sablierapp / sablier

Start your containers on demand, shut them down automatically when there's no activity. Docker, Docker Swarm Mode and Kubernetes compatible.
https://sablierapp.dev/
GNU Affero General Public License v3.0

Caddy with SSL does not work for dynamic loading screen #293

Open valankar opened 7 months ago

valankar commented 7 months ago

Describe the bug

When using HTTPS endpoint, it seems the dynamic loading screen does not work. Here is the curl output:

valankar@debian ~/caddy> curl -v https://valankar.ftp.sh/accounts_plotly/
*   Trying [2a01:4f9:c011:8a49::1]:443...
* Connected to valankar.ftp.sh (2a01:4f9:c011:8a49::1) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=valankar.ftp.sh
*  start date: Apr 20 10:31:25 2024 GMT
*  expire date: Jul 19 10:31:24 2024 GMT
*  subjectAltName: host "valankar.ftp.sh" matched cert's "valankar.ftp.sh"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /accounts_plotly/]
* h2h3 [:scheme: https]
* h2h3 [:authority: valankar.ftp.sh]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55b2107d0400)
> GET /accounts_plotly/ HTTP/2
> Host: valankar.ftp.sh
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
* Connection #0 to host valankar.ftp.sh left intact
curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)

And when I use the HTTP endpoint, it works:

valankar@debian ~/caddy> curl -v http://valankar.ftp.sh/accounts_plotly/
...
<div class="terminal">
    <h1><span>Starting </span> <span class="error_code">Accounts</span>...</h1>
    <p class="output"><span>Your instance(s) will stop after 1 minutes of inactivity</span>.</p>

    <div class="details">
        <p class="output small command"><span>sablier status <span class="error_code">accounts</span></span></code></p>
        <p class="output small success"><span>accounts</span> is not-ready <code>(0/1)</code></p>
    </div>

</div>
</body>

Context

Expected behavior

Working via HTTPS.

valankar commented 7 months ago

Here is the relevant Caddyfile config:

valankar.ftp.sh, valankar.ftp.sh:80 {
        log
        route {
                sablier http://localhost:10000 {
                        names accounts
                        session_duration 1m
                        dynamic {
                                display_name Accounts
                        }
                }
                reverse_proxy localhost:8050
        }
}

acouvreur commented 6 months ago

Maybe HTTP2 is the issue, can you try without HTTP2?
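When the same request succeeds over plain HTTP but the h2 stream is reset with PROTOCOL_ERROR, one thing worth ruling out is a response that HTTP/2 treats as malformed while HTTP/1.1 tolerates it: a connection-specific header field (RFC 9113 §8.2.2) or a Content-Length that disagrees with the body actually sent (RFC 9113 §8.1.1). The script below is an added diagnostic example, not sablier or Caddy code; it takes a `curl -si` capture of the working plain-HTTP endpoint from the report, and the embedded sample response is constructed for illustration, not captured from the reporter's server.

```python
"""Check a captured HTTP/1.x response for two things an HTTP/2 client treats as
malformed (RFC 9113 §8.1.1, §8.2.2) and curl then reports as "HTTP/2 stream 1 was
not closed cleanly: PROTOCOL_ERROR", although HTTP/1.1 clients tolerate both.
Added diagnostic example, not sablier or Caddy code; feed it `curl -si <url>` output.
"""
from typing import List, Tuple

# Connection-specific fields that must not appear in HTTP/2. transfer-encoding is left
# out on purpose: an HTTP/1.1 capture legitimately uses chunked encoding, and the proxy
# drops that field when it answers the client over h2.
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection", "upgrade"}


def split_response(raw: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Split a raw response into lowercased (name, value) headers and body bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate dumps saved with bare LF line endings
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("input does not start with an HTTP/1.x status line")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def h2_malformed_reasons(raw: bytes) -> List[str]:
    """Return why an h2 peer would reset the stream; an empty list is a clean result."""
    headers, body = split_response(raw)
    reasons = []
    for name, value in headers:
        if name in CONNECTION_SPECIFIC:
            reasons.append(f"connection-specific field '{name}: {value}'")
        elif name == "te" and value.lower() != "trailers":
            reasons.append(f"'te: {value}' (only 'trailers' is permitted over h2)")
    lengths = {v for n, v in headers if n == "content-length"}
    if len(lengths) > 1:
        reasons.append(f"conflicting content-length values {sorted(lengths)}")
    elif lengths and int(declared := next(iter(lengths))) != len(body):
        reasons.append(f"content-length {declared} but {len(body)} body bytes sent")
    return reasons


# Constructed sample modelled on the loading page in the report, NOT captured from the
# reporter's server; its header block trips both checks above.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 10\r\nConnection: keep-alive\r\n\r\n"
                   b'<div class="terminal"><h1>Starting Accounts...</h1></div>')

if __name__ == "__main__":
    for reason in h2_malformed_reasons(SAMPLE_RESPONSE):
        print("rejected over h2:", reason)
```

A clean result from this check does not prove the h2 path is healthy; it only rules out these two message-level causes before looking at the proxy or the plugin itself.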

valankar commented 6 months ago

I switched to using Cloudflare tunnels and don't need SSL in Caddy anymore. It works great in that case.

Feel free to close. But might want to verify whether it works via SSL in your end-to-end test.

cheats-py commented 3 months ago

I'm having loads of trouble getting sablier to work with TLS. I've tried with traefik and caddy, as soon as I add TLS to the route it stops working. It would be nice to see some examples in the documentation on how to use TLS both with caddy and traefik reverse proxies.

acouvreur commented 3 months ago

I'm having loads of trouble getting sablier to work with TLS. I've tried with traefik and caddy, as soon as I add TLS to the route it stops working. It would be nice to see some examples in the documentation on how to use TLS both with caddy and traefik reverse proxies.

Hello, can you please share your setup?

I have no issue with Traefik and TLS.

cheats-py commented 3 months ago

I just revisited this and now it's working LOL, sorry. The only thing I changed in my compose is the traefik version and sablier version. I originally had traefik:v2.10 and acouvreur/sablier:1.6.0. I changed both to latest and now it's working. I spent hours trying to get this to work about a month ago.

freezurbern commented 1 month ago

Caddy with SSL does not work for me with this Caddyfile:

*.example.com {
    tls {
        dns cloudflare KEY
        resolvers 1.1.1.1
    }

    @foo host foo.example.com
    handle @foo {
        respond "Foo!"
    }

    @host_int_whoami host whoami.example.com
    handle @host_int_whoami {
        sablier {
            group whoami
            blocking {
                timeout 1m
            }
            session_duration 30s
        }
        reverse_proxy whoami:80
    }
    # Fallback for unhandled subdomains
    handle {
        abort
    }
}

I noticed the request goes directly to the container before starting it. Therefore it is refused, and a blank page is shown.