Nginx proxy reverse (Pydio Cells 1.0)

nginx
ubuntu

#1

Hi, I have successfully installed Pydio Cells on my server, and I have local access to the public IP, but I cannot connect to my nginx proxy reverse server to put in my subdomain.

“404 Site subdomain is not served on this interface”

Can anybody help me?

I have searched for configurations but none of them are useful for the Pydio Cells. It’s the new one.

Thanks in advance.


#2

+1 looking for a solution.

I installed Cells into Centos7, using the default settings and with the IP:443 for the URL.

I wanted to then set up the server on its own domain and found the ‘url’ parameter in pydio.json.

Changed that, and it allowed access using the URL (page loaded) but did not log in due to a 404… on the IP which the URL setting was changed from. There is probably a setting I am missing, but hopefully someone will answer or more in-depth docs will come.


#3

Server: MacOS Apache Reverse Proxy

My first attempt was to set Cells up on port 8180 with ssl and a custom domain name using reverse proxy. I received the same error in the Cells log.

My second attempt was to let the proxy server handle the ssl and domain name. Internal and external for Cells was set to localhost:8180. The interface loads and login works, but I kept getting a time out error showing in the front end and loading errors for mixed ssl content.

My third attempt was to turn on self assign certificates so the proxy connection would be ssl, still using localhost:8180. This also loads the front end but still has errors. It has Websocket closed errors and access control check errors.

I think there still needs to be directives for the websocket connection and maybe modifying the headers? This is not my area whatsoever, so I’ll be watching this thread.

My current Apache reverse proxy config is below, which may help even though you are using Nginx:

<VirtualHost *:8443>
  ServerAdmin admin@example.com
  ServerName files.example.com
  ProxyRequests off
  SSLProxyEngine on
  
  ProxyPass / https://localhost:8180/
  ProxyPassReverse / https://localhost:8180/

  ErrorLog "/logs/sites-files.com-error-ssl.log"
  CustomLog "/logs/sites-files.com-access-ssl.log" common
  
  SSLCertificateFile "/etc/letsencrypt/live/example.com/cert.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
  SSLCertificateChainFile "/etc/letsencrypt/live/example.com/chain.pem"
</VirtualHost>

#4

I found a configuration for Apache that works and resolves the following

  • “404 Site subdomain is not served on this interface”
  • UI errors mixed content
  • timeout errors
  • websocket connection errors
  • access control check errors

I run home automation with Home Assistant which also uses websockets and I managed to cobble together the proxy settings from that. They also have instructions for Nginx, maybe it will help find the correct directives. Hopefully someone may be able to confirm these are the only and correct directives needed.

Cells Install Config
I use 8180 because I run Apache on 8080 as a non-privileged user

Binding Host (Internal, Other): files.example.com:8180
External Host: files.example.com
I also supplied the correct location for the files.example.com cert and key files, not self signed

Apache Reverse Proxy

<VirtualHost *:8080>
  ServerAdmin admin@files.example.com
  ServerName files.example.com
  ServerSignature Off

  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
  </IfModule>

  ErrorLog "/logs/sites-files.example.com-error.log"
  CustomLog "/logs/sites-files.example.com-access.log" common
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:8443>
  ServerAdmin admin@files.example.com
  ServerName files.example.com
  ProxyPreserveHost On
  ProxyRequests off
  SSLProxyEngine on
  
  RewriteEngine on
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*)  wss://files.example.com:8180/$1 [P,L]
  RewriteCond %{HTTP:Upgrade} !=websocket [NC]
  RewriteRule /(.*)  https://files.example.com:8180/$1 [P,L]
  
  ProxyPass / https://files.example.com:8180/
  ProxyPassReverse / https://files.example.com:8180/
  ProxyPass /ws/ ws://files.example.com:8180/ws/
  ProxyPassReverse /ws/ ws://files.example.com:8180/ws/

  ErrorLog "/logs/sites-files.example.com-error-ssl.log"
  CustomLog "/logs/sites-files.example.com-access-ssl.log" common
  
  SSLCertificateFile "/etc/letsencrypt/live/files.example.com/cert.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/files.example.com/privkey.pem"
  SSLCertificateChainFile "/etc/letsencrypt/live/files.example.com/chain.pem"
</VirtualHost>
</IfModule>

#5

Hi,
Thanks for replying and helping out! We must start a dedicated knowledge base for Pydio Cells, it’s in the pipe.
As a hint, I’ll add a working config that we also use for a similar setup (Cells listening on an internal port and Apache reverse-proxying the domain name):

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName domain.pydio.com
  # May be necessary for API direct accesses
  AllowEncodedSlashes On
  RewriteEngine On
  # Make sure to proxy SSL
  SSLProxyEngine On
  # Disable SSLProxyCheck : maybe necessary if Cells is configured with self_signed
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off
  SSLProxyVerify none

  # Proxy WebSocket
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*)           wss://domain.pydio.com:8080/$1 [P,L]
  # Finally simple proxy instruction
  ProxyPass "/" "https://domain.pydio.com:8080/"
  ProxyPassReverse "/" "https://domain.pydio.com:8080/"
</VirtualHost>
</IfModule>

Please note:

  • The AllowEncodedSlashes On directive may be necessary if not activated globally in Apache (to call APIs like /a/meta/bulk/path%2Fto%2Ffolder).
  • When I configure Cells, even on another port, I actually make sure to bind it directly to domain.pydio.com as well (like Apache). This is necessary for the presigned URLs used with the S3 API for uploads and downloads (they use signed headers, and a mismatch between received Host headers may break the signature). Another option is to still bind Cells using a local IP, then in the Admin Settings, under Configs Backend, use the field “Replace Host Header for S3 Signature” and use the internal IP there.

Anybody willing to translate this into NGINX is welcome!
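
An NGINX rendering of the Apache virtual host in post #5, added here as an example; it is not part of the original thread and is not a configuration published by Pydio. It assumes Cells is bound to https://domain.pydio.com:8080 as in that post, and the certificate paths are placeholders.

```nginx
# Added example, not from the thread. Assumes Cells is bound to
# https://domain.pydio.com:8080 as in post #5; certificate paths are placeholders.
# Send "Connection: upgrade" only when the client asked for a WebSocket.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name domain.pydio.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name domain.pydio.com;
    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # File uploads: lift the 1 MB default body limit and stream bodies upstream.
    client_max_body_size 0;
    proxy_request_buffering off;

    location / {
        # No URI part after the port, so the request URI is forwarded as
        # received and %2F stays encoded (the AllowEncodedSlashes concern).
        proxy_pass https://domain.pydio.com:8080;
        # Host: by default NGINX sends the proxy_pass host:port, as the Apache
        # config in post #5 does. To forward the client's Host instead
        # (ProxyPreserveHost On in post #4), uncomment:
        # proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade (the RewriteCond on HTTP:Upgrade in Apache).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 1h;   # default 60s would drop idle sockets

        # Upstream TLS: send SNI. The upstream certificate is not verified by
        # default (as with SSLProxyVerify none); with a CA-issued cert on Cells:
        proxy_ssl_server_name on;
        # proxy_ssl_verify on;
        # proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```

Run `nginx -t` to check the syntax before reloading. Whichever Host value is forwarded has to match what Cells expects when it validates the S3 signature, as described in post #5.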


#6

I’m testing different configurations of NGINX with Pydio Cells, but the following error comes up. Can someone tell me where the error is? Thanks in advance.

I’m using NGINX proxy reverse with Apache Pydio Cells.

My NGINX is

server {
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443;
    server_name _;
    root /home/josep/.config/pydio/cells/static/pydio;
    index index.php;

    add_header X-Frame-Options "SAMEORIGIN";

    # SSL Settings
    ssl_certificate /etc/letsencrypt/live/pydio.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pydio.example.com/privkey.pem; # managed by Certbot

    ssl on;

    ssl_session_cache builtin:1000  shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    # Log files
    access_log /var/log/nginx/pydio_access.log;
    error_log /var/log/nginx/pydio_error.log;

    # All non existing files are redirected to index.php
    if (!-e $request_filename) {
        # For old links generated from Pydio 6
        rewrite ^/data/public/([a-zA-Z0-9_-]+)$ /public/$1? permanent;
        rewrite ^(.*)$ /index.php last;
    }

    # Manually deny some paths to ensure Pydio security
    location ~* ^/(?:\.|conf|data/(?:files|personal|logs|plugins|tmp|cache)|plugins/editor.zoho/agent/files) {
        deny all;
    }

    location /cells {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass "http://192.168.1.26$request_uri";
        proxy_redirect off;
    }
}

I have this in the nginx error log from the server:

[error] 12130#12130: *2 open() "/home/josep/.config/pydio/cells/static/pydio/index.php" failed (2: No such file or directory), client: 83.40.40.190, server: pydio.example.com, request: "GET / HTTP/1.1", host: "pydio.example.com"