[SOLVED] Pydio Cells doesn't work behind Haproxy with HTTPS offloading

Hello,
I have been trying to install Cells three times but still it seems something is wrong if I try to use it behind a HAproxy HTTPS offloader rev-proxy. The very same reverse proxy offloading config works perfectly fine for Pydio 8.
When trying to configure I use my internal IP on port 8080, disable HTTPS and use the real URL WITH HTTPS for the external URL.
What I get is a messed up caddy config that results in this error when trying to access the site from the outside:

404 Site is not served on this interface

Moreover when starting cells I get this upon caddy start:

Restarting proxy	{"caddyfile": "
http://192.168.220.100:8080 {
    proxy /a  192.168.220.100:43885 {
        without /a
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }
    proxy /auth/dex 192.168.220.100:39225 {
        insecure_skip_verify
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }
    proxy /io   :33891 {
        header_upstream Host smartshare.archidata.it
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }
    proxy /data :33891 {
        header_upstream Host smartshare.archidata.it
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }
    proxy /ws   192.168.220.100:40007 {
        websocket
        without /ws
    }
    proxy /plug/ 192.168.220.100:35869 {
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-Proto {scheme}
        header_downstream Cache-Control "public, max-age=31536000"
    }
    proxy /dav/ 192.168.220.100:34965 {
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }

    proxy /public/ 192.168.220.100:35869 {
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }

    proxy /user/reset-password/ 192.168.220.100:35869 {
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }

    proxy /robots.txt 192.168.220.100:35869 {
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }

    proxy /login 192.168.220.100:35869/gui {
        without /login
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }

    redir 302 {
        if {path} is /
        / /login
    }

    proxy /wopi/ 192.168.220.100:33805 {
        transparent
    }

    proxy /loleaflet/ https://localhost:9980/loleaflet {
        transparent
        insecure_skip_verify
        without /loleaflet/
    }

    proxy /hosting/discovery https://localhost:9980/hosting/discovery {
        transparent
        insecure_skip_verify
        without /hosting/discovery
    }

    proxy /lool/ https://localhost:9980/lool/ {
        transparent
        insecure_skip_verify
        websocket
        without /lool/
    }

    rewrite {
        if {path} not_starts_with "/a/"
        if {path} not_starts_with "/auth/"
        if {path} not_starts_with "/io"
        if {path} not_starts_with "/data"
        if {path} not_starts_with "/ws/"
        if {path} not_starts_with "/plug/"
        if {path} not_starts_with "/dav/"
        if {path} not_starts_with "/wopi/"
        if {path} not_starts_with "/loleaflet/"
        if {path} not_starts_with "/hosting/discovery"
        if {path} not_starts_with "/lool/"
        if {path} not_starts_with "/public/"
        if {path} not_starts_with "/user/reset-password"
        if {path} not_starts_with "/robots.txt"
        to {path} {path}/ /login
    }

    errors "/home/pydio/.config/pydio/cells/logs/caddy_errors.log"
}
"}

Accessing the internal IP returns a grey page with the Cells logo and “loading…” underneath it and nothing more.
Looks to me like something is wrong.

So my question is: does Cells work behind a rev-proxy with HTTPS offloading at all?
Thanks
Alberto

I’ve had a lot of issues with this but got feedback from the devs that Cells has to be able to connect to itself on its own public URL.

If you’re running directly on a VM or server, you might be able to achieve this with an /etc/hosts entry. If you’re running in Docker, you need either NAT hairpinning turned on in your router, or you need to run a local DNS server to point back to the same box. All that said, I haven’t yet set up the DNS server, but am planning on testing that soon.

Hello geoff,
thanks for your reply.
The URL is correctly registered in the archidata.it zone with an A record. And if I ping from the VM I get the correct response (host is smartshare.archidata.it).
Moreover the VM can access internet on HTTP/HTTPS and it can access the rev-proxy interface.
My problem seems related to caddy config since it states that:

404 Site is not served on this interface

A split-brain DNS is surely possible (I already use this solution for Zimbra) but still I would like to know WHY I’d need it.
I would also like to point out that none of the examples posted in the admin section of the manual contains an HTTPS offloading config. Only HTTP rev-proxy.
Maybe pydio-cells NEEDS to handle HTTPS directly?

Bye

Alberto

If you have a look at the network requests in chrome Dev tools (or similar) can you see if there are failures?

For reference I have my configuration for internal URL as
0.0.0.0:8888

And public url as
https://domainnamehere

I too use haproxy with TLS termination and host Cells in a docker container


Hello rossbeazley,
that DID IT! Many thanks.
Binding caddy to 0.0.0.0:8080 solved the problem.
What was the process that brought you to use that binding?
Thank you

Alberto

I would never know what the IP address would be (it can change on a deploy) so 0.0.0.0 binds to all interfaces on the machine.

that's all ¯\_(ツ)_/¯

maybe we mark this as [solved] ?

Yep you are right.
Still I would like to understand why the binding to the appropriate address did not work…
I understand that Cells is still a work in progress on many aspects, like missing sync or no content indexing; still, the performance gain over Pydio 8 is really impressive.
Thanks again for your help.
Bye
Alberto
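As an added illustration of the open question above (why binding to the VM's own address failed while 0.0.0.0 works), and not code from Pydio, Caddy or anyone in this thread: the Caddy 1.x server that Cells embedded at the time (the `proxy`/`header_upstream` syntax in the log above is Caddy 1 syntax) selects a site block by the request's Host header, and only a site whose host is 0.0.0.0 (or empty) serves any hostname. HAproxy passes `Host: smartshare.archidata.it` through to the internal bind, which a site keyed on `192.168.220.100:8080` never matches, hence "404 Site is not served on this interface". The matching rule below is my simplified re-statement of that behaviour, an assumption rather than a quote of Caddy's source; the addresses are the ones from the thread, and the `probe` helper is a hypothetical diagnostic that sends one request with a chosen Host header to the internal bind.

```python
"""Why a Caddy 1 site keyed on the VM address 404s behind HAproxy.

Added example, not code from Pydio, Caddy or anyone in this thread. The
matching rule is a simplified re-statement (an assumption, not a quote of
Caddy's source) of how the Caddy 1.x server embedded in Cells picks a site
block for a request: exact hostname match, then a 0.0.0.0 / empty-host
catch-all. Addresses and Host values are the ones in the thread.
"""
import urllib.error
import urllib.request

NOT_SERVED = "Site is not served on this interface"

# Constructed from the thread: the site block Cells generated when the
# internal URL was the VM address, and the one it generates for 0.0.0.0.
SITES_BEFORE = ["http://192.168.220.100:8080"]
SITES_AFTER = ["http://0.0.0.0:8080"]

# Host header values that reach Caddy here: HAproxy forwards the public
# name unchanged, a browser on the LAN sends the IP and port.
REQUEST_HOSTS = ["smartshare.archidata.it", "192.168.220.100:8080"]


def strip_port(hostport: str) -> str:
    """'192.168.220.100:8080' -> '192.168.220.100'; bare names pass through."""
    host, sep, port = hostport.rpartition(":")
    return host if sep and port.isdigit() else hostport


def site_host(site_addr: str) -> str:
    """Hostname part of a Caddy 1 site address ('http://a:8080' -> 'a')."""
    return strip_port(site_addr.split("://", 1)[-1])


def choose_site(sites, host_header):
    """Return the site address that would serve this request, or None.

    Exact hostname match wins; otherwise a site whose host is 0.0.0.0
    (what Cells writes for an internal URL of 0.0.0.0:PORT) or empty
    serves any Host header. No site -> Caddy 1 answers 404.
    """
    host = strip_port(host_header)
    by_host = {site_host(s): s for s in sites}
    if host in by_host:
        return by_host[host]
    for catch_all in ("0.0.0.0", ""):
        if catch_all in by_host:
            return by_host[catch_all]
    return None


def explain(sites, hosts):
    """Map each Host header to its serving site, or the 404 text Caddy 1
    writes when nothing matches."""
    result = {}
    for h in hosts:
        site = choose_site(sites, h)
        result[h] = site if site else f"404 {NOT_SERVED} (Host: {strip_port(h)})"
    return result


def probe(internal_url, host_header, timeout=5.0):
    """Send one request to the internal Caddy bind with an explicit Host
    header and return (status, body_says_not_served). Hypothetical helper;
    it talks to the network and is not exercised offline."""
    req = urllib.request.Request(internal_url, headers={"Host": host_header})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return resp.status, NOT_SERVED in body
    except urllib.error.HTTPError as err:
        body = err.read(4096).decode("utf-8", "replace")
        return err.code, NOT_SERVED in body


if __name__ == "__main__":
    for label, sites in (("internal URL = VM IP", SITES_BEFORE),
                         ("internal URL = 0.0.0.0", SITES_AFTER)):
        print(label)
        for host, outcome in explain(sites, REQUEST_HOSTS).items():
            print(f"  Host: {host:<28} -> {outcome}")
    # To check a live instance from the VM itself, for example:
    # print(probe("http://192.168.220.100:8080/", "smartshare.archidata.it"))
```

Run as-is it prints the before/after table offline; the `probe` call is the same check as `curl -H "Host: smartshare.archidata.it" http://192.168.220.100:8080/` from the VM. The practical rule that falls out of it: with a TLS-terminating proxy in front that preserves the Host header, the Cells internal URL must either be the public hostname itself or 0.0.0.0:PORT, never the bare interface IP.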

Hi @Bittone,
If you have more questions, you can open a topic about it.