NathanVaughn / webtrees-docker

Up-to-date Docker image for webtrees with all the bells and whistles.
https://hub.docker.com/r/nathanvaughn/webtrees
MIT License

Reverse proxy (I think) setup issue #122

Closed LunaUrsa closed 1 year ago

LunaUrsa commented 1 year ago

Hey Nathan, thanks for making this project. I've got an issue and could use some help. I am trying to set up webtrees via docker-compose:

  webtrees_db:
    container_name: webtrees_db
    image: mariadb:latest
    restart: unless-stopped
    networks:
      - webtrees-net
    env_file: .env
    environment:  
      MARIADB_ROOT_PASSWORD: ${DB_ROOT}
      MARIADB_USER: webtrees
      MARIADB_PASSWORD: ${WT_PASS}
      MARIADB_DATABASE: webtrees
    volumes:
      # Not needed by MariaDB; mounting the Docker socket gives the container root-equivalent access to the host
      - /var/run/docker.sock:/var/run/docker.sock
      - webtrees_db:/var/lib/mysql
    labels:
      - "traefik.enable=false"
  webtrees:
      container_name: webtrees
      image: ghcr.io/nathanvaughn/webtrees:latest
      restart: unless-stopped
      depends_on:
      - webtrees_db
      networks:
      - webtrees-net
      env_file: .env
      environment:
        PRETTY_URLS: "0"
        HTTPS: "0"
        HTTPS_REDIRECT: "0"
        LANG: "en-US"
        BASE_URL: "http://webtrees.${WT_DOMAIN}.${WT_TLD}"
        DB_TYPE: "mysql"
        DB_HOST: "webtrees_db"
        DB_PORT: "3306"
        MARIADB_USER: "webtrees"
        MARIADB_PASSWORD: ${WT_PASS}
        MARIADB_DATABASE: "webtrees"
        DB_PREFIX: "wt_"
        WT_USER: "admin"
        WT_NAME: ${WT_NAME}
        WT_PASS: ${WT_PASS}
        WT_EMAIL: ${WT_EMAIL}
      volumes:
        - webtrees_data:/var/www/webtrees/data/
        - webtrees_media:/var/www/webtrees/media/
        - webtrees_themes:/var/www/webtrees/modules_v4/
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.webtrees.rule=Host(`${WT_DOMAIN}.${WT_TLD}`)"
        - "traefik.http.routers.webtrees.entrypoints=websecure"
        - "traefik.http.routers.webtrees.service=webtrees"
        - "traefik.http.routers.webtrees.tls=true"
        - "traefik.http.routers.webtrees.tls.certresolver=letsencrypt"
        - "traefik.http.services.webtrees.loadbalancer.server.port=80"

This works on the first run: I can set up the website and see the database has tables created. I can navigate the site, so I'm confident there are no major issues with your image, Cloudflare, or Traefik. The issue happens when I restart the container. I get a 500 error:

[NV_INIT] PRETTY_URLS found in environment variables
[NV_INIT] HTTPS found in environment variables
[NV_INIT] HTTPS_REDIRECT found in environment variables
[NV_INIT] SSL_CERT_FILE NOT found in environment variables, using default: /certs/webtrees.crt
[NV_INIT] SSL_CERT_KEY_FILE NOT found in environment variables, using default: /certs/webtrees.key
[NV_INIT] BASE_URL found in environment variables
[NV_INIT] LANG found in environment variables
[NV_INIT] DB_TYPE found in environment variables
[NV_INIT] DB_HOST found in environment variables
[NV_INIT] DB_PORT found in environment variables
[NV_INIT] MYSQL_USER NOT found in environment variables, using default: None
[NV_INIT] MARIADB_USER found in environment variables
[NV_INIT] MYSQL_PASSWORD NOT found in environment variables, using default: None
[NV_INIT] MARIADB_PASSWORD found in environment variables
[NV_INIT] MYSQL_DATABASE NOT found in environment variables, using default: None
[NV_INIT] MARIADB_DATABASE found in environment variables
[NV_INIT] DB_PREFIX found in environment variables
[NV_INIT] WT_USER found in environment variables
[NV_INIT] WT_NAME found in environment variables
[NV_INIT] WT_PASS found in environment variables
[NV_INIT] WT_EMAIL found in environment variables
[NV_INIT] DB_KEY NOT found in environment variables, using default: None
[NV_INIT] DB_CERT NOT found in environment variables, using default: None
[NV_INIT] DB_CA NOT found in environment variables, using default: None
[NV_INIT] DB_VERIFY NOT found in environment variables, using default: None
[NV_INIT] PHP_MEMORY_LIMIT NOT found in environment variables, using default: 1024M
[NV_INIT] PHP_MAX_EXECUTION_TIME NOT found in environment variables, using default: 90
[NV_INIT] PHP_POST_MAX_SIZE NOT found in environment variables, using default: 50M
[NV_INIT] PHP_UPLOAD_MAX_FILE_SIZE NOT found in environment variables, using default: 50M
[NV_INIT] Setting up folder permissions for uploads
[NV_INIT] Updating php.ini
[NV_INIT] Creating php.ini
[NV_INIT] Setting value for memory_limit in php.ini
[NV_INIT] Setting value for max_execution_time in php.ini
[NV_INIT] Setting value for post_max_size in php.ini
[NV_INIT] Setting value for upload_max_filesize in php.ini
[NV_INIT] Updating config file
[NV_INIT] Setting value for rewrite_urls in config
[NV_INIT] Setting value for base_url in config
[NV_INIT] Setting value for dbtype in config
[NV_INIT] Setting value for dbhost in config
[NV_INIT] Setting value for dbport in config
[NV_INIT] Setting value for dbuser in config
[NV_INIT] Setting value for dbpass in config
[NV_INIT] Setting value for dbname in config
[NV_INIT] Setting value for tblpfx in config
[NV_INIT] Configuring HTTPS
[NV_INIT] Removing HTTPS
[NV_INIT] Disabling site webtrees-redir
Site webtrees-redir already disabled
[NV_INIT] Disabling site webtrees-ssl
Site webtrees-ssl already disabled
[NV_INIT] Enabling site webtrees
Enabling site webtrees.
To activate the new configuration, you need to run:
  service apache2 reload
[NV_INIT] Setting up folder permissions for uploads
[NV_INIT] Starting Apache
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.22.0.5. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.22.0.5. Set the 'ServerName' directive globally to suppress this message
[Wed May 24 16:37:12.375426 2023] [mpm_prefork:notice] [pid 32] AH00163: Apache/2.4.54 (Debian) PHP/8.1.14 OpenSSL/1.1.1n configured -- resuming normal operations
[Wed May 24 16:37:12.376582 2023] [core:notice] [pid 32] AH00094: Command line: 'apache2 -D FOREGROUND'
webtrees:80 127.0.0.1 - - [24/May/2023:16:37:41 +0000] "GET / HTTP/1.1" 500 4378 "-" "curl/7.74.0"

I see your Reverse Proxy Issues section in the readme, and the UPDATE command didn't work, so I did an INSERT and added those settings:

MariaDB [webtrees]> select * from wt_site_setting;
+-------------------+--------------------------------+
| setting_name      | setting_value                  |
+-------------------+--------------------------------+
| LANGUAGE          | en-US                          |
| LOGIN_URL         | https://domain.tld/login       |
| SERVER_URL        | https://domain.tld/            |
| WT_SCHEMA_VERSION | 45                             |
+-------------------+--------------------------------+
4 rows in set (0.001 sec)

Even after that and playing around with the HTTPS/BASE_URL variables, I need help figuring this out. I might be overlooking something basic here, and any help would be appreciated, thank you!

NathanVaughn commented 1 year ago

Try changing LOGIN_URL to https://domain.tld/login.php. I'm going to experiment and see if I can replicate this. Additionally, set the BASE_URL to the https version of your domain.

LunaUrsa commented 1 year ago

Thanks for the response!

Unfortunately, no change in behavior =/ Just to clarify, I changed my docker-compose so that the webtrees service's environment now starts with:

      environment:
        PRETTY_URLS: "1"
        HTTPS: "0"
        HTTPS_REDIRECT: "0"
        LANG: "en-US"
        LOGIN_URL: "https://domain.tld/login.php"
        SERVER_URL: "https://domain.tld"
        BASE_URL: "https://domain.tld"

Did a fresh install of everything (thank you, docker) with that and also made sure to update the MariaDB wt_site_setting table with the same values, same thing: I can do the setup process, but once I restart the container, it gives me a 404. I wish I had more logs to give you, is there some kind of debug logs I can enable? All I can see in the browser console is a 404 error for my domain and the favicon, and a 500 error on the webtrees container side.

Happy to do whatever to help resolve this, I'd really like to use this software, thanks again!

NathanVaughn commented 1 year ago

Okay, so I was able to spend more time looking into this. After starting the container for the second time, can you attach a terminal to it and check the contents of /var/www/webtrees/data/config.ini.php?

When I was trying to replicate this issue, I found some of the environment variables were not getting loaded properly, and it was causing the webtrees config to get corrupted: [image]

At least for that problem, I will dig into it more.

You should be able to prevent this by not setting any of the WT_ environment variables and manually doing the setup wizard.
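The check Nathan asks for above (inspect config.ini.php after the second start and compare it with the wt_site_setting rows) can be automated. The following is an added example, not code from the webtrees-docker project: it parses the ini-style config.ini.php that the container writes (the keys are the ones the [NV_INIT] log lines above set: rewrite_urls, base_url, dbhost, ...) and the text table that the MariaDB client prints for wt_site_setting, and reports any URL whose origin (scheme and host) differs from the origin the reverse proxy serves to browsers. The PHP guard line, the webtrees.example.org hostname and both sample inputs are constructed for the example.

```python
"""Consistency check for a webtrees instance behind a TLS-terminating proxy.

Added example, not part of the webtrees-docker project. Both sample inputs are
constructed; in practice they would come from
``docker exec webtrees cat /var/www/webtrees/data/config.ini.php`` and from
``SELECT * FROM wt_site_setting`` in the MariaDB client.
"""
import re
from urllib.parse import urlsplit

# Constructed sample of config.ini.php: a PHP guard line followed by
# ini-style key="value" pairs. base_url is deliberately http:// while the
# proxy serves https://, which is the mismatch discussed in this thread.
SAMPLE_CONFIG = """; <?php exit; ?> DO NOT DELETE THIS LINE
rewrite_urls="1"
base_url="http://webtrees.example.org"
dbtype="mysql"
dbhost="webtrees_db"
dbport="3306"
dbuser="webtrees"
dbpass="s3cret"
dbname="webtrees"
tblpfx="wt_"
"""

# Constructed sample of the wt_site_setting rows as the MariaDB client prints them.
SAMPLE_SITE_SETTINGS = """+-------------------+------------------------------------+
| setting_name      | setting_value                      |
+-------------------+------------------------------------+
| LANGUAGE          | en-US                              |
| LOGIN_URL         | https://webtrees.example.org/login |
| SERVER_URL        | https://webtrees.example.org/      |
| WT_SCHEMA_VERSION | 45                                 |
+-------------------+------------------------------------+
"""

_INI_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?(.*?)"?\s*$')


def parse_config_ini(text):
    """Return the key/value pairs of config.ini.php as a dict.

    The PHP guard line and ';' comments are skipped; values may be quoted or not.
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";") or stripped.startswith("<?php"):
            continue
        m = _INI_LINE.match(stripped)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_site_settings(table_text):
    """Turn the MariaDB text table into a dict of setting_name -> setting_value."""
    rows = {}
    for line in table_text.splitlines():
        if not line.startswith("|"):
            continue  # border lines such as +-----+ carry no data
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 2 and cells[0] != "setting_name":
            rows[cells[0]] = cells[1]
    return rows


def origin(url):
    """scheme://host[:port] of a URL, lower-cased, or None when it has no host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def check_proxy_consistency(config_text, site_settings_text, public_url):
    """Compare base_url, SERVER_URL and LOGIN_URL with the URL the proxy serves.

    Returns a list of findings; an empty list means all three URLs share the
    origin that browsers actually use, which is what a TLS-terminating proxy needs.
    """
    config = parse_config_ini(config_text)
    site = parse_site_settings(site_settings_text)
    expected = origin(public_url)
    findings = []
    checks = [
        ("config.ini.php base_url", config.get("base_url")),
        ("wt_site_setting SERVER_URL", site.get("SERVER_URL")),
        ("wt_site_setting LOGIN_URL", site.get("LOGIN_URL")),
    ]
    for label, value in checks:
        if not value:
            findings.append(f"{label} is missing")
        elif origin(value) != expected:
            findings.append(f"{label} is {value!r}; expected origin {expected}")
    if config.get("rewrite_urls") not in ("0", "1"):
        findings.append("rewrite_urls should be 0 or 1")
    return findings


if __name__ == "__main__":
    for finding in check_proxy_consistency(SAMPLE_CONFIG, SAMPLE_SITE_SETTINGS,
                                           "https://webtrees.example.org"):
        print("FINDING:", finding)
```

Run against the constructed samples it reports exactly one finding, the http:// base_url; once base_url carries the https origin the proxy presents, the list is empty. The origin comparison deliberately ignores the path, so a LOGIN_URL of /login or /login.php both pass as long as scheme and host agree.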

NathanVaughn commented 1 year ago

Tags 2.1.16 and latest have been re-pushed, try that now

LunaUrsa commented 1 year ago

Thanks for the response! I've made progress, but still hitting an issue:

If my docker-compose has no env variables, it has me go through the site creation process, as I would expect. When I create the user in the final step, the page refreshes to the login screen, but there's no CSS formatting, so it looks gross. However! This is the only setup where the login page works. I can reload the container, and it stays the same: I can keep logging into that page and set up my family's specific tree. However, something is broken with the site cuz the formatting is broken.

[image]

If I add the 'BASE_URL: "https://webtrees.${DNS_DOMAIN}"' env variable and reload the container, the site looks normal, but I can no longer log in.

If I add my full env config, it seems to auto-complete the setup process, but I can't log in at all, even if I remove the BASE_URL variable and redo the container.

For clarity, I pasted my environment below. I've tried with pretty_urls on and off, along with a bunch of other combinations, but nothing I try seems to let me log in, except the first method without an env at all. When I go into MariaDB, I can see that the user is created, but maybe the password is getting hashed wrong? Just a guess, because there is a hashed password value there.

      environment:
        PRETTY_URLS: "1"
        LANG: "en-US"
        LOGIN_URL: "https://webtrees.${DNS_DOMAIN}/login.php"
        SERVER_URL: "https://webtrees.${DNS_DOMAIN}"
        BASE_URL: "https://webtrees.${DNS_DOMAIN}"
        DB_TYPE: "mysql"
        DB_HOST: "webtrees_db"
        DB_PORT: "3306"
        MARIADB_USER: "webtrees"
        MARIADB_PASSWORD: "${WT_DB_PASS}"
        MARIADB_DATABASE: "webtrees"
        DB_PREFIX: "wt_"
        WT_USER: "${WT_USER}"
        WT_NAME: "${WT_NAME}"
        WT_PASS: "${WT_PASS}"
        WT_EMAIL: "${WT_EMAIL}"

If I have the browser console open while I click login, it shows:

webtrees:80 172.22.0.4 - - [31/May/2023:20:50:34 +0000] "POST /login HTTP/1.1" 302 526 "https://webtrees.${DNS_DOMAIN}/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0"
webtrees:80 172.22.0.4 - - [31/May/2023:20:50:34 +0000] "GET /login HTTP/1.1" 200 4240 "https://webtrees.${DNS_DOMAIN}/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0"

NathanVaughn commented 1 year ago

I'm still not sure what's going on exactly. If you could post your full docker compose file and Traefik config (feel free to leave out environment variables), that would be appreciated.

I was able to set up a fresh instance from a blank slate on my computer with the following configs (admittedly without https):

docker-compose.yml:

services:
  traefik:
    image: traefik:latest
    volumes:
      - ./traefik.toml:/etc/traefik/traefik.toml
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
       - "80:80"
       - "8080:8080"

  webtrees_db:
    container_name: webtrees_db
    image: mariadb:latest
    restart: unless-stopped
    environment:
      MARIADB_ROOT_PASSWORD: rootpass
      MARIADB_USER: webtrees
      MARIADB_PASSWORD: wtpass
      MARIADB_DATABASE: webtrees
    volumes:
      # Not needed by MariaDB; the Docker socket gives the container root-equivalent access to the host
      - /var/run/docker.sock:/var/run/docker.sock
      - webtrees_db:/var/lib/mysql
    labels:
      - "traefik.enable=false"
    ports:
      - "3306:3306"

  webtrees:
      container_name: webtrees
      image: ghcr.io/nathanvaughn/webtrees:latest
      restart: unless-stopped
      depends_on:
      - webtrees_db
      environment:
        PRETTY_URLS: "1"
        HTTPS: "0"
        HTTPS_REDIRECT: "0"
        LANG: "en-US"
        BASE_URL: "http://webtrees.localhost"
        DB_TYPE: "mysql"
        DB_HOST: "webtrees_db"
        DB_PORT: "3306"
        MARIADB_USER: "webtrees"
        MARIADB_PASSWORD: wtpass
        MARIADB_DATABASE: "webtrees"
        DB_PREFIX: "wt_"
        WT_USER: "admin"
        WT_NAME: Nathan
        WT_PASS: wtpass
        WT_EMAIL: nathan@example.com
      volumes:
        - webtrees_data:/var/www/webtrees/data/
        - webtrees_media:/var/www/webtrees/media/
        - webtrees_themes:/var/www/webtrees/modules_v4/
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.webtrees.rule=Host(`webtrees.localhost`)"
        - "traefik.http.routers.webtrees.entrypoints=insecure"
        - "traefik.http.routers.webtrees.service=webtrees"
        - "traefik.http.services.webtrees.loadbalancer.server.port=80"

volumes:
  webtrees_db:
    driver: local
  webtrees_data:
    driver: local
  webtrees_media:
    driver: local
  webtrees_themes:
    driver: local

traefik.toml:

[entryPoints]
  [entryPoints.insecure]
    address = ":80"

[api]
  dashboard = true
  insecure = true
  debug = true

[log]
  level = "debug"

[providers.docker]

After modifying my hosts file for webtrees.localhost, this was able to completely automate the setup wizard, and then I logged in and created my tree. I restarted the container and the pretty URLs worked. [image] I never had to modify any database settings.

Maybe the problem is HTTPS. If you think so, I can try to spend more time replicating that locally.

LunaUrsa commented 1 year ago

Hey Nathan, thanks a ton! I'm not 100% sure what I was doing wrong, but it was probably something with the .env variables. I took your above example and started fresh, and I can run the site on HTTPS. If anyone else has this issue in the future, maybe my docker-compose will help:

  traefik:
    container_name: traefik
    image: traefik:latest
    restart: unless-stopped
    command:
      # Global
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      # Log info
      - --log=true
      - --log.filePath=/var/log/traefik/traefik.log
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      # Access logs
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --accesslog.fields.headers.names.Content-Type=keep
      - --accesslog.fields.headers.names.Referer=keep
      - --accesslog.fields.headers.names.User-Agent=keep
      # Enable the Traefik dashboard
      - --api=true
      - --api.dashboard=true
      - --api.insecure=false
      - --api.debug=true
      # Tell Traefik to discover containers using the Docker API
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
      - --providers.docker.network=traefik-net
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/data/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # Set up an insecure listener that redirects all traffic to TLS
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # Set up the TLS configuration for our https listener
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.http.tls.domains[0].main=*.${DNS_DOMAIN}
      - --entrypoints.websecure.http.tls.domains[0].sans=${DNS_DOMAIN}
      - --entrypoints.websecure.http.tls.options=tls-opts@file
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      # Set up LetsEncrypt
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.disablepropagationcheck=true
    secrets:
      - cloudflare_email
      - cloudflare_api_key
      - cloudflare_api_token
    environment:
      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_key
      - CF_ZONE_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DOCKERDIR}/traefik/data/:/data
      - ${DOCKERDIR}/traefik/logs:/var/log/traefik
      - ${LOCAL_MOUNT}/traefik/letsencrypt:/letsencrypt
      - /etc/traefik:/etc/traefik
    networks:
      - webtrees-net
    labels:
      - traefik.enable=true
      # Dashboard Config
      - traefik.http.routers.traefik-rtr.rule=Host(`traefik.${DNS_DOMAIN}`)
      - traefik.http.routers.traefik-rtr.entrypoints=websecure
      - traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik-rtr.service=api@internal
      - traefik.http.routers.traefik-rtr.middlewares=middlewares-traefik-strip@file,chain-authelia@file
  webtrees_db:
    container_name: webtrees_db
    image: mariadb:latest
    restart: unless-stopped
    networks:
      - webtrees-net
    environment:
      - MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD}
      - MARIADB_USER=webtrees
      - MARIADB_PASSWORD=${MARIADB_PASSWORD}
      - MARIADB_DATABASE=webtrees
    volumes:
      # Not needed by MariaDB; the Docker socket gives the container root-equivalent access to the host
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DOCKERDIR}/data/webtrees_db/mysql:/var/lib/mysql
    labels:
      - traefik.enable=false
  webtrees:
      container_name: webtrees
      image: ghcr.io/nathanvaughn/webtrees:latest
      restart: unless-stopped
      depends_on:
      - webtrees_db
      networks:
      - webtrees-net
      environment:
        PRETTY_URLS: "1"
        HTTPS: "0"
        HTTPS_REDIRECT: "0"
        LANG: "en-US"
        LOGIN_URL: "https://webtrees.${DNS_DOMAIN}"
        SERVER_URL: "https://webtrees.${DNS_DOMAIN}"
        BASE_URL: "https://webtrees.${DNS_DOMAIN}"
        DB_TYPE: "mysql"
        DB_HOST: "webtrees_db"
        DB_PORT: "3306"
        MARIADB_USER: "webtrees"
        MARIADB_PASSWORD: ${WT_DB_PASS}
        MARIADB_DATABASE: "webtrees"
        DB_PREFIX: "wt_"
        WT_USER: ${WT_USER}
        WT_NAME: ${WT_NAME}
        WT_PASS: ${WT_PASS}
        WT_EMAIL: ${WT_EMAIL}
      volumes:
        # Not needed by webtrees; the Docker socket gives the container root-equivalent access to the host
        - /var/run/docker.sock:/var/run/docker.sock
        - ${DOCKERDIR}/data/webtrees/data:/var/www/webtrees/data/
        - ${DOCKERDIR}/data/webtrees/media:/var/www/webtrees/media/
        - ${DOCKERDIR}/data/webtrees/modules_v4:/var/www/webtrees/modules_v4/
      labels:
        - traefik.enable=true
        - traefik.http.routers.webtrees.rule=Host(`webtrees.${DNS_DOMAIN}`)
        - traefik.http.routers.webtrees.service=webtrees
        - traefik.http.services.webtrees.loadbalancer.server.port=80
        - traefik.http.routers.webtrees.entrypoints=websecure
        - traefik.http.routers.webtrees.tls.certresolver=letsencrypt
        - traefik.http.routers.webtrees.tls=true

Thanks once again!
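The working configuration above runs the container with HTTPS=0 and lets Traefik terminate TLS, so the application can only learn that a browser used https from the X-Forwarded-Proto header, and Traefik's `--entrypoints.websecure.forwardedHeaders.trustedIPs` line is what keeps that header trustworthy. The following added example (not Traefik's code and not part of the webtrees-docker project) shows the rule an application or proxy applies behind such a setup: forwarded headers are honoured only when the direct peer is a known proxy, and X-Forwarded-For is walked from the right, skipping trusted hops, to find the real client. The trusted CIDR list and the client addresses are constructed; 172.22.0.4 is the Traefik address that appears in the access log earlier in the thread.

```python
"""Honouring X-Forwarded-* only from trusted proxies.

Added example, not Traefik's implementation and not part of webtrees-docker.
Forwarded headers are ordinary request headers: if they are believed from any
peer, a client can claim to be https or to come from any address. The CIDR
list and the sample requests below are constructed for the example.
"""
import ipaddress

# Constructed: the networks from which a proxy is allowed to set forwarded headers
# (the role of forwardedHeaders.trustedIPs in the Traefik config above).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("172.22.0.0/16", "10.0.0.0/8")]


def is_trusted_proxy(ip, trusted=TRUSTED_PROXIES):
    """True when the address lies inside one of the trusted proxy networks."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for malformed input
    return any(addr in net for net in trusted)


def effective_scheme(peer_ip, headers, connection_scheme="http", trusted=TRUSTED_PROXIES):
    """Scheme the browser used: the forwarded value only if a trusted peer sent it.

    With TLS terminated at the proxy the socket scheme is always "http", so
    without a trusted forwarded header every generated URL would be http://.
    """
    proto = headers.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    if is_trusted_proxy(peer_ip, trusted) and proto in ("http", "https"):
        return proto
    return connection_scheme


def client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Walk X-Forwarded-For right-to-left, skipping trusted hops, to the real client.

    The rightmost entry was appended by the nearest proxy and is the only one
    that proxy vouches for; entries further left may have been supplied by the
    client, so the walk stops at the first address that is not a trusted proxy.
    """
    if not is_trusted_proxy(peer_ip, trusted):
        return peer_ip  # direct connection: the header cannot be trusted at all
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop, trusted):
                return hop
        except ValueError:
            return peer_ip  # malformed entry: fall back to the socket peer
    return peer_ip  # every hop was a proxy of ours; nothing further to attribute


def demo():
    """Two constructed requests with identical headers but different peers."""
    # Relayed by Traefik (172.22.0.4, as in the access log above) for a browser
    # at 203.0.113.7 that connected over TLS.
    via_traefik = ("172.22.0.4",
                   {"x-forwarded-proto": "https", "x-forwarded-for": "203.0.113.7"})
    # The same headers sent straight to the container by an untrusted peer.
    direct = ("198.51.100.9",
              {"x-forwarded-proto": "https", "x-forwarded-for": "203.0.113.7"})
    return {
        "via_proxy": (effective_scheme(*via_traefik), client_ip(*via_traefik)),
        "direct": (effective_scheme(*direct), client_ip(*direct)),
    }


if __name__ == "__main__":
    for name, (scheme, ip) in demo().items():
        print(f"{name}: scheme={scheme} client={ip}")
```

The proxied request resolves to https and the browser's address; the direct request with the very same headers resolves to plain http and the peer's own address, which is the behaviour a correctly scoped trustedIPs list produces in Traefik. Listing Cloudflare's ranges there, as the final config does, is what makes the scheme reported through Cloudflare trustworthy as well.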