General Reverse Proxy Issues

#1

When I try to add a new role, or group, I get the following in the Cells log:

|Timestamp|Level|Service|Message|
|---|---|---|---|
|2019-02-01T14:26:59.775Z|ERROR|pydio.rest.role|Ladon blocked POST request at /role. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.772Z|ERROR|pydio.rest.role|Ladon blocked POST request at /role. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.770Z|ERROR|pydio.rest.role|Ladon blocked POST request at /role. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.771Z|ERROR|pydio.rest.role|Ladon blocked POST request at /role. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.770Z|ERROR|pydio.rest.user|Ladon blocked PUT request at /user/standard. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.767Z|ERROR|pydio.rest.user|Ladon blocked PUT request at /user/standard. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.759Z|ERROR|pydio.rest.user|Ladon blocked PUT request at /user/standard. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.763Z|ERROR|pydio.rest.user|Ladon blocked PUT request at /user/standard. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.765Z|ERROR|pydio.rest.user|Ladon blocked PUT request at /user/standard. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.769Z|ERROR|pydio.rest.user|Ladon blocked PUT request at /user/standard. Ladon Response: DefaultDeny:true|

Then, it logs me out forcibly; these are possibly the relevant lines from when that happened:

2019-02-01T14:29:17.832Z	ERROR	pydio.rest.frontend	Rest Error 401	{"error": "Post https://files.example.com/auth/dex/token: dial tcp 71.136.153.141:443: connect: connection timed out"},
2019-02-01T14:28:07.910Z	INFO	http: proxy error: context canceled

Then, I log back in and it lets me create the group this time.
Is there something I need to configure somewhere for this?

#2

Hi,
I think it’s related to the fact that you are running behind a reverse proxy.
Using a reverse proxy is tricky for the moment; we are going to publish an article addressing this in depth.

#3

Hi Zayn - is there any update on this article? Are there any rough notes you can give me in the meantime? I’m pretty much stuck, and unable to get Cells to work at all, but I really like where you guys are going with the architecture.

Thanks,
Geoff

#4

Hi,
My guess would be that the reverse proxy might be missing a rule.
Are you forwarding everything: headers, websockets?
May I take a look at the config?

#5

Hi Zayn,

Thanks for offering to take a look. My config is summarised below, but also in this thread: Issues Running Behind Traefik

When trying to connect from outside the network, I get the login screen, enter credentials, then get a blank screen. In the docker container log, I get:

2019-02-20T02:25:16.269Z	INFO	pydio.web.auth	Login	{"identity": {"UserID":"b1cde705-c271-4da4-9bc0-dca04f360682","Username":"geoff","Email":"","EmailVerified":true,"Groups":[],"AuthSource":"pydioapi","DisplayName":"","Profile":"admin","Roles":["ROOT_GROUP","ADMINS","ADMINS","b1cde705-c271-4da4-9bc0-dca04f360682"],"GroupPath":"/","ConnectorData":null}}
2019-02-20T02:25:24.758Z	ERROR	pydio.rest.frontend	cannot init oidc provider	{"error": "Get https://files.wanderingcarbon.com/auth/dex/.well-known/openid-configuration: dial tcp 71.136.153.141:443: connect: connection timed out"}
2019-02-20T02:26:56.918Z	ERROR	pydio.rest.frontend	Rest Error 401	{"error": "Post https://files.wanderingcarbon.com/auth/dex/token: dial tcp 71.136.153.141:443: connect: connection timed out"}

Summarising, Traefik itself is set up in Docker like so:

version: "3.7"
services:
  traefik:
    image: traefik:latest
    command:
      - "--logLevel=INFO"
      - "--accessLog"
      - "--api"
      - "--api.entryPoint=api"
      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
      - "--entrypoints=Name:https Address::443 TLS"
      - "--entrypoints=Name:api Address::8686"
      - "--defaultentrypoints=http,https"
      - "--acme"
      - "--acme.storage=/certificates/acme.json"
      - "--acme.entryPoint=https"
      - "--acme.tlsChallenge"
      - "--acme.onHostRule=true"
      - "--acme.onDemand=false"
      - "--acme.email=myemail@gmail.com"
      - "--docker"
      - "--docker.endpoint=tcp://docker-proxy:2375"
      - "--docker.swarmMode"
      - "--docker.domain=wanderingcarbon.com"
      - "--docker.watch"
      - "--docker.exposedbydefault=false"
    volumes:
      - /opt/traefik/acme.json:/etc/traefik/acme/acme.json
      - traefik-public-certificates:/certificates
    networks:
      - webgateway
    ports:
      - mode: ingress
        target: 80
        published: 80
      - mode: ingress
        target: 443
        published: 443
      - "8686:8686"
    secrets:
      - web_htpasswd
    deploy:
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure

And Cells:

version: '3.7'
services:
  cells:
    image: pydio/cells:latest
    command: [ '/bin/sh', '-c', 'echo `tail -1 /etc/hosts | cut -f 1` > /home/ip.txt; sed -i "/PeerAddress/ s/: .*/: \"`cat /home/ip.txt`\",/g" /root/.config/pydio/cells/pydio.json; exec /bin/docker-entrypoint.sh cells start' ]
    volumes: 
      - cells-config:/root/.config
      - cells-nas-media:/home/media/nfs/video
    environment:
      CELLS_BIND: '0.0.0.0:8080'
      CELLS_EXTERNAL: 'files.wanderingcarbon.com'
      CELLS_NO_SSL: '1'
      PYDIO_LOGS_LEVEL: 'info'
    networks:
      - webgateway
    hostname: cells
    deploy:
        labels:
          traefik.enable: 'true'
          traefik.backend: 'cells'
          traefik.docker.network: 'webgateway'
          traefik.frontend.passHostHeader: 'true'
          traefik.frontend.rule: 'Host:files.wanderingcarbon.com'
          traefik.port: '8080'

Note that after initial setup I shell into the container and

vi /root/.config/pydio/cells/pydio.json

Then update the defaults section to replace the 0.0.0.0 with my FQDN:

  "defaults": {
    "database": "dcdc65c150dab541b4cd1ee18e35b446d78b2867",
    "datasource": "pydiods1",
    "url": "https://files.wanderingcarbon.com",
    "urlInternal": "http://files.wanderingcarbon.com:8080"
  },

Thanks for any suggestions!
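Added example, not code from this thread or from the Pydio Cells project: a small Python triage script that parses tab-separated Cells log lines of the shape quoted above (timestamp, level, logger, message, optional JSON payload) and reports which requests the Cells process itself made to its own external URL that failed at the TCP dial. The sample log lines, the host `files.example.com` and the address `203.0.113.10` are constructed for the example, and the function names are mine.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of Cells log lines in the tab-separated shape seen in
# this thread. Host and IP are documentation values, not real infrastructure.
SAMPLE_LOG = """\
2019-02-20T02:25:16.269Z\tINFO\tpydio.web.auth\tLogin\t{"identity": {"Username":"geoff","Profile":"admin"}}
2019-02-20T02:25:24.758Z\tERROR\tpydio.rest.frontend\tcannot init oidc provider\t{"error": "Get https://files.example.com/auth/dex/.well-known/openid-configuration: dial tcp 203.0.113.10:443: connect: connection timed out"}
2019-02-20T02:26:56.918Z\tERROR\tpydio.rest.frontend\tRest Error 401\t{"error": "Post https://files.example.com/auth/dex/token: dial tcp 203.0.113.10:443: connect: connection timed out"}
2019-02-20T02:28:07.910Z\tINFO\thttp: proxy error: context canceled
"""

# Go net/http style dial error: "<Method> <url>: dial tcp <addr>: connect: <reason>"
DIAL_RE = re.compile(
    r"^(?P<method>Get|Post|Put|Delete) (?P<url>\S+): dial tcp (?P<addr>\S+): connect: (?P<reason>.+)$"
)


def parse_line(line):
    """Split one log line into its fields; payload is decoded JSON or None."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3:
        return None
    entry = {
        "ts": parts[0],
        "level": parts[1],
        "logger": parts[2],
        "msg": parts[3] if len(parts) > 3 else "",
        "payload": None,
    }
    if len(parts) > 4:
        try:
            entry["payload"] = json.loads(parts[4])
        except json.JSONDecodeError:
            entry["payload"] = None  # keep going on malformed payloads
    return entry


def find_self_dial_failures(log_text, external_host):
    """Return one finding per ERROR line whose payload records a failed TCP
    dial to external_host, i.e. the public FQDN the server is configured with
    (CELLS_EXTERNAL / defaults.url in this thread)."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or entry["level"] != "ERROR" or not entry["payload"]:
            continue
        err = entry["payload"].get("error", "")
        m = DIAL_RE.match(err)
        if not m:
            continue
        url = urlparse(m.group("url"))
        if url.hostname != external_host:
            continue
        findings.append({
            "ts": entry["ts"],
            "logger": entry["logger"],
            "path": url.path,
            "dial_addr": m.group("addr"),
            "reason": m.group("reason"),
        })
    return findings


def summarize(findings):
    """One-line human summary of what the server could not reach."""
    if not findings:
        return "no failed dials to the external URL found"
    addrs = sorted({f["dial_addr"] for f in findings})
    paths = sorted({f["path"] for f in findings})
    return (
        f"{len(findings)} request(s) from the Cells process to its own external URL "
        f"failed at dial {', '.join(addrs)} ({findings[0]['reason']}): {', '.join(paths)}. "
        "Check that this address:port is reachable from inside the container, "
        "not just from a browser outside the network."
    )


if __name__ == "__main__":
    print(summarize(find_self_dial_failures(SAMPLE_LOG, "files.example.com")))
```

The point the script makes explicit is that both the `.well-known/openid-configuration` fetch and the `/token` POST are outbound connections made by the Cells process, so a timeout there says nothing about the browser's path through Traefik; it says the container cannot reach the address the external hostname resolves to from where it runs. To use it on a real deployment, feed the container's log text to `find_self_dial_failures` with the value of `CELLS_EXTERNAL` as `external_host`.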

#6

One small update; while I was searching for info on the dex error message, I found a thread on the Concourse project which seems to be dealing with the same issue. There’s a long thread about it, with relevant comments here and here. If it’s of any use, it seems like this is the changeset that fixed the issue.