hoarder-app / hoarder

A self-hostable bookmark-everything app (links, notes and images) with AI-based automatic tagging and full text search
https://hoarder.app
GNU Affero General Public License v3.0

Gateway Timeouts when running with Traefik Reverse Proxy #667

Open PhilipJonasFranz opened 9 hours ago

PhilipJonasFranz commented 9 hours ago

Describe the Bug

I'm currently trying to set up the service using the following compose file:

version: "3.8"
services:
  web:
    image: ghcr.io/hoarder-app/hoarder:${HOARDER_VERSION:-release}
    restart: unless-stopped
    volumes:
      - ./data/web:/data
    env_file:
      - .env
    environment:
      MEILI_ADDR: http://meilisearch:7700
      BROWSER_WEB_URL: http://chrome:9222
      # OPENAI_API_KEY: ...
      DATA_DIR: /data
    networks:
      - internal
      - proxy
    labels:
      - "traefik.enable=true"

      - "traefik.http.routers.hoarder.entrypoints=http"
      - "traefik.http.routers.hoarder.rule=Host(`hoarder.mydomain.tld`)"
      - "traefik.http.routers.hoarder.priority=1000"
      - "traefik.http.middlewares.hoarder-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.hoarder.middlewares=hoarder-https-redirect"

      - "traefik.http.routers.hoarder-secure.entrypoints=https"
      - "traefik.http.routers.hoarder-secure.rule=Host(`hoarder.mydomain.tld`)"
      - "traefik.http.routers.hoarder-secure.priority=1000"
      - "traefik.http.routers.hoarder-secure.tls=true"
      - "traefik.http.routers.hoarder-secure.service=hoarder"
      - "traefik.http.services.hoarder.loadbalancer.server.port=3000"
      - "traefik.http.routers.hoarder-secure.middlewares=local-whitelist@file"

  chrome:
    image: gcr.io/zenika-hub/alpine-chrome:123
    restart: unless-stopped
    command:
      - --no-sandbox
      - --disable-gpu
      - --disable-dev-shm-usage
      - --remote-debugging-address=0.0.0.0
      - --remote-debugging-port=9222
      - --hide-scrollbars
    networks:
      - internal

  meilisearch:
    image: getmeili/meilisearch:v1.11.1
    restart: unless-stopped
    env_file:
      - .env
    environment:
      MEILI_NO_ANALYTICS: "true"
    volumes:
      - ./data/meilisearch:/meili_data
    networks:
      - internal

networks:
  proxy:
    external: true
  internal:

The reverse proxy setup works for a bunch of services, but I cannot get it to work for this one. I keep getting 504 Gateway Timeouts. I have set the NEXTAUTH_URL to point to the base-url of the service.

Strangely, after some time of trying to connect to the service, it randomly works, and I get this error message in the web-container log:

[next-auth][error][CLIENT_FETCH_ERROR] 
https://next-auth.js.org/errors#client_fetch_error Unexpected token 'F', "Forbidden" is not valid JSON {
  error: {
    message: `Unexpected token 'F', "Forbidden" is not valid JSON`,
    stack: `SyntaxError: Unexpected token 'F', "Forbidden" is not valid JSON\n` +
      '    at JSON.parse (<anonymous>)\n' +
      '    at parseJSONFromBytes (node:internal/deps/undici/undici:5682:19)\n' +
      '    at successSteps (node:internal/deps/undici/undici:5663:27)\n' +
      '    at fullyReadBody (node:internal/deps/undici/undici:4561:9)\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)\n' +
      '    at async consumeBody (node:internal/deps/undici/undici:5672:7)',
    name: 'SyntaxError'
  },
  url: 'https://hoarder.mydomain.tld/api/auth/providers',
  message: `Unexpected token 'F', "Forbidden" is not valid JSON`
}
}

I can then connect to the dashboard, sign in and navigate pages, until it suddenly stops working and I get a gateway timeout again. Then I'm stuck with gateway timeouts again and cannot access the dashboard.

Steps to Reproduce

Expected Behaviour

Screenshots or Additional Context

No response

Device Details

Firefox 132.0.2 (64-bit), Windows 10

Exact Hoarder Version

v.0.19.0

MohamedBassem commented 8 hours ago

Hmmm, the error message indicates that something is responding with forbidden to nextauth's request (and it's probably not hoarder). What's this middleware that you have configured? What does it do? Have you tried commenting this middleware out as an experiment?

PhilipJonasFranz commented 8 hours ago

Hi,

thanks for the quick reply. The Middleware is a simple IP-Whitelist Filter:

    local-whitelist:
      ipWhiteList:
        sourceRange:
        # Local IP Ranges
        - "10.0.0.0/8"

I have tried commenting it out but sadly it does not change the behaviour. It's also worth noting that if I run the service without traefik and expose port 3000, I at least can connect to the dashboard without issues via IP:Port. The SSL Cert that Traefik serves is valid and not expired.
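The following is an added example, not code from the thread, Hoarder or Traefik: a small Python model of how an IP allow-list like the `local-whitelist` middleware quoted above can produce the `"Forbidden" is not valid JSON` error when a request reaches the proxy from an address outside `sourceRange`. The caller addresses, the 403 plain-text body and the JSON payload are constructed assumptions for illustration; it does not diagnose the 504 timeouts.

```python
import ipaddress
import json

# sourceRange taken from the local-whitelist middleware quoted in the thread.
SOURCE_RANGE = ["10.0.0.0/8"]

# Constructed sample callers (assumptions, not values from the thread).
CALLERS = {
    "lan-browser": "10.1.2.3",        # client inside the allowed range
    "web-container": "172.18.0.5",    # container on a Docker bridge network
    "home-router-lan": "192.168.1.20",
}


def allowed(remote_addr, source_range=SOURCE_RANGE):
    """Return True if remote_addr falls inside any CIDR of the allow-list."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in source_range)


def proxy_response(remote_addr):
    """Model an allow-list in front of a JSON endpoint.

    Assumption: a rejected request gets status 403 with the plain-text
    body "Forbidden"; an accepted one gets a JSON document.
    """
    if not allowed(remote_addr):
        return 403, "Forbidden"
    return 200, json.dumps({"credentials": {"type": "credentials"}})


def client_fetch(remote_addr):
    """Model a client that parses the body as JSON without checking status."""
    status, body = proxy_response(remote_addr)
    try:
        return status, json.loads(body), None
    except json.JSONDecodeError as exc:
        return status, None, f"{body!r} is not valid JSON ({exc.msg})"


def blocked_callers(callers=CALLERS):
    """List the callers whose requests the allow-list would reject."""
    return sorted(name for name, addr in callers.items() if not allowed(addr))


if __name__ == "__main__":
    for name, addr in CALLERS.items():
        print(name, addr, client_fetch(addr))
    print("blocked:", blocked_callers())
```

Running the same check against the source addresses recorded in the proxy's access log shows which callers an allow-list rejects before the application ever sees the request.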