TomBursch / kitchenowl

KitchenOwl is a self-hosted grocery list and recipe manager. The backend is made with Flask and the frontend with Flutter. Easily add items to your shopping list before you go shopping. You can also create recipes and add items based on what you want to cook.
https://kitchenowl.org/
GNU Affero General Public License v3.0
1.12k stars 62 forks

Bug: docker with nginx SSL reverse proxy #422

Closed thatso closed 3 months ago

thatso commented 3 months ago

Is this urgent?

No

What parts are affected

Frontend

What is the server version

docker latest

What is the client version

docker latest

What platform are you using

Web

What's the problem 🤔

I'm trying to run KitchenOwl in docker behind an nginx SSL reverse proxy, however I only get 502 Bad Gateway openresty. Most likely, I'm only missing some detail. The docker compose file seems to resemble the one in the docs.

Share your logs

kitchenowl container:

/usr/src/kitchenowl/migrations/env.py:21: DeprecationWarning: 'get_engine' is deprecated and will be removed in Flask-SQLAlchemy 3.2. Use 'engine' or 'engines[key]' instead. If you're using Flask-Migrate or Alembic, you'll need to update your 'env.py' file.

  return current_app.extensions['migrate'].db.get_engine()

/usr/src/kitchenowl/migrations/env.py:21: DeprecationWarning: 'get_engine' is deprecated and will be removed in Flask-SQLAlchemy 3.2. Use 'engine' or 'engines[key]' instead. If you're using Flask-Migrate or Alembic, you'll need to update your 'env.py' file.

  return current_app.extensions['migrate'].db.get_engine()

INFO  [alembic.runtime.migration] Context impl SQLiteImpl.

INFO  [alembic.runtime.migration] Will assume non-transactional DDL.

Upgrading households: 0it [00:00, ?it/s]
Upgrading households: 0it [00:00, ?it/s]

[uWSGI] getting INI configuration from wsgi.ini

*** Starting uWSGI 2.0.23 (64bit) on [Fri Mar 22 15:48:34 2024] ***

compiled with version: 12.2.0 on 06 January 2024 17:03:35

os: Linux-6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01)

nodename: 7ac5fd4bfa31

machine: x86_64

clock source: unix

pcre jit disabled

detected number of CPU cores: 4

current working directory: /usr/src/kitchenowl

detected binary path: /opt/venv/bin/uwsgi

uWSGI running as root, you can use --uid/--gid/--chroot options

*** WARNING: you are running uWSGI as root !!! (use the --uid flag) *** 

your memory page size is 4096 bytes

detected max file descriptor number: 1048576

- async cores set to 200 - fd table size: 1048576

lock engine: pthread robust mutexes

thunder lock: disabled (you can enable it with --thunder-lock)

uwsgi socket 0 bound to TCP6 address [::]:5000 fd 3

uWSGI running as root, you can use --uid/--gid/--chroot options

*** WARNING: you are running uWSGI as root !!! (use the --uid flag) *** 

Python version: 3.11.7 (main, Dec 19 2023, 03:30:20) [GCC 12.2.0]

Python main interpreter initialized at 0x7f191437ced8

uWSGI running as root, you can use --uid/--gid/--chroot options

*** WARNING: you are running uWSGI as root !!! (use the --uid flag) *** 

python threads support enabled

your server socket listen backlog is limited to 100 connections

your mercy for graceful operations on workers is 60 seconds

mapped 4307328 bytes (4206 KB) for 200 cores

*** Operational MODE: async ***

uWSGI running as root, you can use --uid/--gid/--chroot options

*** WARNING: you are running uWSGI as root !!! (use the --uid flag) *** 

spawned uWSGI master process (pid: 29)

spawned uWSGI worker 1 (pid: 30, cores: 200)

WSGI app 0 (mountpoint='') ready in 3 seconds on interpreter 0x7f191437ced8 pid: 30 (default app)

*** running gevent loop engine [addr:0x55b6b3a91650] ***

[pid: 30|app: 0|req: 1/1]  () {16 vars in 245 bytes} [Fri Mar 22 15:49:22 2024] GET /api/health/8M4F88S8ooi4sMbLBfkkV7ctWwgibW6V => generated 71 bytes in 1 msecs (HTTP/1.1 200) 2 headers in 71 bytes (3 switches on core 199)

[pid: 30|app: 0|req: 2/2]  () {16 vars in 245 bytes} [Fri Mar 22 15:50:22 2024] GET /api/health/8M4F88S8ooi4sMbLBfkkV7ctWwgibW6V => generated 71 bytes in 0 msecs (HTTP/1.1 200) 2 headers in 71 bytes (3 switches on core 199)

[pid: 30|app: 0|req: 3/3]  () {16 vars in 245 bytes} [Fri Mar 22 15:51:22 2024] GET /api/health/8M4F88S8ooi4sMbLBfkkV7ctWwgibW6V => generated 71 bytes in 0 msecs (HTTP/1.1 200) 2 headers in 71 bytes (3 switches on core 199)

[pid: 30|app: 0|req: 4/4]  () {16 vars in 245 bytes} [Fri Mar 22 15:52:22 2024] GET /api/health/8M4F88S8ooi4sMbLBfkkV7ctWwgibW6V => generated 71 bytes in 0 msecs (HTTP/1.1 200) 2 headers in 71 bytes (3 switches on core 199)

[pid: 30|app: 0|req: 5/5]  () {16 vars in 245 bytes} [Fri Mar 22 15:53:23 2024] GET /api/health/8M4F88S8ooi4sMbLBfkkV7ctWwgibW6V => generated 71 bytes in 0 msecs (HTTP/1.1 200) 2 headers in 71 bytes (3 switches on core 199)

kitchenowl_web container:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration

/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/

/docker-entrypoint.sh: Launching /docker-entrypoint.d/01-kitchenowl-customization.sh

/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh

10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf

10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf

/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh

20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/default.conf.template to /etc/nginx/conf.d/default.conf

/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh

/docker-entrypoint.sh: Configuration complete; ready for start up

2024/03/22 15:48:22 [notice] 1#1: using the "epoll" event method

2024/03/22 15:48:22 [notice] 1#1: nginx/1.24.0

2024/03/22 15:48:22 [notice] 1#1: built by gcc 12.2.1 20220924 (Alpine 12.2.1_git20220924-r4) 

2024/03/22 15:48:22 [notice] 1#1: OS: Linux 6.1.0-18-amd64

2024/03/22 15:48:22 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576

2024/03/22 15:48:22 [notice] 1#1: start worker processes

2024/03/22 15:48:22 [notice] 1#1: start worker process 37

2024/03/22 15:48:22 [notice] 1#1: start worker process 38

2024/03/22 15:48:22 [notice] 1#1: start worker process 39

2024/03/22 15:48:22 [notice] 1#1: start worker process 40

127.0.0.1 - - [22/Mar/2024:15:48:52 +0000] "GET / HTTP/1.1" 200 3413 "-" "curl/8.5.0" "-"

127.0.0.1 - - [22/Mar/2024:15:49:22 +0000] "GET / HTTP/1.1" 200 3413 "-" "curl/8.5.0" "-"

127.0.0.1 - - [22/Mar/2024:15:49:52 +0000] "GET / HTTP/1.1" 200 3413 "-" "curl/8.5.0" "-"

127.0.0.1 - - [22/Mar/2024:15:50:22 +0000] "GET / HTTP/1.1" 200 3413 "-" "curl/8.5.0" "-"

127.0.0.1 - - [22/Mar/2024:15:50:52 +0000] "GET / HTTP/1.1" 200 3413 "-" "curl/8.5.0" "-"

127.0.0.1 - - [22/Mar/2024:15:51:22 +0000] "GET / HTTP/1.1" 200 3413 "-" "curl/8.5.0" "-"

127.0.0.1 - - [22/Mar/2024:15:51:53 +0000] "GET / HTTP/1.1" 200 3413 "-" "curl/8.5.0" "-"

127.0.0.1 - - [22/Mar/2024:15:52:23 +0000] "GET / HTTP/1.1" 200 3413 "-" "curl/8.5.0" "-"

127.0.0.1 - - [22/Mar/2024:15:52:53 +0000] "GET / HTTP/1.1" 200 3413 "-" "curl/8.5.0" "-"

Share your configuration

services:
  front:
    image: tombursch/kitchenowl-web:latest
    container_name: kitchenowl_web
    restart: unless-stopped
    ports:
      - 8040:80
    depends_on:
      - back
    networks:
      - default
      - npm

  back:
    image: tombursch/kitchenowl:latest
    container_name: kitchenowl
    restart: unless-stopped
    environment:
      - JWT_SECRET_KEY=[redacted]
      - FRONT_URL=https://kitchenowl.lan
    volumes:
      - data:/data
    networks:
      - default

volumes:
  data:
    name: kitchenowl_data

networks:
  default:
  npm:
    name: nginxproxymanager_default
    external: true

TomBursch commented 3 months ago

Your config and logs look good. It is most likely something wrong with your reverse proxy setup/config.

thatso commented 3 months ago

Thanks for your confirmation of my docker file. I'm still wondering what's wrong, but at least now I can focus on the proxy. Do you BTW plan to publish the AIO container #373 anytime soon?

Karamellwuerfel commented 3 months ago

@thatso Did you find the error? I've the same issue with jwilder nginx proxy. My docker-compose config file looks like yours but I get a 502 error and can't find any solution. Thank you guys!

Karamellwuerfel commented 3 months ago

I found the solution for me in #201 and my compose file is:

version: "3"
services:
  kitchenowlfront:
    image: tombursch/kitchenowl-web:latest
    container_name: kitchenowlfront
    restart: unless-stopped
    depends_on:
      - kitchenowlback
    environment:
      - BACK_URL=kitchenowlback:5000
      - VIRTUAL_HOST=kitchen.[hidden].de
      - LETSENCRYPT_HOST=kitchen.[hidden].de
      - LETSENCRYPT_EMAIL=info@[hidden].de
      - WEBROOT=/var/www/web/kitchenowl

  kitchenowlback:
    image: tombursch/kitchenowl:latest
    container_name: kitchenowlback
    environment:
      - JWT_SECRET_KEY=secret
    ports:
      - 5000:5000

volumes:
  kitchenowl_data:

networks:
  default:
    external:
      name: nginx-proxy

Needed the ports: - 5000:5000.

Thank you!

thatso commented 3 months ago

@Karamellwuerfel: this is great news! Where did you find the webroot environment definition? Also, according to this comment, I deemed the port 5000 definitions not necessary. Interesting find!

Still waiting for the AIO container though in the hope it will simplify the setup even more. 😉

Karamellwuerfel commented 3 months ago

@thatso: I used the webroot and the other environment variables except BACK_URL from and for my nginx proxy configuration. The nginx proxy is from jwilder (Docker Hub).

I tried without port 5000 but it didn't work and I got the 502 error again. When I added it, everything works. 👍

The AIO was (I think) merged today and you can use the BETA in the docs. 😺

TomBursch commented 3 months ago

Awesome that you've found a solution. I've merged the docs for the AIO container and will publish the corresponding release later today 😃

thatso commented 2 months ago

For later reference and future readers: this is my currently working docker compose file with the npm network referring to a separate Nginx Proxy Manager container:

services:
  kitchenowl:
    image: tombursch/kitchenowl:latest
    container_name: kitchenowl
    restart: unless-stopped
    environment:
      - JWT_SECRET_KEY=[redacted]
    volumes:
      - data:/data
    networks:
      - npm

volumes:
  data:
    name: kitchenowl_data

networks:
  npm:
    name: nginxproxymanager_default
    external: true

@TomBursch: your AIO container seems to work fine, thanks! 👍
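
Added example (not from the thread or the KitchenOwl project): a small Python check over the three compose files posted above, reduced to the relevant keys and given as already-parsed mappings, that flags ports published on the host (reachable without going through the TLS reverse proxy) and a placeholder JWT_SECRET_KEY. The function names and the weak-value list are assumptions of this example.

```python
# Added example: audit a parsed docker-compose mapping for settings that let
# traffic bypass the TLS reverse proxy. All names below are this example's own.

WEAK_SECRETS = {"", "secret", "changeme", "password"}  # assumed placeholder values
LOOPBACK = {"127.0.0.1", "[::1]"}


def published_ports(service):
    """Yield (host_ip, container_port) for every entry under `ports`."""
    for entry in service.get("ports") or []:
        if isinstance(entry, dict):  # long syntax: {target: 5000, host_ip: ...}
            yield str(entry.get("host_ip", "0.0.0.0")), str(entry.get("target"))
            continue
        # short syntax: [host_ip:][host_port:]container_port[/proto]
        parts = str(entry).split("/")[0].rsplit(":", 2)
        yield (parts[0] if len(parts) == 3 else "0.0.0.0"), parts[-1]


def audit(compose):
    """Return (service, issue) findings in the order they are discovered."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        for host_ip, port in published_ports(svc):
            if host_ip not in LOOPBACK:  # no host IP means all host interfaces
                findings.append((name, f"port {port} published on {host_ip}"))
        env = svc.get("environment") or {}
        if isinstance(env, list):  # list form: ["KEY=value", ...]
            env = dict(item.partition("=")[::2] for item in env)
        if "JWT_SECRET_KEY" in env:
            value = str(env["JWT_SECRET_KEY"] or "").strip().lower()
            if value in WEAK_SECRETS:
                findings.append((name, "JWT_SECRET_KEY is a placeholder value"))
    return findings


# Constructed inputs: the thread's three compose files, reduced to relevant keys.
FIRST_POST = {"services": {
    "front": {"ports": ["8040:80"]},
    "back": {"environment": ["JWT_SECRET_KEY=[redacted]"]}}}
JWILDER_POST = {"services": {
    "kitchenowlfront": {"environment": ["BACK_URL=kitchenowlback:5000"]},
    "kitchenowlback": {"environment": ["JWT_SECRET_KEY=secret"],
                       "ports": ["5000:5000"]}}}
FINAL_POST = {"services": {
    "kitchenowl": {"environment": ["JWT_SECRET_KEY=[redacted]"]}}}

if __name__ == "__main__":
    for label, doc in [("first", FIRST_POST), ("jwilder", JWILDER_POST),
                       ("final", FINAL_POST)]:
        print(label, audit(doc))
```

Only the final compose file, which publishes no ports and is reached solely over the shared proxy network, comes back without findings.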