TandoorRecipes / recipes

Application for managing recipes, planning meals, building shopping lists and much much more!
https://docs.tandoor.dev

Issues using Nginx Proxy Manager #2472

Closed Basti-Fantasti closed 1 year ago

Basti-Fantasti commented 1 year ago

Issue

I've been using tandoor with docker-compose successfully behind npm now for quite a while.

Now I moved the installation from my Proxmox base system to an unprivileged LXC container running docker. So far the rest of the docker containers seem to be running fine, but tandoor stopped working. When I open my tandoor url it takes a very long time to come to the login page. After entering my credentials it tries to load but always leads to a timeout.

I'm using the same npm nginx config as I have before:


server {
    set $forward_scheme http;
    set $server         "192.168.1.3";
    set $port           981;

    listen 80;
    listen [::]:80;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mytandoor.domain.net;

    # Let's Encrypt SSL
    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-ciphers.conf;
    ssl_certificate /etc/letsencrypt/live/npm-3/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-3/privkey.pem;

    # Force SSL
    include conf.d/include/force-ssl.conf;

    access_log /data/logs/proxy-host-3_access.log proxy;
    error_log /data/logs/proxy-host-3_error.log warn;

    location / {
        # Proxy!
        include conf.d/include/proxy.conf;
    }

    # Custom
    include /data/nginx/custom/server_proxy[.]conf;
}

So my question is: do I need to modify the nginx config, or can it be related to the fact that docker is now running in an unprivileged lxc container and not on a native debian host as before?

When I access tandoor locally using the internal IP through http, it works. Any help is appreciated.

Best regards Bastian

Tandoor Version

1.4.10

OS Version

Debian 11 in unprivileged LXC container

Setup

Docker / Docker-Compose

Reverse Proxy

Nginx Proxy Manager (NPM)

Other

No response

Environment file

# only set this to true when testing/debugging
# when unset: 1 (true) - dont unset this, just for development
DEBUG=0
SQL_DEBUG=0

# hosts the application can run under e.g. recipes.mydomain.com,cooking.mydomain.com,...
ALLOWED_HOSTS=*

# random secret key, use for example `base64 /dev/urandom | head -c50` to generate one
SECRET_KEY=mysecret

# your default timezone See https://timezonedb.com/time-zones for a list of timezones
TIMEZONE=Europe/Berlin

# add only a database password if you want to run with the default postgres, otherwise change settings accordingly
DB_ENGINE=django.db.backends.postgresql
# DB_OPTIONS= {} # e.g. {"sslmode":"require"} to enable ssl
POSTGRES_HOST=db_recipes
POSTGRES_PORT=5432
POSTGRES_USER=djangouser
POSTGRES_PASSWORD=password
POSTGRES_DB=djangodb

# database connection string, when used overrides other database settings.
# format might vary depending on backend
# DATABASE_URL = engine://username:password@host:port/dbname

# the default value for the user preference 'fractions' (enable/disable fraction support)
# default: disabled=0
FRACTION_PREF_DEFAULT=0

# the default value for the user preference 'comments' (enable/disable commenting system)
# default comments enabled=1
COMMENT_PREF_DEFAULT=1

# Users can set a amount of time after which the shopping list is refreshed when they are in viewing mode
# This is the minimum interval users can set. Setting this to low will allow users to refresh very frequently which
# might cause high load on the server. (Technically they can obviously refresh as often as they want with their own scripts)
SHOPPING_MIN_AUTOSYNC_INTERVAL=5

# Default for user setting sticky navbar
# STICKY_NAV_PREF_DEFAULT=1

# If base URL is something other than just /  (you are serving a subfolder in your proxy for instance http://recipe_app/recipes/)
# SCRIPT_NAME=/recipes

# If staticfiles are stored at a different location uncomment and change accordingly, MUST END IN /
# this is not required if you are just using a subfolder
# This can either be a relative path from the applications base path or the url of an external host
# STATIC_URL=/static/

# If mediafiles are stored at a different location uncomment and change accordingly, MUST END IN /
# this is not required if you are just using a subfolder
# This can either be a relative path from the applications base path or the url of an external host
# MEDIA_URL=/media/

# Serve mediafiles directly using gunicorn. Basically everyone recommends not doing this. Please use any of the examples
# provided that include an additional nxginx container to handle media file serving.
# If you know what you are doing turn this back on (1) to serve media files using djangos serve() method.
# when unset: 1 (true) - this is temporary until an appropriate amount of time has passed for everyone to migrate
GUNICORN_MEDIA=0

# S3 Media settings: store mediafiles in s3 or any compatible storage backend (e.g. minio)
# as long as S3_ACCESS_KEY is not set S3 features are disabled
# S3_ACCESS_KEY=
# S3_SECRET_ACCESS_KEY=
# S3_BUCKET_NAME=
# S3_REGION_NAME= # default none, set your region might be required
# S3_QUERYSTRING_AUTH=1 # default true, set to 0 to serve media from a public bucket without signed urls
# S3_QUERYSTRING_EXPIRE=3600 # number of seconds querystring are valid for
# S3_ENDPOINT_URL= # when using a custom endpoint like minio

# Email Settings, see https://docs.djangoproject.com/en/3.2/ref/settings/#email-host
# Required for email confirmation and password reset (automatically activates if host is set)
EMAIL_HOST=mail.yyy.tld
EMAIL_PORT=587
EMAIL_HOST_USER=xxx
EMAIL_HOST_PASSWORD=yyy
EMAIL_USE_TLS=1
# EMAIL_USE_SSL=0
DEFAULT_FROM_EMAIL=gitlab@gtr.de # email sender address (default 'webmaster@localhost')
# ACCOUNT_EMAIL_SUBJECT_PREFIX= # prefix used for account related emails (default "[Tandoor Recipes] ")

# allow authentication via reverse proxy (e.g. authelia), leave off if you dont know what you are doing
# see docs for more information https://vabene1111.github.io/recipes/features/authentication/
# when unset: 0 (false)
REVERSE_PROXY_AUTH=1
VIRTUAL_HOST=mytandoor.domain.net
LETSENCRYPT_HOST=mytandoor.domain.net
LETSENCRYPT_EMAIL=mymail

# Default settings for spaces, apply per space and can be changed in the admin view
# SPACE_DEFAULT_MAX_RECIPES=0 # 0=unlimited recipes
# SPACE_DEFAULT_MAX_USERS=0 # 0=unlimited users per space
# SPACE_DEFAULT_MAX_FILES=0 # Maximum file storage for space in MB. 0 for unlimited, -1 to disable file upload.
# SPACE_DEFAULT_ALLOW_SHARING=1 # Allow users to share recipes with public links

# allow people to create accounts on your application instance (without an invite link)
# when unset: 0 (false)
# ENABLE_SIGNUP=0

# If signup is enabled you might want to add a captcha to it to prevent spam
# HCAPTCHA_SITEKEY=
# HCAPTCHA_SECRET=

# if signup is enabled you might want to provide urls to data protection policies or terms and conditions
# TERMS_URL=
# PRIVACY_URL=
# IMPRINT_URL=

# enable serving of prometheus metrics under the /metrics path
# ATTENTION: view is not secured (as per the prometheus default way) so make sure to secure it
# trough your web server (or leave it open of you dont care if the stats are exposed)
# ENABLE_METRICS=0

# allows you to setup OAuth providers
# see docs for more information https://vabene1111.github.io/recipes/features/authentication/
# SOCIAL_PROVIDERS = allauth.socialaccount.providers.github, allauth.socialaccount.providers.nextcloud,

# Should a newly created user from a social provider get assigned to the default space and given permission by default ?
# ATTENTION: This feature might be deprecated in favor of a space join and public viewing system in the future
# default 0 (false), when 1 (true) users will be assigned space and group
# SOCIAL_DEFAULT_ACCESS = 1

# if SOCIAL_DEFAULT_ACCESS is used, which group should be added
# SOCIAL_DEFAULT_GROUP=guest

# Django session cookie settings. Can be changed to allow a single django application to authenticate several applications
# when running under the same database
# SESSION_COOKIE_DOMAIN=.example.com
# SESSION_COOKIE_NAME=sessionid # use this only to not interfere with non unified django applications under the same top level domain

# by default SORT_TREE_BY_NAME is disabled this will store all Keywords and Food in the order they are created
# enabling this setting makes saving new keywords and foods very slow, which doesn't matter in most usecases.
# however, when doing large imports of recipes that will create new objects, can increase total run time by 10-15x
# Keywords and Food can be manually sorted by name in Admin
# This value can also be temporarily changed in Admin, it will revert the next time the application is started
# This will be fixed/changed in the future by changing the implementation or finding a better workaround for sorting
# SORT_TREE_BY_NAME=0

# LDAP authentication
# default 0 (false), when 1 (true) list of allowed users will be fetched from LDAP server
#LDAP_AUTH=
#AUTH_LDAP_SERVER_URI=
#AUTH_LDAP_BIND_DN=
#AUTH_LDAP_BIND_PASSWORD=
#AUTH_LDAP_USER_SEARCH_BASE_DN=

Docker-Compose file

version: "3"
services:
  db_recipes:
    restart: always
    image: postgres:11-alpine
    volumes:
      - ./postgresql:/var/lib/postgresql/data
    env_file:
      - ./.env

  web_recipes:
    image: vabene1111/recipes
    restart: always
    env_file:
      - ./.env
    volumes:
      - staticfiles:/opt/recipes/staticfiles
      - nginx_config:/opt/recipes/nginx/conf.d
      - ./mediafiles:/opt/recipes/mediafiles
    depends_on:
      - db_recipes

  nginx_recipes:
    image: nginx:mainline-alpine
    restart: always
    ports:
      - 981:80
    env_file:
      - ./.env
    depends_on:
      - web_recipes
    volumes:
      - nginx_config:/etc/nginx/conf.d:ro
      - staticfiles:/static
      - ./mediafiles:/media

volumes:
  nginx_config:
  staticfiles:

Relevant logs

## Startup

Attaching to tandoor-db_recipes-1, tandoor-nginx_recipes-1, tandoor-web_recipes-1
tandoor-db_recipes-1     |
tandoor-db_recipes-1     | PostgreSQL Database directory appears to contain a database; Skipping initialization
tandoor-db_recipes-1     |
tandoor-db_recipes-1     | 2023-05-21 09:23:38.659 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
tandoor-db_recipes-1     | 2023-05-21 09:23:38.659 UTC [1] LOG:  listening on IPv6 address "::", port 5432
tandoor-db_recipes-1     | 2023-05-21 09:23:38.668 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
tandoor-db_recipes-1     | 2023-05-21 09:23:38.688 UTC [22] LOG:  database system was shut down at 2023-05-21 09:23:29 UTC
tandoor-db_recipes-1     | 2023-05-21 09:23:38.694 UTC [1] LOG:  database system is ready to accept connections
tandoor-web_recipes-1    | Checking configuration...
tandoor-web_recipes-1    | Waiting for database to be ready...
tandoor-web_recipes-1    | Database is ready
tandoor-web_recipes-1    | Migrating database
tandoor-web_recipes-1    | ERROR failed to initialize plugins
tandoor-nginx_recipes-1  | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
tandoor-nginx_recipes-1  | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
tandoor-nginx_recipes-1  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
tandoor-nginx_recipes-1  | 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
tandoor-nginx_recipes-1  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
tandoor-nginx_recipes-1  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
tandoor-nginx_recipes-1  | /docker-entrypoint.sh: Configuration complete; ready for start up
tandoor-nginx_recipes-1  | 2023/05/21 09:23:39 [notice] 1#1: using the "epoll" event method
tandoor-nginx_recipes-1  | 2023/05/21 09:23:39 [notice] 1#1: nginx/1.23.4
tandoor-nginx_recipes-1  | 2023/05/21 09:23:39 [notice] 1#1: built by gcc 12.2.1 20220924 (Alpine 12.2.1_git20220924-r4)
tandoor-nginx_recipes-1  | 2023/05/21 09:23:39 [notice] 1#1: OS: Linux 5.15.107-2-pve
tandoor-nginx_recipes-1  | 2023/05/21 09:23:39 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 524288:524288
tandoor-nginx_recipes-1  | 2023/05/21 09:23:39 [notice] 1#1: start worker processes
tandoor-nginx_recipes-1  | 2023/05/21 09:23:39 [notice] 1#1: start worker process 20
tandoor-nginx_recipes-1  | 2023/05/21 09:23:39 [notice] 1#1: start worker process 21
tandoor-web_recipes-1    | Operations to perform:
tandoor-web_recipes-1    |   Apply all migrations: account, admin, auth, authtoken, contenttypes, cookbook, oauth2_provider, sessions, sites, socialaccount
tandoor-web_recipes-1    | Running migrations:
tandoor-web_recipes-1    |   No migrations to apply.
tandoor-web_recipes-1    | Generating static files
tandoor-web_recipes-1    | ERROR failed to initialize plugins
tandoor-web_recipes-1    | js-reverse file written to /opt/recipes/cookbook/static/django_js_reverse
tandoor-web_recipes-1    | ERROR failed to initialize plugins
tandoor-web_recipes-1    |
tandoor-web_recipes-1    | 1 static file copied to '/opt/recipes/staticfiles', 611 unmodified, 1282 post-processed.
tandoor-web_recipes-1    | Done
tandoor-web_recipes-1    | [2023-05-21 09:23:46 +0000] [1] [INFO] Starting gunicorn 20.1.0
tandoor-web_recipes-1    | [2023-05-21 09:23:46 +0000] [1] [INFO] Listening at: http://0.0.0.0:8080 (1)
tandoor-web_recipes-1    | [2023-05-21 09:23:46 +0000] [1] [INFO] Using worker: gthread
tandoor-web_recipes-1    | [2023-05-21 09:23:46 +0000] [11] [INFO] Booting worker with pid: 11
tandoor-web_recipes-1    | [2023-05-21 09:23:46 +0000] [12] [INFO] Booting worker with pid: 12
tandoor-web_recipes-1    | ERROR failed to initialize plugins
tandoor-web_recipes-1    | [2023-05-21 09:23:46 +0000] [13] [INFO] Booting worker with pid: 13
tandoor-web_recipes-1    | ERROR failed to initialize plugins
tandoor-web_recipes-1    | ERROR failed to initialize plugins
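An added example, not part of this issue or of the Tandoor project: a small linter for an environment file written like the one posted above. It parses the active `KEY=value` lines (skipping comments and blank lines) and flags the settings whose own template comments warn about them, such as `REVERSE_PROXY_AUTH`, the placeholder `SECRET_KEY` and the unsecured `/metrics` view. The sample file embedded below is constructed to mirror the relevant posted values; the thresholds and placeholder list are my assumptions.

```python
import re

# Constructed sample mirroring the settings that matter in the posted .env.
SAMPLE_ENV = """\
DEBUG=0
ALLOWED_HOSTS=*
SECRET_KEY=mysecret
POSTGRES_PASSWORD=password
GUNICORN_MEDIA=0
REVERSE_PROXY_AUTH=1
# ENABLE_METRICS=0
EMAIL_USE_TLS=1
"""

# Assumed set of values that mean "never changed from the template".
PLACEHOLDERS = {"mysecret", "password", "changeme", ""}

def parse_env(text):
    """Return a dict of the active (uncommented) KEY=value pairs."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # tolerate spaces around '=' as the template itself does (KEY = value)
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$", line)
        if m:
            env[m.group(1)] = m.group(2).strip("'\"")
    return env

def lint_env(env):
    """Return (key, reason) findings; defaults follow the template's 'when unset' notes."""
    findings = []
    if env.get("DEBUG", "1") != "0":  # template: unset means 1 (true)
        findings.append(("DEBUG", "debug mode exposes stack traces and settings"))
    key = env.get("SECRET_KEY", "")
    if key in PLACEHOLDERS or len(key) < 32:  # 32 is an assumed minimum
        findings.append(("SECRET_KEY", "placeholder or short key; sessions are signed with it"))
    if env.get("POSTGRES_PASSWORD", "") in PLACEHOLDERS:
        findings.append(("POSTGRES_PASSWORD", "template default; database reachable with it"))
    if env.get("REVERSE_PROXY_AUTH", "0") == "1":
        findings.append(("REVERSE_PROXY_AUTH", "proxy login on; only safe if the proxy authenticates every request"))
    if env.get("ALLOWED_HOSTS") == "*":
        findings.append(("ALLOWED_HOSTS", "wildcard accepts any Host header; list the proxied hostnames"))
    if env.get("ENABLE_METRICS", "0") == "1":
        findings.append(("ENABLE_METRICS", "/metrics is unauthenticated; restrict it at the proxy"))
    return findings
```

Run `lint_env(parse_env(open(".env").read()))` against a real file; an empty list means none of the flagged settings are active.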
Basti-Fantasti commented 1 year ago

Update 1:

I now moved to a privileged LXC container but without any change in the result. Same behaviour, loading of login screen takes very long, and after entering the credentials I receive a page load error.

Based on the logs, this attempt stops at the npm, so I assume that there's something wrong with my current configuration. Does anyone have an example on how to set up npm properly to get it working again?

boospy commented 1 year ago

Here is my working nginx config. Maybe it helps you.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream rezepte.tux.lan {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name rezepte.tux.lan;
    access_log /var/log/nginx/rezepte_access.log;
    error_log /var/log/nginx/rezepte_error.log;
    return 301 https://rezepte.tux.lan$request_uri;
}

server {
    listen 443 ssl;
    server_name rezepte.tux.lan;
    access_log /var/log/nginx/rezepte_access.log;
    error_log /var/log/nginx/rezepte_error.log;

    client_max_body_size 100M;

    # SSL
    ssl_certificate /etc/ssl/certs/ssl-cert-tux.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-tux.key;
    ssl_trusted_certificate /usr/local/share/ca-certificates/tux-root-wildcard1.crt;

    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://rezepte.tux.lan;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /websockify {
        proxy_pass http://rezepte.tux.lan;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Basti-Fantasti commented 1 year ago

@boospy , thanks for your feedback. I assume you created the nginx config manually. Using npm I'm quite limited in adjusting the nginx configuration to my needs. I need to check if I can get a similar result.

Basti-Fantasti commented 1 year ago

I found the reason 😢 my router decided to not forward port 443 to my docker host anymore.

Port is now forwarded again and tandoor works like a charm 🥳

Thanks again