Impossible to access Cells from two different addresses (e.g. local and external)


#1

Hi,

I have a Pydio Cells test server to evaluate the product. Debian 9.4 up to date, nothing special.

This server is on the local network. Its IP address is 10.0.0.123.
It has to be reached from the inside (http://10.0.0.123) and from the outside (http://cells.example.com).
For the preliminary tests I don’t use HTTPS.

It seems impossible to let Cells accept connections to 10.0.0.123 and to cells.example.com because it discards whatever does not exactly match the external binding (external host). Thus the external host cannot be 2 different values at the same time.
One ugly solution is to use a split-brain DNS. Another ugly solution is to modify the hosts file of every local computer (tested: it works).

So I tried to use a proxy. But whatever I do I always get the loading screen and nothing else.
Nothing in the logs, no errors on the console, nothing.
If I don’t use a proxy, everything is fine except I can’t reach Cells either locally or externally.

The proxy correctly rewrites the Host HTTP header to present it to Cells (else the loading screen will not show up).

I used Apache2 as a reverse proxy. I also tested the corresponding setup written in the online documentation.
I used nginx.
I used HAproxy.
All of them work perfectly fine for everyday needs, but Cells refuses to get past the loading screen.

Even an iptables NAT from port 80 to port 8080 gives the same result!

I don’t understand what the problem is. So I don’t know what I can do.

  • How can I configure Cells to ignore the Host HTTP header?
  • How can I use a working proxy?

#2

Could you post your apache conf?

I have similar issues but just ended up using the public address all the time.

If you manage the DNS on your own network you could register that IP as the public address.

I believe it should be possible with mod rewrite and most proxy etc to achieve what you want.


#3

Could you post your apache conf?

I did not keep it. I mainly use nginx and HAProxy.

I believe it should be possible with mod rewrite and most proxy etc to achieve what you want.

When I see other comments here and on the bug tracker, I’m not sure this is possible.


#4

This may do it

https://httpd.apache.org/docs/2.4/mod/mod_substitute.html

If you have one vhost for external and one vhost for internal with that mod enabled


#5

No better result.
As I’m not the only one with the same problem, and as nobody has a working solution for other similar questions, I think Pydio Cells is incompatible with proxies. I don’t understand how it’s possible, but the facts are there.


#6

I don’t think so.

Help me to help you


#7

I don’t think so.

Can you point to a working example of such a simple setup (accessing Pydio from the internal and external network)? I found none. I only found people stuck with the same problem.

Help me to help you

Everything had already been described in the first message.
I don’t know what to add.

For example with HAproxy, just to redirect port 80 to 8080 I used:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

# end of default configuration file

frontend http-in
        bind *:80
        default_backend pydio-http

backend pydio-http
        http-request set-header Host 10.0.0.123:8080
        server pydio-cells 10.0.0.123:8080

While Cells’ internal and external bindings are both 10.0.0.123:8080.
This works for similar needs I encountered. For the tests I just added my configuration after “end of default configuration file”.


#8

sorry sorry for the lack of docs on that, we are working on a dedicated blog post - stay tuned


#9

Hi Charles.

Before having a doc, you should have a working example :)

I’m digging into the communication between the browser and the app. It seems there is a problem with cookies which leads to the freeze.

And at least you should provide a way to ignore the filter on the requested host because there are a lot of situations where this will be a pain in the ass for administrators.


#10

You mean the cookie domain?
Sorry but when I re-read your thread, I don’t see the actual config of your pydio.json => bind / urlExternal ?
So, sorry again if this is a repeat
From the docs :

CELLS_BIND : address where the application http server is bound to. It MUST contain a server name and a port.
CELLS_EXTERNAL : url the end user will use to connect to the application.
Example:
If you want your application to run on the localhost at port 8080 and use the url mycells.mypydio.com, then set CELLS_BIND to localhost:8080 and CELLS_EXTERNAL to mycells.mypydio.com

Did you set the external to http://cells.domain.com ?


#11

Did you set the external to http://cells.domain.com ?

Yes if we use it without using a reverse proxy. But then we cannot reach it from the local network.
And yes or no when using a reverse proxy. We can use 127.0.0.1, or 10.0.0.123 or cells.example.com (requires changing /etc/hosts on the proxy), or whatever.

As stated in the first message, the problem is to reach Pydio Cells from the internet and from the local network at the same time.


#12

Ok that’s totally clear. I think currently it’s not possible. Not because we “refuse” connections, but this is how the JS currently works along with rewrite rules on public links. We’ll have to see how to handle that case, it should not be over-complicated, but you’ll probably have to wait for a (near) future release.

I’ll change the title of your thread to make it clearer.


#13

I was going to use mod_substitute when running Apache as a reverse proxy, as its docs say

"A common use scenario for mod_substitute is the situation in which a front-end server proxies requests to a back-end server which returns HTML with hard-coded embedded URLs that refer to the back-end server. These URLs don’t work for the end-user, since the back-end server is unreachable.

In this case, mod_substitute can be used to rewrite those URLs into something that will work from the front end:"

which describes this situation perfectly (I think)


#14

I’ve just tried this on my own network. I created a reverse proxy using Apache that all internal requests went to, and just for shiggles I didn’t use HTTPS on the internal connection. I was able to access Pydio via the public internet using the domain name and also on the internal network using a different IP. Here is my vhost:

<VirtualHost *:30111>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache2/"
    ServerName 192.168.10.81

    # Drop Accept-Encoding so the backend answers uncompressed and the body can be rewritten
    RequestHeader unset Accept-Encoding "expr=%{REQUEST_URI} =~ m#^/#"

    ProxyPass "/" "http://192.168.10.221:30010/"
    ProxyPassReverse "/" "http://192.168.10.221:30010/"

    # Rewrite the public URL in response bodies to this internal vhost's address
    Substitute "s|https://my.letsencrypt.secured.endpoint|http://192.168.10.81:30111"

    # Apply the SUBSTITUTE output filter to every proxied path
    FilterDeclare Substitute
    FilterProvider Substitute SUBSTITUTE "%{REQUEST_URI} =~ m#^/#"
    FilterChain +Substitute

    ErrorLog "logs/dummy-host.example.com-error_log"
    CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>

I hope this is of some use to you
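
Added example, not part of the thread and not Pydio code: a small checker for the two symptoms raised above, a cookie that does not fit the address the browser used (#9) and absolute URLs in the response that point at a different origin (#12, #14). The sample body and cookie are constructed for illustration, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a proxied response; not captured from a real Cells server.
SAMPLE_BODY = ('<script src="/plug/boot.js"></script>\n'
               '<script>var cfg = {"endpoint": "http://cells.example.com/a/state"};</script>')
SAMPLE_COOKIES = ["session=abc123; Path=/; Domain=cells.example.com; HttpOnly"]

URL_RE = re.compile(r"""https?://[^\s"'<>\\)]+""")

def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port)

def foreign_origins(body, browser_url):
    """Origins of absolute URLs in the body that differ from the one the browser used."""
    used = origin(browser_url)
    found = {origin(m) for m in URL_RE.findall(body)}
    return sorted("%s://%s:%s" % o for o in found if o != used)

def cookie_problems(set_cookie_headers, browser_url):
    """Set-Cookie headers that will not work for the address in browser_url."""
    scheme, host, _ = origin(browser_url)
    problems = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        attrs = {}
        for part in header.split(";")[1:]:
            key, _, value = part.strip().partition("=")
            attrs[key.lower()] = value
        domain = attrs.get("domain", "").lstrip(".").lower()
        # A Domain attribute must equal the request host or be a parent domain of it.
        if domain and host != domain and not host.endswith("." + domain):
            problems.append((name, "Domain=%s does not cover %s" % (domain, host)))
        # A Secure cookie is not usable when the page is loaded over plain http.
        if "secure" in attrs and scheme != "https":
            problems.append((name, "Secure cookie on a plain-http origin"))
    return problems

if __name__ == "__main__":
    for url in ("http://10.0.0.123/", "http://cells.example.com/"):
        print(url, foreign_origins(SAMPLE_BODY, url), cookie_problems(SAMPLE_COOKIES, url))
```

Feed it the body and Set-Cookie headers saved from the browser's network tab, or from `curl -i` run against each address, once per address you expect users to reach.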