FF sync server with nginx and https fails with "egg:gunicorn" method

[Nixbligger]

Hello,

I tried to setup ffsync server in my nginx webserver environment using a https address. I followed the official howto and got it setup and running to a certain degree with the "use = egg:Paste#http" method. When pointing my browser to the respective webaddress I get the expected empty page stating "It works". The log say something like:

INFO:mozsvc.metrics:{"code": 200, "request_time": 0.016633987426757812, "remoteAddressChain": ["::ffff:85.177.202.8", "127.0.0.1"], "agent": "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0", "path": "http://my-server.net/ffsync/", "method": "GET"}

But when I try to configure the appropriate variable "services.sync.tokenServerURI" in FF and Sign in (to mozilla account server) sync fails with an authentication error and the following log message:

INFO:mozsvc.metrics:{"code": 401, "request_time": 1.8790898323059082, "remoteAddressChain": ["::ffff:85.177.202.8", "127.0.0.1"], "agent": "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0", "token.assertion.audience_mismatch_error": 1, "token.assertion.verify_failure": 1, "tokenserver.assertion.verify": 1.8432259559631348, "path": "http://my-server.net/ffsync/token/1.0/sync/1.5", "method": "GET"}

I am aware that the howto states I should use the "use = egg:gunicorn" method after installing it via local/bin/easy_install gunicorn (states it installed version 19.1.1), however I was not able to make it work that way at all, as it always fails with the following error message:

!!! !!! WARNING: This command is deprecated. !!! !!! You should now use the --paste option. Ex.: !!! !!! gunicorn --paste development.ini !!!
!!!

Config error: invalid literal for int() with base 0: '2\xe2\x80\xa8' Exiting 1 (-v to see traceback)

What am I doing wrong? Any help would be highly appreciated! Does it probably have to do with the nginx https incompatibilities I read about here?

Thank you for your help! Cheers, Nix

---

PS: Here are the respective config excepts:

1. syncserver.ini:

[server:main] use = egg:gunicorn host = 127.0.0.1 port = 8070 workers = 2 timeout = 60

[syncserver] public_url = http://my-server.net/ffsync/

2.nginx:

location /ffsync/ { access_log /var/log/nginx/ffsync.access.log; error_log /var/log/nginx/ffsync.error.log; rewrite ^/ffsync(.+)$ $1 break; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_redirect off; proxy_read_timeout 120; proxy_connect_timeout 10; proxy_pass http://127.0.0.1:8070/ffsync; }

[rfk]

I recommend getting everything working with paste before switching to gunicorn, if possible.

The "audience_mismatch_error" usuall indicates that there's a mis-match between your public_url setting and what is seen by the browser. Can you confirm that everything is using plain http and not https? Does the server console show any warnings or errors about the public_url setting?

One quick-but-hacky thing you could try, is adding some debug printing to this file:

local/lib/python2.7/site-packages/tokenserver/verifiers.py

In the definition of the verify method on line 88, try adding the following to print out the audience value from the assertion:

from browserid.utils import get_assertion_info
print get_assertion_info(assertion)

There should be an "audience" field in the printed result, which should match the hostname in your public_url. If it doesn't that will give a clue as to what's going wrong.

[Nixbligger]

Thanks for the reply, rfk! No, I cannot confirm that because my nginx configuration is https only and translates via the proxy-pass setting. I thought that this "translation" from https to local http sort of is the purpose of the gunicorn module use but that was a just a shot into the blue and probably wrong. However, as I followed the same setup as in the official howto, there it is a https server setup proxying to a local http too, I thought I would be on the right track. And, yesterday I wasn't able to make it work via http on my setup either, and gave up on it later. But so much for now. Unfortunately, i'll not be able to try your suggestions until next week as I'm leaving home for a few days tomorrow morning. I'll get back when I did. Thanks again! Cheers, Nix

[Nixbligger]

Sorry, didn't realised that I obviously closed this issue last week. That was clearly not my intention. Feedback and tips are still very welcome.

@rfk: Before I try your suggestions above, would you please help me understand the purpose of gunicorn in a few words? And is it a wrong approach to use nginx to proxy-pass an external syncserver https call to the configured local http port?

Cheers and thx, Nix

PS: Aaargh, now I know how I closed it. Sorry guys. Still have to familiarize with Git terminology and usage.

[rfk]

So gunicorn and paste both do basically the same thing here - they run a http service on a local port, which you can use nginx to proxy-pass to to provide https support. Gunicorn is just a little more "production friendly", e.g. able to handle more load, cope better with errors, etc.

And is it a wrong approach to use nginx to proxy-pass an external syncserver https call to the configured local http port?

No, this is a fine approach and is quite standard. But it can be a little bit tricky to set up correctly, as you need to get just the right headers to tell the python app that it's being serve on https rather than http.

One setting you could try is the forwarded-allow-ips setting for gunicorn, which affects whether certain https->http forwarding headers are respected:

http://gunicorn-docs.readthedocs.org/en/latest/settings.html#forwarded-allow-ips

Try setting it to * in your gunicorn config.

[rfk]

Closing due to inactivity