AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0
24.83k stars 1.79k forks

AGH Login page no longer works (Traefik File Provider + Adguard Home in Docker) #5782

Closed benisai closed 1 year ago

benisai commented 1 year ago

Prerequisites

Operating system type

Linux, Other (please mention the version in the description)

CPU architecture

AMD64

Installation

Docker

Setup

On one machine

AdGuard Home version

v0.107.29

Description

VPS with Traefik as reverse proxy. AGH in Docker at home server (Ubuntu 22.4.2)

I've been using Traefik as my reverse proxy for a while now, but recently, the AGH login page does not load. F12 shows these 2 not loading. Something changed in AGH code where it doesn't reply to the proxy. AGH logs don't provide much. Traefik logs show the connection going outbound, but AGH does not respond; it kicks back this error: "2023/04/28 22:38:40 reverseproxy.go:667: httputil: ReverseProxy read error during body copy: read tcp 172.18.0.10:41890->10.10.10.5:84: read: connection reset by peer."

I can curl my agh webport, so I have connectivity. AGH is killing the request. I need to know why/how to fix it.

/login.c6c85272422dd3c3b02f.css /login.c6c85272422dd3c3b02f.js

benisai commented 1 year ago

Rolling back to a version from 5 months ago doesn't work because the schema isn't recognized ([fatal] unknown configuration schema version 20), so I can't prove when it broke.

rfgamaral commented 1 year ago

I'm having the same issue.

I've been running AdGuard Home with Traefik for years, and this never happened before.

I've only noticed this today, and I'm pretty sure everything was working fine for me a couple of weeks ago. Don't know exactly which version I was running, but I have auto-updates on my containers with watchtower so I'm tempted to say that this was a recent change, but @benisai opened this issue back in April. Not sure what to make of this.

rfgamaral commented 1 year ago

@ainar-g Can we please get some feedback on this one?

ainar-g commented 1 year ago

@benisai, @rfgamaral, have you tried the recent versions, including the required steps as described in the release notes for v0.107.34? (See the “Removed” section.)

If so, verbose logs of AdGuard Home should shed some light on what's happening.

rfgamaral commented 1 year ago

@ainar-g Awesome. Pulled the latest version, recreated the container, all is working for me with v0.107.36. Thank you!

ainar-g commented 1 year ago

Good to hear. Assuming that OP has the same issue, I'll close this one. Feel free to reopen if it's not the same, preferably with the verbose log data.

benisai commented 1 year ago

Not fixed for me. AGH is not responding from what Traefik logs show. F12 shows the same 502 bad gateway.

Traefik Logs:

time="2023-08-16T01:53:34Z" level=debug msg="'502 Bad Gateway' caused by: read tcp 172.18.0.19:42206->10.10.10.5:84: read: connection reset by peer"
time="2023-08-16T01:55:37Z" level=debug msg="'502 Bad Gateway' caused by: read tcp 172.18.0.19:54528->10.10.10.5:84: read: connection reset by peer"

benisai commented 1 year ago

My TOML file looks like this. I do have Authelia in between; I set AdGuard to bypass any auth from Authelia, but it still doesn't work:

```toml
[http]
  [http.middlewares]
    # Redirect plain HTTP requests to HTTPS.
    [http.middlewares.adhome-redirect.redirectScheme]
      scheme = "https"

  [http.routers.adhome-redirect]
    entrypoints = ["http"]
    rule = "Host(`adguard.example.com`)"
    middlewares = ["adhome-redirect"]
    service = "adhome"

  [http.routers.adhome]
    entrypoints = ["https"]
    rule = "Host(`adguard.example.com`)"
    service = "adhome"
    middlewares = ["authelia@docker"]
    [http.routers.adhome.tls]
      certResolver = "letsencrypt"

  [http.services]
    [http.services.adhome.loadbalancer]
      # AdGuard Home web interface on the home network.
      [[http.services.adhome.loadbalancer.servers]]
        url = "http://10.10.10.5:84"
```

benisai commented 1 year ago

When I browse http://10.10.10.5:84/ from my home network, I can browse the AGH webpage. When Traefik tries, it doesn't get a response from AGH. Telnets work from my server where Traefik is to 10.10.10.5 over 84. So I have a good connection. But AGH is not returning a response for some reason. Did you guys lock down the requests to match the src? Or something along those lines?

benisai commented 1 year ago

My Traefik container is able to ping/traceroute the subnet and telnet 10.10.10.5:84

/ # busybox-extras telnet 10.10.10.5 84
Connected to 10.10.10.5

I can curl from within the Traefik container (VPS Server) to the AdguardHome Container on my local network:

/ # curl http://10.10.10.5:84
<a href="/login.html">Found</a>

so it has to be AGH not returning the response

ainar-g commented 1 year ago

@benisai, please provide the verbose logs. It's hard to diagnose anything without them. If you have issues getting them, please describe the steps you're taking.

dontcrash commented 11 months ago

I am having the same result when using Traefik and AdGuardHome image

dontcrash commented 11 months ago

I can curl the login page fine, but the CSS and JS fail:

user@ubuntu:~$ curl --verbose https://dns1.redacted.com/login.html
*   Trying 172.16.2.243:443...
* Connected to dns1.redacted.com (172.16.2.243) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=redacted.com
*  start date: Oct 18 15:19:08 2023 GMT
*  expire date: Jan 16 15:19:07 2024 GMT
*  subjectAltName: host "dns1.redacted.com" matched cert's "*.redacted.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /login.html]
* h2h3 [:scheme: https]
* h2h3 [:authority: dns1.redacted.com]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0xaaab15c56480)
> GET /login.html HTTP/2
> Host: dns1.redacted.com
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200 
< accept-ranges: bytes
< alt-svc: h3=":443"; ma=2592000
< content-type: text/html; charset=utf-8
< date: Mon, 23 Oct 2023 17:07:38 GMT
< vary: Accept-Encoding
< content-length: 1137
< 
<!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="google" content="notranslate"><link rel="apple-touch-icon" sizes="180x180" href="assets/apple-touch-icon-180x180.png"/><meta name="mobile-web-app-capable" content="yes"/><meta name="apple-mobile-web-app-capable" content="yes"/><meta name="apple-mobile-web-app-status-bar-style" content="default"><link rel="mask-icon" href="assets/safari-pinned-tab.svg" color="#67B279"><link rel="icon" type="image/png" href="assets/favicon.png" sizes="48x48"><title>Login</title><link href="login.c57f2e5e7989b37bc698.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"></div><script>(function() {
                var prefersDark = window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches;
                var currentTheme = prefersDark ? 'dark' : 'light';
                document.body.dataset.theme = currentTheme;
* Connection #0 to host dns1.redacted.com left intact
            })();</script><script src="login.c57f2e5e7989b37bc698.js"></script></body></html>

CSS or JS produce a bad gateway:

user@ubuntu:~$ curl --verbose https://dns1.redacted.com/login.c57f2e5e7989b37bc698.css
*   Trying 172.16.2.243:443...
* Connected to dns1.redacted.com (172.16.2.243) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=redacted.com
*  start date: Oct 18 15:19:08 2023 GMT
*  expire date: Jan 16 15:19:07 2024 GMT
*  subjectAltName: host "dns1.redacted.com" matched cert's "*.redacted.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /login.c57f2e5e7989b37bc698.css]
* h2h3 [:scheme: https]
* h2h3 [:authority: dns1.redacted.com]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0xaaaae7526480)
> GET /login.c57f2e5e7989b37bc698.css HTTP/2
> Host: dns1.redacted.com
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 502 
< alt-svc: h3=":443"; ma=2592000
< content-type: text/plain; charset=utf-8
< content-length: 11
< date: Mon, 23 Oct 2023 17:11:18 GMT
< 
* Connection #0 to host dns1.redacted.com left intact
Bad Gateway

I set AdGuardHome to verbose, could not see anything relevant in it. AdGuardHome is a standard install on an Ubuntu VM, everything is fresh and brand new, installed today. Traefik is running in Docker, if I try to go to my original AdGuardHome instance in Docker using the labels it works perfectly:

| Label | Value |
|---|---|
| traefik.enable | true |
| traefik.http.routers.dns.entrypoints | https |
| traefik.http.routers.dns.rule | Host(`dns.redacted.com`) |
| traefik.http.routers.dns.tls | true |
| traefik.http.services.dns.loadbalancer.server.port | 80 |

As the new instance is not in Docker, I used static YAML for Traefik:

http:
  routers:
    dns1:
      rule: "Host(`dns1.vlan.au`)"
      service: dns1
      tls: true
  services:
    dns1:
      loadBalancer:
        servers:
          - url: "http://172.16.2.6"

I am using this exact format for many other services and they work flawlessly.
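An added example, not part of the thread and not AdGuard Home or Traefik code: one way to narrow down the symptom shown above (login.html answers 200 while its CSS and JS answer 502) is to fetch every asset the login page references both directly from the backend and through the proxy, and list the ones whose results differ. The sample HTML and the stand-in fetch function are constructed; the host names and the asset file names are the ones quoted in the comment above.

```python
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: asset references like those in the login page quoted above.
SAMPLE_HTML = ('<link rel="icon" href="assets/favicon.png">'
               '<link href="login.c57f2e5e7989b37bc698.css" rel="stylesheet">'
               '<script src="login.c57f2e5e7989b37bc698.js"></script>')


class AssetParser(HTMLParser):
    """Collect the stylesheet and script URLs an HTML page references."""
    def __init__(self):
        super().__init__()
        self.assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.assets.append(a["src"])
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.assets.append(a["href"])


def http_status(url):
    """Return the HTTP status, or the exception name if no response arrived."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except OSError as err:  # URLError, connection reset, timeout
        return type(err).__name__


def compare(html, direct_base, proxy_base, fetch=http_status):
    """Return (path, direct, proxied) for each asset whose two results differ."""
    parser = AssetParser()
    parser.feed(html)
    pairs = [(p, fetch(urljoin(direct_base, p)), fetch(urljoin(proxy_base, p)))
             for p in parser.assets]
    return [row for row in pairs if row[1] != row[2]]


if __name__ == "__main__":
    # Constructed stand-in for the network: only the proxied (https) fetches fail.
    statuses = lambda url: 502 if url.startswith("https://") else 200
    print(compare(SAMPLE_HTML, "http://172.16.2.6/", "https://dns1.redacted.com/", statuses))
```

Calling `compare()` without the `fetch` argument performs real requests; an empty result means the proxy and the backend agree on every asset.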

iDevEngineer commented 6 months ago

@dontcrash know this is an older post but I've got the same... ish issue. Ubuntu for AdGuard Home using Unbound on a VM. Traefik running Docker too. Below is my static YAML. Did you get it resolved? Any help appreciated.


http:
  routers:
    adguard-https:
      rule: "Host(`adguard.dev.test`)"
      service: adguard-service
      entrypoints: