photonixapp / photonix

A modern, web-based photo management server. Run it on your home server and it will let you find the right photo from your collection on any device. Smart filtering is made possible by object recognition, face recognition, location awareness, color analysis and other ML algorithms.
https://photonix.org/
GNU Affero General Public License v3.0

Can't pass login screen through nginx-proxy #313

Open phirestalker opened 3 years ago

phirestalker commented 3 years ago

Describe the bug: I am unable to get past the login screen when accessing photonix through my nginx-proxy. Both photonix and nginx-proxy are Docker containers. I have set up multiple other containers for other services that work. I guess photonix might need some extra parameters for the proxy.

To Reproduce:

  1. Set up a new photonix Docker container.
  2. Do the setup on the local address and port.
  3. Create a new subdomain certificate and set up nginx-proxy for the new container.
  4. Visit the public address of the new photonix container and try to log in.

The login screen stays with a "loading" message indefinitely.

Expected behavior: I expect it to log in successfully as it does on the local address and port.

Screenshots: attached image "Screen Shot 2021-08-02 at 5 26 31 PM"

phirestalker commented 3 years ago

I noticed in the logs for the nginx-proxy that it is requesting with HTTP 2.0. In the nginx-prd.conf file for the photonix container it has proxy_http_version set to HTTP 1.1 for the admin, graphql, and thumbnailer endpoints. Would this possibly be the issue? If so, short of mounting the conf file as a volume and editing it, what are my other options?

EDIT: I could swear there was nothing in the logs before, but here is an excerpt from the photonix container logs.

2021/08/12 07:46:15 [warn] 52#52: *31 upstream server temporarily disabled while connecting to upstream, client: 192.168.208.2, server: , request: "POST /graphql HTTP/1.1", upstream: "http://127.0.0.1:8000/graphql", host: "photonix.computeraccess.icu", referrer: "https://photonix.mydomain.com/login"
2021/08/12 07:46:15 [error] 52#52: *31 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.208.2, server: , request: "POST /graphql HTTP/1.1", upstream: "http://127.0.0.1:8000/graphql", host: "photonix.computeraccess.icu", referrer: "https://photonix.mydomain.com/login"
2021/08/12 07:46:15 [warn] 52#52: *31 upstream server temporarily disabled while connecting to upstream, client: 192.168.208.2, server: , request: "POST /graphql HTTP/1.1", upstream: "http://127.0.0.1:8000/graphql", host: "photonix.computeraccess.icu", referrer: "https://photonix.mydomain.com/login"

EDIT (again): No this is a new problem in the logs because I can no longer bring up the site through its local IP address and port.

phirestalker commented 3 years ago

OK, Redis was down, so now I am back to the original problem. There are some juicy bits in the log this time after all, though.

2021-08-12 15:02:46,683 ERROR    Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 489, in _resolve_from_executor
    executor(resolve, reject)
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 756, in executor
    return resolve(f(*args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/graphql/execution/middleware.py", line 75, in make_it_promise
    return next(*args, **kwargs)
  File "/srv/photonix/photos/schema.py", line 258, in resolve_all_libraries
    return Library.objects.filter(users__user=user)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/manager.py", line 85, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 941, in filter
    return self._filter_or_exclude(False, args, kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 961, in _filter_or_exclude
    clone._filter_or_exclude_inplace(negate, args, kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 968, in _filter_or_exclude_inplace
    self._query.add_q(Q(*args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/query.py", line 1391, in add_q
    clause, _ = self._add_q(q_object, self.used_aliases)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/query.py", line 1410, in _add_q
    child_clause, needed_inner = self.build_filter(
  File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/query.py", line 1318, in build_filter
    self.check_related_objects(join_info.final_field, value, join_info.opts)
  File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/query.py", line 1147, in check_related_objects
    for v in value:
  File "/usr/local/lib/python3.8/site-packages/django/utils/functional.py", line 247, in inner
    return func(self._wrapped, *args)
graphql.error.located_error.GraphQLLocatedError: 'AnonymousUser' object is not iterable

2021-08-12 15:02:46,690 ERROR    Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 489, in _resolve_from_executor
    executor(resolve, reject)
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 756, in executor
    return resolve(f(*args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/graphql/execution/middleware.py", line 75, in make_it_promise
    return next(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/graphene_django/fields.py", line 171, in connection_resolver
    iterable = resolver(root, info, **args)
  File "/usr/local/lib/python3.8/site-packages/graphql_jwt/decorators.py", line 30, in wrapper
    return func(info.context, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/graphql_jwt/decorators.py", line 42, in wrapper
    raise exc
graphql.error.located_error.GraphQLLocatedError: You do not have permission to perform this action

2021-08-12 15:02:46,696 ERROR    Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 489, in _resolve_from_executor
    executor(resolve, reject)
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 756, in executor
    return resolve(f(*args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/graphql/execution/middleware.py", line 75, in make_it_promise
    return next(*args, **kwargs)
  File "/srv/photonix/accounts/schema.py", line 72, in resolve_profile
    raise GraphQLError('Not logged in')
graphql.error.located_error.GraphQLLocatedError: Not logged in

2021-08-12 15:02:46,705 ERROR    Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 489, in _resolve_from_executor
    executor(resolve, reject)
  File "/usr/local/lib/python3.8/site-packages/promise/promise.py", line 756, in executor
    return resolve(f(*args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/graphql/execution/middleware.py", line 75, in make_it_promise
    return next(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/graphene_django/fields.py", line 171, in connection_resolver
    iterable = resolver(root, info, **args)
  File "/usr/local/lib/python3.8/site-packages/graphql_jwt/decorators.py", line 30, in wrapper
    return func(info.context, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/graphql_jwt/decorators.py", line 42, in wrapper
    raise exc
graphql.error.located_error.GraphQLLocatedError: You do not have permission to perform this action

And now I am getting 400 errors, only on the public address, instead of those errors.

photonix.example.com 192.168.133.1 - - [12/Aug/2021:09:08:11 -0700] "POST /graphql HTTP/2.0" 400 149 "https://photonix.example.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36" "192.168.208.3:80"

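The two excerpts above are different logs: the first is the error log of the nginx inside the photonix container (its upstream gunicorn at 127.0.0.1:8000 refusing connections, which the reporter then traced to Redis being down), the second is the nginx-proxy access log in its "vhost" format, where the proxied HTTP/2.0 POST to /graphql gets a 400. The script below is an added triage example, not code from the Photonix project or from anyone in this thread. It parses both formats and reports the three things worth checking first for a "login hangs behind the proxy" report: upstreams nginx could not reach, the status mix per HTTP version, and every failed GraphQL POST. The sample lines are constructed from the excerpts with hostnames changed to example.com; the HTTP/1.1 200 line is invented for contrast.

```python
import re

# Constructed sample, modelled on the excerpts in this thread: two nginx error-log
# lines from inside the photonix container and three nginx-proxy access-log lines
# in its "vhost" format. Hostnames use example.com; the last line (a successful
# HTTP/1.1 request) is invented so the summary has something healthy to compare.
SAMPLE_LOG = """\
2021/08/12 07:46:15 [error] 52#52: *31 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.208.2, server: , request: "POST /graphql HTTP/1.1", upstream: "http://127.0.0.1:8000/graphql", host: "photonix.example.com", referrer: "https://photonix.example.com/login"
2021/08/12 07:46:15 [warn] 52#52: *31 upstream server temporarily disabled while connecting to upstream, client: 192.168.208.2, server: , request: "POST /graphql HTTP/1.1", upstream: "http://127.0.0.1:8000/graphql", host: "photonix.example.com", referrer: "https://photonix.example.com/login"
photonix.example.com 192.168.133.1 - - [12/Aug/2021:09:08:11 -0700] "POST /graphql HTTP/2.0" 400 149 "https://photonix.example.com/login" "Mozilla/5.0" "192.168.208.3:80"
photonix.example.com 192.168.133.1 - - [12/Aug/2021:09:08:12 -0700] "GET /static/app.js HTTP/2.0" 200 51234 "https://photonix.example.com/login" "Mozilla/5.0" "192.168.208.3:80"
photonix.example.com 192.168.133.1 - - [12/Aug/2021:09:10:02 -0700] "POST /graphql HTTP/1.1" 200 312 "http://192.168.1.20:8888/login" "Mozilla/5.0" "192.168.208.3:80"
"""

# nginx error log:
# <date> <time> [<level>] <pid>#<tid>: *<conn> <message>, client: ..., server: ..., request: "...", upstream: "...", host: "..."
ERROR_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \S+: \*\d+ (?P<msg>.*?), '
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]*), '
    r'request: "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)", '
    r'upstream: "(?P<upstream>[^"]+)", host: "(?P<host>[^"]+)"'
)

# nginx-proxy "vhost" access log, field order as in the line quoted above:
# $host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent" "$upstream_addr"
ACCESS_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<upstream>[^"]*)"'
)


def parse_line(line: str):
    """Classify one line as an nginx error-log or access-log record (or neither)."""
    m = ERROR_RE.match(line)
    if m:
        return "error", m.groupdict()
    m = ACCESS_RE.match(line)
    if m:
        return "access", m.groupdict()
    return None, None


def triage(log_text: str) -> dict:
    """Summarise what matters for a proxied-login failure: dead upstreams,
    status counts per HTTP version, and every failed POST /graphql."""
    findings = {
        "upstream_refused": [],   # upstream URLs that refused the connection (service down)
        "by_proto_status": {},    # (request protocol, status) -> count
        "failed_graphql": [],     # (client, protocol, status) for POST /graphql with status >= 400
        "unparsed": 0,            # non-empty lines neither pattern understood
    }
    for raw in log_text.splitlines():
        kind, rec = parse_line(raw)
        if kind == "error":
            if "Connection refused" in rec["msg"] and rec["upstream"] not in findings["upstream_refused"]:
                findings["upstream_refused"].append(rec["upstream"])
        elif kind == "access":
            status = int(rec["status"])
            key = (rec["proto"], status)
            findings["by_proto_status"][key] = findings["by_proto_status"].get(key, 0) + 1
            if rec["method"] == "POST" and rec["path"] == "/graphql" and status >= 400:
                findings["failed_graphql"].append((rec["client"], rec["proto"], status))
        elif raw.strip():
            findings["unparsed"] += 1
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The access-log pattern assumes the field order of nginx-proxy's `vhost` format exactly as the quoted line shows it; if your proxy logs a different format, adjust `ACCESS_RE` rather than the triage logic. A non-empty `upstream_refused` list means the problem is behind the proxy, not in it, and is the first thing to rule out before touching proxy headers.
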
damianmoore commented 3 years ago

Hi @phirestalker. Thanks for reporting this and sorry to hear you've had problems getting it running under your reverse proxy.

If I understand correctly, you are using Nginx in front of this container. Could you attach the config file you are using please?

I have a page on reverse proxies at https://photonix.org/docs/reverse_proxies/ but unfortunately haven't added an Nginx example there yet (which I need to do). You could try the Traefik one though. I know Nginx works as I have this in front of the https://demo.photonix.org/ site.

Could you also confirm that you have the ALLOWED_HOSTS: '*' environment variable set, please?

phirestalker commented 3 years ago

Yes, I am using a docker image known as nginx-proxy. I have found the configuration that it generated for Photonix.

# photonix.example.com
upstream 6ea8a677d3d00e0406e4bc2391e2ff4c495316f5 {
    # Cannot connect to network 'photonix_default' of this container
    # Cannot connect to network 'postgres_net' of this container
    # Cannot connect to network 'redis_net' of this container
    # Cannot connect to network 'photonix_default' of this container
    # Cannot connect to network 'postgres_net' of this container
    # Cannot connect to network 'redis_net' of this container
    # Cannot connect to network 'photonix_default' of this container
    # Cannot connect to network 'postgres_net' of this container
    # Cannot connect to network 'redis_net' of this container
    # Cannot connect to network 'photonix_default' of this container
    # Cannot connect to network 'postgres_net' of this container
    # Cannot connect to network 'redis_net' of this container
    # Cannot connect to network 'photonix_default' of this container
    # Cannot connect to network 'postgres_net' of this container
    # Cannot connect to network 'redis_net' of this container
    ## Can be connected with "photonix_default" network
    # photonix
    server 192.168.208.3:80;
    # Cannot connect to network 'postgres_net' of this container
    # Cannot connect to network 'redis_net' of this container
}
server {
    server_name photonix.example.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    # Do not HTTPS redirect Let'sEncrypt ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name photonix.example.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/photonix.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/photonix.example.com.key;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://6ea8a677d3d00e0406e4bc2391e2ff4c495316f5;
    }
}

I do have the allowed hosts line you mentioned in my docker-compose.yml file.

cnelson-pdx commented 3 years ago

I'm also seeing this issue. Two things I've tried are:

  1. adding the external URL to ALLOWED_HOSTS in settings.py
  2. adding the following lines to settings.py:
     SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
     SECURE_SSL_REDIRECT = True
     USE_X_FORWARDED_HOST = True

So far I'm still not having any luck, but I feel like this is a Django issue with how it's building full URLs or what URLs it's allowing requests from.

Maybe this will help us crowdsource a solution a bit faster. Thank you for the app.
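The three settings tried above, plus the ALLOWED_HOSTS question earlier in the thread, are exactly the knobs that decide whether Django accepts a proxied request and whether it believes the request was HTTPS. Two of them carry a caveat a practitioner should know before copying them: SECURE_PROXY_SSL_HEADER makes Django trust the named header unconditionally, so the proxy must overwrite it rather than pass the client's copy through; and USE_X_FORWARDED_HOST combined with ALLOWED_HOSTS set to '*' lets a client behind a pass-through proxy choose the host Django builds absolute URLs with. A rejected host is raised as DisallowedHost, which Django reports as HTTP 400, which is why ALLOWED_HOSTS is the first suspect when only the proxied address returns 400. The block below is an added example that re-implements those Django rules stand-alone (it does not import Django and is not Photonix code) and runs them through three hypothetical proxies: none, one that overwrites the forwarding headers, and one that forwards whatever the client sent. The hostnames and the proxy behaviours are assumptions for illustration, not a description of nginx-proxy or SWAG.

```python
import re
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

# Modelled on django.http.request (host syntax check, ALLOWED_HOSTS matching,
# get_host() and is_secure()). Re-implemented here so it runs without Django.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


class DisallowedHost(Exception):
    """Django answers this exception with HTTP 400 Bad Request."""


@dataclass
class Settings:
    allowed_hosts: List[str]
    use_x_forwarded_host: bool = False
    # e.g. ("X-Forwarded-Proto", "https"); Django spells it HTTP_X_FORWARDED_PROTO in request.META
    secure_proxy_ssl_header: Optional[Tuple[str, str]] = None


@dataclass
class Request:
    headers: Dict[str, str]   # headers as they arrive at Django, i.e. after the proxy
    transport_is_tls: bool    # whether the hop into Django itself was TLS


def split_domain_port(host: str) -> Tuple[str, str]:
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host[-1] == "]":          # bare IPv6 literal without a port
        return host, ""
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    return (domain[:-1] if domain.endswith(".") else domain), port


def is_same_domain(host: str, pattern: str) -> bool:
    if not pattern:
        return False
    pattern = pattern.lower()
    return (pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])) or pattern == host


def validate_host(host: str, allowed_hosts: List[str]) -> bool:
    """'*' allows anything, '.example.com' allows the domain and all subdomains, else exact."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def get_host(req: Request, s: Settings) -> str:
    if s.use_x_forwarded_host and "X-Forwarded-Host" in req.headers:
        host = req.headers["X-Forwarded-Host"]
    else:
        host = req.headers.get("Host", "")
    domain, _ = split_domain_port(host)
    if domain and validate_host(domain, s.allowed_hosts):
        return host
    raise DisallowedHost(f"Invalid HTTP_HOST header: {host!r}")


def is_secure(req: Request, s: Settings) -> bool:
    if s.secure_proxy_ssl_header:
        name, expected = s.secure_proxy_ssl_header
        value = req.headers.get(name)
        if value is not None:
            return value == expected   # trusted unconditionally: the proxy must own this header
    return req.transport_is_tls


# Three hypothetical ways a request can reach Django (assumptions for this example).
def no_proxy(client_headers, client_used_tls, public_host):
    return Request(dict(client_headers), client_used_tls)

def trusted_proxy(client_headers, client_used_tls, public_host):
    """Correct behaviour: the proxy sets the forwarding headers from what it knows."""
    h = dict(client_headers)
    h["Host"] = public_host
    h["X-Forwarded-Proto"] = "https" if client_used_tls else "http"
    h.pop("X-Forwarded-Host", None)
    return Request(h, transport_is_tls=False)

def passthrough_proxy(client_headers, client_used_tls, public_host):
    """Misconfiguration: client headers are forwarded verbatim, only missing ones are added."""
    h = dict(client_headers)
    h.setdefault("Host", public_host)
    h.setdefault("X-Forwarded-Proto", "https" if client_used_tls else "http")
    return Request(h, transport_is_tls=False)


def scenario(s: Settings, proxy: Callable, client_headers: Dict[str, str],
             client_used_tls: bool = True, public_host: str = "photonix.example.com") -> dict:
    req = proxy(client_headers, client_used_tls, public_host)
    try:
        host = get_host(req, s)
    except DisallowedHost:
        return {"status": 400, "host": None, "secure": None}
    return {"status": 200, "host": host, "secure": is_secure(req, s)}


STRICT = Settings(allowed_hosts=["photonix.example.com"],
                  secure_proxy_ssl_header=("X-Forwarded-Proto", "https"))
STRICT_XFH = replace(STRICT, use_x_forwarded_host=True)
WILDCARD = replace(STRICT_XFH, allowed_hosts=["*"])

if __name__ == "__main__":
    print("local, strict   :", scenario(STRICT, no_proxy, {"Host": "192.168.1.20:8888"}, client_used_tls=False))
    print("spoofed proto   :", scenario(STRICT, passthrough_proxy, {"X-Forwarded-Proto": "https"}, client_used_tls=False))
    print("spoofed host    :", scenario(WILDCARD, passthrough_proxy, {"X-Forwarded-Host": "evil.example.net"}))
```

The practical reading: ALLOWED_HOSTS '*' is the quick way past a 400, but once you also enable USE_X_FORWARDED_HOST you are relying entirely on the proxy to scrub X-Forwarded-Host; and SECURE_PROXY_SSL_HEADER is only safe when the proxy is the sole route to the app and always sets X-Forwarded-Proto itself. A direct local path to the container, as in this thread's setup, is exactly the kind of second route that makes the header spoofable.
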

phirestalker commented 3 years ago

I found out a lot about Traefik while trying to search for settings that I could translate to Nginx. The features of Traefik will make some of my future Docker projects easier and have also automated my Let's Encrypt certs, which use DNS verification. I have switched to Traefik and it works flawlessly now.

Thank you for looking into it.

audioscavenger commented 3 years ago

Same issue here using the nginx SWAG proxy from linuxserver.io - and not serving http2 - and even if I did, it's the proxy end, so photonix being the backend has no say in how I proxy the requests. The proxy works perfectly with Piwigo, phpMyAdmin and other stuff.

anthonyma94 commented 2 years ago

@audioscavenger this config worked for me:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name photonix.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for Authelia
    include /config/nginx/authelia-server.conf;

    location / {
        # enable for Authelia
        include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        set $upstream_app 192.168.10.10;
        set $upstream_port 8888;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    # regex location: nginx prefers it over the prefix "location /" above for every path except "/" itself
    location ~ /.+ {
        set $upstream_app 192.168.10.10;
        set $upstream_port 8888;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

The second location block removes the proxy headers for all paths other than the root path.
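One property of that config is worth checking before reusing it: nginx tries regex locations before falling back to a prefix location, so `location ~ /.+` wins for every request except the bare `/`. That is what strips the proxy headers for the application paths, as the comment says, but it also means the `authelia-location.conf` include only applies to `/`; `/graphql`, `/admin/` and the thumbnail paths reach the backend without passing through Authelia. The block below is an added example (not from the thread, SWAG, Authelia or Photonix) that models nginx's documented location-selection order in Python and runs the posted two-block layout through it, next to a variant that adds the Authelia include to the regex block as well. Whether that variant is the right fix for your setup is an assumption to verify; the selection rules themselves are the ones ngx_http_core_module documents.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Location:
    modifier: str            # "" (prefix), "=", "^~", "~" (regex), "~*" (case-insensitive regex)
    pattern: str
    authelia: bool = False   # does this block include authelia-location.conf?
    label: str = ""


def select_location(path: str, locations: List[Location]) -> Optional[Location]:
    """nginx's location selection order, as documented for ngx_http_core_module:
    1. an exact '=' match wins outright;
    2. take the longest matching prefix location; if it is marked '^~', use it and skip the regexes;
    3. otherwise try the regex locations in configuration order, first match wins;
    4. otherwise fall back to that longest prefix location."""
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == path:
            return loc
    prefixes = [l for l in locations if l.modifier in ("", "^~") and path.startswith(l.pattern)]
    longest = max(prefixes, key=lambda l: len(l.pattern), default=None)
    if longest is not None and longest.modifier == "^~":
        return longest
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, path, flags):
                return loc
    return longest


def protected_by_authelia(path: str, locations: List[Location]) -> bool:
    loc = select_location(path, locations)
    return loc is not None and loc.authelia


# The two blocks from the SWAG config posted above: Authelia only in the prefix block.
SWAG_AS_POSTED = [
    Location("", "/", authelia=True, label="location /"),
    Location("~", "/.+", authelia=False, label="location ~ /.+"),
]

# Same split, with the authelia-location.conf include added to the regex block as well
# (an assumed fix for illustration; the thread did not test it).
SWAG_FIXED = [
    Location("", "/", authelia=True, label="location /"),
    Location("~", "/.+", authelia=True, label="location ~ /.+"),
]

# The nginx-proxy port-80 server earlier in the thread: '^~' makes the ACME path skip regex blocks.
WITH_ACME = [Location("^~", "/.well-known/acme-challenge/", label="acme")] + SWAG_AS_POSTED

# Paths a Photonix deployment serves, per the nginx-prd.conf endpoints named in this thread.
PATHS = ["/", "/login", "/graphql", "/admin/", "/thumbnailer/abc.jpg"]


def unprotected(locations: List[Location], paths=PATHS) -> List[str]:
    """Paths that reach the backend without the Authelia include applying."""
    return [p for p in paths if not protected_by_authelia(p, locations)]


if __name__ == "__main__":
    for p in PATHS:
        print(f"{p:24} -> {select_location(p, SWAG_AS_POSTED).label}")
    print("unprotected as posted:", unprotected(SWAG_AS_POSTED))
    print("unprotected after fix:", unprotected(SWAG_FIXED))
```

To check a real nginx rather than this model, request a path like `/graphql` through the proxy without an Authelia session and confirm you get the auth redirect rather than a response from the backend; if `location ~ /.+` is the block that answers, any `auth_request` wiring in `location /` is not in play for it.
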