I have a Pydio Cells test server to evaluate the product. Debian 9.4 up to date, nothing special.
This server is on the local network. Its IP address is 10.0.0.123.
It has to be reached from the inside (http://10.0.0.123) and from the outside (http://cells.example.com).
For the preliminary tests I don’t use HTTPS.
It seems impossible to let Cells accept connections to 10.0.0.123 and to cells.example.com because it discards whatever does not exactly match the external binding (external host). Thus the external host cannot be 2 different values at the same time.
One ugly solution is to use a split-brain DNS. Another ugly solution is to modify the hosts file of every local computer (tested: it works).
So I tried to use a proxy. But whatever I do I always get the loading screen and nothing else:
Nothing in the logs, no errors on the console, nothing.
If I don’t use a proxy, everything is fine except I can’t reach Cells either locally or externally.
The proxy correctly rewrites the Host HTTP header to present it to Cells (else the loading screen will not show up).
I used Apache2 as a reverse proxy. I also tested the corresponding setup written in the online documentation.
I used nginx.
I used HAproxy.
All of them work perfectly fine for everyday needs, but Cells refuses to get past the loading screen.
Even an iptables NAT from port 80 to port 8080 gives the same result!
I don’t understand what the problem is. So I don’t know what I can do.
How can I configure Cells to ignore the Host HTTP header?
No better result.
As I’m not the only one with the same problem, and as nobody has a working solution for other similar questions, I think Pydio Cells is incompatible with proxies. I don’t understand how it’s possible, but the facts are there.
Can you point to a working example of such a simple setup? (accessing Pydio from internal and external network). I found none. I only found people stuck with the same problem.
Help me to help you
Everything had already been described in the first message.
I don’t know what to add.
For example with HAproxy, just to redirect port 80 to 8080 I used:
    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    # end of default configuration file

    frontend http-in
        bind *:80
        default_backend pydio-http

    backend pydio-http
        http-request set-header Host 10.0.0.123:8080
        server pydio-cells 10.0.0.123:8080
While Cells’ internal and external bindings are both 10.0.0.123:8080.
This works for similar needs I encountered. For the tests I just added my configuration after “end of default configuration file”.
Before having a doc, you should have a working example
I’m digging into the communication between the browser and the app. Seems there is a problem with cookies which leads to the freeze.
And at least you should provide a way to ignore the filter on the requested host because there are a lot of situations where this will be a pain in the ass for administrators.
You mean the cookie domain?
Sorry but when I re-read your thread, I don’t see the actual config of your pydio.json => bind / urlExternal ?
So, sorry again if this is a repeat
From the docs :
CELLS_BIND : address where the application http server is bound to. It MUST contain a server name and a port.
CELLS_EXTERNAL : url the end user will use to connect to the application.
Example:
If you want your application to run on the localhost at port 8080 and use the url mycells.mypydio.com, then set CELLS_BIND to localhost:8080 and CELLS_EXTERNAL to mycells.mypydio.com
Yes, if we use it without a reverse proxy. But then we cannot reach it from the local network.
And yes or no when using a reverse proxy. We can use 127.0.0.1, or 10.0.0.123 or cells.example.com (requires changing /etc/hosts on the proxy), or whatever.
As stated in the first message, the problem is to reach Pydio Cells from the internet and from the local network at the same time.
Ok that’s totally clear. I think currently it’s not possible. Not because we “refuse” connections, but this is how the JS currently works along with rewrite rules on public links. We’ll have to see how to handle that case, it should not be over-complicated, but you’ll probably have to wait for a (near) future release.
I’ll change the title of your thread to make it clearer.
I was going to use mod_substitute when running Apache as a reverse proxy, as its docs say:
"A common use scenario for mod_substitute is the situation in which a front-end server proxies requests to a back-end server which returns HTML with hard-coded embedded URLs that refer to the back-end server. These URLs don’t work for the end-user, since the back-end server is unreachable.
In this case, mod_substitute can be used to rewrite those URLs into something that will work from the front end:"
which describes this situation perfectly (I think).
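An added diagnostic sketch, not part of any post in this thread and not Pydio code: it scans one proxied response for the two symptoms raised above, a cookie scoped to a different host and absolute URLs that point at the back end instead of the name the browser used. The headers and body are constructed sample data (what Cells actually sends is not shown in this thread), and `find_host_mismatches` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: what a back end bound to 10.0.0.123:8080 could return
# when reached through a proxy (illustrative only, not captured from Cells).
SAMPLE_HEADERS = [
    ("Location", "http://10.0.0.123:8080/login"),
    ("Set-Cookie", "session=abc123; Path=/; Domain=10.0.0.123; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
SAMPLE_BODY = (
    '<script src="http://10.0.0.123:8080/static/app.js"></script>'
    '<a href="http://cells.example.com/public/x">link</a>'
    '<img src="/static/logo.png">'
)
ABS_URL = re.compile(r"""https?://[^\s"'<>)]+""", re.I)


def _host(url):
    """Hostname of an absolute URL, lower-cased, without the port."""
    return (urlsplit(url).hostname or "").lower()


def find_host_mismatches(client_host, headers, body):
    """Return (where, value) pairs that send the browser to a host other
    than the one it used to reach the proxy (IPv4 or DNS name assumed)."""
    want = client_host.split(":")[0].lower()
    issues = []
    for name, value in headers:
        lname = name.lower()
        if lname in ("location", "content-location"):
            if value.startswith(("http://", "https://")) and _host(value) != want:
                issues.append((name, value))
        elif lname == "set-cookie":
            for attr in value.split(";")[1:]:
                key, _, val = attr.strip().partition("=")
                dom = val.strip().lstrip(".").lower()
                # The Domain attribute must equal the request host or be a
                # parent of it; otherwise the browser discards the cookie.
                if key.lower() == "domain" and dom and not (
                    want == dom or want.endswith("." + dom)
                ):
                    issues.append((name, value))
    for url in ABS_URL.findall(body):
        if _host(url) != want:
            issues.append(("body", url))
    return issues
```

Running it once per entry point (the external name and the internal IP) shows which side a single fixed external URL leaves broken.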
I’ve just tried this on my own network. I created a reverse proxy using Apache that all internal requests went to, and just for shiggles I didn’t use HTTPS on the internal connection. I was able to access Pydio via the public internet using the domain name and also on the internal network using a different IP. Here is my vhost: