hudikhq / hoodik

Self hosted, easy to install end to end encrypted storage drive

Unable to deploy w/ nginx #116

Closed yawnbox closed 2 weeks ago

yawnbox commented 3 weeks ago

This is a really cool project, looking forward to testing it!

Problems

  1. My problem is the web page is blank: https://cloud.disobey.net/
  2. The documentation is very rough. Some examples of common secure configurations would be great. Minimally I'd recommend adding the GitHub Wiki tab for this project.
  3. I tried an APP_URL of cloud.disobey.net but that did not change anything. The documentation for "APP_URL", "APP_CLIENT_URL", and "HTTP_ADDRESS" needs to be improved for when it's behind a reverse proxy; the differences are not clear. What is needed? Again, examples based on common secure configurations.
  4. Is my problem with how nginx is configured? I don't know; there are no logs to indicate anything.

Config

Versions

$ lsb_release -d
Description:    Ubuntu 22.04.5 LTS
$ nginx -v
nginx version: nginx/1.27.1
$ docker -v
Docker version 27.3.1, build ce12230

Deploy

sudo docker run --name hoodik -it -d \
  -e DATA_DIR='/zpool/cloud' \
  -e APP_URL='http://localhost:5443' \
  -e SSL_DISABLED=true \
  -e JWT_SECRET='something long and random' \
  --volume "$(pwd)/data:/data" \
  -p 5443:5443 \
  hudik/hoodik:latest

Nginx

server {
    listen [2620:18c:0:192::251]:443 ssl;
    listen 103.232.207.251:443 ssl;
    http2 on;
    server_name cloud.disobey.net;

    location / {
        proxy_pass http://127.0.0.1:5443;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_protocols TLSv1.3;
    ssl_ecdh_curve X25519:secp384r1;
    ssl_conf_command Options PrioritizeChaCha;
    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;
    ssl_certificate /etc/letsencrypt/live/cloud.disobey.net-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cloud.disobey.net-0001/privkey.pem; # managed by Certbot

    add_header X-Content-Type-Options 'nosniff';
    add_header X-XSS-Protection '1; mode=block';
    add_header X-Frame-Options 'SAMEORIGIN';
    add_header Content-Security-Policy "default-src 'self';";
    add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
}

Testing

d$ curl -v http://127.0.0.1:5443
*   Trying 127.0.0.1:5443...
* Connected to 127.0.0.1 (127.0.0.1) port 5443 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:5443
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-length: 1951
< access-control-expose-headers: content-type, access-control-allow-origin, cache-control, x-csrf-token, authorization, content-length
< cache-control: public, max-age=3600, immutable
< vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
< access-control-allow-credentials: true
< content-type: text/html; charset=utf-8
< date: Sun, 06 Oct 2024 10:44:07 GMT
< 
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width,initial-scale=1.0">
  <link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
  <link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
  <link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
  <link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
  <link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
  <link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
  <link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
  <link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
  <link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
  <link rel="icon" type="image/png" sizes="192x192" href="/android-icon-192x192.png">
  <link rel="icon" type="image/png" sizes="512x512" href="/android-icon-512x512.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">
  <link rel="icon" type="image/png" sizes="96x96" href="/favicon-96x96.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">
  <title>Hoodik - End 2 End Encrypted File Storage</title>

  <meta name="description" content="Hoodik - End 2 End Encrypted File Storage">
  <script type="module" crossorigin src="/assets/main.ce81eac6.js"></script>
  <link rel="modulepreload" crossorigin href="/assets/index-350c5602.js">
  <link rel="stylesheet" href="/assets/index-11d0d326.css">
</head>

<body>
  <noscript>
    <strong>
      We're sorry but this app due to its nature of in-browser encryption
      does not work without Javascript enabled. Please enable it to continue.
    </strong>
  </noscript>
  <div id="app"></div>

  <!-- built files will be auto injected -->
</body>

* Connection #0 to host 127.0.0.1 left intact

Logs

Nginx

There are no errors in /var/log/nginx/error.log

Docker

sudo docker logs hoodik
Starting Hoodik v1.1.0 on 0.0.0.0:5443
-- Using data_dir: /zpool/cloud
-- SSL is disabled
-- RUST_LOG=Some("hoodik=debug,auth=debug,error=debug,entity=debug,storage=debug,context=debug,util=debug,cryptfns=debug,actix_web=debug")
------------------------------------------
[2024-10-06T10:38:53Z INFO  actix_web::middleware::logger] 172.17.0.1 "GET / HTTP/1.1" 200 1951 "-" "curl/7.81.0" 0.000190
[2024-10-06T10:44:08Z INFO  actix_web::middleware::logger] 172.17.0.1 "GET / HTTP/1.1" 200 1951 "-" "curl/7.81.0" 0.000157
[2024-10-06T10:45:13Z INFO  actix_web::middleware::logger] 172.17.0.1 "GET / HTTP/1.1" 200 1951 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" 0.000159
[2024-10-06T10:45:18Z INFO  actix_web::middleware::logger] 172.17.0.1 "GET / HTTP/1.1" 200 1951 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" 0.000158
[2024-10-06T10:45:19Z DEBUG hoodik::server::client] Client: assets/main.ce81eac6.js -> text/javascript
[2024-10-06T10:45:19Z INFO  actix_web::middleware::logger] 172.17.0.1 "GET /assets/main.ce81eac6.js HTTP/1.1" 200 335076 "https://cloud.disobey.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" 0.001743
[2024-10-06T10:45:19Z DEBUG hoodik::server::client] Client: assets/index-350c5602.js -> text/javascript
[2024-10-06T10:45:19Z DEBUG hoodik::server::client] Client: assets/index-11d0d326.css -> text/css
[2024-10-06T10:45:19Z INFO  actix_web::middleware::logger] 172.17.0.1 "GET /assets/index-11d0d326.css HTTP/1.1" 200 48029 "https://cloud.disobey.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" 0.000893
[2024-10-06T10:45:19Z INFO  actix_web::middleware::logger] 172.17.0.1 "GET /assets/index-350c5602.js HTTP/1.1" 200 316477 "https://cloud.disobey.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" 0.001481
[2024-10-06T10:45:20Z INFO  actix_web::middleware::logger] 172.17.0.1 "GET / HTTP/1.1" 200 1951 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" 0.000162
[2024-10-06T10:45:20Z DEBUG hoodik::server::client] Client: assets/cryptfns_bg-60bb706e.wasm -> application/octet-stream
[2024-10-06T10:45:20Z INFO  actix_web::middleware::logger] 172.17.0.1 "GET /assets/cryptfns_bg-60bb706e.wasm HTTP/1.1" 200 3206667 "https://cloud.disobey.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" 0.009306
[2024-10-06T10:45:23Z INFO  actix_web::middleware::logger] 172.17.0.1 "GET / HTTP/1.1" 200 1951 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" 0.000223
[2024-10-06T10:45:23Z DEBUG hoodik::server::client] Client: assets/cryptfns_bg-60bb706e.wasm -> application/octet-stream
[2024-10-06T10:45:23Z INFO  actix_web::middleware::logger] 172.17.0.1 "GET /assets/cryptfns_bg-60bb706e.wasm HTTP/1.1" 200 3206667 "https://cloud.disobey.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" 0.008378

htunlogic commented 2 weeks ago

Hey @yawnbox, you are right; I should include a more comprehensive guide on how to set this all up. It is somewhere on my TODO.

Checking your URL https://cloud.disobey.net, an error pops up in the console regarding, I believe, this header:

add_header Content-Security-Policy "default-src 'self';";

This prevents the WebAssembly from compiling, stopping the entire app from rendering.

Please try to remove that and check if it works then.
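
An added example, not part of the thread and not Hoodik's code: a small checker that applies the CSP Level 3 rule for WebAssembly compilation (script-src, falling back to default-src, must list 'wasm-unsafe-eval' or 'unsafe-eval') to a header value. It shows why the header above blocks the app, and that a policy can keep `default-src 'self'` and still permit compilation. `CANDIDATE_CSP` is a constructed value and an assumption; it has not been tested against Hoodik, which may need further directives.

```javascript
// Decide whether a Content-Security-Policy header value lets the browser
// compile WebAssembly, following the CSP Level 3 rule.

// Parse one serialized policy into Map(directive name -> source tokens).
// Directive names are case-insensitive; a repeated directive is ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// WebAssembly compilation is governed by script-src, falling back to
// default-src. With neither directive present the policy does not restrict it.
function policyAllowsWasm(policy) {
  const d = parsePolicy(policy);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true;
  const lowered = sources.map((s) => s.toLowerCase());
  return lowered.includes("'wasm-unsafe-eval'") || lowered.includes("'unsafe-eval'");
}

// A header value may carry several comma-separated policies; every one of
// them must allow compilation.
function headerAllowsWasm(headerValue) {
  return headerValue.split(',').every(policyAllowsWasm);
}

// The header value from the nginx config in this issue.
const ISSUE_CSP = "default-src 'self';";
// Constructed alternative (assumption: not tested against Hoodik).
const CANDIDATE_CSP = "default-src 'self'; script-src 'self' 'wasm-unsafe-eval';";

console.log('issue policy allows wasm:', headerAllowsWasm(ISSUE_CSP));
console.log('candidate policy allows wasm:', headerAllowsWasm(CANDIDATE_CSP));
```

Unlike 'unsafe-eval', the 'wasm-unsafe-eval' keyword permits WebAssembly compilation without also enabling JavaScript `eval()`.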

yawnbox commented 2 weeks ago

that was simple! thanks! :)