ether / etherpad-lite

Etherpad: A modern really-real-time collaborative document editor.
http://docs.etherpad.org/
Apache License 2.0

Admin login fails without error "admin-auth/ 404 (Not Found)" since v2.0 #6367

Open Artim96 opened 1 month ago

Artim96 commented 1 month ago

Describe the bug

After getting v2 to work, I just can't figure out how to log in to the admin settings page. Upon entering what's set in the settings.ini, the page tells me the login failed. Only in the browser developer console do I see the error "admin-auth/ 404 (Not Found)" (and in etherpad.access.log I see >>"POST /admin-auth/ HTTP/2.0" 404 94<<). Even with v2.0.3 this isn't fixed. Running bin/run.sh does show that /admin is created though.

Server (please complete the following information):

SamTV12345 commented 1 month ago

You normally navigate to /admin/ and then you should see the new admin console. If it says something like 404, you first need to build the admin panel by going to the admin folder, running pnpm build and copying the dist folder to template/admin.

Artim96 commented 1 month ago

I just ran pnpm build inside admin. I guess with template/admin you mean src/templates/admin, as there is no template directory in Etherpad's root directory. But which dist folder is supposed to be copied there? The only folders called dist are in /node_modules/.pnpm/. And there are 151 folders with that name.

dcht00 commented 1 month ago

There was also nothing for me at /admin, /src/templates/admin was missing. Just a

"Sorry, something bad happened"

Running "pnpm build" in the /admin subdirectory of the EP install made those files. But now got an empty page.

The problem is with paths in admin's index.html. I changed

    <script type="module" crossorigin src="/admin/assets/index-6MWu4lkJ.js"></script>
    <link rel="stylesheet" crossorigin href="/admin/assets/index-E-lmtrZj.css">

to

    <script type="module" crossorigin src="assets/index-6MWu4lkJ.js"></script>
    <link rel="stylesheet" crossorigin href="assets/index-E-lmtrZj.css">

This made it work at http://localhost:9001/admin, but not https://localhost/pad/admin (how I usually access EP, via a proxypass), as there's more absolute paths in the .js files.

SamTV12345 commented 1 month ago

This is also fixed and I also updated the wiki for it.

SamTV12345 commented 1 month ago

I added a new command in the admin directory. If you run pnpm run build-copy, it should also copy the assets into the correct directory.

Artim96 commented 1 month ago

I guess that will be available in 2.0.4? Let's hope I can use that version then. Right now I had to go back to 2.0.1 as using the APIKEY in 2.0.3 is broken.

SamTV12345 commented 1 month ago

Sure I'll create a release soon so that Etherpad can be used with the APIKEY again.

Artim96 commented 3 weeks ago

This issue seems to still be present. I just updated to v2.1 and still get the error message that admin-auth/ can't be found with a 404 error. Same after running pnpm build in admin.

Also, APIKEY still won't work, even after adding Environment=APIKEY=/path/to/APIKEY.txt to the systemd service file.

dcht00 commented 3 weeks ago

@Artim96, this should solve it? https://github.com/ether/etherpad-lite/issues/6374 In short, setting "authenticationMethod": "${AUTHENTICATION_METHOD:apikey}",

(I'm only commenting on the apikey, I don't use /admin and hadn't looked at that).

Artim96 commented 3 weeks ago

That's the question if it would actually do what I intend it to do. Right now with v2.0.1 and lower, anybody can create pads. That's to be kept that way. But so that other programs can read and write to pads without limitations, it was deemed the easiest way to just use the APIKEY. So the question is, setting the Authentication Method to apikey, will it only restore that ability or will it have any side effects?

EDIT: works as expected, as far as I can tell.

dcht00 commented 3 weeks ago

Think there should be no changes to the way it works :)

Artim96 commented 2 weeks ago

@SamTV12345 It would be great if you could re-open this issue as it clearly isn't solved yet.

Artim96 commented 1 week ago

I may have a lead on what's going on. Firefox's dev console tells me "Firefox can’t establish a connection to the server at wss://pad.fsmuw.rwth-aachen.de/socket.io/?EIO=4&transport=websocket. index-laED_ieF.js:40:70206", and setting nginx's error log to debug verbosity does show lines like these: "2024/06/19 12:36:35 [info] 1567775#1567775: *28 client closed connection while waiting for request, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:80". While I can't be 100 % certain these are related, I'm at least 95 % sure. Setting etherpad logging verbosity to debugging sadly doesn't really reveal anything. For this it only shows "POST /admin-auth/ HTTP/2.0" 404 94.

Also, since the way admin login is being handled, it's not impossible that something in the nginx config used may be interfering that previously wasn't:

server {
    server_name pad.domain.tld;
    root /opt/etherpad/etherpad-lite;

    access_log /var/log/etherpad/etherpad.access.log;
    error_log /var/log/etherpad/eplite.error.log;

    # Allow normal files to pass through
    location ~ ^/(locales/|locales.json|admin/|static/|pluginfw/|javascripts/|ep/|minified/|api/|ro/|error/|jserror/|favicon.ico|robots.txt) {
        proxy_buffering off;
        proxy_pass http://127.0.0.1:9001;
        proxy_redirect off;
        proxy_set_header Host $host;
    }

    location ^~ /socket {
        rewrite ^/socket/(.*) /$1 break; # used to send request to base url
        proxy_pass http://127.0.0.1:9001;
        proxy_redirect off;
        proxy_pass_request_headers on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }

    # Match the home page
    location ~ ^/$ {
        proxy_buffering off;
        proxy_pass http://127.0.0.1:9001;
    }

    # Handle pad URLs here
    location / {
        proxy_buffering off;
        rewrite ^/p/(.*) /p/$1 break;
        rewrite /(.*) /p/$1;
        proxy_pass http://127.0.0.1:9001/;
        proxy_redirect off;
        proxy_pass_header Server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
        proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
        proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
        proxy_http_version 1.1; # recommended with keepalive connections

        # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    # Favicon
    location = /favicon.ico {
        alias /etc/nginx/favicon.ico;
    }

    # robots.txt
    location = /robots.txt {
        return 200 "User-agent: *\nDisallow: /\n";
    }

    # Disable execution of scripts other than PHP from your document root
    location ~* .(pl|cgi|py|sh|lua|asp)$ {
        return 444;
    }

    location ~* ^.+\.(json~)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Header
    add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.domain.tld; connect-src 'self' *.domain.tld; img-src 'self' data: *.domain.tld; style-src 'self' 'unsafe-inline' *.domain.tld; object-src 'self' *.domain.tld; frame-src 'self' *.domain.tld; font-src 'self' data: *.domain.tld; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always;

    listen 443 ssl;
    #listen 443 quic reuseport;
    ssl_certificate /etc/ssl/certs/pad.domain.tld.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/pad.domain.tld.private.pem;
}

server {
    server_name pad.domain.tld;
    return 301 https://pad.domain.tld$request_uri;
    listen 80;
}

SamTV12345 commented 1 week ago

Can you try this? There seem to be errors in your config. If I want to access the manifest.json file, I'm getting redirected to a pad.

server {
    listen 80;
    listen [::]:80;
    location /pad {
        rewrite         /pad/(.*) /$1 break;
        rewrite         ^/pad$ /pad/ permanent;
        proxy_redirect  / /pad/;

        proxy_pass         http://127.0.0.1:9001;
        proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
        proxy_set_header   Host $host;
        proxy_pass_header  Server;

        # Note you might want to pass more headers etc too. See above configs.
    }

    location /pad/socket.io {
        rewrite         /pad/socket.io/(.*) /socket.io/$1 break;
        proxy_redirect  / /pad/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass         http://127.0.0.1:9001;
        proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
        proxy_set_header   Host $host;
        proxy_pass_header  Server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Note you might want to pass more headers etc too. See above configs.
    }

    location /pad/admin {
        rewrite         /pad/admin/(.*) /admin/$1 break;
        proxy_redirect  / /pad/;
        proxy_set_header   X-Proxy-Path /pad;
        proxy_pass         http://127.0.0.1:9001;

        proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
        proxy_set_header   Host $host;
        proxy_pass_header  Server;

        # Note you might want to pass more headers etc too. See above configs.
    }

    location /pad/admin-auth {
        rewrite         /pad/admin-auth/(.*) /admin-auth/$1 break;
        proxy_redirect  / /pad/;
        proxy_set_header   X-Proxy-Path /pad;
        proxy_pass         http://127.0.0.1:9001;

        proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
        proxy_set_header   Host $host;
        proxy_pass_header  Server;

        # Note you might want to pass more headers etc too. See above configs.
    }

    location /pad/static {
        rewrite  /pad/static/(.*) /static/$1 break;

        proxy_pass         http://127.0.0.1:9001;
        proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
        proxy_set_header   Host $host;
        proxy_pass_header  Server;

        # Note you might want to pass more headers etc too. See above configs.
    }
}
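
An added diagnostic sketch, not written by anyone in this thread and not Etherpad or nginx code: a simplified Python model of nginx location selection, run over the location blocks of the first config posted above, showing which block handles /admin-auth/ and what URI then reaches Etherpad. The function names are made up for this example, Python's re stands in for nginx's PCRE, and the request paths are constructed.

```python
import re

# Location blocks of the first nginx config posted in this thread, in file order.
# Modifier "" is a plain prefix, "^~" a prefix that suppresses the regex pass.
LOCATIONS = [
    ("~", r"^/(locales/|locales.json|admin/|static/|pluginfw/|javascripts/|ep/"
          r"|minified/|api/|ro/|error/|jserror/|favicon.ico|robots.txt)"),
    ("^~", "/socket"),
    ("~", r"^/$"),
    ("", "/"),
    ("=", "/favicon.ico"),
    ("=", "/robots.txt"),
    ("~*", r".(pl|cgi|py|sh|lua|asp)$"),
    ("~*", r"^.+\.(json~)$"),
]


def select_location(path, locations=LOCATIONS):
    """Simplified nginx selection: exact match, then longest prefix (final if
    marked ^~), then the first matching regex in file order, else that prefix."""
    for mod, pat in locations:
        if mod == "=" and path == pat:
            return mod, pat
    prefixes = [(m, p) for m, p in locations if m in ("", "^~") and path.startswith(p)]
    best = max(prefixes, key=lambda mp: len(mp[1]), default=None)
    if best and best[0] == "^~":
        return best
    for mod, pat in locations:
        if mod in ("~", "~*") and re.search(pat, path, re.I if mod == "~*" else 0):
            return mod, pat
    return best


def upstream_uri(path):
    """URI passed to Etherpad after the rewrites of the selected block."""
    loc = select_location(path)
    if loc == ("^~", "/socket"):
        m = re.search(r"^/socket/(.*)", path)        # rewrite ... /$1 break;
        return m.expand(r"/\1") if m else path
    if loc == ("", "/"):
        if re.search(r"^/p/(.*)", path):             # rewrite ^/p/(.*) /p/$1 break;
            return path
        # rewrite /(.*) /p/$1; the new URI is matched again, lands in
        # "location /" for the paths below and then stops at the break rule.
        return re.search(r"/(.*)", path).expand(r"/p/\1")
    return path


if __name__ == "__main__":
    # Constructed request paths (query strings removed, as nginx matches without them).
    for p in ["/admin/", "/admin-auth/", "/manifest.json", "/socket.io/", "/p/demo"]:
        print(f"{p:16} -> location {select_location(p)[0] or 'prefix'} -> {upstream_uri(p)}")
```

In this model /admin/ is caught by the pass-through regex, while /admin-auth/ and /manifest.json fall through to `location /` and are forwarded as pad URLs (/p/admin-auth/, /p/manifest.json).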

Artim96 commented 1 week ago

Thanks. Unfortunately that doesn't seem to help. First off, I have no clue how my config worked in the first place. The root directory /opt/etherpad/etherpad-lite hasn't existed for a while now; I had moved everything up a level and it's all under /opt/etherpad now. Just fixing that doesn't change anything, probably to not much surprise.

Now, your config with the wrong root directory gives the obvious error *1 "/opt/etherpad/etherpad-lite/index.html" is not found (2: No such file or directory). Changing it to /opt/etherpad though results in *1 directory index of "/opt/etherpad/" is forbidden. Removing the entry entirely only changes it to *1 directory index of "/etc/nginx/html/" is forbidden. Even adding back the various headers from the old config doesn't help. Until now, I had /opt/etherpad and all files inside be owned by etherpad. Is that now outdated?