HTTPS proxy in front of HTTP server #29

Open
mthld opened this issue Apr 2, 2019 · 11 comments

@mthld
Contributor

commented Apr 2, 2019

Hello,

The generation of previews when uploading an image fails, even if the jobs seem to be successfully triggered:

```
Apr  2 12:43:56 pixelfed01 php[23918]: [2019-04-02 12:43:55][64] Processing: App\Jobs\ImageOptimizePipeline\ImageOptimize
Apr  2 12:43:56 pixelfed01 php[23918]: [2019-04-02 12:43:55][64] Processed:  App\Jobs\ImageOptimizePipeline\ImageOptimize
Apr  2 12:43:56 pixelfed01 php[23918]: [2019-04-02 12:43:55][65] Processing: App\Jobs\ImageOptimizePipeline\ImageResize
Apr  2 12:43:57 pixelfed01 php[23918]: [2019-04-02 12:43:56][65] Processed:  App\Jobs\ImageOptimizePipeline\ImageResize
Apr  2 12:43:57 pixelfed01 php[23918]: [2019-04-02 12:43:56][66] Processing: App\Jobs\ImageOptimizePipeline\ImageThumbnail
Apr  2 12:43:57 pixelfed01 php[23918]: [2019-04-02 12:43:56][66] Processed:  App\Jobs\ImageOptimizePipeline\ImageThumbnail
Apr  2 12:43:57 pixelfed01 php[23918]: [2019-04-02 12:43:56][67] Processing: App\Jobs\ImageOptimizePipeline\ImageUpdate
Apr  2 12:43:58 pixelfed01 php[23918]: [2019-04-02 12:43:57][67] Processed:  App\Jobs\ImageOptimizePipeline\ImageUpdate
```

[Image: Screenshot 2019-04-02 at 14 09 05]

How can we fix this?

@dansup

Member

commented Apr 3, 2019

@mathiasblc This looks like a permission problem, can you run `php artisan self-diagnosis` and post the results here?

@mthld

Contributor Author

commented Apr 3, 2019

Hi @dansup

Thanks for answering. Here we are:

```
# sudo -u www-data php artisan self-diagnosis
|-------------------------------------
| Common Checks
|-------------------------------------
Running check 1/11: App key is set...  ✔
Running check 2/11: The correct PHP version is installed...  ✔
Running check 3/11: The database can be accessed...  ✔
Running check 4/11: All directories have the correct permissions...  ✔
Running check 5/11: The environment file exists...  ✔
Running check 6/11: The example environment variables are set...  ✔
Running check 7/11: Required locales are installed...  ✘
Running check 8/11: Maintenance mode is not enabled...  ✔
Running check 9/11: The migrations are up to date...  ✔
Running check 10/11: The required PHP extensions are installed...  ✔
Running check 11/11: The storage directory is linked...  ✔

|-------------------------------------
| Environment Specific Checks (production)
|-------------------------------------
Running check 1/5: Composer dependencies (without dev) are up to date...  ✘
Running check 2/5: Configuration is cached...  ✔
Running check 3/5: Debug mode is not enabled...  ✔
Running check 4/5: Unwanted PHP extensions are disabled...  ✔
Running check 5/5: Routes are cached...  ✔

The following checks failed:
The following locales are missing:
en_US

Your composer dependencies are not up to date. Call "composer install" to update them. Cannot create cache directory /root/.composer/cache/repo/https---packagist.org/, or directory is not writable. Proceeding without cache
Cannot create cache directory /root/.composer/cache/files/, or directory is not writable. Proceeding without cache
Loading composer repositories with package information
Installing dependencies from lock file
Package operations: 0 installs, 0 updates, 32 removals
  - Uninstalling webmozart/assert (1.4.0)
  - Uninstalling theseer/tokenizer (1.1.0)
  - Uninstalling sebastian/version (2.0.1)
  - Uninstalling sebastian/resource-operations (2.0.1)
  - Uninstalling sebastian/recursion-context (3.0.0)
  - Uninstalling sebastian/object-reflector (1.1.1)
  - Uninstalling sebastian/object-enumerator (3.0.3)
  - Uninstalling sebastian/global-state (2.0.0)
  - Uninstalling sebastian/exporter (3.1.0)
  - Uninstalling sebastian/environment (4.1.0)
  - Uninstalling sebastian/diff (3.0.2)
  - Uninstalling sebastian/comparator (3.0.2)
  - Uninstalling sebastian/code-unit-reverse-lookup (1.0.1)
  - Uninstalling phpunit/phpunit (7.5.7)
  - Uninstalling phpunit/php-token-stream (3.0.1)
  - Uninstalling phpunit/php-timer (2.1.1)
  - Uninstalling phpunit/php-text-template (1.2.1)
  - Uninstalling phpunit/php-file-iterator (2.0.2)
  - Uninstalling phpunit/php-code-coverage (6.1.4)
  - Uninstalling phpspec/prophecy (1.8.0)
  - Uninstalling phpdocumentor/type-resolver (0.4.0)
  - Uninstalling phpdocumentor/reflection-docblock (4.3.0)
  - Uninstalling phpdocumentor/reflection-common (1.0.1)
  - Uninstalling phar-io/version (2.0.1)
  - Uninstalling phar-io/manifest (1.0.3)
  - Uninstalling nunomaduro/collision (v2.1.1)
  - Uninstalling myclabs/deep-copy (1.8.1)
  - Uninstalling mockery/mockery (1.2.2)
  - Uninstalling hamcrest/hamcrest-php (v2.0.0)
  - Uninstalling fzaninotto/faker (v1.8.0)
  - Uninstalling filp/whoops (2.3.1)
  - Uninstalling doctrine/instantiator (1.1.0)
```

I don't get why there is a locale problem; my system is indeed configured with en_US-UTF8 as main locale...

@dansup

Member

commented Apr 4, 2019

@mathiasblc Are you running this in docker?

@mthld

Contributor Author

commented Apr 4, 2019

@dansup no, Ubuntu 18.04 in an LXC container.

@Un-Cornichon

commented Apr 4, 2019

Hello.

Same problem here. I spoke about that on IRC.
The only clue I have right now is some 401 HTTP errors.
[Image: pixelfed 401 errors on upload]

@Un-Cornichon

commented Apr 6, 2019

OK, it took me some hours of random tests, but I've found a solution. I must say, I'm a little afraid, because for me it implies strange things about how pixelfed deals with protocols.

I host many web sites at home, so I've got a reverse proxy used to manage all TLS terminations and to dispatch all connections to the right VMs. The communication between this first nginx server and the servers actually hosting the websites is in HTTP.
Basic schema:
web --https--> nginx (tls terminations) --http--> nginx (pixelfed)

If I change the communication between the first nginx and the second to HTTPS, I don't have the issue anymore... I tried that because I found that pixelfed just doesn't work over HTTP.
Basic schema with no issue:
web --https--> nginx (tls termination) --httpS--> nginx (pixelfed)

@Un-Cornichon

commented Apr 7, 2019

So, I did a little more digging into this.

When I initially configured the pixelfed nginx, I thought that REQUEST_SCHEME would do the trick:

```nginx
fastcgi_param REQUEST_SCHEME $http_x_forwarded_proto;
```

In fact what you need is something like that:

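```nginx
# Translate the X-Forwarded-Proto header set by the TLS-terminating proxy
# into the value passed to PHP in the HTTPS FastCGI parameter.
map $http_x_forwarded_proto $proxy_https {
    default '';
    https 'on';
}

server {
  [...]
  location ~ \.php$ {
    include /etc/nginx/pixelfed-fastcgi.conf;
    fastcgi_pass unix:/var/run/php/pixelfed.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    # nginx variable names use underscores only: $http_x_forwarded_proto
    fastcgi_param  REQUEST_SCHEME     $http_x_forwarded_proto;
    # Only sent to PHP when the map above produced a non-empty value
    fastcgi_param  HTTPS              $proxy_https if_not_empty;
    [...]
  }
  [...]
}
```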

Of course, if like me you use an include to manage the fastcgi configuration, you can put all these options in it. And of course, on the first nginx server (with TLS terminations) you need to add some headers:

```nginx
proxy_set_header X-Forwarded-Proto $scheme;
```

For me, the preview generation fails when the fastcgi_param HTTPS is not equal to on.
I understand the need for a web app to test if HTTPS is used or not, but only in the preview part after a picture upload, it's really weird. It should be more consistent, IMO.

@mthld

Contributor Author

commented Apr 7, 2019

Thanks @Un-Cornichon for the workaround, it helped.

@dansup

Member

commented Apr 13, 2019

@mathiasblc @Un-Cornichon The issue is that pixelfed enforces HTTPS at the app level, so all links are https links. You can remove this by commenting out the line below.

https://github.com/pixelfed/pixelfed/blob/9f5d31ec01100f4b0e3636ca40582b435899c2a6/app/Providers/AppServiceProvider.php#L24

@dansup closed this Apr 13, 2019

@benpro

commented Jul 26, 2019

@dansup That is not a viable solution as it will produce mixed content.

@benpro

commented Jul 26, 2019

Pixelfed should read the HTTP_X_FORWARDED_PROTO variable if received instead of using only the HTTPS variable.
If HTTP_X_FORWARDED_PROTO is equal to https, then the app needs to do the necessary actions and not produce a 401 error.

Anyway, the nginx hack from @Un-Cornichon works and should be documented somewhere...
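
Added example, not part of the thread and not Pixelfed code: one way an application could honor `HTTP_X_FORWARDED_PROTO` as suggested above, accepting it only when the request arrives from the TLS-terminating proxy, since the header is otherwise client-controlled. The function name `requestIsHttps`, the `TRUSTED_PROXIES` address and the sample `$_SERVER`-style arrays are assumptions constructed for illustration.

```php
<?php
// Added example, not Pixelfed code. TRUSTED_PROXIES and the sample
// $_SERVER-style arrays below are constructed for illustration.
const TRUSTED_PROXIES = ['192.0.2.10']; // assumed address of the TLS-terminating nginx

function requestIsHttps(array $server, array $trustedProxies = TRUSTED_PROXIES): bool
{
    // TLS ended on this host, or the web server already passes
    // "fastcgi_param HTTPS on" as in the nginx workaround.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }

    // X-Forwarded-Proto is an ordinary request header that any client can
    // send, so it only counts when the TCP peer is a proxy we operate.
    if (!in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        return false;
    }

    $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
    return $proto === 'https';
}

// Constructed sample requests covering the proxy setups discussed in this issue.
$samples = [
    'trusted proxy, client used https' => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'trusted proxy, client used http'  => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'http'],
    'trusted proxy, header missing'    => ['REMOTE_ADDR' => '192.0.2.10'],
    'unknown peer sending the header'  => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'HTTPS param set by web server'    => ['REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'on'],
];

foreach ($samples as $label => $server) {
    printf("%-34s => %s\n", $label, requestIsHttps($server) ? 'https' : 'http');
}
```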

@trwnh reopened this Oct 9, 2019
@trwnh transferred this issue from pixelfed/pixelfed Oct 9, 2019
@trwnh changed the title from "Preview generation fails" to "HTTPS proxy in front of HTTP server" Oct 9, 2019