meeb / tubesync

Syncs YouTube channels and playlists to a locally hosted media server
GNU Affero General Public License v3.0

Problem while behind Reverse Proxy [NGINX] #273

Closed ghost closed 2 months ago

ghost commented 1 year ago

I have both TubeSync and NGINX as containers [as well as other apps - plex, sonarr, etc.], and everything works except for TubeSync where I get "Bad Request Contradictory scheme headers"

With some research I found out [https://github.com/benoitc/gunicorn/issues/1857] that when the header X-Forwarded-Protocol for gunicorn [a component of TubeSync] is set to 'https' it will error out and it needs to be set to 'ssl' [https://panel.djangoeurope.com/support/doc/http2https].

Here, https://github.com/benoitc/gunicorn/issues/1857#issuecomment-673925947, they mention that this can be fixed in the gunicorn config - is this something that can be fixed in the TubeSync docker?

meeb commented 1 year ago

If you can get a change working for you that doesn't disrupt anyone else's deployments I'm happy to tweak any required settings to get this to work properly for you. You will likely need to test this yourself as I can't easily replicate your setup. Can you please drop into the container shell:

docker exec -ti tubesync bash

Then install your shell editor of choice, for example:

apt update && apt install nano

Then you can edit the gunicorn config file in your container:

nano /app/tubesync/gunicorn.py

From the gunicorn issue you linked above, try appending the discussed line to the gunicorn config file:

secure_scheme_headers = {'X-FORWARDED-PROTOCOL': 'https', 'X-FORWARDED-PROTO': 'https', 'X-FORWARDED-SSL': 'on'}

Then restart the TubeSync container and see if that fixes it for you. If it does, I'll give the change a wider test to see if it breaks anything before committing.

ghost commented 1 year ago

I added that line and restarted the container and I get the same message in the browser, and the log from the container shows:

XXX.YYY.0.ZZZ - - [07/Oct/2022:13:44:57 -0300] "GET /favicon.ico HTTP/1.1" 400 149 "https://tubesync.DOMAIN.TLD/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.37"

Any other thoughts on making this work or do I need to modify the container for NGINX?

meeb commented 1 year ago

You can use the same commands above and then edit the embedded nginx config as well:

nano /etc/nginx/nginx.conf

You can modify all the nginx proxy commands there including where the x-forwarded-proto etc. are set. Try tweaking those.

zpz5HAU-tgc3fgw2xwr commented 1 year ago

@microSCOPED

IDK if this is your exact problem, but I know I had a lot of issues getting TubeSync to work behind NGINX awhile back. Assuming you're using SWAG and our configs are similar, I had to comment out this line in my location

        include /config/nginx/proxy.conf;

and replace it with this version where I commented out the "X-Forwarded-Ssl" line

# include /config/nginx/proxy.conf;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect  http://  $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto https;
# proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Real-IP $remote_addr;

Besides that change, it looks exactly like all my other configs. Haven't had problems since.
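
Added example, not part of any comment in this thread and not gunicorn's or TubeSync's own code: a simplified Python model of how gunicorn's `secure_scheme_headers` setting turns forwarded headers into a scheme and when it refuses a request as contradictory. The header sets are constructed, and the "inner hop" in case 2 is an assumed scenario rather than something the thread confirms.

```python
# Simplified model of gunicorn's secure_scheme_headers check (illustration only).
class ContradictorySchemeHeaders(Exception):
    """The condition gunicorn answers with '400 Contradictory scheme headers'."""

# gunicorn's documented default for secure_scheme_headers.
GUNICORN_DEFAULT = {
    "X-FORWARDED-PROTOCOL": "ssl",
    "X-FORWARDED-PROTO": "https",
    "X-FORWARDED-SSL": "on",
}
# The mapping suggested earlier in this thread.
THREAD_SUGGESTION = {**GUNICORN_DEFAULT, "X-FORWARDED-PROTOCOL": "https"}

def resolve_scheme(headers, mapping=GUNICORN_DEFAULT):
    """Return 'http' or 'https' for a list of (name, value) request headers.

    Each header named in the mapping votes 'https' when its value equals the
    mapped value exactly and 'http' otherwise; disagreeing votes raise.
    """
    scheme = None
    for name, value in headers:
        expected = mapping.get(name.upper())
        if expected is None:
            continue  # not a scheme header
        vote = "https" if value == expected else "http"
        if scheme is not None and vote != scheme:
            raise ContradictorySchemeHeaders(f"{name}: {value} contradicts {scheme}")
        scheme = vote
    return scheme or "http"  # no scheme header seen: assume a plain-HTTP listener

def is_rejected(headers, mapping=GUNICORN_DEFAULT):
    """True when the request would be refused as contradictory."""
    try:
        resolve_scheme(headers, mapping)
    except ContradictorySchemeHeaders:
        return True
    return False

# Constructed header sets (not captured from any deployment in the thread).
# 1. The linked gunicorn issue: 'https' in X-Forwarded-Protocol vs the default 'ssl'.
PROTOCOL_HTTPS = [("X-Forwarded-Protocol", "https"), ("X-Forwarded-Proto", "https")]
# 2. Assumed scenario: an inner hop rewrote X-Forwarded-Proto to 'http' while the
#    outer proxy's X-Forwarded-Ssl passed through untouched.
MIXED_HOPS = [("X-Forwarded-Proto", "http"), ("X-Forwarded-Ssl", "on")]
# 3. Same request once the outer proxy no longer sends X-Forwarded-Ssl.
WITHOUT_SSL = [("X-Forwarded-Proto", "http")]

if __name__ == "__main__":
    for label, hdrs in [("1", PROTOCOL_HTTPS), ("2", MIXED_HOPS), ("3", WITHOUT_SSL)]:
        print(label, "default:", is_rejected(hdrs), "suggested:", is_rejected(hdrs, THREAD_SUGGESTION))
```

Case 1 is refused only under the default mapping, while case 2 is refused under both mappings and passes once `X-Forwarded-Ssl` is no longer sent (case 3).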

wtfreely commented 1 year ago

> @microSCOPED
>
> IDK if this is your exact problem, but I know I had a lot of issues getting TubeSync to work behind NGINX awhile back. Assuming you're using SWAG and our configs are similar, I had to comment out this line in my location
>
>         include /config/nginx/proxy.conf;
>
> and replace it with this version where I commented out the "X-Forwarded-Ssl" line
>
> # include /config/nginx/proxy.conf;
> proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
>
> # Proxy Connection Settings
> proxy_buffers 32 4k;
> proxy_connect_timeout 240;
> proxy_headers_hash_bucket_size 128;
> proxy_headers_hash_max_size 1024;
> proxy_http_version 1.1;
> proxy_read_timeout 240;
> proxy_redirect  http://  $scheme://;
> proxy_send_timeout 240;
>
> # Proxy Cache and Cookie Settings
> proxy_cache_bypass $cookie_session;
> #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
> proxy_no_cache $cookie_session;
>
> # Proxy Header Settings
> proxy_set_header Connection $connection_upgrade;
> proxy_set_header Early-Data $ssl_early_data;
> proxy_set_header Host $host;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Proto https;
> # proxy_set_header X-Forwarded-Ssl on;
> proxy_set_header X-Real-IP $remote_addr;
>
> Besides that change, it looks exactly like all my other configs. Haven't had problems since.

My GOD I have spent days trying to fix this - THANK you.

meeb commented 1 year ago

Just to confirm this fix is for an upstream nginx reverse proxy, correct? To mention again if anyone does tweak TubeSync to work with their specific reverse proxy setup (that doesn't break anything else) I'm happy to edit the embedded nginx config in TubeSync to include it.

Thanks @ngInit for the issue support, most appreciated.

djismgaming commented 3 months ago

Amazing! I used @wtfreely's proposed change on an NGINX proxy using linuxserver/nginx and it worked perfectly.

Vintodrimmer commented 3 months ago

Does it still work for you? I couldn't copy everything due to the way my NGINX is set up, but pasting # Proxy Cache and Cookie Settings and # Proxy Header Settings results in 400 error for me with the following log from tubesync:

172.20.0.34 - - [29/Jun/2024:20:02:28 +0200] "GET / HTTP/1.1" 400 150 "-" "-"

djismgaming commented 2 months ago

> Does it still work for you? I couldn't copy everything due to the way my NGINX is set up, but pasting # Proxy Cache and Cookie Settings and # Proxy Header Settings results in 400 error for me with the following log from tubesync:
>
> 172.20.0.34 - - [29/Jun/2024:20:02:28 +0200] "GET / HTTP/1.1" 400 150 "-" "-"

Yes, it still works. I do have this behind a local-only nginx reverse proxy using linuxserver/nginx with the mod linuxserver/mods:nginx-proxy-confs. I don't need to access tubesync outside home, but I like all things behind SSL.

Local-only nginx reverse proxy

networks:
  default:
    name: linuxserver
    external: true
services:
  swag-local:
    restart: unless-stopped
    container_name: swag-local
    environment:
      - UMASK=022
      - TZ=$TZ
      - DOCKER_MODS=linuxserver/mods:swag-auto-reload|linuxserver/mods:nginx-proxy-confs
      - PUID=$PUID
      - PGID=$PGID
    ports:
      - 443:443
      - 80:80
    image: lscr.io/linuxserver/nginx:latest # https://github.com/linuxserver/docker-nginx/releases
    volumes:
      - ./data-swag-local:/config
      - ./data-swag/:/swag-ssl

This is my proxy config (just removed the comments added to the template by linuxserver.io that they add to all SWAG/nginx mod proxy-confs).

Current proxy-conf for tubesync

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    http2 on;

    server_name tubesync.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {

        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # Proxy Connection Settings
        proxy_buffers 32 4k;
        proxy_connect_timeout 240;
        proxy_headers_hash_bucket_size 128;
        proxy_headers_hash_max_size 1024;
        proxy_http_version 1.1;
        proxy_read_timeout 240;
        proxy_redirect  http://  $scheme://;
        proxy_send_timeout 240;

        # Proxy Cache and Cookie Settings
        proxy_cache_bypass $cookie_session;
        #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
        proxy_no_cache $cookie_session;

        # Proxy Header Settings
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Early-Data $ssl_early_data;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        # proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Real-IP $remote_addr;

        include /config/nginx/resolver.conf;
        set $upstream_app tubesync;
        set $upstream_port 4848;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

meeb commented 2 months ago

As this seems generally resolved I'll close the issue for now. Feel free to create a new issue and reference this one if you still experience this problem.