jackyzy823 / fxa-selfhosting

Selfhosting your own Firefox Accounts (FxA)!
Mozilla Public License 2.0
96 stars 13 forks

Signing in times out #13

Closed sdfg2 closed 2 years ago

sdfg2 commented 2 years ago

I set up everything as in the wonderful documentation. I'm using my own nginx as a reverse proxy. All the containers start correctly, and my nginx proxying works (the sign up page shows up).

When I get to the sign in page, I put my email address in and hit the button and it just spins and times out. The browser console shows these errors:

Content Security Policy: Not supporting directive ‘script-src-attr’. Directive and values will be ignored. 2
WebChannel error: No Such Channel logger.js:72:35
WebChannel error: No Such Channel logger.js:72:35
WebChannel error: No Such Channel logger.js:72:35
    error logger.js:72
    _reportError web-channel.js:89
    receiveMessage web-channel.js:72
Working… logger.js:69:29
    error logger.js:69
    captureError error-utils.js:63
    logError base.js:786
    O base.js:80
    Underscore 2
    _workingTimeout notify_delayed_request.js:21
    i timer-mixin.js:29
    (Async: setTimeout handler)
    setTimeout timer-mixin.js:27
    default notify_delayed_request.js:19
    validateAndSubmit form.js:217
    (Async: promise callback)
    validateAndSubmit form.js:197
    invokeHandler base.js:1071
    default allow_only_one_submit.js:24
    (Async: promise callback)
    default allow_only_one_submit.js:24
    onFormSubmit form.js:152
    invokeHandler base.js:1071
    default prevent_default_then.js:19
    jQuery 8
    Backbone 2
    _attachEvents form.js:256
    constructor form.js:59
    M app.bundle.en_US.js:9
    o index.js:40
    createView app.js:14
    showView app.js:103
    (Async: promise callback)
    showView app.js:83
    delegateNotifications notifier-mixin.js:70
    Backbone 4
    showView app-start.js:207
    es user.js:107
    (Async: promise callback)
    es user.js:107
    Backbone 3
    Me Underscore
    Backbone 2
    allResourcesReady app.js:14
    startApp app.js:14
    (Async: promise callback)
    startApp app.js:14
    <anonymous> app.js:14
    (Async: promise callback)
    <anonymous> app.js:14
    Webpack 4
Response not received for: fxaccounts:can_link_account logger.js:72:35
    error logger.js:72
    timeout duplex.js:35
    add duplex.js:33
    request duplex.js:152
    request duplex.js:142
    request app.bundle.en_US.js:9
    (Async: promise callback)
    request app.bundle.en_US.js:9
    beforeSignIn state-machine.js:22
    invokeBrokerMethod base.js:1113
    value index.js:234
    value index.js:143
    _submitForm form.js:239
    (Async: promise callback)
    _submitForm form.js:236
    invokeHandler base.js:1071
    default progress_indicator.js:42
    (Async: promise callback)
    default progress_indicator.js:42
    invokeHandler base.js:1071
    default notify_delayed_request.js:25
    (Async: promise callback)
    default notify_delayed_request.js:25
    validateAndSubmit form.js:217
    (Async: promise callback)
    validateAndSubmit form.js:197
    invokeHandler base.js:1071
    default allow_only_one_submit.js:24
    (Async: promise callback)
    default allow_only_one_submit.js:24
    onFormSubmit form.js:152
    invokeHandler base.js:1071
    default prevent_default_then.js:19
    jQuery 8

I tried working around this to get the nginx logs, but even after setting every logging driver to json-file in docker-compose.yml I always just get `Error response from daemon: configured logging driver does not support reading` when running `docker-compose logs`. I don't run docker usually, but this is one of the few projects where docker makes sense. Unfortunately, that means I have no idea how to track down problems!

Any advice?

jackyzy823 commented 2 years ago

Hello, can you provide the HTTP request and its body (error message) from the client (browser developer console -> Network), especially non-200 requests?

On the server side, can you provide fxa-auth-server's logs?

sdfg2 commented 2 years ago

Well, in the wonderful way of these things, it now no longer times out! It spits out an error this time though, 500, which is progress!

The request is `https://api.fxa.mydomain.tld/v1/account/status` (where mydomain is my actual domain). The response is just a bog standard 500 internal server error. I checked my reverse proxy, and it's not there. The fxa-auth-server log shows:

```
dest-fxa-auth-server-1  | {"Timestamp":1664744953015000000,"Logger":"fxa-auth-server","Type":"request.summary","Severity":2,"Pid":30,"EnvVersion":"2.0","Fields":{"status":500,"errno":999,"path":"/v1/account/status","lang":"en-US,en;q=0.5","agent":"Mozilla/5.0 (Windows NT 10.0; rv:105.0) Gecko/20100101 Firefox/105.0","remoteAddressChain":"[\"10.1.2.3\",\"10.1.0.1\",\"172.19.0.12\"]","t":39,"uid":"00","keys":false,"method":"post","email":"theuser@mydomain.tld"}}
dest-fxa-auth-server-1  | {"Timestamp":1664744953015000000,"Logger":"fxa-auth-server","Type":"metricsEvents.emitFlowEvent","Severity":2,"Pid":30,"EnvVersion":"2.0","Fields":{"event":"route./account/status.500.999","missingFlowId":true}}
```

I've only just come back to Firefox after what feels like a thousand years, so apologies if I'm not copying the correct information across. Also there is still this error happening with every logging driver set to json-file, so I'm not sure how much else I can give you from the docker logs, but I'll try!

jackyzy823 commented 2 years ago

It's quite weird. `v1/account/status` only checks if the domain is valid (not applied here maybe) and whether the account is in the db.

I guess the problem may be db related.

Maybe a full fxa-auth-server log will help.

sdfg2 commented 2 years ago

How do I go about getting a full log? I'm very new to trying to debug docker stuff

Edit: Just realised, I haven't actually got an account yet. I presumed it would check the db, then go 'oops, you don't have an account yet, sign up now'. I don't know how else to sign up.

Edit 2: Just tried to sign up for actual firefox sync, and it says 'sign in or sign up'. Mine just says 'sign in'. So maybe that's what the problem is after all? In which case, how do I sign up to my own server? XD

jackyzy823 commented 2 years ago

You can `docker-compose logs fxa-auth-server > /tmp/somepath.log` and check `/tmp/somepath.log`.

> I presumed it would check the db, then go 'oops, you don't have an account yet, sign up now'. I don't know how else to sign up.

You're right. On the main page, enter the email address, then click "Continue"; fxa will check if the account exists, and let you log in (account exists) / sign up (account does not exist).

sdfg2 commented 2 years ago

Doing that, the only thing that shows up for the activity is this:

```
dest-fxa-auth-server-1  | Connection Error: Error: Connection lost: The server closed the connection.
dest-fxa-auth-server-1  | {"Timestamp":1664892338394000000,"Logger":"fxa-auth-server","Type":"request.summary","Severity":2,"Pid":30,"EnvVersion":"2.0","Fields":{"status":500,"errno":999,"path":"/v1/account/status","lang":"en-US,en;q=0.5","agent":"Mozilla/5.0 (Windows NT 10.0; rv:105.0) Gecko/20100101 Firefox/105.0","remoteAddressChain":"[\"10.1.2.3\",\"10.1.0.1\",\"172.19.0.12\"]","t":39,"uid":"00","keys":false,"method":"post","email":"me@myemail.tld"}}
dest-fxa-auth-server-1  | {"Timestamp":1664892338395000000,"Logger":"fxa-auth-server","Type":"metricsEvents.emitFlowEvent","Severity":2,"Pid":30,"EnvVersion":"2.0","Fields":{"event":"route./account/status.500.999","missingFlowId":true}}
```

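
An added example, not code from fxa-selfhosting or from anyone in this thread, that does the log-reading step discussed here programmatically. It pipes the output of `docker-compose logs --no-color fxa-auth-server` through a small triage script: every `request.summary` record with a 5xx status is listed, and the plain-text line that immediately preceded it (here the MySQL driver's `Connection lost`) is attached to it, because the auth server's own summary only says `errno 999`. The sample log embedded in the script is constructed from the lines posted above with most fields trimmed; the script name and the stdin usage are assumptions.

```python
"""Triage fxa-auth-server mozlog output for 5xx responses (example, not project code)."""
import json
import re
import sys
from collections import Counter
from datetime import datetime, timezone

# docker-compose prefixes every line with "<container name>  | "
PREFIX = re.compile(r"^[\w.-]+\s+\|\s?")

# Constructed sample, trimmed from the lines posted in this issue; not a live capture.
SAMPLE_LOG = """\
dest-fxa-auth-server-1  | Connection Error: Error: Connection lost: The server closed the connection.
dest-fxa-auth-server-1  | {"Timestamp":1664892338394000000,"Logger":"fxa-auth-server","Type":"request.summary","Severity":2,"Pid":30,"EnvVersion":"2.0","Fields":{"status":500,"errno":999,"path":"/v1/account/status","method":"post","uid":"00","email":"me@myemail.tld"}}
dest-fxa-auth-server-1  | {"Timestamp":1664892338395000000,"Logger":"fxa-auth-server","Type":"metricsEvents.emitFlowEvent","Severity":2,"Pid":30,"EnvVersion":"2.0","Fields":{"event":"route./account/status.500.999","missingFlowId":true}}
dest-fxa-auth-server-1  | {"Timestamp":1664892400000000000,"Logger":"fxa-auth-server","Type":"request.summary","Severity":6,"Pid":30,"EnvVersion":"2.0","Fields":{"status":200,"errno":0,"path":"/v1/account/status","method":"post","uid":"00"}}
"""


def strip_prefix(line):
    """Drop the docker-compose container prefix, if present."""
    return PREFIX.sub("", line.rstrip("\r\n"))


def parse_line(line):
    """Return the decoded mozlog record, or None for a plain-text line."""
    body = strip_prefix(line)
    if not body.startswith("{"):
        return None
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def to_datetime(ts_ns):
    """mozlog's Timestamp field is nanoseconds since the Unix epoch."""
    secs, rem = divmod(int(ts_ns), 10**9)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=rem // 1000)


def triage(text):
    """Return one dict per request.summary record with a 5xx status.

    A plain-text line (such as the MySQL driver's "Connection lost") seen
    before a failing request is attached to that request, since the
    summary record itself only carries errno 999 (unexpected error).
    """
    failures = []
    pending_error = None
    for raw in text.splitlines():
        record = parse_line(raw)
        if record is None:
            plain = strip_prefix(raw).strip()
            if plain:
                pending_error = plain
            continue
        if record.get("Type") != "request.summary":
            continue  # metrics/flow events are not requests
        fields = record.get("Fields", {})
        status = fields.get("status")
        if isinstance(status, int) and status >= 500:
            failures.append({
                "time": to_datetime(record["Timestamp"]).isoformat(),
                "method": str(fields.get("method", "?")).upper(),
                "path": fields.get("path"),
                "status": status,
                "errno": fields.get("errno"),
                "preceding_error": pending_error,
            })
        # A request.summary consumes whatever plain-text error preceded it.
        pending_error = None
    return failures


def summarize(failures):
    """Count failures by (method, path, status, errno) so repeats stand out."""
    return Counter((f["method"], f["path"], f["status"], f["errno"]) for f in failures)


if __name__ == "__main__":
    # Usage: docker-compose logs --no-color fxa-auth-server | python3 triage_fxa_log.py
    # Falls back to the constructed sample when nothing is piped in.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    found = triage(text)
    for f in found:
        print(f"{f['time']} {f['method']} {f['path']} -> {f['status']} errno={f['errno']}")
        if f["preceding_error"]:
            print(f"    preceded by: {f['preceding_error']}")
    for key, n in summarize(found).items():
        print(f"{n}x {key}")
```

Run against the sample it reports one failure, `POST /v1/account/status -> 500 errno=999`, preceded by the `Connection lost` line; the later 200 on the same path is ignored. Because it reads stdin, it works equally with a file saved via `docker-compose logs fxa-auth-server > /tmp/somepath.log` and then `python3 triage_fxa_log.py < /tmp/somepath.log`.
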
jackyzy823 commented 2 years ago

Well, that doesn't help more.

Could you provide the generated docker-compose.yml and/or config.yml. (Remember to redact your info).

sdfg2 commented 2 years ago

Sure!

config.yml

```
#! THIS FILE USING YTT(https://github.com/k14s/ytt/) FORMAT
#! this is a general config for all related stuffs
#@data/values
---
#! Once config.yml changed you should rerun ./init.sh to regenerate `dest`/docker-compose.yml
#! if PERSISTENCEPATH is relative, it relate with `dest`/docker-compose.yml
persistencepath: .
#! [WARNING] DO NOT DOWNGRADE WITHOUT A CLEAN DB SINCE SCHEMA CANNOT DOWNGRADE.
#! latest tested version is : v1.235.1
#! [WORKAROUND] we use method to to resolve below issue
#! [ISSUE] cannot change avatar due to https://github.com/mozilla/fxa/pull/7972 -> checkAvatar -> we have same domain with monogramUrl's one. issue: https://github.com/mozilla/fxa/issues/12426
#! so either 1. use different domain like profile-img or 2. patch it
#! [WORKAROUND] add LASTACCESSTIME_UPDATES_SAMPLE_RATE=1 to make sync api/v1/account/devices not return 500. see https://github.com/mozilla/fxa/issues/12373
#! [ISSUE][RESOLVED] v1.222.0 db-migration db connection need not workaround now.
#! [WORKAROUD] v1.219.5 require smtp.user and smtp.pass (even not used) to make fxa-auth-server not send mail by AWS SES. (will cause a crash if AWS_ACCESS_KEY not set)
#! [WORKAROUD] v1.215.4 workaround for 1. graphql-api's internal connection to fxa-auth-server (see debug.full_self_sign_workaround) and 2. db-migration db connection.
#! [NOTE] from v1.215.2 mysql version upgrade to 5.7 . docker-compose requires supporting `service_completed_successfully`
#! [ISSUE][RESOLVED] v1.196.0 oauth.domain.local/config return 404 causing syncserver fail to start.; fixed in https://github.com/mozilla/fxa/pull/7204
#! [NOTE]from v1.192.0 all fxa docker's image are merge into mozilla/fxa-mono so it's a breaking change!
#! [ISSUE][RESOLVED] v1.172.0 500 error after new-signup connect-another-device page maybe caused by https://github.com/mozilla/fxa/commit/2f9729154 ; fixed in https://github.com/mozilla/fxa/pull/5477
#! [NOTE] v1.173+ change base docker image . missing key_*.json in fxa-auth-server so we change to branch br-v1.174.0 to apply breaking changes
#! by default we use tested version , using latest at your own risk.
fxa_version: "v1.235.1"
option:
  sync:
    #! set true to keep all your sync items not expired
    neverexpire: false
  #! for device pairing
  channelserver:
    enable: true
  #! Since send is EOL , so use it at your own risk
  send:
    enable: false
    settings:
      #! settings are upperize to send ENV
      #! [TODO] send android , client_id 20f7931c9054d833
      fxa_client_id: "fced6b5e3f4c66b9"
      #![TODO] file_dir need volumes or not or ....
      max_file_size:
      #! for security and network bandwith/traffic sake , you'd better not allow annoymous user to use your send in the internet
      #! see : https://www.zdnet.com/article/mozilla-suspends-firefox-send-service-while-it-addresses-malware-abuse/
      #! see https://portswigger.net/daily-swig/firefox-send-suspended-amid-concern-over-malware-abuse
      #! [NOTE] number 0 will be treated as false
      anon_max_file_size: "0"
      #! expire_times_seconds array format "a,b,c"
      expire_times_seconds:
      default_expire_seconds:
      max_expire_seconds:
      anon_max_expire_seconds:
      max_downloads:
      anon_max_downloads:
      max_files_per_archive:
      max_archives_per_user:
      #! download_counts array format "a,b,c"
      download_counts:
  notes:
    enable: false
    settings:
      #! client_id is a must , depends on what you set in https://github.com/mozilla/notes/src/background.js
      #! client_id should equal to _init/auth/oauthserver-prod
      client_id:
        webext: #! sample: "a3dbd8c5a6fd93e2"
        android: #! sample: "7f368c6886429f19"
  #! According to https://blog.mozilla.org/addons/2020/07/09/changes-to-storage-sync-in-firefox-79/
  #! since Firefox 79 ,it will use syncserver to replace kinto in webextension storage.sync API, so disabled by default
  #! if you still want to use this , make about:config webextensions.storage.sync.kinto : true and webextensions.storage.sync.serverURL point to kinto domain name below
  webext_storagesync:
    enable: false
    settings:
      #! you shall not change this , "5882386c6d801776" means firefox
      client_id: "5882386c6d801776"
  #! [deprecated] fxa-oauth.clients.storagesync.client_id: "5882386c6d801776"
  #! last tested 13.6.3
  kinto_version: "latest"
  #! [TODO] intergate with kinto
  #! both with_notes and with_webext_storagesync need kinto server and it's postgres
  #! see kinto usage https://wiki.mozilla.org/Firefox/Kinto
  #! https://testpilot.settings.services.mozilla.com/v1/
  #! client_id 5882386c6d801776 == firefox
  #! https://webextensions.settings.services.mozilla.com/v1/
#! [TODO] make docker-compose.tmp.yml data.values.domain.name and etc reusable via define
#! domain name related stuff
domain:
  #! base name
  name: "fxa.mydomain.tld"
  #! for content-server
  content: "www"
  auth: "api"
  oauth: "oauth"
  #! for profile server
  profile: "profile"
  #! for syncserver
  sync: "token"
  #! for graphql-api
  graphql: "graphql"
  #! must if option.channelserver.enable == true
  channelserver: "channelserver"
  #! for firefox send
  #! must if option.send.enable == true
  send: "send"
  #! for notes and webextension storage.sync
  kinto: "kinto"
nginx:
  #! port or ip/port or unix socket folder
  #! for those who want to reverse proxy ( and then we do not a host resolver ,because we just proxy_pass ip/port )
  #! can be a folder contains unix socket like "/var/run/fxa-selfhosing" with ssl = false and unix_socket = true-> socket filename is nginx.sock
  #! make sure your reverse proxy have permission to access the folder.
  listener: "10.1.2.3:1234"
  #! set to true is `listener` is a unix socket
  unix_socket: false
  #! if false certs are not required and another fxa_nossl.conf is used
  #! set to false is `listener` is a unix socket
  ssl: false
  #! used if `ssl` is true
  certs:
    #! wild will only be used if detailed cert is not specified.
    #! certs location is absoulte or related to `dest`/docker-compose.yml
    #! cert can be self-signed with debug.full_self_sign_workaround: true. see more examples/full_selfsign.
    wild:
      cert: "./cert/wild.cer"
      key: "./cert/wild.key"
    content:
      cert: "./cert/content.cer"
      key: "./cert/content.key"
    auth:
      cert:
      key:
    oauth:
      cert:
      key:
    profile:
      cert:
      key:
    sync:
      cert:
      key:
    channelserver:
      cert:
      key:
    graphql:
      cert:
      key:
    send:
      cert:
      key:
    kinto:
      cert:
      key:
mail:
  #! types are "localhelper" , "localrelay" ,"3rd"
  #! smtp_user/smtp_pass is required (can be any non-null string) even not used.
  #! "localhelper" uses fxa-auth-local-mail-helper which self sending and receiving and smtp_host/smtp_port/smtp_user/smtp_pass/smtp_secure do not affect.
  #! "localrelay" use exim-sender and smtp_host/smtp_port/smtp_user/smtp_pass/smtp_secure do not affect.
  #! "3rd" send mail to 3rd (like gmail etc)
  type: "localrelay"
  #! for "3rd": refer to your mail service provider
  smtp_host:
  smtp_port:
  smtp_user:
  smtp_pass:
  smtp_secure:
  #! if smtp_sender empty use "Firefox Accounts " default
  smtp_sender:
  #! only for "localhelper"
  #! web api
  localhelper:
    web: "127.0.0.1:9001"
#! Here we can add some custom OAuth Client
#! for example we add a OAuth Client which can read / write your sync data after granted by you
oauth:
  clients:
  #! [NOTE] DELETE BELOW IF NOT USED
  #! - id: deadbeafdeadbeaf
  #!   #! hex secret 0b2b91549678167e4870d76e2b94024b2954cb8605e4a2e8179ab80ecf40b287
  #!   hashedSecret: b88d5613f75ed5362ecb8c263be5b918aafbb23aac39f817eac44cbe4df7cda3
  #!   name: SyncManager
  #!   imageUri: ''
  #!   #! if generate_redirectUri will automatic generate redircturi : https://{content}.{domain_name}/oauth/success/{id}
  #!   generate_redirectUri: true
  #!   redirectUri:
  #!   trusted: true
  #!   #! some explain https://github.com/mozilla/fxa/blob/96cbbccfaed1de93d556a2259554acfabeb4cbe5/packages/fxa-auth-server/lib/oauth/authorized_clients.js#L55
  #!   canGrant: true
  #!   publicClient: true
  #!   #! redirecturi will be add to contetserver.prod.tmp.yml if scope matches
  #!   #! allowedScopes is a space-seperated string
  #!   allowedScopes: https://identity.mozilla.com/apps/oldsync
secrets:
  authsecret: "0foI8mXfRNNfOvH082Ll"
  pushboxkey: "rs7sicRJd4BKzoxDlXcm"
  flowidkey: "qaJ9toy6jQ0f2yWXNU8A"
  profileserver_authsecret_bearertoken: "QNW74kv6WzZgPMAntkWH"
  supportpanel_authsecret_bearertoken: "58smtPA7WeCYHbNPYiXN"
debug:
  #! for register preverifed account , we need to set fxa-auth-server 's NODE_ENV not to be `prod`
  #! see fxa-auth-server/lib/routes/account.js `delete routes[0].options.validate.payload.preVerified;`
  auth_server_preverifed: false
  deps_logs: false
  #! make a e2e test compose file
  #! require mail.type == localhelper
  e2e_test:
    enable: false
  #! only used when full_self_sign_workaroud == true
  root_cert:
  #! workaroud for fxa-graphql-api with full self sign
  #! if you want fxa-graphql-api communicate with fxa-auth-server internally , turn this `true`
  #! [WARN] browserid-verifier will not work. Since BrowserID is deprecated, just do not use old browser or python `syncclient`
  full_self_sign_workaround: false
```

docker-compose.yml

```
version: "3.7"
x-logging:
  options:
    max-size: 5m
    max-file: "3"
  driver: json-file
services:
  mysqldb:
    image: mysql:5.7
    environment:
      - MYSQL_ALLOW_EMPTY_PASSWORD=true
      - MYSQL_ROOT_HOST=%
    expose:
      - "3306"
    volumes:
      - ./mysql_data:/var/lib/mysql/
      - ./_init/mysql/init.sql:/tmp/common_init.sql:ro
    logging:
      driver: json-file
    restart: unless-stopped
    command:
      - --event-scheduler=ON
      - --init-file=/tmp/common_init.sql
  redis:
    image: redis:6.0-alpine
    expose:
      - "6379"
    logging:
      driver: json-file
    volumes:
      - type: tmpfs
        target: /data
    restart: unless-stopped
  browseridverifier.local:
    image: mozilla/fxa-mono:v1.235.1
    working_dir: /fxa/packages/browserid-verifier
    expose:
      - "5050"
    environment:
      - PORT=5050
      - IP_ADDRESS=0.0.0.0
      - FORCE_INSECURE_LOOKUP_OVER_HTTP=false
      - HTTP_TIMEOUT=60
    restart: unless-stopped
    logging:
      options:
        max-size: 5m
        max-file: "3"
      driver: json-file
    entrypoint: node
    command: server.js
  syncserver:
    image: mozilla/syncserver@sha256:016162bf39d8486d5710b4ae5bcaaebd8bd60b55db6cf468b8f720b526bd68b7
    expose:
      - "5000"
    environment:
      - WAIT_HOSTS=mysqldb:3306,fxa-auth-server:9000,fxa-content-server:3030
      - WAIT_HOSTS_TIMEOUT=120
      - SYNCSERVER_PUBLIC_URL=https://token.fxa.mydomain.tld
      - SYNCSERVER_BROWSERID_VERIFIER=http://browseridverifier.local:5050
      - SYNCSERVER_SQLURI=mysql+pymysql://root@mysqldb/sync
      - SYNCSERVER_BATCH_UPLOAD_ENABLED=true
      - SYNCSERVER_FORCE_WSGI_ENVIRON=true
      - PORT=5000
      - SYNCSERVER_OAUTH_VERIFIER=http://fxa-auth-server:9000
      - SYNCSERVER_IDENTITY_PROVIDER=http://fxa-content-server:3030
    depends_on:
      - mysqldb
      - fxa-auth-server
      - fxa-content-server
    volumes:
      - ./wait:/wait
    entrypoint: sh -c "/wait && /usr/bin/dumb-init /app/docker-entrypoint.sh server"
    restart: unless-stopped
    logging:
      options:
        max-size: 5m
        max-file: "3"
      driver: json-file
  pushbox.local:
    image: mozilla/pushbox:0.3.0
    expose:
      - "8002"
    environment:
      - ROCKET_ENV=prod
      - ROCKET_PORT=8002
      - ROCKET_SERVER_TOKEN=rs7sicRJd4BKzoxDlXcm
      - ROCKET_DATABASE_URL=mysql://root@mysqldb/pushbox
      - WAIT_HOSTS=mysqldb:3306
      - WAIT_HOSTS_TIMEOUT=120
    depends_on:
      - mysqldb
    volumes:
      - ./wait:/wait
    command: sh -c "/wait && /app/bin/pushbox"
    restart: unless-stopped
    logging:
      options:
        max-size: 5m
        max-file: "3"
      driver: json-file
  fxa-db-migrations:
    image: mozilla/fxa-mono:v1.235.1
    working_dir: /fxa/packages/db-migrations
    depends_on:
      - mysqldb
    volumes:
      - ./wait:/wait
    command: sh -c "/wait && node ./bin/patcher.mjs"
    environment:
      - WAIT_HOSTS=mysqldb:3306
      - WAIT_HOSTS_TIMEOUT=120
      - AUTH_MYSQL_HOST=mysqldb
      - PROFILE_MYSQL_HOST=mysqldb
      - OAUTH_MYSQL_HOST=mysqldb
    restart: "no"
    logging:
      options:
        max-size: 5m
        max-file: "3"
      driver: json-file
  exim-sender:
    image: elsdoerfer/exim-sender
    environment:
      - ALLOWED_HOSTS="192.168.0.0/16;172.16.0.0/12;10.0.0.0/8"
      - PRIMARY_HOST=fxa.mydomain.tld
    expose:
      - "25"
    volumes:
      - type: tmpfs
        target: /var/spool/exim4
    restart: unless-stopped
    logging:
      options:
        max-size: 5m
        max-file: "3"
      driver: json-file
  fxa-auth-server:
    image: mozilla/fxa-mono:v1.235.1
    working_dir: /fxa/packages/fxa-auth-server/dist/fxa-auth-server
    expose:
      - "9000"
    depends_on:
      redis:
        condition: service_started
      mysqldb:
        condition: service_started
      fxa-db-migrations:
        condition: service_completed_successfully
    volumes:
      - ./wait:/wait
      - ./_init/auth/oauthserver-prod.json:/fxa/packages/fxa-auth-server/dist/fxa-auth-server/config/prod.json
    environment:
      - OAUTH_SERVER_SECRET_KEY=0foI8mXfRNNfOvH082Ll
      - OAUTH_SERVER_SECRETS=0foI8mXfRNNfOvH082Ll
      - AUTH_SERVER_SHARED_SECRET=0foI8mXfRNNfOvH082Ll
      - AUTH_SERVER_SECRETS=0foI8mXfRNNfOvH082Ll,realwhatever
      - SUPPORT_PANEL_AUTH_SECRET_BEARER_TOKEN=58smtPA7WeCYHbNPYiXN
      - PROFILE_SERVER_AUTH_SECRET_BEARER_TOKEN=QNW74kv6WzZgPMAntkWH
      - FLOW_ID_KEY=qaJ9toy6jQ0f2yWXNU8A
      - REDIS_HOST=redis
      - ACCESS_TOKEN_REDIS_HOST=redis
      - REFRESH_TOKEN_REDIS_HOST=redis
      - SNS_TOPIC_ARN=disabled
      - MEMCACHE_METRICS_CONTEXT_ADDRESS=none
      - DB=mysql
      - MYSQL_HOST=mysqldb
      - AUTH_MYSQL_HOST=mysqldb
      - IP_ADDRESS=0.0.0.0
      - SIGNIN_UNBLOCK_FORCED_EMAILS=^block.*@restmail\\.net$$
      - SIGNIN_CONFIRMATION_ENABLED=true
      - SIGNIN_CONFIRMATION_FORCE_EMAIL_REGEX=^sync.*@restmail\\.net$$
      - ISSUER=api.fxa.mydomain.tld
      - PUBLIC_URL=https://api.fxa.mydomain.tld
      - OAUTH_URL=https://oauth.fxa.mydomain.tld
      - CONTENT_URL=https://www.fxa.mydomain.tld
      - CONTENT_SERVER_URL=https://www.fxa.mydomain.tld
      - SYNC_TOKENSERVER_URL=https://token.fxa.mydomain.tld/token
      - PROFILE_SERVER_URL=http://fxa-profile-server:1111
      - FXA_OPENID_ISSUER=https://www.fxa.mydomain.tld
      - VERIFICATION_URL=http://browseridverifier.local:5050/v2
      - PUSHBOX_KEY=rs7sicRJd4BKzoxDlXcm
      - PUSHBOX_URL=http://pushbox.local:8002
      - PUSHBOX_ENABLED=true
      - CUSTOMS_SERVER_URL=none
      - FXA_OPENID_KEYFILE=config/key.json
      - FXA_OPENID_NEWKEYFILE=config/newKey.json
      - FXA_OPENID_OLDKEYFILE=config/oldKey.json
      - SMTP_SENDER=Firefox Accounts
      - SMTP_HOST=exim-sender
      - SMTP_PORT=25
      - SMTP_USER=local
      - SMTP_PASS=local
      - GEODB_ENABLED=false
      - WAIT_HOSTS=redis:6379,mysqldb:3306
      - WAIT_HOSTS_TIMEOUT=120
      - LOG_LEVEL=WARN
      - LASTACCESSTIME_UPDATES_SAMPLE_RATE=1
    command: sh -c "node scripts/gen_keys.js; node scripts/oauth_gen_keys.js ; node scripts/gen_vapid_keys.js && /wait && node bin/key_server.js"
    restart: unless-stopped
    logging:
      options:
        max-size: 5m
        max-file: "3"
      driver: json-file
  fxa-profile-static:
    image: mozilla/fxa-mono:v1.235.1
    working_dir: /fxa/packages/fxa-profile-server
    volumes:
      - ./public:/fxa/packages/fxa-profile-server/var/public/:ro
    expose:
      - "1112"
    environment:
      - HOST=0.0.0.0
      - IMG=local
    command:
      - node
      - bin/_static.js
    restart: unless-stopped
    logging:
      options:
        max-size: 5m
        max-file: "3"
      driver: json-file
  fxa-profile-worker-make-writable:
    image: mozilla/fxa-mono:v1.235.1
    user: root
    volumes:
      - ./public:/fxa/packages/fxa-profile-server/var/public/
    command:
      - chmod
      - a+w
      - /fxa/packages/fxa-profile-server/var/public/
    restart: "no"
    logging:
      options:
        max-size: 5m
        max-file: "3"
      driver: json-file
  fxa-profile-worker:
    image: mozilla/fxa-mono:v1.235.1
    working_dir: /fxa/packages/fxa-profile-server
    volumes:
      - ./public:/fxa/packages/fxa-profile-server/var/public/
    expose:
      - "1113"
    environment:
      - WORKER_HOST=0.0.0.0
      - IMG=local
    depends_on:
      fxa-profile-worker-make-writable:
        condition: service_completed_successfully
    command:
      - node
      - bin/worker.js
    restart: unless-stopped
    logging:
      options:
        max-size: 5m
        max-file: "3"
      driver: json-file
  fxa-profile-server:
    image: mozilla/fxa-mono:v1.235.1
    working_dir: /fxa/packages/fxa-profile-server
    expose:
      - "1111"
    depends_on:
      mysqldb:
        condition: service_started
      redis:
        condition: service_started
      fxa-db-migrations:
        condition: service_completed_successfully
    environment:
      - WAIT_HOSTS=mysqldb:3306,redis:6379
      - WAIT_HOSTS_TIMEOUT=120
      - AUTH_SECRET_BEARER_TOKEN=QNW74kv6WzZgPMAntkWH
      - EVENTS_ENABLED=false
      - HOST=0.0.0.0
      - DB=mysql
      - IMG_PROVIDERS_FXA=^https://profile.fxa.mydomain.tld/img/a/[0-9a-f]{32}$$
      - IMG_URL=https://profile.fxa.mydomain.tld/img/a/{id}
      - PUBLIC_URL=https://profile.fxa.mydomain.tld
      - MYSQL_HOST=mysqldb
      - IMG=local
      - AUTH_SERVER_URL=http://fxa-auth-server:9000/v1
      - OAUTH_SERVER_URL=http://fxa-auth-server:9000/v1
      - REDIS_HOST=redis
      - WORKER_URL=http://fxa-profile-worker:1113
    volumes:
      - ./wait:/wait
      - ./public:/fxa/packages/fxa-profile-server/var/public/
    command: sh -c "sed -i 's|result.avatar.startsWith(monogramUrl)|result.avatar.startsWith(`$${monogramUrl}/v1/avatar/`)|' /fxa/packages/fxa-profile-server/lib/routes/profile.js && /wait && node bin/server.js"
    restart: unless-stopped
    logging:
      options:
        max-size: 5m
        max-file: "3"
      driver: json-file
  fxa-content-server:
    image: mozilla/fxa-mono:v1.235.1
    working_dir: /fxa/packages/fxa-content-server
    expose:
      - "3030"
    depends_on:
      - fxa-auth-server
      - fxa-profile-server
      - redis
    volumes:
      - ./_init/content/contentserver-prod.json:/fxa/packages/fxa-content-server/config/prod.json
    environment:
      - CONFIG_FILES=/fxa/packages/fxa-content-server/config/prod.json
      - FXA_OAUTH_CLIENT_ID=ea3ca969f8c6bb0d
      - FLOW_ID_KEY=qaJ9toy6jQ0f2yWXNU8A
      - FEATURE_FLAGS_REDIS_HOST=redis
      - SYNC_TOKENSERVER_URL=https://token.fxa.mydomain.tld/token
      - PUBLIC_URL=https://www.fxa.mydomain.tld
      - FXA_OAUTH_URL=https://oauth.fxa.mydomain.tld
      - FXA_URL=https://api.fxa.mydomain.tld
      - FXA_PROFILE_URL=https://profile.fxa.mydomain.tld
      - FXA_PROFILE_IMAGES_URL=https://profile.fxa.mydomain.tld
      - PAIRING_SERVER_BASE_URI=wss://channelserver.fxa.mydomain.tld
      - FXA_MARKETING_EMAIL_ENABLED=false
      - GEODB_ENABLED=false
      - LOG_LEVEL=WARN
      - NODE_ENV=production
      - STATIC_DIRECTORY=dist
      - PAGE_TEMPLATE_SUBDIRECTORY=dist
      - CSP_ENABLED=true
      - FXA_GQL_URL=https://graphql.fxa.mydomain.tld
      - REDIRECT_CHECK_ALLOW_LIST=*.fxa.mydomain.tld
    command:
      - node
      - server/bin/fxa-content-server.js
    restart: unless-stopped
    logging:
      options:
        max-size: 5m
        max-file: "3"
      driver: json-file
  fxa-graphql-api:
    image: mozilla/fxa-mono:v1.235.1
    working_dir: /fxa/packages/fxa-graphql-api
    expose:
      - "8290"
    volumes:
      - ./wait:/wait
    depends_on:
      - fxa-auth-server
      - fxa-profile-server
      - redis
      - mysqldb
    environment:
      - WAIT_HOSTS=mysqldb:3306,redis:6379
      - WAIT_HOSTS_TIMEOUT=120
      - ACCESS_TOKEN_REDIS_HOST=redis
      - PROFILE_SERVER_URL=http://fxa-profile-server:1111/v1
      - CUSTOMS_SERVER_URL=none
      - CORS_ORIGIN=https://www.fxa.mydomain.tld
      - AUTH_SERVER_URL=https://api.fxa.mydomain.tld
      - AUTH_MYSQL_HOST=mysqldb
      - PROFILE_MYSQL_HOST=mysqldb
      - OAUTH_MYSQL_HOST=mysqldb
    command: sh -c "/wait && node dist/main.js"
    restart: unless-stopped
    logging:
      options:
        max-size: 5m
        max-file: "3"
      driver: json-file
  nginx:
    image: nginx:1.22.0-alpine
    ports:
      - 10.1.2.3:1234:80
    depends_on:
      - fxa-auth-server
      - fxa-profile-server
      - syncserver
      - fxa-content-server
      - fxa-graphql-api
    volumes:
      - ./_init/nginx/fxa_nossl.conf.tmpl:/etc/nginx/templates/fxa.conf.tmpl:ro
      - ./_init/nginx/channelserver_nossl.conf.tmpl:/etc/nginx/templates/channelserver.conf.tmpl:ro
    environment:
      - NGINX_LISTENER=80
      - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.tmpl
      - NGINX_DOMAIN_NAME=fxa.mydomain.tld
      - CONTENT=www
      - AUTH=api
      - OAUTH=oauth
      - PROFILE=profile
      - SYNC=token
      - GRAPHQL=graphql
      - CHANNELSERVER=channelserver
    logging:
      driver: json-file
    restart: unless-stopped
  channelserver:
    image: mozilla/channelserver:latest
    expose:
      - "8000"
    restart: unless-stopped
    logging:
      driver: json-file
```

For good luck, my nginx conf for fxa:

```
server {
    ### Logging

    ### Core
    listen my.ip.add.ress:443 ssl http2;
    listen 10.1.0.1:443 ssl http2;
    server_name www.fxa.mydomain.tld;

    ### TLS
    include /etc/nginx/conf/00-tls-base.conf;
    ssl_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fxa.mydomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;

    ### ACL
    include conf/10-acl-mydomain.tld.conf;
    deny all;

    ### Bots
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    ### Paths
    location / {
        proxy_pass http://10.1.2.3:1234/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    ### Logging

    ### Core
    listen my.ip.add.ress:443 ssl http2;
    listen 10.1.0.1:443 ssl http2;
    server_name profile.fxa.mydomain.tld;

    ### TLS
    include /etc/nginx/conf/00-tls-base.conf;
    ssl_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fxa.mydomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;

    ### ACL
    include conf/10-acl-mydomain.tld.conf;
    deny all;

    ### Bots
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    ### Paths
    location / {
        proxy_pass http://10.1.2.3:1234/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    ### Logging

    ### Core
    listen my.ip.add.ress:443 ssl http2;
    listen 10.1.0.1:443 ssl http2;
    server_name token.fxa.mydomain.tld;

    ### TLS
    include /etc/nginx/conf/00-tls-base.conf;
    ssl_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fxa.mydomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;

    ### ACL
    include conf/10-acl-mydomain.tld.conf;
    deny all;

    ### Bots
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    ### Paths
    location / {
        proxy_pass http://10.1.2.3:1234/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    ### Logging

    ### Core
    listen my.ip.add.ress:443 ssl http2;
    listen 10.1.0.1:443 ssl http2;
    server_name api.fxa.mydomain.tld;

    ### TLS
    include /etc/nginx/conf/00-tls-base.conf;
    ssl_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fxa.mydomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;

    ### ACL
    include conf/10-acl-mydomain.tld.conf;
    deny all;

    ### Bots
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    ### Paths
    location / {
        proxy_pass http://10.1.2.3:1234/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    ### Logging

    ### Core
    listen my.ip.add.ress:443 ssl http2;
    listen 10.1.0.1:443 ssl http2;
    server_name oauth.fxa.mydomain.tld;

    ### TLS
    include /etc/nginx/conf/00-tls-base.conf;
    ssl_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fxa.mydomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;

    ### ACL
    include conf/10-acl-mydomain.tld.conf;
    deny all;

    ### Bots
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    ### Paths
    location / {
        proxy_pass http://10.1.2.3:1234/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    ### Logging

    ### Core
    listen my.ip.add.ress:443 ssl http2;
    listen 10.1.0.1:443 ssl http2;
    server_name graphql.fxa.mydomain.tld;

    ### TLS
    include /etc/nginx/conf/00-tls-base.conf;
    ssl_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fxa.mydomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;

    ### ACL
    include conf/10-acl-mydomain.tld.conf;
    deny all;

    ### Bots
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    ### Paths
    location / {
        proxy_pass http://10.1.2.3:1234/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    ### Logging

    ### Core
    listen my.ip.add.ress:443 ssl http2;
    listen 10.1.0.1:443 ssl http2;
    server_name channelserver.fxa.mydomain.tld;

    ### TLS
    include /etc/nginx/conf/00-tls-base.conf;
    ssl_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fxa.mydomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/fxa.mydomain.tld/fullchain.pem;

    ### ACL
    include conf/10-acl-mydomain.tld.conf;
    deny all;

    ### Bots
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    ### Paths
    location / {
        proxy_pass http://10.1.2.3:1234/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

jackyzy823 commented 2 years ago

Sadly, I cannot reproduce the problem.

(but I found another unrelated problem with the exim local relay and fixed it)

The old docker-compose (the Python one, https://github.com/docker/compose/releases/tag/1.29.2) does not have the `Error response from daemon: configured logging driver does not support reading` problem. You can try that.

```
dest-fxa-auth-server-1 | Connection Error: Error: Connection lost: The server closed the connection.
```

I found this line. It may indicate a connection error between the database and fxa-auth-server. Please check your database.

Basically, a normal fxa-auth-server starts with a log like this:

```
issue13-fxa-auth-server-1 | Generating keypair
issue13-fxa-auth-server-1 | (node:9) [DEP0148] DeprecationWarning: Use of deprecated folder mapping "./" in the "exports" field module resolution of the package at /fxa/node_modules/fxa-shared/package.json.
issue13-fxa-auth-server-1 | Update this package.json to use a subpath pattern like "./*".
issue13-fxa-auth-server-1 | (Use `node --trace-deprecation ...` to show where the warning was created)
issue13-fxa-auth-server-1 | Secret Key saved: /fxa/packages/fxa-auth-server/dist/fxa-auth-server/config/secret-key.json
issue13-fxa-auth-server-1 | Public Key saved: /fxa/packages/fxa-auth-server/dist/fxa-auth-server/config/public-key.json
issue13-fxa-auth-server-1 | Key saved: /fxa/packages/fxa-auth-server/dist/fxa-auth-server/config/key.json
issue13-fxa-auth-server-1 | OldKey saved: /fxa/packages/fxa-auth-server/dist/fxa-auth-server/config/oldKey.json
issue13-fxa-auth-server-1 | Please restart the server to begin using the new keys
issue13-fxa-auth-server-1 | (node:18) [DEP0148] DeprecationWarning: Use of deprecated folder mapping "./" in the "exports" field module resolution of the package at /fxa/node_modules/fxa-shared/package.json.
issue13-fxa-auth-server-1 | Update this package.json to use a subpath pattern like "./*".
issue13-fxa-auth-server-1 | (Use `node --trace-deprecation ...` to show where the warning was created)
issue13-fxa-auth-server-1 | Generating key for VAPID
issue13-fxa-auth-server-1 | Done: /fxa/packages/fxa-auth-server/dist/fxa-auth-server/config/vapid-keys.json
issue13-fxa-auth-server-1 | (node:25) [DEP0148] DeprecationWarning: Use of deprecated folder mapping "./" in the "exports" field module resolution of the package at /fxa/node_modules/fxa-shared/package.json.
issue13-fxa-auth-server-1 | Update this package.json to use a subpath pattern like "./*".
issue13-fxa-auth-server-1 | (Use `node --trace-deprecation ...` to show where the warning was created)
issue13-fxa-auth-server-1 | --------------------------------------------------------
issue13-fxa-auth-server-1 | docker-compose-wait 2.7.3
issue13-fxa-auth-server-1 | ---------------------------
issue13-fxa-auth-server-1 | Starting with configuration:
issue13-fxa-auth-server-1 |  - Hosts to be waiting for: [redis:6379,mysqldb:3306]
issue13-fxa-auth-server-1 |  - Timeout before failure: 120 seconds
issue13-fxa-auth-server-1 |  - TCP connection timeout before retry: 5 seconds
issue13-fxa-auth-server-1 |  - Sleeping time before checking for hosts availability: 0 seconds
issue13-fxa-auth-server-1 |  - Sleeping time once all hosts are available: 0 seconds
issue13-fxa-auth-server-1 |  - Sleeping time between retries: 1 seconds
issue13-fxa-auth-server-1 | --------------------------------------------------------
issue13-fxa-auth-server-1 | Checking availability of redis:6379
issue13-fxa-auth-server-1 | Host redis:6379 is now available!
issue13-fxa-auth-server-1 | --------------------------------------------------------
issue13-fxa-auth-server-1 | Checking availability of mysqldb:3306
issue13-fxa-auth-server-1 | Host mysqldb:3306 is now available!
issue13-fxa-auth-server-1 | --------------------------------------------------------
issue13-fxa-auth-server-1 | docker-compose-wait - Everything's fine, the application can now start!
issue13-fxa-auth-server-1 | --------------------------------------------------------
issue13-fxa-auth-server-1 | (node:33) [DEP0148] DeprecationWarning: Use of deprecated folder mapping "./" in the "exports" field module resolution of the package at /fxa/node_modules/fxa-shared/package.json.
issue13-fxa-auth-server-1 | Update this package.json to use a subpath pattern like "./*".
issue13-fxa-auth-server-1 | (Use `node --trace-deprecation ...` to show where the warning was created)
issue13-fxa-auth-server-1 | {"Timestamp":1664967135601000000,"Logger":"fxa-auth-server","Type":"metricsEvents.emitFlowEvent","Severity":2,"Pid":33,"EnvVersion":"2.0","Fields":{"event":"route./account/status.200","missingFlowId":true}}
```
jackyzy823 commented 2 years ago

To check the DB connection, you may do as follows to enter fxa-auth-server's shell:

```
docker-compose exec -u root fxa-auth-server /bin/bash
```

In the container's shell

```
apt update -y -qq && apt install -y -qq default-mysql-client-core
mysql -h mysqldb -uroot -e 'show databases;'
```

It should output

```
+--------------------+
| Database           |
+--------------------+
| information_schema |
| fxa                |
| fxa_oauth          |
| fxa_profile        |
| mysql              |
| performance_schema |
| pushbox            |
| sync               |
| sys                |
+--------------------+
```

If the above works, then try restarting fxa-auth-server with `docker-compose restart fxa-auth-server`, and check the log to see whether the connection is still lost.
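
A small check for this step, added here as an example and not part of the fxa-selfhosting project: it parses the `show databases;` listing and reports which of the FxA databases from the expected output above are missing. The script name `check_fxa_dbs.py` and the function names are my own; the expected set (`fxa`, `fxa_oauth`, `fxa_profile`, `pushbox`, `sync`) is taken from the listing in this comment, with MySQL's own system schemas left out. It accepts both the boxed table format and the tab-separated output of `mysql -B`.

```python
# Added example, not code from the fxa-selfhosting project: check the output of
# `mysql -h mysqldb -uroot -e 'show databases;'` (run inside the fxa-auth-server
# container, as described above) for the databases the FxA stack needs.
import re
import sys
from typing import List, Set

# The FxA-related databases in the expected listing; MySQL's own schemas
# (information_schema, mysql, performance_schema, sys) are not checked.
EXPECTED_FXA_DATABASES = frozenset({"fxa", "fxa_oauth", "fxa_profile", "pushbox", "sync"})


def parse_show_databases(output: str) -> Set[str]:
    """Database names from `show databases;` output.

    Handles the default boxed table and the tab-separated format of `mysql -B`.
    """
    names = set()
    for raw in output.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"+", "-"}:
            continue  # blank line or a border such as +------+
        if line.startswith("|"):
            line = line.strip("|").strip()  # boxed row: "| fxa |"
        if line == "Database":
            continue  # column header
        if re.fullmatch(r"[A-Za-z0-9_$]+", line):
            names.add(line)
    return names


def missing_fxa_databases(output: str) -> List[str]:
    """Sorted list of expected FxA databases absent from the listing."""
    return sorted(EXPECTED_FXA_DATABASES - parse_show_databases(output))


# Constructed sample: the listing sdfg2 posted later in this thread
# (fxa_oauth and fxa_profile are missing).
SAMPLE_OUTPUT = """\
+--------------------+
| Database           |
+--------------------+
| information_schema |
| fxa                |
| mysql              |
| performance_schema |
| pushbox            |
| sync               |
| sys                |
+--------------------+
"""

if __name__ == "__main__":
    # Read the listing from stdin when piped in, otherwise use the sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    missing = missing_fxa_databases(text)
    if missing:
        print("missing databases:", ", ".join(missing))
        print("the schema init did not complete; a clean restart "
              "(stop, remove ./mysql_data, start) recreates them")
        sys.exit(1)
    print("all FxA databases present")
```

With the MySQL client installed in the container as shown above, `docker-compose exec -u root fxa-auth-server mysql -h mysqldb -uroot -B -e 'show databases;' | python3 check_fxa_dbs.py` exits non-zero and names the missing databases.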

sdfg2 commented 2 years ago

Ok, mysql just shows the following:

```
root@a1ff8be257cf:/fxa/packages/fxa-auth-server/dist/fxa-auth-server# mysql -h mysqldb -uroot -e 'show databases;'
+--------------------+
| Database           |
+--------------------+
| information_schema |
| fxa                |
| mysql              |
| performance_schema |
| pushbox            |
| sync               |
| sys                |
+--------------------+
```
jackyzy823 commented 2 years ago

It makes me more confused. The connection is OK, but some databases (fxa_profile, fxa_oauth) are missing.

Have you tried a clean restart? (stop, remove the ./mysql_data folder, start).

sdfg2 commented 2 years ago

Well, progress! I flattened and reinstalled everything, and all the tables are correct. Then I got a 'failed to send email' error, and 'unexpected error' after that. Refreshing the page to do some network debugging I put my email in and it just asked for a password - so at least it registered an account - but then throws the unexpected error again. The errors it throws are these:

```
dest-fxa-auth-server-1  | {"Timestamp":1665005140745000000,"Logger":"fxa-auth-server","Type":"mailer.send.error","Severity":2,"Pid":32,"EnvVersion":"2.0","Fields":{"err":"Invalid login: 503 AUTH command used when not advertised","code":"EAUTH","to":"myemail@domain.tld","template":"verifyLoginCode"}}
dest-fxa-auth-server-1  | {"Timestamp":1665005140765000000,"Logger":"fxa-auth-server","Type":"request.summary","Severity":2,"Pid":32,"EnvVersion":"2.0","Fields":{"status":500,"errno":999,"path":"/v1/account/login","lang":"en-US,en;q=0.5","agent":"Mozilla/5.0 (Windows NT 10.0; rv:105.0) Gecko/20100101 Firefox/105.0","remoteAddressChain":"[\"10.1.2.3\",\"10.1.0.1\",\"172.28.0.15\"]","t":280,"uid":"00","service":"sync","reason":"signin","keys":true,"method":"post","email":"myemail@domain.tld"}}
```

I did read in another set of non-docker instructions that you had to manually set the email verified flag in the database, but that was because it wasn't tied to an MTA, but I see that there is an exim container here.
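
An added example, not code from the project or from either participant, that triages log lines like the ones quoted in this thread: it strips the docker-compose container prefix, parses the JSON records fxa-auth-server emits, and reports lost database connections, `mailer.send.error` records and `request.summary` records with a 5xx status, converting the nanosecond `Timestamp` field to UTC and decoding `remoteAddressChain` (a JSON array stored as a string) so you can see which proxy hops the auth server recorded. The function names are my own; the sample lines are the ones from this thread, prefixed as docker-compose prints them.

```python
# Added example, not code from the fxa-selfhosting project: triage the log lines
# fxa-auth-server prints through docker-compose. The sample lines are the ones
# quoted in this issue; everything else here is an assumption.
import json
import re
from datetime import datetime, timezone
from typing import List, Optional

# docker-compose prefixes each line with "<container name> | ".
_COMPOSE_PREFIX = re.compile(r"^[\w.-]+\s*\|\s*")


def strip_prefix(line: str) -> str:
    return _COMPOSE_PREFIX.sub("", line.strip(), count=1)


def parse_log_line(line: str) -> Optional[dict]:
    """Parsed JSON record, or None for plain-text lines (banners, warnings)."""
    body = strip_prefix(line)
    if not body.startswith("{"):
        return None
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def timestamp_iso(ts_ns: int) -> str:
    """fxa-auth-server writes Timestamp as nanoseconds since the epoch."""
    seconds, rem_ns = divmod(int(ts_ns), 10**9)
    stamp = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return stamp.replace(microsecond=rem_ns // 1000).isoformat()


def triage(lines: List[str]) -> List[dict]:
    """One finding per lost DB connection, mailer error or 5xx request."""
    findings = []
    for line in lines:
        body = strip_prefix(line)
        rec = parse_log_line(line)
        if rec is None:
            # Plain-text line: the MySQL driver reports a lost connection this way.
            if body.startswith("Connection Error:"):
                findings.append({"kind": "db.connection", "detail": body})
            continue
        fields = rec.get("Fields", {})
        kind = rec.get("Type")
        when = timestamp_iso(rec.get("Timestamp", 0))
        if kind == "mailer.send.error":
            hint = ""
            if fields.get("code") == "EAUTH":
                # "503 AUTH command used when not advertised": the mailer sent
                # AUTH to a relay that had not offered it.
                hint = " [SMTP relay rejected AUTH; check the relay config]"
            findings.append({
                "kind": kind, "time": when,
                "detail": f"{fields.get('template')} to {fields.get('to')}: "
                          f"{fields.get('err')}{hint}",
            })
        elif kind == "request.summary" and int(fields.get("status", 0)) >= 500:
            # remoteAddressChain is a JSON array encoded as a string.
            chain = json.loads(fields.get("remoteAddressChain", "[]"))
            findings.append({
                "kind": kind, "time": when, "path": fields.get("path"),
                "status": fields["status"], "errno": fields.get("errno"),
                "remote_chain": chain,
            })
    return findings


# Constructed sample: the lines quoted in this issue, with the compose prefix.
SAMPLE_LINES = r'''
dest-fxa-auth-server-1  | Connection Error: Error: Connection lost: The server closed the connection.
dest-fxa-auth-server-1  | {"Timestamp":1665005140745000000,"Logger":"fxa-auth-server","Type":"mailer.send.error","Severity":2,"Pid":32,"EnvVersion":"2.0","Fields":{"err":"Invalid login: 503 AUTH command used when not advertised","code":"EAUTH","to":"myemail@domain.tld","template":"verifyLoginCode"}}
dest-fxa-auth-server-1  | {"Timestamp":1665005140765000000,"Logger":"fxa-auth-server","Type":"request.summary","Severity":2,"Pid":32,"EnvVersion":"2.0","Fields":{"status":500,"errno":999,"path":"/v1/account/login","lang":"en-US,en;q=0.5","agent":"Mozilla/5.0 (Windows NT 10.0; rv:105.0) Gecko/20100101 Firefox/105.0","remoteAddressChain":"[\"10.1.2.3\",\"10.1.0.1\",\"172.28.0.15\"]","t":280,"uid":"00","service":"sync","reason":"signin","keys":true,"method":"post","email":"myemail@domain.tld"}}
dest-fxa-auth-server-1  | {"Timestamp":1664967135601000000,"Logger":"fxa-auth-server","Type":"metricsEvents.emitFlowEvent","Severity":2,"Pid":33,"EnvVersion":"2.0","Fields":{"event":"route./account/status.200","missingFlowId":true}}
'''.strip().splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Piping `docker-compose logs --no-color fxa-auth-server` into `triage` gives the same three kinds of findings on a live deployment; the flow-event line is ignored because it is neither an error nor a failed request.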

jackyzy823 commented 2 years ago

That's what I called the unrelated-but-fixed problem. (Since I do not use the exim relay, I hadn't tested much on that before.)

I fixed this exim issue in the latest commit. Please update this repo and retry, thanks.

sdfg2 commented 2 years ago

Hurray! Everything works now. I was wondering though if you could be a bit more specific in the instructions with what to do for fenix based browsers? There's no reference in the _init file to Fenix, just Fennec, and the file itself is very confusing without knowing exactly what to look for. :-(

EDIT: Also

services.sync.syncInterval = 60
services.sync.syncThreshold = 10

are not there in about:config, should I add them? The link you provide gives a 404 for further information.

jackyzy823 commented 2 years ago

For Fenix, the instructions are generated and output by init.sh; maybe you missed them. Like:

```
Config for Fenix(Firefox android)
Enable "Secret Menu"  See: https://github.com/mozilla-mobile/fenix/pull/8916
"Custom Firefox Account server":"https://www.example.com",
"Custom Sync server": "https://token.example.com/token/1.0/sync/1.5",
```

Well, these configs are optional. You can add them if they don't exist. See https://searchfox.org/mozilla-central/source/services/sync/modules/policies.js#262

The link is https://github.com/mozilla/fxa/blob/main/packages/fxa-dev-launcher/profile.mjs now.

sdfg2 commented 2 years ago

I have those instructions for Fenix, I'm referring to the ones in the readme here:


    you need edit /_init/auth/oauthserver-prod.json edit fenix' redirecturi and add scope

"scope": "https://identity.mozilla.com/tokens/session"

    edit _init/content/contentserver-prod.json oldsync redirecturi oauth/success/a2270f727f45f648
jackyzy823 commented 2 years ago

I updated the README. By default, you don't need to do anything. It's pre-configured, but it can be changed by advanced users.

sdfg2 commented 2 years ago

Ahh! Good! All done, thank you for your help.

Are you planning on moving to syncstorage_rs at any point?

jackyzy823 commented 2 years ago

Currently no. Supporting the situation of starting out with syncstorage-rs is not hard.

The hard part is supporting the situation of converting from the old syncserver to syncstorage-rs.

Unless the tools/scripts to convert the database from the old syncserver to syncstorage-rs are done (table schema, node assignment and URL routes), I will not start supporting it.

See comments https://github.com/mozilla-services/syncstorage-rs/issues/1051#issuecomment-924885375 and https://github.com/mozilla-services/syncstorage-rs/issues/1051#issuecomment-924973833

sdfg2 commented 2 years ago

Ah, was just wondering. Maybe two projects, one for syncstorage and the current one for syncserver? Then you would be able to let new people use syncstorage until such time as there's a migration path for others on syncserver.