docker-compose: can't connect to DB

[MightyCreak]

I am trying to install FreshRSS on my server using docker-compose, but I get this error when setting up the database:

Arf ! Vérifiez les informations d’accès à la base de données. : Access to database is denied for freshrss: SQLSTATE[08006] [7] could not connect to server: Connection refused Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432? could not connect to server: Cannot assign requested address Is the server running on host "localhost" (::1) and accepting TCP/IP connections on port 5432?

Steps to reproduce

I tried the same steps on Fedora 32 (the Linux on my local machine) using podman-compose and it worked as expected.

It is when I installed FreshRSS on my server that I got the error. The differences are that my server is on Ubuntu 18.04 and I use Nginx on my server (while I was using localhost:8080 on my machine)

1. Be on Ubuntu 18.04

2. Copy the docker-compose.yml file locally

3. Run docker-compose up -d

4. Set up nginx using the conf given in the FreshRSS repo but removing the SSL part for now:

    upstream freshrss {
        server 127.0.0.1:8500;
    }
    
    server {
        server_name feed.example.net;
        listen      80;
        listen [::]:80;
   
        # Needed for Freshrss cookie/session :
        proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=Lax";
   
        location / {
                proxy_pass http://freshrss/;
                add_header X-Frame-Options SAMEORIGIN;
                add_header X-XSS-Protection "1; mode=block";
                proxy_redirect off;
                proxy_buffering off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Port $server_port;
                proxy_read_timeout 90;
   
                # Forward the Authorization header for the Google Reader API.
                proxy_set_header Authorization $http_authorization;
                proxy_pass_header Authorization;
        }
    }
   

5. Restart Nginx: sudo systemctl reload nginx.service

6. Go to http://feed.example.net

7. Set up the language, pass the verifications, and set up the database like this:
   db type: postgresql
   host: localhost
   user: freshrss
   passwd: freshrss
   database: freshrss

8. Validate

9. See the error appear in red at the top:
   

Debugging

I learned that with PostgreSQL we can test the db connection with pg_isready so I did that, first in the db container and then in the app container.

In freshrss-db

1. Get into the container:

    $ docker exec -it freshrss-db bash
   

2. Run:

    $ pg_isready -d freshrss -h localhost -p 5432 -U freshrss
   

3. See the output:

    localhost:5432 - accepting connections
   

In freshrss-app

1. Get into the container:

    $ docker exec -it freshrss-app bash
   

2. Update the packages and install postgresql-client

    $ apt update
    $ apt install postgresql-client
   

3. Run:

    $ pg_isready -d freshrss -h localhost -p 5432 -U freshrss
   

4. See the output:

    localhost:5432 - no response
   

5. Try with the host freshrss-db instead:

    $ pg_isready -d freshrss -h freshrss-db -p 5432 -U freshrss
   

6. See the output:

    freshrss-db:5432 - accepting connections
   

As you can see, the connections are accepted on freshrss-db, but then if I change db host from localhost to freshrss-db in the form, I get a weird behavior: it reload the DB setup page as if I first arrived on it (with only SQLite selected in the dropdown).

[Alkarex]

Please restart from scratch and provide:

• Output of docker ps -a
• Screenshot of the FreshRSS database form (you must use freshrss-db as hostname for the DB)

[MightyCreak]

Thanks @Alkarex, I'll do that as soon as I get back home!

[MightyCreak]

Well, I think you found the culprit!

I have tt-rss mounted up as well and it is also using a postgres container listening on port 5432...

I know that eventually I'll remove tt-rss, but do you know if there is a way with docker-compose to really create a networking bubble where I could put both FreshRss and PostgreSQL using standard port 5432 without interfering with the other containers?

I don't know if I'm asking too much here (both from you and from docker ;) )

Edit:
Wait... this is actually what the domain names are in Docker.. that is why I can reach freshrss-db:5432 from freshrss-app.
I'll continue the investigation...

