linuxserver / docker-mastodon

GNU General Public License v3.0

[invalid] Confused by Traefik instructions #60

Closed TangentFoxy closed 1 year ago

TangentFoxy commented 1 year ago

Is there an existing issue for this?

Current Behavior

In the documentation, there is a link for how to set up Mastodon behind a reverse proxy. It links to the FAQ under #strict-proxy, which opens a guide for Traefik? I don't understand what this is, it hasn't appeared anywhere else in the documentation, or in the swag documentation. It looks like a YAML configuration though, so I tried adding it to the docker-compose file, which results in saying the file is invalid due to http not being a valid directive.

I am unable to access Mastodon because it is behind a reverse proxy, and the instructions for setting this up correctly are incredibly unclear. What am I supposed to be doing?

(Err, results in a 502 bad gateway.)

Expected Behavior

Documentation should explain how to configure Mastodon to work behind a reverse proxy, not how to configure something completely unrelated that I can't find any information about.

Steps To Reproduce

  1. Follow the documentation.

Environment

- OS: Ubuntu 18.04.1 LTS
- How docker service was installed: I have no idea. Probably whatever version of `sudo apt-get install` worked.

CPU architecture

x86-64

Docker creation

The provided docker-compose from the documentation, modified to my hostname and with secrets. Ports changed externally so that reverse proxy could be set up (otherwise they wouldn't be able to be bound at all).

Container logs

N/A

github-actions[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

aptalca commented 1 year ago

> It links to the FAQ under #strict-proxy, which opens a guide for Traefik?

It says "If you are using a reverse proxy which validates certificates". If you're using SWAG/nginx, you are not using a reverse proxy which validates certificates so that link is not for you.

For SWAG, all you need to do is listed in SWAG's built-in proxy conf for Mastodon: https://github.com/linuxserver/reverse-proxy-confs/blob/master/mastodon.subdomain.conf.sample

For 502, see here: https://docs.linuxserver.io/general/swag#502

Closing as this is not a bug

TangentFoxy commented 1 year ago

Wouldn't it be a good idea to clarify the part that confused me so that others do not run into the same lack of understanding? Is there somewhere I can propose changes to documentation to improve it?


I am using the correct config for SWAG, but I am even more confused by the document you linked to me. The only option under 502 errors that applies to me is "you manually changed the port" but if I don't change the port, the container can't even start because the ports are already bound by SWAG.

I will attempt to figure out how I've misunderstood this, but if you have any ideas, please let me know.

Roxedus commented 1 year ago

The blurb you got caught up in has existed for a while, and this is the first time I have seen someone get tripped up by it. I am not sure how I can make the Traefik section clearer for Traefik.

It seems like you are not using docker networking to its full potential, but I can only guess as you did not provide a compose.

TangentFoxy commented 1 year ago

Perhaps replacing

> Strict reverse proxies
>
> This image automatically redirects to https with a self-signed certificate. If you are using a reverse proxy which validates certificates, you need to disable this check for the container.

with something like

> Strict reverse proxies
>
> This image automatically redirects to https with a self-signed certificate. If you are using a reverse proxy which validates certificates, you need to disable this check for the container. Instructions for Traefik.

might be better?

Strangely, while searching to come up with what modification to suggest, I find that searching for "strict reverse proxies" only leads to linuxserver documentation, and searching for "strict reverse proxy" is even less helpful. It seems like this term isn't used elsewhere. Searching for "Traefik strict proxy" also doesn't help.

Because this terminology seems to only apply to this specifically, I would further suggest changing the title to "Using Traefik" or something similar to highlight the specificity. I'm less certain about that suggestion simply because it seems the way it is worded now is to intend for referencing where that comes into play with other software in the future? Or other software does the same thing but doesn't use a term for it?

As for this being the first time seeing someone get tripped up by it... almost no one speaks up. I know I struggled with projects for almost a decade before I started trying to ask for help and clarify things for others when I saw problems I could solve. Maybe I really am the only one stupid enough to screw this up, but there may be others who just gave up silently. shrug

(If you are curious as to the line of thinking that led to my confusion... I had never heard of Traefik before, but I do know what a reverse proxy is. The distinction of validating certification being a thing SWAG and my setup doesn't do did not occur to me, and nothing else I run acts like this, so I didn't know the instructions didn't apply to me. Because I had no idea what any of this was and nothing specified where that YAML configuration should go, I tried placing it in the only configuration spot I was already familiar with, which was obviously wrong. Perhaps having this section say something about where these configurations are supposed to be could further alleviate confusion?)

> It seems like you are not using docker networking to its full potential, but I can only guess as you did not provide a compose.

It seems I've misunderstood something fundamental about how to use SWAG with other services, but in a way that still functions, which is leading to more complication and confusion. At this point, I figured it would be more helpful for me to re-read things and try to figure out where I misunderstood things before posting more of what I'm doing, as it's likely that my setup is so screwed up that starting over is preferable.

...and since I'm doing that anyhow, is Traefik a better reverse proxy to use? Should I try learning how to use it correctly instead of using SWAG?

Roxedus commented 1 year ago

> Perhaps replacing

The FAQ entry is written to be expanded upon, if needed. It just so happens that Traefik is the only common reverse proxy solution that is currently defaulting to validating TLS certificates on the backend; Nginx (and thus SWAG) does not do this. The text on the image-specific docs page takes time to update, which is why it is written to be generic.

> Because this terminology seems to only apply to this...

If you find a terminology, I am all ears.

> As for this being the first time...

I get your point, but I also have been scolded for less, so I have grown accustomed to people speaking up for every small thing.

> about where these configurations are supposed to be could further alleviate confusion?

That's just the thing, there is no real convention on how to set up Traefik, and every guide does it their own way.

We assume that https://docs.linuxserver.io/general/swag is somewhat understood when using swag (I know we don't make that clear right now), this covers how you can benefit from a custom docker network (and how compose makes that easier).

As for Traefik vs SWAG, it is just preference, but as we have more experience with Nginx, we recommend that, as it makes it easier to support.

TangentFoxy commented 1 year ago

Thank you so much for answering my questions and giving feedback!
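
What the "strict reverse proxy" case discussed in this thread looks like for Traefik, as an added example that is not part of the original thread or of the linuxserver documentation. It assumes Traefik v2 or later with the file provider enabled; the transport name, hostname, entry point name, container name and port are placeholders.

```yaml
# Traefik dynamic configuration, loaded by Traefik's file provider
# (enabled in the static config via providers.file.filename or
# providers.file.directory). It is not docker-compose syntax: a top-level
# "http:" key pasted into docker-compose.yml is rejected as invalid.
http:
  serversTransports:
    # Placeholder name. Certificate validation is turned off only for
    # services that reference this transport.
    mastodon-selfsigned:
      insecureSkipVerify: true

  routers:
    mastodon:
      rule: "Host(`mastodon.example.com`)"   # placeholder hostname
      entryPoints:
        - websecure                          # placeholder entry point name
      service: mastodon
      tls: {}

  services:
    mastodon:
      loadBalancer:
        serversTransport: mastodon-selfsigned
        servers:
          # Assumed container name and HTTPS port on a shared Docker network.
          - url: "https://mastodon:443"

# Broader alternative, shown for contrast (static config, affects every backend):
#
# serversTransport:
#   insecureSkipVerify: true
```

Skipping verification means Traefik no longer authenticates the container on that hop, so scoping it to one service on a private Docker network keeps validation in place for every other backend.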