
Nginx reverse proxy #186

Closed
ghost opened this issue Oct 16, 2017 · 9 comments
Labels
Help wanted Submit pull requests please

Comments

@ghost

ghost commented Oct 16, 2017

Hello,

I've been fighting nginx for two days to get a working reverse proxy, haha.

I don't know what to change in the example nginx conf to make mine work.
I already changed the SSL certificates, the server_name and of course the root of my installation. I messed around with the headers but I can't get it to work; in my browser console I always get a white screen with:

**GET https://code.domain.tld/api/config?cb=15f26c1e68b net::ERR_ABORTED**
require.js?ver=2.3.5:168 Uncaught Error: **Script error for "/api/config?cb=15f26c1e68b"**, needed by: /common/boot.js?ver=1.0
http://requirejs.org/docs/errors.html#scripterror
    at makeError (require.js?ver=2.3.5:168)

server {
    listen 443 ssl http2;


    server_name code.domain.tld;

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE
    # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)  Everything better than SHA1 (deprecated)
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
#    add_header X-Frame-Options "SAMEORIGIN";

    root /home/user/cryptpad;
    index index.html;

    location = /cryptpad_websocket {
        proxy_pass http://localhost:3000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # WebSocket support (nginx 1.4)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }

    location ^~ /customize.dist/ {
        # This is needed in order to prevent infinite recursion between /customize/ and the root
    }
    location ^~ /customize/ {
        rewrite ^/customize/(.*)$ $1 break;
        try_files /customize/$uri /customize.dist/$uri;
    }
    location = /api/config {
        default_type text/javascript;
        rewrite ^.*$ /customize/api/config break;
    }

    location ^~ /blob/ {
        try_files $uri =404;
    }

    ## TODO fix in the code so that we don't need this
    location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media)$ {
        rewrite ^(.*)$ $1/ redirect;
    }

    try_files /www/$uri /www/$uri/index.html /customize/$uri;
}
@pawelngei

I have a similar problem. My nginx config for pad.alxd.org:

server {
    listen 443 ssl http2;

    server_name pad.alxd.org;

    ssl_certificate         /etc/letsencrypt/live/pad.alxd.org/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/pad.alxd.org/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/pad.alxd.org/fullchain.pem;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE
    # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)  Everything better than SHA1 (deprecated)
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    # add_header X-Frame-Options "SAMEORIGIN";

    root /home/cryptpad/cryptpad;
    index index.html;

    if ($args ~ ver=) {
        set $cacheControl max-age=31536000;
    }
    # Will not set any header if it is emptystring
    add_header Cache-Control $cacheControl;

    set $styleSrc   "'unsafe-inline' 'self'";
    set $scriptSrc  "'self'";
    #set $connectSrc "'self' wss://pad.alxd.org wss://api.pad.alxd.org";
    set $connectSrc "'self' wss://pad.alxd.org";
    set $fontSrc    "'self'";
    set $imgSrc     "data: * blob:";
    set $frameSrc   "'self' pad.alxd.org";

    if ($uri = /pad/inner.html) {
        set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline'";
    }
    add_header Content-Security-Policy "default-src 'none'; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc;";

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location = /cryptpad_websocket {
        proxy_pass http://localhost:3000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

#       add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # WebSocket support (nginx 1.4)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }

    location ^~ /customize.dist/ {
        # This is needed in order to prevent infinite recursion between /customize/ and the root
    }
    location ^~ /customize/ {
        rewrite ^/customize/(.*)$ $1 break;
        try_files /customize/$uri /customize.dist/$uri;
    }
    location = /api/config {
        default_type text/javascript;
        rewrite ^.*$ /customize/api/config break;
    }

    location ^~ /blob/ {
        try_files $uri =404;
    }

    ## TODO fix in the code so that we don't need this
    location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media)$ {
        rewrite ^(.*)$ $1/ redirect;
    }

    try_files /www/$uri /www/$uri/index.html /customize/$uri;
}

I keep getting:

2017/10/18 19:30:59 [error] 30866#30866: *1 open() "/home/cryptpad/cryptpad/customize/api/config" failed (2: No such file or directory), client: 89.78.176.13, server: pad.alxd.org, request: "GET /api/config?cb=15f30f7adaf HTTP/2.0", host: "pad.alxd.org", referrer: "https://pad.alxd.org/"

Latest cryptpad is run through docker. Everything on Ubuntu 16.04.3 LTS.
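Both configs posted so far (the first post's and this one) send /api/config to a file under customize/ and enable TLSv1 and TLSv1.1, and the first one repeats add_header inside the websocket location. The linter below is an added example, not CryptPad tooling and not from anyone in this thread: it parses a flat nginx server block and reports exactly those settings, plus the WebSocket upgrade directives a proxied /cryptpad_websocket location needs (the check generalises to a catch-all location / that carries proxy_set_header Connection ""). The add_header check rests on nginx's documented rule that add_header is inherited from the enclosing level only when the current level declares none of its own, so a location that sets one header silently drops the rest. SAMPLE is constructed from the configs above; pad.example.org is a placeholder. That the Node backend serves /api/config itself is an assumption about the version being run, which is why the remediation says "proxy it" rather than naming a file.

```python
"""Lint a flat nginx server block for the reverse-proxy mistakes in this
thread.  Added example, not CryptPad tooling; SAMPLE below is constructed
from the configs posted above, with pad.example.org as a placeholder."""
import re

OPEN = re.compile(r'^\s*(location|server|upstream|if|http)\b(.*)\{\s*$')
DIRECTIVE = re.compile(r'^\s*([a-z_]+)\s*(.*?)\s*;\s*$')
WEAK_PROTOCOLS = {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'}


def parse(text):
    """Yield (block_label, directive, args); block_label is the innermost
    enclosing block, e.g. 'location = /cryptpad_websocket'.  Comments are
    dropped; multi-line directives are not handled (none posted here are)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        m = OPEN.match(line)
        if m:
            stack.append(' '.join((m.group(1) + m.group(2)).split()))
        elif line.strip() == '}':
            stack.pop()
        else:
            m = DIRECTIVE.match(line)
            if m:
                yield (stack[-1] if stack else '(top)'), m.group(1), m.group(2)


def blocks(text):
    """{block_label: {directive: [args, ...]}} in file order."""
    out = {}
    for label, name, args in parse(text):
        out.setdefault(label, {}).setdefault(name, []).append(args)
    return out


def header_names(block):
    return {a.split()[0] for a in block.get('add_header', [])}


def lint(text):
    """Return human-readable findings, each prefixed with the block concerned."""
    cfg = blocks(text)
    findings = []
    server_headers = header_names(cfg.get('server', {}))
    for label, block in cfg.items():
        # 1. Deprecated protocol versions (every config in this thread has them).
        for args in block.get('ssl_protocols', []):
            weak = sorted(WEAK_PROTOCOLS & set(args.split()))
            if weak:
                findings.append(f'{label}: ssl_protocols enables {" ".join(weak)}; '
                                'use "TLSv1.2 TLSv1.3"')
        # 2. /api/config rewritten to a file under customize/: the thread's
        #    "open() ... failed (2: No such file or directory)".
        if any('/customize/api/config' in a for a in block.get('rewrite', [])):
            findings.append(f'{label}: /api/config is rewritten to a static file; '
                            'proxy_pass it to the Node backend instead')
        # 3. add_header is inherited only into a level that declares none of
        #    its own, so a location with add_header silently loses the rest.
        if label.startswith('location') and 'add_header' in block:
            lost = sorted(server_headers - header_names(block))
            if lost:
                findings.append(f'{label}: its own add_header suppresses server-level '
                                f'{", ".join(lost)}; repeat them here')
    # 4. The location that receives /cryptpad_websocket must carry the upgrade.
    ws = cfg.get('location = /cryptpad_websocket') or cfg.get('location /')
    if ws and 'proxy_pass' in ws:
        hdrs = {}
        for a in ws.get('proxy_set_header', []):
            name, _, value = a.partition(' ')
            hdrs[name] = value.strip().strip('"\'')
        if ws.get('proxy_http_version') != ['1.1']:
            findings.append('websocket location: proxy_http_version 1.1 is required for Upgrade')
        if hdrs.get('Upgrade') != '$http_upgrade':
            findings.append('websocket location: Upgrade header is not forwarded '
                            '(proxy_set_header Upgrade $http_upgrade)')
        if hdrs.get('Connection', '').lower() in ('', 'close'):
            findings.append('websocket location: Connection header is cleared, so the '
                            'handshake reaches the backend as a plain GET')
    return findings


# Constructed from the configs in this thread; not a working CryptPad config.
SAMPLE = """\
server {
    listen 443 ssl http2;
    server_name pad.example.org;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    root /home/cryptpad/cryptpad;

    location = /cryptpad_websocket {
        proxy_pass http://localhost:3000;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }
    location = /api/config {
        default_type text/javascript;
        rewrite ^.*$ /customize/api/config break;
    }
    try_files /www/$uri /www/$uri/index.html /customize/$uri;
}
"""

if __name__ == '__main__':
    for finding in lint(SAMPLE):
        print('-', finding)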

@ghost
Author

ghost commented Oct 19, 2017

Yep, it's how you described it.
I tried the "hard" way and also with docker; it's exactly the same. I also tried an old version (probably released 2 months ago) and it worked! So I suppose it's this version that has a problem, or maybe we haven't seen something you absolutely have to do to make it work ^^

@pawelngei

@jenkinsddl I noticed that docker-compose doesn't properly expose the ports and I needed to use the docker command.

Have you tried curling localhost:3000 after running both the old and the new version? Do you need anything?

@nanu-c

nanu-c commented Oct 19, 2017

Mhm, I am trying the same, but with an automatic nginx config from jwilder/docker-gen.
I keep getting the error

WebSocket connection to 'wss://cryptpad.domain/cryptpad_websocket' failed: Error during WebSocket handshake: Unexpected response code: 303

The cert is from letsencrypt and handled by the reverse proxy.
So my question: is it possible to use (wss)
wss://cryptpad.domain/cryptpad_websocket
behind a reverse proxy without a specific nginx configuration? I use an autoconf for hundreds of domains and can't make an exception just for one domain.

upstream cryptpad.domain {
        # cryptpad
        server ip:80;
}

server {
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        server_name cryptpad.domain;
        proxy_buffering off;
        error_log /proc/self/fd/2;
        access_log /proc/self/fd/1;
        location / {
                proxy_pass http://cryptpad.domain;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                # HTTP 1.1 support
                proxy_http_version 1.1;
                proxy_set_header Connection "";
        }
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/nginx/certs/cryptpad.domain/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/nginx/certs/cryptpad.domain/privkey.pem; # managed by Certbot
        ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
        ssl_session_timeout 1440m; # managed by Certbot
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # managed by Certbot
        ssl_prefer_server_ciphers on; # managed by Certbot
        ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECD$
}
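The generated config above proxies every path through location / with proxy_set_header Connection "" and never forwards Upgrade, so the handshake for /cryptpad_websocket arrives at the backend as an ordinary GET. The probe below is an added example, not CryptPad's code and not nanu-c's: it sends a raw RFC 6455 client handshake over TLS and classifies the reply, validating Sec-WebSocket-Accept against the key it sent, so that a stripped upgrade is reported differently from an unreachable backend. SAMPLE_RESPONSES are constructed, not captured from any server (the client key is the one from the RFC's own example); the host names are placeholders; and reading a 3xx on the handshake as "Upgrade/Connection never reached the backend" is an inference, not something this thread confirms.

```python
"""Probe a reverse-proxied WebSocket endpoint and check the RFC 6455
handshake, so that "the proxy stripped my Upgrade headers" can be told
apart from "the backend is unreachable".  Added example, not CryptPad's
code; host names and the sample responses below are constructed."""
import base64
import hashlib
import os
import socket
import ssl
import sys

GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'   # fixed by RFC 6455 section 4.2.2


def accept_key(client_key):
    """Sec-WebSocket-Accept a compliant server must return for client_key."""
    digest = hashlib.sha1((client_key + GUID).encode('ascii')).digest()
    return base64.b64encode(digest).decode('ascii')


def build_handshake(host, path, client_key):
    """Client side of the upgrade.  Host, Upgrade and Connection are exactly
    the headers the nginx configs in this thread must forward unchanged."""
    return (f'GET {path} HTTP/1.1\r\n'
            f'Host: {host}\r\n'
            'Upgrade: websocket\r\n'
            'Connection: Upgrade\r\n'
            f'Sec-WebSocket-Key: {client_key}\r\n'
            'Sec-WebSocket-Version: 13\r\n'
            f'Origin: https://{host}\r\n\r\n').encode('ascii')


def parse_handshake(raw, client_key):
    """Classify the server's reply as (status_code, verdict)."""
    head = raw.split(b'\r\n\r\n', 1)[0].decode('iso-8859-1')
    lines = head.split('\r\n')
    parts = lines[0].split(' ', 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return 0, 'not an HTTP response'
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    if status == 101:
        if headers.get('upgrade', '').lower() != 'websocket':
            return status, '101 without "Upgrade: websocket"'
        if headers.get('sec-websocket-accept') != accept_key(client_key):
            return status, 'wrong Sec-WebSocket-Accept: not an RFC 6455 handshake'
        return status, 'ok: upgrade accepted'
    if 300 <= status < 400:
        return status, (f'{status} redirect to {headers.get("location", "?")}: the request '
                        'was handled as a plain GET, so Upgrade/Connection most likely '
                        'never reached the backend')
    if status in (502, 503, 504):
        return status, f'{status}: the proxy could not reach the backend'
    return status, f'{status}: upgrade refused'


def probe(host, path='/cryptpad_websocket', port=443, timeout=5):
    """Live check: TLS connect, send the handshake, return
    (negotiated TLS version, parse_handshake(...))."""
    client_key = base64.b64encode(os.urandom(16)).decode('ascii')
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_handshake(host, path, client_key))
            raw = b''
            while b'\r\n\r\n' not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
            return tls.version(), parse_handshake(raw, client_key)


# Constructed replies (not captured from any real server) covering the
# outcomes a misconfigured proxy produces; the key is RFC 6455's example.
SAMPLE_KEY = 'dGhlIHNhbXBsZSBub25jZQ=='
SAMPLE_RESPONSES = {
    'upgraded': (b'HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n'
                 b'Connection: Upgrade\r\n'
                 b'Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n'),
    'headers stripped': b'HTTP/1.1 303 See Other\r\nLocation: https://cryptpad.domain/\r\n\r\n',
    'backend down': b'HTTP/1.1 502 Bad Gateway\r\n\r\n',
}


def demo():
    """Classify every constructed reply; returns {name: verdict}."""
    return {name: parse_handshake(raw, SAMPLE_KEY)[1]
            for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == '__main__':
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # e.g. python ws_probe.py pad.example.org
    else:
        for name, verdict in demo().items():
            print(f'{name:17s} -> {verdict}')
```

With no argument it classifies the constructed replies offline; with a host name it performs the live handshake and also reports the negotiated TLS version, which is a quick way to confirm that the TLSv1/TLSv1.1 entries in the configs above are not what the server actually negotiates with a modern client.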

@agrabsi

agrabsi commented Oct 22, 2017

Yup, I saw that docker-compose didn't expose the port properly and I tried with the docker command. It worked and I was able to access the homepage, but when I try to go to a coding pad, for example, I always get a white screen. I tried to put it behind a subdomain with nginx and nothing was working that way.

@ansuz
Contributor

ansuz commented Nov 17, 2017

My colleague and I spent some time working with nginx yesterday, and I definitely agree that it can be cumbersome to work with. We're going to put some effort towards simplifying the setup process soon (maybe version 1.21.0, to be released December 5th).

We don't use docker, though, so I can't promise to fix any issues that might be coming from that side of things. If anyone who is familiar with docker could join our matrix/irc channel, I'd be happy to discuss solutions there.

@ansuz
Contributor

ansuz commented Mar 11, 2020

Closing this since we now provide a very detailed example nginx config.

@ansuz ansuz closed this as completed Mar 11, 2020
@nanu-c

nanu-c commented Mar 11, 2020

I have been using cryptpad for a while without any problem, thanks :)

@throny

throny commented May 19, 2020

> I have been using cryptpad for a while without any problem, thanks :)

Can you maybe provide how you solved it with the jwilder nginx? I am struggling with subdomain handling and passing multiple ports to different subdomains.

Edit: Nevermind, got it working. In case someone finds this thread and has the same issues:
Let Cryptpad run on ports 3000 and 3001 (standard config).
Change the listening IP to your local docker IP in your config.js if you're connected to the nginx-network, otherwise it won't work.

add to your docker-compose.yml

    ports:
      - "3001:3001"
    environment:
      - VIRTUAL_HOST=pad.host.tld,pad-sandbox.host.tld
      - VIRTUAL_PORT=3000
      - LETSENCRYPT_HOST=pad.host.tld,pad-sandbox.host.tld

That works like a charm for me :)

5 participants