Here's the output of docker ps -a:

$ docker ps -a
CONTAINER ID        IMAGE                             COMMAND                  CREATED             STATUS              PORTS                                       NAMES
537865f4ca8e        freshrss/freshrss:latest          "./Docker/entrypoint…"   16 seconds ago      Up 13 seconds       0.0.0.0:8080->80/tcp                        freshrss-app
642378ac3aea        postgres:12-alpine                "docker-entrypoint.s…"   18 seconds ago      Up 16 seconds       5432/tcp                                    freshrss-db
31acefb1a996        cthulhoo/ttrss-fpm-pgsql-static   "/updater.sh"            3 days ago          Up 3 days           9000/tcp                                    ttrssdocker_updater_1
90088ce08256        cthulhoo/ttrss-web                "/bin/parent caddy -…"   3 days ago          Up 3 days           80/tcp, 443/tcp, 127.0.0.1:8280->2015/tcp   ttrssdocker_web_1
7242ec296858        cthulhoo/ttrss-fpm-pgsql-static   "/bin/sh -c /startup…"   3 days ago          Up 3 days           9000/tcp                                    ttrssdocker_app_1
bd4f34e934af        postgres:12-alpine                "docker-entrypoint.s…"   3 days ago          Up 3 days           5432/tcp                                    ttrssdocker_db_1

Screenshot before I click on "Validate":

Screenshot after I click on "Validate":

[MightyCreak]

So I dug a little further and got into PostgreSQL and connected to freshrss-db server from the freshrss-app container.

It seems even after validating the form, I don't have any tables in the DB. Here are the command lines and the output I did:

root@freshrss-app:/var/www/FreshRSS# pg_isready -d freshrss -h freshrss-db -p 5432 -U freshrss
freshrss-db:5432 - accepting connections

root@freshrss-app:/var/www/FreshRSS# psql -h freshrss-db -U freshrss -p 5432
Password for user freshrss: 
psql (11.9 (Debian 11.9-0+deb10u1), server 12.4)
WARNING: psql major version 11, server major version 12.
         Some psql features might not work.
Type "help" for help.

freshrss=# select version();
                                        version                                        
---------------------------------------------------------------------------------------
 PostgreSQL 12.4 on x86_64-pc-linux-musl, compiled by gcc (Alpine 9.3.0) 9.3.0, 64-bit
(1 row)

freshrss=# \l
                                 List of databases
   Name    |  Owner   | Encoding |  Collate   |   Ctype    |   Access privileges   
-----------+----------+----------+------------+------------+-----------------------
 freshrss  | freshrss | UTF8     | en_US.utf8 | en_US.utf8 | 
 postgres  | freshrss | UTF8     | en_US.utf8 | en_US.utf8 | 
 template0 | freshrss | UTF8     | en_US.utf8 | en_US.utf8 | =c/freshrss          +
           |          |          |            |            | freshrss=CTc/freshrss
 template1 | freshrss | UTF8     | en_US.utf8 | en_US.utf8 | =c/freshrss          +
           |          |          |            |            | freshrss=CTc/freshrss
(4 rows)

freshrss=# \c freshrss
psql (11.9 (Debian 11.9-0+deb10u1), server 12.4)
WARNING: psql major version 11, server major version 12.
         Some psql features might not work.
You are now connected to database "freshrss" as user "freshrss".
freshrss=# \dt
Did not find any relations.

[MightyCreak]

Hello @Alkarex, sorry to bother you 😕 do you have any idea what could be the problem?

[Alkarex]

As a plan B, you can always use SQLite. The performances are good.
What logs do you have in e.g. docker logs -f freshrss-app ?
Have you tried to delete your PostgreSQL container AND PostgreSQL volume before trying again?
Then try a docker-compose pull to get the latest images.
And post your docker ps -a.
If that still does not work, we should give it a try with the CLI approach to install FreshRSS (instead of Web interface) to try to get more debug information.

[MightyCreak]

Hello @Alkarex !

Note: I tried again and pulled the latest image using docker-compose pull before

Have you tried to delete your PostgreSQL container AND PostgreSQL volume before trying again?

Yes, always, I use the command docker-compose down && docker volume prune each time I make another try. And, this time, I made extra care that no FreshRSS volumes where still here.

