a1ex4 / ownfoil

Switch library manager, with a self-hosted Tinfoil Shop.
454 stars 46 forks source link

ownfoil doesn't work with reverse proxy #26

Open Seruschl opened 1 year ago

Seruschl commented 1 year ago

Hi, and first of all, thanks for this great docker container :D

It is working so far on my LAN, but I want to set it up via dyndns with nginx as a reverse proxy, and with this the data won't load at all in tinfoil.

When I open up the dyndns like https://switch.my.dyndns.name with the login credentials I see the .nsp and all like it should be, but when I add it to tinfoil with https and host and all, nothing happened...

Has anyone set up something similar with a reverse proxy?

datapush3r commented 1 year ago

I have a very similar experience using Nginx Proxy Manager. I can see all the files via browser but the shop is blank in Tinfoil. More troubleshooting is needed.

mobihen commented 1 year ago

It's working fine for me. I have NginX in docker and I can see the shop locally and even from remote (also cloudflare), I'll try to upload a pic later for the config

rwbxd commented 1 year ago

Had this same issue - I have NPM on a VPS pointing to my server with Traefik. Browser worked, Tinfoil didn't. Removed my authentication from Ownfoil (the reverse proxy only accepts requests from my home IP), and it worked. Obviously not a perfect solution, but a reasonable workaround and hopefully can help diagnose the issue.

EDIT: actually, it still doesn't work - I get failed to open NSP when I try to download a game.

Seruschl commented 1 year ago

So without the reverse proxy, on http only with port forwarding, it is working. Not the best solution but it works.

pxdl commented 1 year ago

> It's working fine for me. I have NginX in docker and I can see the shop locally and even from remote (also cloudflare), I'll try to upload a pic later for the config

Same here. Haven't tried authentication yet though.

BaerHub commented 1 year ago

Any update on this? It's not working when using nginx https proxy, only http.

kevincali commented 1 year ago

Reverse proxying with Caddy didn't work for me either.

I used a Cloudflare Tunnel instead.

FoUStep commented 1 year ago

Tried it with docker-compose, I could confirm this should work with curl on the laptop (curl https://myurl:8000 -v).

```yaml
version: "3"

services:
  ownfoil:
    container_name: ownfoil
    image: a1ex4/ownfoil
    environment:
      # For write permission in /games directory
      - PUID=1000
      - PGID=1000
    volumes:
      - /home/foustep/games:/games
  nginx-proxy:
    container_name: nginx-proxy-for-ownfoil
    image: nginx
    volumes:
      - ./nginx-proxy/nginx.conf:/etc/nginx/conf.d/default.conf
      - ./nginx-proxy/key.pem:/root/ssl/key.pem
      - ./nginx-proxy/cert.pem:/root/ssl/cert.pem
    ports:
      - "8000:443"
    depends_on:
      - ownfoil
```

Unfortunately, this doesn't work on the switch. The certificate is valid. Does v2 work?

a1ex4 commented 1 year ago

If you use the latest image tag then there is already an nginx instance running in the container, so adding another nginx container on top wouldn't work.

In the v2 version (currently in development) reverse proxies should work, though I have yet to test it.

FoUStep commented 1 year ago

I'm very sorry, perhaps I do not fully understand either nginx or docker-compose, but how do I add the ssl configuration without touching ownfoil's port 80 configuration in nginx (as a different site, or .conf)? I tried another container with a reverse proxy and that works for curl but not for the switch itself.

If I try to add another server with 443 ssl, it says the directive server is not allowed and if I use another http, it says it is a duplicate in the original nginx.conf.

I want to add additional (ssl) configuration, without touching the docker(-compose) default configuration of the ownfoil setup. Can someone send me in the right direction with this? I've tried several combinations.

safety1g commented 4 months ago

I can't get reverse proxy working, even on v2.0.

I can access the admin panel fine using http://tinfoil.'mydomain'.com but when I enter the details in tinfoil it's not working. Working fine with local IP. Working fine with public IP and port opened up.

Not sure if I'm entering something wrong in tinfoil. Currently I have:

- Protocol: http
- Host: tinfoil.'mydomain'.com
- Port: 80 (also tried leaving this blank)
- Path: /
- Username: (blank - shop is set to public for testing purposes)
- Password: (blank - shop is set to public for testing purposes)
- Title: My Shop
- Enabled: Yes

Any other troubleshooting steps I could take?

EDIT: Seems like it's actually working in some form. I can access the games through file manager, but I don't get the welcome message when I start tinfoil, and the search doesn't work.

Terror-Gene commented 3 months ago

If I use "Public Shop," it works for me through Nginx Proxy Manager (HTTPS). However, if I disable "Public Shop" and try to connect with a username and password, the shop doesn't load on Tinfoil startup, but I can browse the file browser (which then shows the success message) and see the content.

Here's what I tested: (Local = HTTP, Proxy = HTTPS)

Public Shop:

Seems a bit of a strange behavior. (The more I play with this the more it feels like a tinfoil issue....)

I hope this helps in some way.

a1ex4 commented 3 months ago

@Terror-Gene thanks for the detailed report, although I can't reproduce any issue with Tinfoil authentication, it works locally on the network with http, and remotely with https without any problem.

I personally use nginx-proxy/nginx-proxy, which works without issue. Let me know if you still have problems.

Golumpa commented 2 months ago

Hey, so I seem to be getting this funny issue as well when running ownfoil on my nginx reverse proxy.

The EXACT symptoms as @Terror-Gene here https://github.com/a1ex4/ownfoil/issues/26#issuecomment-2263164735

I use swag as my main server's reverse proxy setup. proxy.conf and resolver.conf are part of base swag; the only thing I added is ownfoil.subdomain.conf. This same setup works on all 20 other containers I am running on my server.

ownfoil.subdomain.conf

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ownfoil.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app ownfoil;
        set $upstream_port 8465;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

resolver.conf

```nginx
# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.

resolver 127.0.0.11 valid=30s;
```

proxy.conf

```nginx
## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect http:// $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
```

notmayo commented 2 months ago

I see this issue so I wanted to share my nginx reverse proxy config to see if it helps anyone. I use a subdomain (tinfoil.x.x) as my method of access using nginx in a VM.

```nginx
# SSL-enabled server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name tinfoil.REDACTED.com;
    root /var/www/tinfoil.REDACTED.com;

    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/tinfoil.REDACTED.X/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tinfoil.REDACTED.X/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/tinfoil.REDACTED.X/chain.pem;

    # Logging configuration
    access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
    error_log /var/log/nginx/error.log warn;

    # Index file
    index index.php;

    # Reverse proxy configuration
    location / {
        proxy_pass http://192.168.XXX.XXX:8465;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# HTTP to HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name tinfoil.REDACTED.X;

    location / {
        return 301 https://tinfoil.REDACTED.X$request_uri;
    }
}
```

dslatt commented 2 months ago

I ran into a similar problem.

When running through caddy the only part of Tinfoil that worked was the file browser. New games/dlc weren't visible and the 'Install All DLC/Latest Update' options from Tinfoil didn't seem to work. No issues actually installing the files however.

Everything worked fine once I removed caddy.

Feels like a tinfoil problem but idk.

ajmandourah commented 1 month ago

This is probably because of the http Auth used in the container. I have not tested it, but setting it to public shop then adding the http Auth in your reverse proxy should work. Will give it a try tomorrow.

Gusfit1 commented 1 month ago

> EDIT: actually, it still doesn't work - I get failed to open NSP when I try to download a game.

Just wanted to stop in to say I was getting this error but with Cloudflare Tunnel, I can get around it by disabling "Always Use HTTPS" in Edge Certificates.

dnsBlah commented 1 month ago

Try adding

```nginx
proxy_set_header Authorization "";
proxy_set_header X-Forwarded-User $remote_user;
```

to your location block.

ajmandourah commented 1 month ago

I think I solved this as I have faced the same issue when working on Tinshop-ng. Tinfoil expects a content type json when querying shops. This is different from the file browser, which can just parse the response. Some proxies can manage that, but explicitly assigning the header fixed the issue. @a1ex4 lemme know if you need help with that.

a1ex4 commented 1 month ago

@ajmandourah thanks for the hint, although all requests served to Tinfoil explicitly have the Content-Type: application/json header. Since people are describing issues with authenticated requests I double checked and all requests are the same, through auth or not.

Now I am more convinced that the problem is in the reverse proxy configuration, I don't see anything different for Ownfoil... I'll try to change my reverse proxy configuration until it breaks and I can reproduce the issues described here and pinpoint the root cause.

ajmandourah commented 1 month ago

I see. It's been a while since I did Python. But jsonify should set a json header automatically, I guess. It seems weird as most reverse proxies won't modify any headers. I was facing the same issue exactly, where without Auth it worked in Tinshop-ng but with Auth somehow the content type was set to text.

Try caddy, as it was not working till I set the header manually. Also try explicitly setting the content header either way. It was working for your setup from the start so I assume your reverse proxy was setting it correctly. Maybe caddy, npm or others were conflicting somehow.

I will do some testing when I have the time and give you some feedback

NovaXeros commented 5 days ago

> try adding proxy_set_header Authorization ""; proxy_set_header X-Forwarded-User $remote_user;
>
> to your location block

Tried this in a custom location block for / on Nginx Proxy Manager and sadly it made no difference.

If I direct tinfoil directly at my server locally with port 8465 it works with authentication, but if I use a local reverse proxy (http://ownfoil.lan) or exposed reverse proxy (https://foil.domain.com) the tinfoil shop shows as empty and no files are listed in the browser.

The docker terminal logs (displayed on Dockge) also don't seem to receive any API requests from Tinfoil, despite being able to browse to either of the above URLs and log in to see the UI as expected.

Update:

After closing Tinfoil and reopening, it threw an error that the "Shop requires Authentication" so clearly the above approach didn't work.

However, removing the custom location block and reverting to previous results in the shop working, to some extent (I get the shop welcome message and can see my files in "File Browser" but no New Games list appears as it does if I don't use reverse proxy, even after restarting Tinfoil). Very confusing.
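
The hypotheses raised in this thread (a changed Content-Type, an Authorization header that does not reach Ownfoil, a forced HTTP-to-HTTPS redirect) can be checked by requesting the same URL directly and through the proxy and comparing the two responses. The following is an added example, not part of the thread or of Ownfoil's code; the function names and the sample responses are constructed for illustration.

```python
import base64
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report a 3xx as-is instead of following it


def probe(url, user=None, password="", timeout=10):
    """Fetch url once with optional Basic auth; return (status, headers)."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx all land here
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def _media_type(headers):
    return headers.get("content-type", "").split(";")[0].strip().lower()


def compare(direct, proxied):
    """List the differences between a direct and a proxied (status, headers)."""
    (d_status, d_hdr), (p_status, p_hdr) = direct, proxied
    findings = []
    if p_status != d_status:
        findings.append(f"status {d_status} direct vs {p_status} via proxy")
    if p_status in (301, 302, 307, 308):
        findings.append("proxy redirects to " + p_hdr.get("location", "?"))
    if p_status == 401 and d_status != 401:
        findings.append("401 only via proxy: is Authorization forwarded?")
    if _media_type(d_hdr) != _media_type(p_hdr):
        findings.append(f"Content-Type {_media_type(d_hdr) or 'none'} direct "
                        f"vs {_media_type(p_hdr) or 'none'} via proxy")
    return findings


# Constructed sample responses, not captured from a real deployment.
SAMPLE_DIRECT = (200, {"content-type": "application/json"})
SAMPLE_PROXIED_TEXT = (200, {"content-type": "text/html; charset=utf-8"})
SAMPLE_PROXIED_REDIRECT = (301, {"location": "https://shop.example.test/"})
```

Against a live setup, pass `compare()` the result of `probe()` for the container's own address (port 8465 in the configurations above) and for the proxied hostname, using the same credentials for both.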