com
      - CELLS_NO_TLS=1
      - CELLS_GRPC_EXTERNAL=33060
    links:
      - mysql
    volumes:
      - /root/pydio:/var/cells
    depends_on:
      - mysql
    restart: always

Do you have any idea?

Thanks!

Hello, @Draewil

From my understanding of your configuration, you do not have TLS enabled on Cells.

On Cells, gRPC requires TLS to be enabled; you can either set the value to 0 or remove it (by default TLS is enabled).

If you have already installed and configured Cells, you might have to run the cells configure sites command and enable the setting; mind that you are inside a container, so you will have to expose ports and such.

Indeed, I stop SSL at my reverse proxy, then do a regular proxy pass.

Can Pydio Cells automatically manage its own certificate with Let’s Encrypt or whatever, or should I do it?

For more details, I went to check the TLS configuration again and the documentation states:

You can finally fully disable TLS and let Cells serve connections over HTTP. This is not recommended but is good enough for testing or development. In that case, just beware that the gRPC gateway (required for CellsSync) will be exposed on a separate port that must be opened in the firewall, if any.

In this case, it should still be working with my current configuration.

Today, I tried with generated self-signed certificates and with custom certificates managed by me to no avail.

With this configuration, it seems that I do not need the GRPC_EXTERNAL and it chooses a random port automatically. Still, I now get a “Forbidden” error and nothing else, whatever log I search.

Any idea, @zayn? Thanks!

Hello @Draewil

When you have TLS on Cells, you can omit the GRPC_EXTERNAL env and just proxy the gRPC traffic to location / with grpcs://yourcells;

It could be confusing, I would have to admit, but to try to describe it simply:
if you have TLS on Cells, you just need to proxy the gRPC with the grpcs directive, without using GRPC_EXTERNAL and such.

But in the case that you want to have your Cells running with no TLS, then you have to use the GRPC_EXTERNAL to set a fixed port for gRPC and then proxy the gRPC traffic to that port.

If your setup does not require you to have HTTP, then I would advise you to have TLS (with self-signed); it will make it easier. Otherwise we can look together at how to configure it.

Thanks for your support, @zayn.

However, I’m still stuck with the error “Forbidden”.

I use custom self-signed certificates, I have access to the web interface, and I see Pydio preparing its full chain:

{"level":"info","ts":"2021-08-31T04:16:08Z","logger":"pydio.gateway.grpc","msg":"Activating self-signed configuration for gRPC gateway to allow full TLS chain."}

When the client starts, I see the request to:

141.101.69.109 - - [31/Aug/2021:04:20:42 +0000] "GET /a/config/discovery HTTP/2.0" 200 180 "-" "Go-http-client/2.0"

Which now doesn’t contain the GRPC port.

This is my updated NGINX configuration:

server {
    listen 443 ssl http2;

    server_name pydio;

    location / {
        proxy_ssl_verify off;
        proxy_pass https://pydio:8080;
        grpc_pass grpcs://pydio:8080;
    }

    location /ws/ {
        proxy_pass https://pydio:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

I also tried with an additional block for the HTTP redirect:

server {
    if ($host = my-cells-server.com) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    listen [::]:80;
    server_name my-cells-server.com;
    return 404;
}

I removed NO_TLS and GRPC_EXTERNAL from my docker.

To no avail. Any idea left?

Hello @Draewil,

I apologize for the delay. I’m setting up a Docker install that looks like yours to try to reproduce and understand what is happening. I will keep you updated (in an hour or two).

Hello @Draewil,

I believe I found the miracle (I hope so).

Could you try with the following configuration:

    location / {
        if ($http_content_type = "application/grpc") {
            grpc_pass grpcs://cells:8080;
        }
        proxy_pass https://cells:8080;
    }

The important part is:

    if ($http_content_type = "application/grpc") {
            grpc_pass grpcs://cells:8080;
        }

The gRPC requests have this header, therefore it should use the correct pass instruction depending on the type of request.
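
Added example, not part of the thread and not confirmed to resolve the error reported here: the gRPC-over-HTTP/2 specification also allows content types such as application/grpc+proto, which an exact `=` comparison does not match, so this variant matches on the prefix and verifies the upstream certificate instead of disabling verification. The upstream `cells:8080` comes from the post above; the certificate path and the name expected in the certificate are assumptions.

```nginx
# Added example; place in a file included from the http {} context.
# Flag a request as gRPC when Content-Type starts with application/grpc
# (covers application/grpc, application/grpc+proto, application/grpc+json).
map $http_content_type $is_grpc {
    default               0;
    "~^application/grpc"  1;
}

server {
    # Front-end certificate directives are assumed to be set globally,
    # as in the original configuration.
    listen 443 ssl http2;
    server_name pydio;

    # Verify the certificate Cells presents rather than switching
    # verification off. The file (path is an assumption) holds the
    # self-signed certificate served by Cells, or the CA that issued it.
    # "cells" is assumed to be a name listed in that certificate.
    proxy_ssl_verify              on;
    proxy_ssl_trusted_certificate /etc/nginx/certs/cells-upstream.pem;
    proxy_ssl_name                cells;

    grpc_ssl_verify               on;
    grpc_ssl_trusted_certificate  /etc/nginx/certs/cells-upstream.pem;
    grpc_ssl_name                 cells;

    location / {
        # gRPC calls go through the gRPC module over TLS ...
        if ($is_grpc) {
            grpc_pass grpcs://cells:8080;
        }
        # ... everything else is plain HTTPS proxying.
        proxy_pass https://cells:8080;
    }
}
```

If verification fails, nginx logs an upstream SSL certificate verify error in its error log, which separates a certificate problem from a routing problem.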

Unfortunately, I added the corresponding configuration and redeployed my reverse proxy to no avail.

The only change is from “Forbidden” to “transport is closing” error.

Thanks for your support still, @zayn!

For information, same error with Docker without reverse proxy using -my- LetsEncrypt certs (not using Pydio ones).

I installed the MSI from the website. However, the installer ends without any message and I need to go to %appdata%…\Local\CellsSync to find an .exe and try to use it. Maybe it is the root of all our problems?

From other topics, it seems that nobody got Sync working with the Docker installation. Any news since?