As a plan B, you can always use SQLite. The performances are good.

I've tried with SQLite, but the result is the same: when clinking on "Validate", I am being redirected to i/index.php?step=2.

What logs do you have in e.g. docker logs -f freshrss-app ?

Here are the freshrss-app logs when using SQLite (I've obfuscated the domain name):

$ docker logs -f freshrss-app
Result: success
[Thu Nov 05 07:26:31.174426 2020] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.38 (Debian) configured -- resuming normal operations
[Thu Nov 05 07:26:31.174741 2020] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
192.222.209.176 - - [05/Nov/2020:07:26:34 -0500] "GET / HTTP/1.0" 200 446 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
192.222.209.176 - - [05/Nov/2020:07:26:34 -0500] "GET /themes/p.css HTTP/1.0" 200 172 "http://example.com/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
192.222.209.176 - - [05/Nov/2020:07:26:34 -0500] "GET /themes/icons/icon.svg HTTP/1.0" 200 266 "http://example.com/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
192.222.209.176 - - [05/Nov/2020:07:26:34 -0500] "GET /i/ HTTP/1.0" 200 1135 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
192.222.209.176 - - [05/Nov/2020:07:26:34 -0500] "GET /themes/Origine/origine.css?1604524385 HTTP/1.0" 200 4220 "http://example.com/i/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
192.222.209.176 - - [05/Nov/2020:07:26:34 -0500] "GET /themes/base-theme/template.css?1604524385 HTTP/1.0" 200 5027 "http://example.com/i/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
192.222.209.176 - - [05/Nov/2020:07:26:34 -0500] "GET /scripts/install.js?1604524385 HTTP/1.0" 200 803 "http://example.com/i/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
192.222.209.176 - - [05/Nov/2020:07:26:36 -0500] "GET /i/?step=1 HTTP/1.0" 200 1096 "http://example.com/i/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
[Thu Nov 05 07:26:37.517947 2020] [php7:notice] [pid 30] [client 192.222.209.176:0] PHP Notice:  session_start(): A session had already been started - ignoring in /var/www/FreshRSS/lib/Minz/Session.php on line 72, referer: http://example.com/i/?step=1
192.222.209.176 - - [05/Nov/2020:07:26:37 -0500] "GET /i/?step=2 HTTP/1.0" 200 1068 "http://example.com/i/?step=1" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
[Thu Nov 05 07:26:38.454287 2020] [php7:notice] [pid 27] [client 192.222.209.176:0] PHP Notice:  session_start(): A session had already been started - ignoring in /var/www/FreshRSS/lib/Minz/Session.php on line 72, referer: http://example.com/i/?step=2
192.222.209.176 - - [05/Nov/2020:07:26:38 -0500] "POST /i/index.php?step=2 HTTP/1.0" 302 3538 "http://example.com/i/?step=2" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
192.222.209.176 - - [05/Nov/2020:07:26:38 -0500] "GET /i/index.php?step=3 HTTP/1.0" 302 3122 "http://example.com/i/?step=2" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
[Thu Nov 05 07:26:38.551156 2020] [php7:notice] [pid 28] [client 192.222.209.176:0] PHP Notice:  session_start(): A session had already been started - ignoring in /var/www/FreshRSS/lib/Minz/Session.php on line 72, referer: http://example.com/i/?step=2
192.222.209.176 - - [05/Nov/2020:07:26:38 -0500] "GET /i/index.php?step=2 HTTP/1.0" 200 1068 "http://example.com/i/?step=2" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
[Thu Nov 05 07:26:39.510160 2020] [php7:notice] [pid 29] [client 192.222.209.176:0] PHP Notice:  session_start(): A session had already been started - ignoring in /var/www/FreshRSS/lib/Minz/Session.php on line 72, referer: http://example.com/i/index.php?step=2
192.222.209.176 - - [05/Nov/2020:07:26:39 -0500] "POST /i/index.php?step=2 HTTP/1.0" 302 3538 "http://example.com/i/index.php?step=2" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
192.222.209.176 - - [05/Nov/2020:07:26:39 -0500] "GET /i/index.php?step=3 HTTP/1.0" 302 3122 "http://example.com/i/index.php?step=2" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
[Thu Nov 05 07:26:39.607562 2020] [php7:notice] [pid 27] [client 192.222.209.176:0] PHP Notice:  session_start(): A session had already been started - ignoring in /var/www/FreshRSS/lib/Minz/Session.php on line 72, referer: http://example.com/i/index.php?step=2
192.222.209.176 - - [05/Nov/2020:07:26:39 -0500] "GET /i/index.php?step=2 HTTP/1.0" 200 1068 "http://example.com/i/index.php?step=2" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
[Thu Nov 05 07:26:40.488203 2020] [php7:notice] [pid 31] [client 192.222.209.176:0] PHP Notice:  session_start(): A session had already been started - ignoring in /var/www/FreshRSS/lib/Minz/Session.php on line 72, referer: http://example.com/i/index.php?step=2
192.222.209.176 - - [05/Nov/2020:07:26:40 -0500] "POST /i/index.php?step=2 HTTP/1.0" 302 3538 "http://example.com/i/index.php?step=2" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
192.222.209.176 - - [05/Nov/2020:07:26:40 -0500] "GET /i/index.php?step=3 HTTP/1.0" 302 3122 "http://example.com/i/index.php?step=2" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
[Thu Nov 05 07:26:40.565687 2020] [php7:notice] [pid 29] [client 192.222.209.176:0] PHP Notice:  session_start(): A session had already been started - ignoring in /var/www/FreshRSS/lib/Minz/Session.php on line 72, referer: http://example.com/i/index.php?step=2
192.222.209.176 - - [05/Nov/2020:07:26:40 -0500] "GET /i/index.php?step=2 HTTP/1.0" 200 1068 "http://example.com/i/index.php?step=2" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"

