ether / etherpad-lite

Etherpad: A modern really-real-time collaborative document editor.
http://docs.etherpad.org/
Apache License 2.0

etherpad-lite 2.1.0 , behind reverse proxy Nginx , wss error 400 #6448

Open Bschalck opened 2 weeks ago

Bschalck commented 2 weeks ago

Describe the bug: I have not been able to access any pad for the past few days.

To Reproduce Steps to reproduce the behavior:

  1. Go to 'https://pad.devloprog.org'

  2. try to create any pad

  3. See error

Screenshots

image

Server (please complete the following information):

My server is an LXC container that has been running for 5 years. It is reached through an NGINX reverse proxy.

# Plain-HTTP virtual host: every request on port 80 is answered with a
# permanent redirect to the same path on the HTTPS site.
server {
    listen 80 ;
    # The capture group carries the requested path over to the HTTPS URL.
    rewrite ^(.*) https://pad.devloprog.org$1 permanent;
    server_name pad.devloprog.org;
}

# Derives $connection_upgrade from the client's Upgrade request header:
# "upgrade" when the header has a value, "close" when it is empty or absent.
# NOTE(review): the location / block of the HTTPS server in this config
# hard-codes Connection "upgrade" and never reads $connection_upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
 # HTTPS virtual host: terminates TLS for pad.devloprog.org and proxies every
 # request to the backend at 192.168.1.21:9001 over plain HTTP.
 server {
  listen 443 ssl;
    server_name pad.devloprog.org;

       #          error_page 500 502 503 504 /50x.html;
       # location /50x.html{
      # #             root /var/www/pro/;
      #   }

   location / {
        # NOTE(review): proxy_params is not shown here. If it already sets Host
        # or the X-Real-IP / X-Forwarded-* headers, the proxy_set_header lines
        # below can put those headers on the proxied request a second time.
        # RFC 9112 section 3.2 requires a server to answer a request carrying
        # more than one Host field with 400, so check the included file first.
        include proxy_params;
           proxy_pass       http://192.168.1.21:9001;
        proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
        proxy_set_header   Host $host;
        # Passes the backend's own Server response header through to clients;
        # "server_tokens off" further down only affects nginx's own banner.
        proxy_pass_header  Server;

        # Note you might want to pass these headers etc too.
        proxy_set_header    X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
        # Set from $remote_addr rather than appended, so an X-Forwarded-For
        # value supplied by the client is not forwarded by this directive.
        proxy_set_header    X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
        proxy_set_header    X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
        proxy_http_version  1.1; # recommended with keepalive connections

        # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
        proxy_set_header  Upgrade $http_upgrade;
        # NOTE(review): hard-coded for every request; the map above provides
        # $connection_upgrade, which yields "close" when no Upgrade header is sent.
proxy_set_header Connection "upgrade";
  }
  server_tokens off;
  root /usr/share/nginx/html;

  ssl_certificate /etc/letsencrypt/live/pad.devloprog.org/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/pad.devloprog.org/privkey.pem;
  # No client certificate is requested.
  ssl_verify_client off;

  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

  # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996) and TLSv1.3 is not
  # enabled here; "TLSv1.2 TLSv1.3" is the usual choice on a current nginx.
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache  builtin:1000  shared:SSL:10m;

  ssl_prefer_server_ciphers   on;

  # NOTE(review): without "always", nginx adds this header only to 2xx/3xx
  # responses, so error responses carry no HSTS header (the nosniff line
  # below does use "always").
  add_header Strict-Transport-Security max-age=31536000;
  add_header X-Content-Type-Options nosniff always;

    access_log  /var/log/nginx/pad.devloprog.org.log;
    error_log  /var/log/nginx/pad.devloprog.org.error.log ;

 }

Additional context: As you can see, I get an error 400 on the wss (WebSocket) connection.

SamTV12345 commented 1 week ago

Describe the bug: I have not been able to access any pad for the past few days.

To Reproduce Steps to reproduce the behavior:

  1. Go to 'https://pad.devloprog.org'
  2. try to create any pad
  3. See error

Screenshots

image

Server (please complete the following information):

  • Etherpad version: 2.1.0
  • OS: debian 12
  • Node.js version (node --version): v20.13.1
  • npm version (npm --version): 9.1.2
  • Is the server free of plugins:

My server is an LXC container that has been running for 5 years. It is reached through an NGINX reverse proxy.

# Plain-HTTP virtual host: every request on port 80 is answered with a
# permanent redirect to the same path on the HTTPS site.
server {
    listen 80 ;
    # The capture group carries the requested path over to the HTTPS URL.
    rewrite ^(.*) https://pad.devloprog.org$1 permanent;
    server_name pad.devloprog.org;
}

# Derives $connection_upgrade from the client's Upgrade request header:
# "upgrade" when the header has a value, "close" when it is empty or absent.
# NOTE(review): the location / block of the HTTPS server in this config
# hard-codes Connection "upgrade" and never reads $connection_upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
 # HTTPS virtual host: terminates TLS for pad.devloprog.org and proxies every
 # request to the backend at 192.168.1.21:9001 over plain HTTP.
 server {
  listen 443 ssl;
    server_name pad.devloprog.org;

       #          error_page 500 502 503 504 /50x.html;
       # location /50x.html{
      # #             root /var/www/pro/;
      #   }

   location / {
        # NOTE(review): proxy_params is not shown here. If it already sets Host
        # or the X-Real-IP / X-Forwarded-* headers, the proxy_set_header lines
        # below can put those headers on the proxied request a second time.
        # RFC 9112 section 3.2 requires a server to answer a request carrying
        # more than one Host field with 400, so check the included file first.
        include proxy_params;
           proxy_pass       http://192.168.1.21:9001;
        proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
        proxy_set_header   Host $host;
        # Passes the backend's own Server response header through to clients;
        # "server_tokens off" further down only affects nginx's own banner.
        proxy_pass_header  Server;

        # Note you might want to pass these headers etc too.
        proxy_set_header    X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
        # Set from $remote_addr rather than appended, so an X-Forwarded-For
        # value supplied by the client is not forwarded by this directive.
        proxy_set_header    X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
        proxy_set_header    X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
        proxy_http_version  1.1; # recommended with keepalive connections

        # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
        proxy_set_header  Upgrade $http_upgrade;
        # NOTE(review): hard-coded for every request; the map above provides
        # $connection_upgrade, which yields "close" when no Upgrade header is sent.
proxy_set_header Connection "upgrade";
  }
  server_tokens off;
  root /usr/share/nginx/html;

  ssl_certificate /etc/letsencrypt/live/pad.devloprog.org/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/pad.devloprog.org/privkey.pem;
  # No client certificate is requested.
  ssl_verify_client off;

  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

  # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996) and TLSv1.3 is not
  # enabled here; "TLSv1.2 TLSv1.3" is the usual choice on a current nginx.
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache  builtin:1000  shared:SSL:10m;

  ssl_prefer_server_ciphers   on;

  # NOTE(review): without "always", nginx adds this header only to 2xx/3xx
  # responses, so error responses carry no HSTS header (the nosniff line
  # below does use "always").
  add_header Strict-Transport-Security max-age=31536000;
  add_header X-Content-Type-Options nosniff always;

    access_log  /var/log/nginx/pad.devloprog.org.log;
    error_log  /var/log/nginx/pad.devloprog.org.error.log ;

 }

Additional context: As you can see, I get an error 400 on the wss (WebSocket) connection.

There's a wiki entry for setting up Etherpad behind a reverse proxy https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy . That setup is validated and works flawlessly.

showmetheworld commented 4 days ago

I can confirm this Problem with etherpad 2.10 on nginx 1.26.1 and node 18.20.3.

I manage multiple Etherpad instances with different versions on multiple servers with different configs. I tried the documented config, all of my own configs and several fresh handwritten ones. I got most of Etherpad running when using location ^~ /pad/.... (mind the ^~) for the location match, but I never got the socket.io/?... requests up and running; they always ended in 400.

In the end I reverted to 1.9.7 and it finally worked with this kinda ugly one

    # Serves Etherpad under the /pad sub-path. With ^~, nginx skips regex
    # locations whenever this is the longest matching prefix.
    location ^~ /pad {
        # Contents of this snippet are not shown on this page.
        include snippets/restrictions.conf;

        # Rewrites run in order: strip the /pad/ prefix and stop rewriting ...
        rewrite /pad/(.*) /$1 break;
        # ... otherwise send a bare /pad to /pad/ with a permanent redirect.
        rewrite ^/pad$ /pad/ permanent;

        proxy_set_header Host $host;
        proxy_buffering off;
        proxy_pass http://127.0.0.1:9001/;

        # Put the /pad prefix back on redirects issued by the backend.
        proxy_redirect / /pad/;

        # Let the backend's own Server response header through to clients.
        proxy_pass_header Server;
    }

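    # socket.io (WebSocket) endpoint under the /pad sub-path.
    # NOTE(review): unlike the /pad and /pad/admin locations, this block does not
    # include snippets/restrictions.conf. If that snippet enforces access
    # control, confirm that socket.io is meant to be reachable without it.
    location ^~ /pad/socket.io {
        # Strip the /pad prefix so the backend sees /socket.io/...
        rewrite /pad/socket.io/(.*) /socket.io/$1 break;
        proxy_pass http://127.0.0.1:9001/;
        proxy_redirect / /pad/;
        proxy_buffering off;

        # Host is set exactly once. The original listed this directive twice,
        # which can put two Host fields on the proxied request; RFC 9112
        # section 3.2 requires a server to answer such a request with 400.
        proxy_set_header Host $host;

        # Client address and scheme for the backend. X-Forwarded-For is set
        # from $remote_addr rather than appended, so a value supplied by the
        # client is not forwarded.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
        # $connection_upgrade must be defined by a map block in the http context.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }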

    # Admin interface under the /pad sub-path.
    # NOTE(review): snippets/restrictions.conf is the only access restriction
    # visible for this path and its contents are not shown; confirm it limits
    # who can reach /pad/admin.
    location /pad/admin {
        include snippets/restrictions.conf;

        # Strip the /pad prefix so the backend sees /admin/...
        rewrite /pad/admin/(.*) /admin/$1 break;

        proxy_set_header Host $host;
        # Tells the backend which sub-path it is being served under.
        proxy_set_header X-Proxy-Path /pad;
        proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
        proxy_pass http://127.0.0.1:9001;

        # Put the /pad prefix back on redirects issued by the backend.
        proxy_redirect / /pad/;

        # Let the backend's own Server response header through to clients.
        proxy_pass_header Server;
    }

    # Static assets under the /pad sub-path; proxied without the
    # restrictions.conf include used by the /pad and /pad/admin locations.
    location ^~ /pad/static {
        # Strip the /pad prefix so the backend sees /static/...
        rewrite /pad/static/(.*) /static/$1 break;

        proxy_set_header Host $host;
        proxy_buffering off;
        proxy_pass http://127.0.0.1:9001/;
    }