[SOLVED] Pydio Cells doesn't work behind Haproxy with HTTPS offloading

#1

Hello,
I have been trying to install Cells three times, but it still seems something is wrong if I try to use it behind an HAProxy HTTPS-offloading reverse proxy. The very same reverse-proxy offloading config works perfectly fine for Pydio 8.
When trying to configure I use my internal IP on port 8080, disable HTTPS and use the real URL WITH HTTPS for the external URL.
What I get is a messed up caddy config that results in this error when trying to access the site from the outside:

404 Site is not served on this interface

Moreover, when starting Cells I get this upon Caddy start:

Restarting proxy (generated caddyfile):

    http://192.168.220.100:8080 {
        proxy /a  192.168.220.100:43885 {
            without /a
            header_upstream Host {host}
            header_upstream X-Real-IP {remote}
            header_upstream X-Forwarded-Proto {scheme}
        }
        proxy /auth/dex 192.168.220.100:39225 {
            insecure_skip_verify
            header_upstream Host {host}
            header_upstream X-Real-IP {remote}
            header_upstream X-Forwarded-Proto {scheme}
        }
        proxy /io   :33891 {
            header_upstream Host smartshare.archidata.it
            header_upstream X-Real-IP {remote}
            header_upstream X-Forwarded-Proto {scheme}
        }
        proxy /data :33891 {
            header_upstream Host smartshare.archidata.it
            header_upstream X-Real-IP {remote}
            header_upstream X-Forwarded-Proto {scheme}
        }
        proxy /ws   192.168.220.100:40007 {
            websocket
            without /ws
        }
        proxy /plug/ 192.168.220.100:35869 {
            header_upstream Host {host}
            header_upstream X-Real-IP {remote}
            header_upstream X-Forwarded-Proto {scheme}
            header_downstream Cache-Control "public, max-age=31536000"
        }
        proxy /dav/ 192.168.220.100:34965 {
            header_upstream Host {host}
            header_upstream X-Real-IP {remote}
            header_upstream X-Forwarded-Proto {scheme}
        }

        proxy /public/ 192.168.220.100:35869 {
            header_upstream Host {host}
            header_upstream X-Real-IP {remote}
            header_upstream X-Forwarded-Proto {scheme}
        }

        proxy /user/reset-password/ 192.168.220.100:35869 {
            header_upstream Host {host}
            header_upstream X-Real-IP {remote}
            header_upstream X-Forwarded-Proto {scheme}
        }

        proxy /robots.txt 192.168.220.100:35869 {
            header_upstream Host {host}
            header_upstream X-Real-IP {remote}
            header_upstream X-Forwarded-Proto {scheme}
        }

        proxy /login 192.168.220.100:35869/gui {
            without /login
            header_upstream Host {host}
            header_upstream X-Real-IP {remote}
            header_upstream X-Forwarded-Proto {scheme}
        }

        redir 302 {
          if {path} is /
          / /login
        }

        proxy /wopi/ 192.168.220.100:33805 {
            transparent
        }

        proxy /loleaflet/ https://localhost:9980/loleaflet {
            transparent
            insecure_skip_verify
            without /loleaflet/
        }

        proxy /hosting/discovery https://localhost:9980/hosting/discovery {
            transparent
            insecure_skip_verify
            without /hosting/discovery
        }

        proxy /lool/ https://localhost:9980/lool/ {
            transparent
            insecure_skip_verify
            websocket
            without /lool/
        }

        rewrite {
            if {path} not_starts_with "/a/"
            if {path} not_starts_with "/auth/"
            if {path} not_starts_with "/io"
            if {path} not_starts_with "/data"
            if {path} not_starts_with "/ws/"
            if {path} not_starts_with "/plug/"
            if {path} not_starts_with "/dav/"
            if {path} not_starts_with "/wopi/"
            if {path} not_starts_with "/loleaflet/"
            if {path} not_starts_with "/hosting/discovery"
            if {path} not_starts_with "/lool/"
            if {path} not_starts_with "/public/"
            if {path} not_starts_with "/user/reset-password"
            if {path} not_starts_with "/robots.txt"
            to {path} {path}/ /login
        }

        errors "/home/pydio/.config/pydio/cells/logs/caddy_errors.log"
    }

Accessing the internal IP returns a grey page with the Cells logo and "loading…" underneath it, and nothing more.
Looks to me like something is wrong.

So my question is: does Cells work behind a reverse proxy with HTTPS offloading at all?
Thanks
Alberto

#2

I’ve had a lot of issues with this, but got feedback from the devs that Cells has to be able to connect to itself on its own public URL.

If you’re running directly on a VM or server, you might be able to achieve this with an /etc/hosts entry. If you’re running in Docker, you need either NAT hairpinning turned on in your router, or you need to run a local DNS server to point back to the same box. All that said, I haven’t yet set up the DNS server, but am planning on testing that soon.

#3

Hello geoff,
thanks for your reply.
The URL is correctly registered in the archidata.it zone with an A record, and if I ping from the VM I get the correct response (host is smartshare.archidata.it).
Moreover, the VM can access the internet on HTTP/HTTPS and it can access the reverse-proxy interface.
My problem seems related to the Caddy config, since it states that:

404 Site is not served on this interface

A split-brain DNS is surely possible (I already use this solution for Zimbra), but still I would like to know WHY I’d need it.
I would also like to point out that in none of the examples posted in the admin section of the manual is there an HTTPS offloading config. Only an HTTP reverse proxy.
Maybe Pydio Cells NEEDS to handle HTTPS directly?

Bye

Alberto

#4

If you have a look at the network requests in Chrome Dev Tools (or similar), can you see if there are failures?

For reference, I have my configuration for the internal URL as
0.0.0.0:8888

and the public URL as
https://domainnamehere

I too use HAProxy with TLS termination and host Cells in a Docker container.

1 Like
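As an added example (not rossbeazley's or the Pydio project's own configuration), here is a minimal HAProxy TLS-offloading frontend/backend that matches the setup described in this reply: HAProxy terminates TLS on 443 and forwards plain HTTP to Cells, whose internal URL is bound on all interfaces (0.0.0.0:8080) and whose external URL is the https public name. The certificate path, port numbers and the hostname smartshare.archidata.it taken from the thread are assumptions for illustration.

```haproxy
global
    log /dev/log local0
    # Reasonable TLS floor for the offloading frontend (assumed policy)
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    # Adds X-Forwarded-For with the client address for Cells' logs
    option forwardfor
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # The /ws websocket path stays open for long periods; size this for it
    timeout tunnel  1h

frontend fe_cells
    # One PEM containing the full chain followed by the private key (assumed path)
    bind :443 ssl crt /etc/haproxy/certs/smartshare.archidata.it.pem alpn h2,http/1.1
    bind :80
    # Everything goes over TLS; Cells builds its links from the https external URL
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Standard reverse-proxy headers for the upstream
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port %[dst_port]
    http-response set-header Strict-Transport-Security "max-age=31536000"
    # Host header is passed through unchanged: Cells sees its public name
    default_backend be_cells

backend be_cells
    # Cells internal URL configured as 0.0.0.0:8080 (all interfaces), plain HTTP.
    # 192.168.220.100 is the VM address from the thread, used here as an assumption.
    server cells 192.168.220.100:8080 check
```

Two points worth checking against your own deployment. First, the Host header HAProxy forwards is the public name, not the VM's IP; Caddy (the proxy Cells generates) keys its site on the host part of the internal URL, so a site address of `http://192.168.220.100:8080` only matches requests whose Host is that IP, and anything else gets "404 Site is not served on this interface". Binding on `0.0.0.0:8080` gives a site with an empty host that accepts any Host header, which is why the change in this reply works. Second, per the earlier reply in this thread, Cells must also be able to reach its own public URL from the host it runs on; with a hosts entry or split DNS, that name should resolve to whatever the Cells host can actually reach (the HAProxy frontend, or the Cells listener itself).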
#5

Hello rossbeazley,
that DID IT! Many thanks.
Binding Caddy to 0.0.0.0:8080 solved the problem.
What was the process that brought you to use that binding?
Thank you

Alberto

#6

I would never know what the IP address would be (it can change on a deploy), so 0.0.0.0 binds to all interfaces on the machine.

That's all ¯\_(ツ)_/¯

#7

Maybe we mark this as [solved]?

#8

Yep, you are right.
Still, I would like to understand why binding to the appropriate address did not work…
I understand that Cells is still a work in progress on many aspects, like missing sync or no content indexing; still, the performance gain over Pydio 8 is really impressive.
Thanks again for your help.
Bye
Alberto

closed #9
#10

Hi @Bittone,
if you have more questions you can open a topic about it.