I've clicked several time on "Validate", that's why I have lots of POST->GET->GET triplets at the end. Apparently, what's happening is "Validate" requests POST /i/index.php?step=2 which returns a 302 to GET /i/index.php?step=3 which also returns a 302 to GET /i/index.php?step=2.. and we're back to the step 2.

Compared to last time (with older images) there is a new entry in the log each time between the last two GETs:

PHP Notice:  session_start(): A session had already been started - ignoring in /var/www/FreshRSS/lib/Minz/Session.php on line 72

Just to be sure, I've tried in a private tab and the log above is the result of it.

And post your docker ps -a.

$ docker ps -a
CONTAINER ID        IMAGE                             COMMAND                  CREATED             STATUS              PORTS                                       NAMES
ee6a6facd0b8        freshrss/freshrss:latest          "./Docker/entrypoint…"   6 minutes ago       Up 5 minutes        0.0.0.0:8500->80/tcp                        freshrss-app
63407f195df8        postgres:12-alpine                "docker-entrypoint.s…"   6 minutes ago       Up 6 minutes        5432/tcp                                    freshrss-db
31acefb1a996        cthulhoo/ttrss-fpm-pgsql-static   "/updater.sh"            5 weeks ago         Up 11 days          9000/tcp                                    ttrssdocker_updater_1
90088ce08256        cthulhoo/ttrss-web                "/bin/parent caddy -…"   5 weeks ago         Up 11 days          80/tcp, 443/tcp, 127.0.0.1:8280->2015/tcp   ttrssdocker_web_1
7242ec296858        cthulhoo/ttrss-fpm-pgsql-static   "/bin/sh -c /startup…"   5 weeks ago         Up 11 days          9000/tcp                                    ttrssdocker_app_1
bd4f34e934af        1803a5e2bc8e                      "docker-entrypoint.s…"   5 weeks ago         Up 11 days          5432/tcp                                    ttrssdocker_db_1
564baa0d5eea        funkwhale/all-in-one:1.0          "/init"                  8 weeks ago         Up 11 days          0.0.0.0:5000->80/tcp                        funkwhale

If that still does not work, we should give it a try with the CLI approach to install FreshRSS (instead of Web interface) to try to get more debug information.

