General Reverse Proxy Issues

geoff · February 1, 2019, 2:31pm

When I try to add a new role, or group, I get the following in the Cells log:

|2019-02-01T14:26:59.775Z|ERROR|pydio.rest.role|Ladon blocked POST request at /role. Ladon Response: DefaultDeny:true ,|
|---|---|---|---|
|2019-02-01T14:26:59.772Z|ERROR|pydio.rest.role|Ladon blocked POST request at /role. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.770Z|ERROR|pydio.rest.role|Ladon blocked POST request at /role. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.771Z|ERROR|pydio.rest.role|Ladon blocked POST request at /role. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.770Z|ERROR|pydio.rest.user|Ladon blocked PUT request at /user/standard. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.767Z|ERROR|pydio.rest.user|Ladon blocked PUT request at /user/standard. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.759Z|ERROR|pydio.rest.user|Ladon blocked PUT request at /user/standard. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.763Z|ERROR|pydio.rest.user|Ladon blocked PUT request at /user/standard. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.765Z|ERROR|pydio.rest.user|Ladon blocked PUT request at /user/standard. Ladon Response: DefaultDeny:true ,|
|2019-02-01T14:26:59.769Z|ERROR|pydio.rest.user|Ladon blocked PUT request at /user/standard. Ladon Response: DefaultDeny:true|

Then, it logs me out forcibly, possibly these are the relevant lines when that happened:

2019-02-01T14:29:17.832Z	ERROR	pydio.rest.frontend	Rest Error 401	{"error": "Post https://files.example.com/auth/dex/token: dial tcp 71.136.153.141:443: connect: connection timed out"},
2019-02-01T14:28:07.910Z	INFO	http: proxy error: context canceled

Then, I log back in and it lets me create the group this time.
Is there something I need to configure somewhere for this?

zayn · February 6, 2019, 10:50am

Hi,
i think it’s related to the fact that you are running behind a reverse-proxy,
using a reverse-proxy is for the moment tricky, we are going to publish a article addressing this in depth.

geoff · February 19, 2019, 2:07am

Hi Zayn - is there any update on this article? Are there any rough notes you can give me in the meantime? I’m pretty much stuck, and unable to get Cells to work at all, but I really like where you guys are going with the architecture.

Thanks,
Geoff

zayn · February 19, 2019, 9:03am

Hi,
my guess would be that the reverse proxy might be missing a rule,
are you forwarding everything, headers, websockets?
may i take a look at the config?

geoff · February 20, 2019, 2:31am

Hi Zayn,

Thanks for offering to take a look. My config is summarised below, but also in this thread: Issues Running Behind Traefik

When trying to connect from outside the network, I get the login screen, enter credentials, then get a blank screen. In the docker container log, I get:

2019-02-20T02:25:16.269Z	INFO	pydio.web.auth	Login	{"identity": {"UserID":"b1cde705-c271-4da4-9bc0-dca04f360682","Username":"geoff","Email":"","EmailVerified":true,"Groups":[],"AuthSource":"pydioapi","DisplayName":"","Profile":"admin","Roles":["ROOT_GROUP","ADMINS","ADMINS","b1cde705-c271-4da4-9bc0-dca04f360682"],"GroupPath":"/","ConnectorData":null}}
2019-02-20T02:25:24.758Z	ERROR	pydio.rest.frontend	cannot init oidc provider	{"error": "Get https://files.wanderingcarbon.com/auth/dex/.well-known/openid-configuration: dial tcp 71.136.153.141:443: connect: connection timed out"}
2019-02-20T02:26:56.918Z	ERROR	pydio.rest.frontend	Rest Error 401	{"error": "Post https://files.wanderingcarbon.com/auth/dex/token: dial tcp 71.136.153.141:443: connect: connection timed out"}

Summarising, Traefik itself is set up in Docker as so:

version: "3.7"
services:
  traefik:
    image: traefik:latest
    command:
      - "--logLevel=INFO"
      - "--accessLog"
      - "--api"
      - "--api.entryPoint=api"
      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
      - "--entrypoints=Name:https Address::443 TLS"
      - "--entrypoints=Name:api Address::8686"
      - "--defaultentrypoints=http,https"
      - "--acme"
      - "--acme.storage=/certificates/acme.json"
      - "--acme.entryPoint=https"
      - "--acme.tlsChallenge"
      - "--acme.onHostRule=true"
      - "--acme.onDemand=false"
      - "--acme.email=myemail@gmail.com"
      - "--docker"
      - "--docker.endpoint=tcp://docker-proxy:2375"
      - "--docker.swarmMode"
      - "--docker.domain=wanderingcarbon.com"
      - "--docker.watch"
      - "--docker.exposedbydefault=false"
    volumes:
      - /opt/traefik/acme.json:/etc/traefik/acme/acme.json
      - traefik-public-certificates:/certificates
    networks:
      - webgateway
    ports:
      - mode: ingress
        target: 80
        published: 80
      - mode: ingress
        target: 443
        published: 443
      - "8686:8686"
    secrets:
      - web_htpasswd
    deploy:
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure

And Cells:

version: '3.7'
services:
  cells:
    image: pydio/cells:latest
    command: [ '/bin/sh', '-c', 'echo `tail -1 /etc/hosts | cut -f 1` > /home/ip.txt; sed -i "/PeerAddress/ s/: .*/: \"`cat /home/ip.txt`\",/g" /root/.config/pydio/cells/pydio.json; exec /bin/docker-entrypoint.sh cells start' ]
    volumes: 
      - cells-config:/root/.config
      - cells-nas-media:/home/media/nfs/video
    environment:
      CELLS_BIND: '0.0.0.0:8080'
      CELLS_EXTERNAL: 'files.wanderingcarbon.com'
      CELLS_NO_SSL: '1'
      PYDIO_LOGS_LEVEL: 'info'
    networks:
      - webgateway
    hostname: cells
    deploy:
        labels:
          traefik.enable: 'true'
          traefik.backend: 'cells'
          traefik.docker.network: 'webgateway'
          traefik.frontend.passHostHeader: 'true'
          traefik.frontend.rule: 'Host:files.wanderingcarbon.com'
          traefik.port: '8080'

Note that after initial setup I shell into the container and

vi /root/.config/pydio/cells/pydio.json

Then update the defaults section to replace the 0.0.0.0 with my FQDN:

  "defaults": {
    "database": "dcdc65c150dab541b4cd1ee18e35b446d78b2867",
    "datasource": "pydiods1",
    "url": "https://files.wanderingcarbon.com",
    "urlInternal": "http://files.wanderingcarbon.com:8080"
  },

Thanks for any suggestions!

geoff · February 20, 2019, 3:10am

One small update; while I was searching for info on the dex error message, I found a thread on the Concourse project which seems to be dealing with the same issue. There’s a long thread about it, with relevant comments here and here. If it’s of any use, it seems like this is the changeset that fixed the issue.

Topic		Replies	Views
Ladon blocked POST request at /frontend/session. Ladon Response: DefaultDeny:true Pydio Cells	5	2355	May 16, 2023
Ladon Response: DefaultDeny:true Pydio Cells	9	938	November 14, 2020
Running Cells behind an Apache reverse proxy Pydio Cells	3	886	December 19, 2019
Page stuck on 'Loading' with 401 Unauthorized error, something to do with Ladon? Pydio Cells	4	1781	January 2, 2020
Domain does not work Pydio 8	7	636	November 20, 2018

General Reverse Proxy Issues

Related Topics