I guess that's the next step then 😉

[Alkarex]

Did you try with our most recent release freshrss/freshrss:1.17.0 ?
I will double-check the latest version tomorrow.

[MightyCreak]

I've tested again with the latest version (image ID: 82a10e9a838f, digest: 95e4e67fb6a8) but the result is the same.

Then I've tested with 1.17.0 (and postgres 12-alpine as it is set in the latest docker-compose.yml), but same result again.

I'm sure it has something to do with my setup, because you should have more people with the same issue by now. Though, I don't have anything extraordinary, it is a basic Kimsufi/OVH server with Ubuntu 18.04.

[snugglej]

I wanted to leave a comment that I'm trying to set this up on a remote postgresql server on Azure and I'm getting the same error.

If I test with the proper query form the command line on the web server I can connect but I can't connect through the configuration screen:

psql "host={myname}.postgres.database.azure.com port=5432 user=freshaccess@{myhostname} dbname=freshrss"

psql "host={myname}.postgres.database.azure.com port=5432 user=freshaccess@{myhostname} dbname=freshrss sslmode=require"

Was there ever a solution found for this?

[Alkarex]

@snugglej 's issue was a bit different and solved #3376

[jinyu121]

I'm facing exactly the same issue here. Same version, same status.
I found that the server can not accept any parameter when you click "submit". When you click submit, a 302 redirect response is generated, rather than a 200 response.

[jinyu121]

Besides, the config.php is generated, and the info is right.

[Alkarex]

@jinyu121 Could you please share the docker-compose you are trying?

[jinyu121]

The docker-compose file

version: "3.6"
services:
  # Infrastructure
  nginx:
    image: nginx:alpine
    container_name: nginx
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx:/etc/nginx/conf.d:ro
      - ./logs:/var/log/nginx
    depends_on:
      - freshrss-web
    restart: always

  # FressRSS
  freshrss-web:
    image: freshrss/freshrss:latest
    container_name: freshrss-web
    restart: always
    depends_on:
      - freshrss-postgres
      - freshrss-mysql
    volumes:
      - ./fresh_rss/data:/var/www/FreshRSS/data
      - ./fresh_rss/extensions:/var/www/FreshRSS/extensions
    environment:
      CRON_MIN: '*/20'
      TZ: Asia/Shanghai

  freshrss-postgres:
    image: postgres:alpine
    container_name: freshrss-postgres
    restart: always
    volumes:
      - ./postgres:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: freshrss
      POSTGRES_PASSWORD: freshrss
      POSTGRES_DB: freshrss

  freshrss-mysql:
    image: mariadb
    container_name: freshrss-mysql
    restart: always
    volumes:
      - ./mysql:/var/lib/mysql
    command:
      - --character-set-server=utf8mb4
      - --collation-server=utf8mb4_unicode_ci
    environment:
      - MYSQL_ROOT_PASSWORD=freshrss
      - MYSQL_USER=freshrss
      - MYSQL_PASSWORD=freshrss
      - MYSQL_DATABASE=freshrss

[jinyu121]

When you submit your database setting for the first time, there is an error in the docker-compose log:

freshrss-postgres    | 2021-02-06 16:29:53.373 UTC [59] ERROR:  database "freshrss" already exists
freshrss-postgres    | 2021-02-06 16:29:53.373 UTC [59] STATEMENT:  CREATE DATABASE "freshrss" ENCODING 'UTF8';

Other info are just the same with #3198 (comment) and #3198 (comment)

[Alkarex]

@jinyu121 Could you please try the docker-compose below, based on yours but with slight modifications, just for debugging?

version: "3.6"

volumes:
    freshrss-postgres-data:
    freshrss-web-data:
    freshrss-web-extensions:

services:

  freshrss-web:
    image: freshrss/freshrss:latest
    container_name: freshrss-web
    restart: always
    depends_on:
      - freshrss-postgres
    volumes:
      - freshrss-web-data:/var/www/FreshRSS/data
      - freshrss-web-extensions:/var/www/FreshRSS/extensions
    ports:
      - 8080:80
    environment:
      CRON_MIN: '*/20'
      TZ: Asia/Shanghai

  freshrss-postgres:
    image: postgres:alpine
    container_name: freshrss-postgres
    restart: always
    volumes:
      - freshrss-postgres-data:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: freshrss
      POSTGRES_PASSWORD: freshrss
      POSTGRES_DB: freshrss

[jinyu121]

@Alkarex This file works fine.

---

But back to my config, the first step is language select, right? When I select Chinese and submit, the UI is still English. But this configuration works as exactly what have expected.

[Frenzie]

Not all strings are translated into Chinese, although I believe most are.

[aledeg]

@jinyu121 As @Frenzie mentioned, not all strings are translated. You are welcomed to translate the missing strings to help us. That would be really appreciated!

[Alkarex]

@jinyu121 Ok. The usual suspect is then nginx, which is very error prone and therefore often badly configured. Could you please share your configuration?

But except if you really want nginx, I suggest to use a dedicated reverse proxy software such as Traefik (better, easier, safer). In case that might be relevant, here is a full example with Traefik + Let's Encrypt, IPv6-enabled (I will put it in our documentation via #3351 )

version: "2.4"

networks:
  network:
    enable_ipv6: true
    ipam:
      config:
        - subnet: 172.20.0.0/16
        - subnet: fd10::/80

volumes:
    postgres-data:
    freshrss-data:
    freshrss-extensions:

services:

  traefik:
    image: traefik:2.3
    container_name: traefik
    restart: unless-stopped
    logging:
      options:
        max-size: 10m
    ports:
      - 80:80
      - 443:443
    networks:
      - network
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/ssd/docker/volumes/traefik-tmp:/tmp
      - /mnt/ssd/docker/volumes/traefik-letsencrypt:/etc/traefik/acme
      - ./traefik/tls.yaml:/etc/traefik/tls.yaml:ro
    command:
      - --global.sendAnonymousUsage
      - --accesslog=false
      - --api=false
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --log.level=INFO
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --entryPoints.http.http.redirections.entryPoint.to=https
      - --entryPoints.http.http.redirections.entryPoint.scheme=https
      - --certificatesResolvers.letsEncrypt.acme.storage=/etc/traefik/acme/acme.json
      - --certificatesResolvers.letsEncrypt.acme.email=${ADMIN_EMAIL}
      - --certificatesResolvers.letsEncrypt.acme.tlsChallenge=true
      - --providers.file.filename=/etc/traefik/tls.yaml
    labels:
      - traefik.enable=false

  postgres:
    image: postgres:13
    container_name: postgres
    restart: unless-stopped
    logging:
      options:
        max-size: 10m
    networks:
      - network
    expose:
      - 5432
    volumes:
      - postgres-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_DB=${POSTGRES_DB}
    labels:
      - traefik.enable=false

  freshrss:
    image: freshrss/freshrss
    container_name: freshrss
    restart: unless-stopped
    depends_on:
      - postgres
    logging:
      options:
        max-size: 10m
    networks:
      - network
    volumes:
      - /mnt/ssd/git/FreshRSS:/var/www/FreshRSS
      - freshrss-data:/var/www/FreshRSS/data
      - freshrss-extensions:/var/www/FreshRSS/extensions
    environment:
      - CRON_MIN=4,34
      - TZ=Europe/Paris
      - FRESHRSS_ENV=development
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.freshrssM1.compress=true
      - traefik.http.middlewares.freshrssM2.headers.forceSTSHeader=true
      - traefik.http.middlewares.freshrssM2.headers.stsSeconds=31536000
      - traefik.http.routers.freshrss.middlewares=freshrssM1,freshrssM2
      - traefik.http.routers.freshrss.entryPoints=https
      - traefik.http.routers.freshrss.rule=Host(`freshrss.${SERVER_DNS}`)
      - traefik.http.routers.freshrss.tls=true
      - traefik.http.routers.freshrss.tls.certResolver=letsEncrypt

  ipv6nat:
    image: robbertkl/ipv6nat
    container_name: ipv6nat
    privileged: true
    restart: unless-stopped
    logging:
      options:
        max-size: 10m
    network_mode: host
    volumes:
      - /lib/modules:/lib/modules:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - traefik.enable=false

tls.yaml:

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256

.env:

ADMIN_EMAIL=admin@example.net
POSTGRES_DB=freshrss
POSTGRES_USER=freshrss
POSTGRES_PASSWORD=freshrss
SERVER_DNS=example.net

[Alkarex]

I can reproduce your symptoms, when the PHP session is not working (typically due to a cookie misconfiguration in nginx). I will try to add a test for that in the installer.

[jinyu121]

@Frenzie , I'm willing to join the translation group. But the question here is not about translation itself.

If I use Nginx, the language selection is not working at all, and almost all configuration do not work. As @Alkarex mentioned, the cookie/session seems broken.
But if not behind Nginx, everything is OK. For example, at the first step of the install guide, I selected Chinese, and when I reach step 2, everything is Chinese.

[Alkarex]

@jinyu121 I am making a patch, so it will not be possible to pass the step 1 of the installer if the session/cookies are broken.
Please show your nginx config - there is likely a little bug somewhere in it

[Alkarex]

@jinyu121 In a few minutes, there will be a new build a626e5f on https://hub.docker.com/r/freshrss/freshrss/builds ; please give it a try

[jinyu121]

Thank you for your fix.

Here is my Nginx configuration:

server {
    listen 443 http2 ssl;
    # listen [::]:443 http2 ssl ipv6only=on;

    server_name domain.of.my.site;

    ssl_certificate         /etc/letsencrypt/live/domain.of.my.site/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/domain.of.my.site/key.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.of.my.site/ca.pem;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

# Note that the website is under sub-folder
location /read/ {
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_pass       http://freshrss-web/;
}

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        try_files '' /index.html =404;
    }
}

And after upgrade to the newest docker/code, as you said, I can not get into step1 (checks) of installation.

---

I checked my cookie, and saw this:

set-cookie: FreshRSS=trfdbirov0u45377fbos31a4jm; path=/i/; HttpOnly; SameSite=Lax

But the URL of the install guide is

http://domain.of.my.site/read/i/index.php

So I think the cookie here should be path=/read/I/ rather than path=/i/?

But I added

proxy_cookie_path /read /;

into the Nginx configuration, not work.

---

solved:

proxy_cookie_path /i/ /read/i/;

[Alkarex]

Right, but then this might be a sign of yet another nginx-related wrong configuration, making FreshRSS unable to detect its public address properly.
Could you please check in ./FreshRSS/data/config.php the line 'base_url', which I am afraid might be wrong?

docker exec freshrss-web cat data/config.php

When the base_url is wrong, several features will not work, such as WebSub (getting instead notifications of new articles from compatible Web sites)

[Alkarex]

P.S. If the proxy changes the path, it needs to provide a X-Forwarded-Prefix header

[jinyu121]

Thank you @Alkarex.
Before adding X-Forwarded-Prefix, the base_url is domain.of.my.site; after add that, is domain.of.my.site/read, so I do not have to add the proxy_cookie_path setting. X-Forwarded-Prefix solved this issue.

[Alkarex]

@jinyu121 Excellent. Would you mind editing https://github.com/FreshRSS/FreshRSS/blob/master/Docker/README.md#alternative-reverse-proxy-using-nginx to add the missing information? Thanks!

[MightyCreak]

Well... bad news for me it still doesn't work (it's even a bit worse now) 😞

I've pulled the most recent docker-compose.yml and docker images. Here's my docker-compose.yml:

version: "3"

services:
  freshrss-db:
    image: postgres:12-alpine
    container_name: freshrss-db
    hostname: freshrss-db
    restart: unless-stopped
    volumes:
      - db:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: freshrss
      POSTGRES_PASSWORD: freshrss
      POSTGRES_DB: freshrss

  freshrss-app:
    image: freshrss/freshrss:latest
    container_name: freshrss-app
    hostname: freshrss-app
    restart: unless-stopped
    ports:
      - "8500:80"
    depends_on:
      - freshrss-db
    volumes:
      - data:/var/www/FreshRSS/data
      - extensions:/var/www/FreshRSS/extensions
    environment:
      CRON_MIN: '*/20'
      TZ: Europe/Paris

volumes:
  db:
  data:
  extensions:

And I've configured my nginx config file like so:

upstream freshrss {
    server 127.0.0.1:8500;
    keepalive 64;
}
server {
	server_name my.domain.name;
	listen      80;
	listen [::]:80;

	# Needed for Freshrss cookie/session :
	proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=Lax";

	location / {
		proxy_pass http://freshrss/;
		add_header X-Frame-Options SAMEORIGIN;
		add_header X-XSS-Protection "1; mode=block";
		proxy_redirect off;
		proxy_buffering off;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Port $server_port;
		proxy_read_timeout 90;

		# Forward the Authorization header for the Google Reader API.
		proxy_set_header Authorization $http_authorization;
		proxy_pass_header Authorization;
	}
}

As you can see:

• I'm using a direct nginx configuration (i.e. no subdirectory)
• I don't have HTTPS for now because I simply want to test if it works
• I didn't add the X-Forwarded-Prefix config line, because I don't know how it works

The result is that I can't pass the first step now (the language selection), when it tries to go to step=1 it is redirected to step=0:

freshrss-app    | xx.xx.xx.xx - - [10/Feb/2021:02:21:59 +0100] "GET /i/index.php?step=1 HTTP/1.0" 302 3470 "http://my.domain.name/i/index.php?step=0" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0"

(I prefer nginx for now because I have several services running behind my nginx web server and I'd prefer not to mix different web servers on the host machine).

[Alkarex]

@MightyCreak Ok, that is actually an improvement, because at least now you know that it is not a database connection issue, but a wrong nginx configuration related to cookies / sessions.
Try to check the set-cookie in the headers of the HTTP response (visible in your Web browser developer tools, in networking, and then in storage) like shown higher up #3198 (comment)

[MightyCreak]

Indeed, it is an improvement in that aspect 😉

So, for GET http://feed.beta.foolstep.com/i/, I get a 200 OK with this in the response header:

Set-Cookie: FreshRSS=pklu7s8g755p9659nfch9pidtl; path=/; HTTPOnly; Secure; SameSite=Laxi/; HttpOnly; SameSite=Lax

[Alkarex]

At a quick glance, this response does not look valid, the SameSite=Laxi/; in particular

[MightyCreak]

You're right.. I thought it was a typo from the copy/paste, but no, I've tried again and have the same response header. I've also checked in the nginx config and it is as I have posted in #3198 (comment).

It seems like nginx is appending i/; HttpOnly; SameSite=Lax to the Set-Cookie line.

[MightyCreak]

Ok, this is a bit weird.. well.. mainly because I don't understand what the proxy_cookie_path does exactly I suppose.

I commented out the proxy_cookie_path line and now everything works!
And I do have a well-formed cookie now (couldn't see the Set-Cookie in the response, but maybe I've missed it..):

[MightyCreak]

@Alkarex do you want me to edit https://github.com/FreshRSS/FreshRSS/blob/master/Docker/README.md#alternative-reverse-proxy-using-nginx with an alternative without a subdirectory?

[Alkarex]

@MightyCreak I think the proper fix might be to properly define X-Forwarded-Prefix for both cases (with or without subdirectory) and drop the proxy_cookie_path hack #3198 (comment)

[Alkarex]

P.S. Not tested, but probably just something like:

# Set it to the same as the location path
proxy_set_header X-Forwarded-Prefix /freshrss/;

Patch welcome

[MightyCreak]

I'm not sure exactly what X-Forwarded-Prefix does. Is it possible that it is unnecessary when configuring without subdirectory?

[Alkarex]

X-Forwarded-Prefix is to tell the application (FreshRSS) that there is a proxy in front with a subdirectory. In your case, the value is empty or / and is thus not necessary, but I think it is better to be explicit in all cases.
In all cases, it should be same value than what comes just after location in: location / {

[MightyCreak]

I've made a PR: #3438

I think having both nginx config file is better. I personally prefer not to set a property if the value is already the default value. Hope it's fine.