sandstorm-io / sandstorm

Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
https://sandstorm.io

subdomains do not load while using nginx #2986

Open vhp1360 opened 7 years ago

vhp1360 commented 7 years ago

Hello, guys. I could run Sandstorm and use it, but when I tried to protect it with Nginx, only the main page loaded and the apps did not load. The sandstorm.conf file is:

```
SERVER_USER=sandstorm
PORT=6080
MONGO_PORT=6081
BIND_IP=127.0.0.1
BASE_URL=http://officeapps.shomar.com:6080
WILDCARD_HOST=*.officeapps.shomar.com:6080
UPDATE_CHANNEL=dev
ALLOW_DEV_ACCOUNTS=false
SMTP_LISTEN_PORT=30025
SANDCATS_BASE_DOMAIN=officeapps.shomar.com
```

and nginx config is:

```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 6090;
    # the wildcard server_name is what lets the per-grain subdomains reach this block
    server_name officeapps.shomar.com *.officeapps.shomar.com;

    ssl on;
    ssl_certificate     /.../Ngnx.crt;
    ssl_certificate_key /.../Ngnx.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=31536000;

    location / {
        # auth_basic applies to every host matched above, including the grain subdomains,
        # which are a different origin from the main page
        auth_basic "Restricted";
        auth_basic_user_file /.../htpasswdSand;
        proxy_pass http://127.0.0.1:6080;
        # Host is forwarded unchanged so Sandstorm can match it against WILDCARD_HOST
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
    }
    client_max_body_size 1024m;
}
```


Could you please help me?

Thanks.

ocdtrekkie commented 7 years ago

I am not particularly good at this stuff, but hopefully someone else will step in. The first thing I can definitely say is that you should remove the SANDCATS_BASE_DOMAIN line if you aren't using a Sandcats domain. Sandstorm uses the presence of that line to determine whether or not your Sandstorm server is using Sandcats.

I also notice your Nginx config is listening on 6090, not 6080? Don't know if that's intentional for something I don't understand, I don't know Nginx.

vhp1360 commented 7 years ago

Hello @ocdtrekkie, thanks for the quick reply. I removed that, but actually it was not my problem. Regarding 6080 and 6090: our port 443 is busy, and the location port (6080) should be different from the server port in Nginx.

zenhack commented 7 years ago

Can you be more specific re: apps "not loading?" What happens instead? 404, 500? Does the whole page not load, or just the app's iframe?

zenhack commented 7 years ago

Ack, didn't see the screenshot, was looking at this via email. Does anything interesting show up on the debug log?

vhp1360 commented 7 years ago

Thanks for the reply. The main page loaded, but the apps remain in the loading state. Ping is OK; `ping anythings.shomar.com` is OK, which, as you know, means DNS is correct. I could use the apps without Nginx at http://officeapps.shomar.com:6080, but with https://officeapps.shomar.com:6090 no apps loaded and they remained in the loading state. In my experience this state is related to a DNS issue, but at this time everything is OK, and as I said, I could use Sandstorm without Nginx without any problem.

vhp1360 commented 7 years ago

Is the image clear? (Screenshot from 2017-10-07 10-53-36.)

kentonv commented 7 years ago

Apps failing to load like this usually means the wildcard host isn't working. Try going to some random subdomain, like:

https://foo.officeapps.shomar.com:6090

And see what it says. If everything is working, you should see `No such grain for public ID: foo [404]`; if you see anything else, that's the problem.

One possibility: Do you have a wildcard TLS certificate? If not, that would cause the problem. Your certificate needs to include *.officeapps.shomar.com in the SAN field, in addition to officeapps.shomar.com.

zenhack commented 7 years ago

Another thing to check: I'm noticing several of the usual icons are missing from the top bar. Is this a grain that you are the owner of? If not, can you (1) create a grain, and (2) see what's in the debug log (monitor icon on the top bar)?

kentonv commented 7 years ago

Given that it works when accessed directly over HTTP (port 6080) but not through nginx / over HTTPS (port 6090), I doubt that there's anything wrong with the grains. It's most likely a problem with the wildcard host at the nginx level.

zenhack commented 7 years ago

Point.

vhp1360 commented 7 years ago

Actually, the main page without Nginx can load all icons and pictures (screenshot), but when I used Nginx they did not appear (screenshot).

zenhack commented 7 years ago

My hunch (and @kentonv would be able to confirm) is that sandstorm is serving static assets from a dedicated subdomain, in which case it makes sense that those icons are having the same problem as the grains.

ocdtrekkie commented 7 years ago

@zenhack I can confirm that for you. Sandstorm Alpha, for example, is serving its app icons at alpha-static.sandstorm.io. Its wildcard is alpha-*.

vhp1360 commented 7 years ago

@zenhack, in my experience it occurred because of an Nginx issue.

zenhack commented 7 years ago

@vhp1360, have you tried the things that @kentonv suggested?

vhp1360 commented 7 years ago

@zarvox, did you mean:

> I am not particularly good at this stuff, but hopefully someone else will step in. The first thing I can definitely say is that you should remove the SANDCATS_BASE_DOMAIN line if you aren't using a Sandcats domain. Sandstorm uses the presence of that line to determine whether or not your Sandstorm server is using Sandcats.
>
> I also notice your Nginx config is listening on 6090, not 6080? Don't know if that's intentional for something I don't understand, I don't know Nginx.

If yes, I could not find any technical issue in this except commenting out the `SANDCATS_BASE_DOMAIN` line. Am I wrong?

vhp1360 commented 7 years ago

Hello all, I would appreciate it if anyone could assist me with this issue. Shall I wait, or should I change the configs? Does it need your team's activity or not?

Thanks.

kentonv commented 7 years ago

@vhp1360 See my previous comment:

> Apps failing to load like this usually means the wildcard host isn't working. Try going to some random subdomain, like:
>
> https://foo.officeapps.shomar.com:6090
>
> And see what it says. If everything is working, you should see `No such grain for public ID: foo [404]`; if you see anything else, that's the problem.
>
> One possibility: Do you have a wildcard TLS certificate? If not, that would cause the problem. Your certificate needs to include *.officeapps.shomar.com in the SAN field, in addition to officeapps.shomar.com.

Did you try this?

vhp1360 commented 7 years ago

Thanks @kentonv, yes, I did (see screenshot).

kentonv commented 7 years ago

@vhp1360 In the config file you posted, you have:

```
BASE_URL=http://officeapps.shomar.com:6080
WILDCARD_HOST=*.officeapps.shomar.com:6080
```

These lines need to match where the browser is connecting, so when you have things configured to go through nginx, you'll need to change them to:

```
BASE_URL=https://officeapps.shomar.com:6090
WILDCARD_HOST=*.officeapps.shomar.com:6090
```

(Change the port number, and change http -> https.)

Then restart with `sudo sandstorm restart`.

Does that help?
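The consistency kentonv describes between the URL the browser actually uses and `BASE_URL` / `WILDCARD_HOST` is easy to check mechanically, and the same pass can flag the `SANDCATS_BASE_DOMAIN` line ocdtrekkie mentioned. The script below is an added example, not Sandstorm's own code and not something posted in this thread. It assumes only a POSIX shell with `sed` and `grep`, takes the browser-facing scheme and port as arguments (those are properties of the nginx listener, not of sandstorm.conf), and reads the configuration from a string so it runs offline against two constructed samples: the file as originally posted, and the corrected one. To check a live server, pass `"$(cat /opt/sandstorm/sandstorm.conf)"` instead of a sample (that path is an assumption).

```shell
#!/bin/sh
# Added example (not Sandstorm's code): check that sandstorm.conf agrees
# with how the browser reaches nginx.

# conf_get CONF_TEXT KEY -> value of KEY (last occurrence if repeated)
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# conf_count CONF_TEXT KEY -> number of lines defining KEY
conf_count() {
    printf '%s\n' "$1" | grep -c "^$2=" || true
}

# check_conf CONF_TEXT SCHEME PORT
#   SCHEME and PORT are what the browser uses to reach nginx (https, 6090 here).
#   Prints one line per finding; returns 0 only when there are none.
check_conf() {
    conf=$1
    want_scheme=$2
    want_port=$3
    problems=0

    base_url=$(conf_get "$conf" BASE_URL)
    wildcard=$(conf_get "$conf" WILDCARD_HOST)

    # split BASE_URL into scheme, host and port
    scheme=${base_url%%://*}
    hostport=${base_url#*://}
    hostport=${hostport%%/*}
    host=${hostport%%:*}
    port=${hostport#*:}
    if [ "$port" = "$hostport" ]; then
        port=''   # BASE_URL carries no explicit port
    fi

    if [ "$scheme" != "$want_scheme" ]; then
        echo "BASE_URL uses $scheme but the browser reaches nginx over $want_scheme"
        problems=$((problems + 1))
    fi
    if [ "$port" != "$want_port" ]; then
        echo "BASE_URL port is '$port' but nginx listens on $want_port"
        problems=$((problems + 1))
    fi

    # WILDCARD_HOST must contain a '*' and carry the port the browser uses
    wc_host=${wildcard%:*}
    wc_port=${wildcard##*:}
    if [ "$wc_port" = "$wildcard" ]; then
        wc_port=''
    fi
    case $wc_host in
        *\**) ;;
        *)
            echo "WILDCARD_HOST '$wildcard' has no '*' (expected something like *.$host:$want_port)"
            problems=$((problems + 1))
            ;;
    esac
    if [ "$wc_port" != "$want_port" ]; then
        echo "WILDCARD_HOST port is '$wc_port' but nginx listens on $want_port"
        problems=$((problems + 1))
    fi

    # Sandstorm treats the presence of this key as "this server uses Sandcats"
    if [ -n "$(conf_get "$conf" SANDCATS_BASE_DOMAIN)" ]; then
        echo "SANDCATS_BASE_DOMAIN is set; remove it unless this server uses a Sandcats domain"
        problems=$((problems + 1))
    fi

    # a key defined twice is ambiguous and easy to miss when editing by hand
    for key in PORT BIND_IP BASE_URL WILDCARD_HOST; do
        if [ "$(conf_count "$conf" "$key")" -gt 1 ]; then
            echo "$key appears more than once"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

# Constructed sample: the sandstorm.conf as first posted in this issue.
POSTED_CONF='SERVER_USER=sandstorm
PORT=6080
MONGO_PORT=6081
BIND_IP=127.0.0.1
BASE_URL=http://officeapps.shomar.com:6080
WILDCARD_HOST=*.officeapps.shomar.com:6080
UPDATE_CHANNEL=dev
ALLOW_DEV_ACCOUNTS=false
SMTP_LISTEN_PORT=30025
SANDCATS_BASE_DOMAIN=officeapps.shomar.com'

# Constructed sample: the same file with the two values corrected for the
# nginx front end and the Sandcats line removed.
FIXED_CONF='SERVER_USER=sandstorm
PORT=6080
MONGO_PORT=6081
BIND_IP=127.0.0.1
BASE_URL=https://officeapps.shomar.com:6090
WILDCARD_HOST=*.officeapps.shomar.com:6090
UPDATE_CHANNEL=dev
ALLOW_DEV_ACCOUNTS=false
SMTP_LISTEN_PORT=30025'
```

Run as `check_conf "$POSTED_CONF" https 6090`: it reports the http scheme, the two 6080 ports and the Sandcats line; the corrected sample produces no output and exits 0.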

vhp1360 commented 7 years ago

Thanks, man, for following up with me :-) I changed it and got the same result, and https://foo.officeapps.shomar.com:6090 too. Might it be due to an Nginx issue, and shall I contact them?

kentonv commented 7 years ago

The sandstorm.conf problem would definitely explain what you're seeing. Maybe your changes didn't take effect. Can you check again that you correctly updated those two values to 6090 and changed BASE_URL from HTTP to HTTPS? Then can you maybe reboot the server, or do `sudo sandstorm stop` followed by `sudo sandstorm start` to make sure it's really restarting fully? Also refresh your browser, of course.

If it still doesn't work: If I could get access to your server, then I could probably figure it out. I don't need to log in or see any data, I just need to be able to access over HTTP/HTTPS. Maybe you could temporarily open the port publicly?

vhp1360 commented 7 years ago

Hello, below is my conf file:

```
SERVER_USER=sandstorm
PORT=6080
HTTPS_PORT=6090
MONGO_PORT=6081
BIND_IP=0.0.0.0
BIND_IP=127.0.0.1
BASE_URL=https://officeapps.shomar.com:6090
WILDCARD_HOST=*.officeapps.shomar.com:6090
UPDATE_CHANNEL=dev
ALLOW_DEV_ACCOUNTS=false
SMTP_LISTEN_PORT=30025
SANDCATS_BASE_DOMAIN=officeapps.shomar.com
```

Regarding restarting Sandstorm, I used `/opt/sandstorm/sandstorm stop && ...`. Regarding a server reboot, I could test it, but I do think so. And regarding access: our IP is public, but the address is not defined in valid DNS. For more information, I set up a DNS server on this machine, and in the LAN anythings.officeapps.shomar.com is valid. Do you know any way? (This is my personal mail; I could send the IP to you: vhp1360@gmail.com.) I guessed this issue was due to Nginx, because if I opened port 6080 we could browse Sandstorm without any problem, and at the same time on port 6090 we faced the problem. Ping is OK on both ports for any subdomain of officeapps.shomar.com. Maybe we need to add a new property in the Nginx config.

vhp1360 commented 7 years ago

Hello @kentonv, could you please give me any news?

zenhack commented 7 years ago

@vhp1360, fyi, @kentonv is mostly active on the weekends, what with having a full time job doing other stuff, so you might not hear for a couple more days.

kentonv commented 7 years ago

Sorry but I don't have any ideas.

I suggest checking the server log (`/opt/sandstorm/var/log/sandstorm.log`) to see if there are any errors when you try to open a grain. Otherwise I don't know. The usual problem is the wildcard domain, but it sounds like it's working correctly.

Just to make sure: You aren't clicking through invalid certificate warnings, right? If the subhosts give you a certificate warning that you have to click through, you won't be able to open Sandstorm apps at all, because the browser won't show the warning in an iframe.
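The two checks kentonv has asked for in this thread (hit a random subdomain through nginx and expect the "No such grain for public ID" page; make sure the certificate covers the wildcard subhosts, since an app iframe cannot click through a certificate warning) can be scripted. The block below is an added example, not Sandstorm's code and not anything posted in this issue. `san_covers` applies the one-label wildcard rule browsers use to a certificate's SAN list, `classify_probe` recognises the expected 404 page, and `probe_wildcard` runs both live against a host and port; the live probe assumes `curl`, OpenSSL 1.1.1 or newer (for `x509 -ext subjectAltName`) and uses `foo` as the random subdomain, and it deliberately does not pass `-k` to curl so that a certificate the browser would reject shows up as a failure rather than being skipped.

```shell
#!/bin/sh
# Added example (not Sandstorm's code): script the wildcard-host and
# certificate checks suggested in this thread.

# san_covers HOST SAN_LIST
#   SAN_LIST is the comma-separated list OpenSSL prints, e.g.
#   "DNS:officeapps.shomar.com, DNS:*.officeapps.shomar.com".
#   Returns 0 when HOST is covered. A wildcard matches exactly one label,
#   as browsers require: *.example.com covers foo.example.com but not
#   example.com or a.b.example.com.
san_covers() {
    host=$1
    sans=$2
    set -f                      # keep "*.example.com" from globbing
    old_ifs=$IFS
    IFS=','
    set -- $sans
    IFS=$old_ifs
    set +f
    for entry in "$@"; do
        # strip surrounding whitespace and the "DNS:" prefix
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*DNS:[[:space:]]*//; s/[[:space:]]*$//')
        case $entry in
            '*.'*)
                suffix=${entry#\*.}
                label=${host%%.*}
                rest=${host#*.}
                if [ "$rest" != "$host" ] && [ -n "$label" ] && [ "$rest" = "$suffix" ]; then
                    return 0
                fi
                ;;
            *)
                if [ "$entry" = "$host" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# classify_probe BODY -> "wildcard-ok" when BODY is Sandstorm's 404 page for
# an unknown public ID (proof that the request reached Sandstorm as a
# wildcard host), "wildcard-broken" for anything else (nginx default page,
# login page, error page, empty body).
classify_probe() {
    case $1 in
        *"No such grain for public ID"*) echo wildcard-ok ;;
        *) echo wildcard-broken ;;
    esac
}

# probe_wildcard HOST PORT -> live check of https://foo.HOST:PORT.
#   Assumes curl and OpenSSL 1.1.1+. Sends SNI for the subdomain, exactly
#   as the browser would for the grain iframe.
probe_wildcard() {
    base=$1
    port=$2
    sub="foo.$base"

    sans=$(openssl s_client -connect "$base:$port" -servername "$sub" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' | tr '\n' ',' || true)
    if san_covers "$sub" "$sans"; then
        echo "certificate SAN covers $sub"
    else
        echo "certificate SAN does not cover $sub (SAN: ${sans:-none})"
    fi

    # no -k: a certificate the browser would warn about must fail here too
    body=$(curl -s --max-time 10 "https://$sub:$port/") || {
        echo "curl failed with status $? (60 means the certificate was rejected)"
        return 1
    }
    classify_probe "$body"
}
```

`probe_wildcard officeapps.shomar.com 6090` prints two lines; anything other than "certificate SAN covers ..." followed by "wildcard-ok" points at the nginx or certificate layer rather than at the grains.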

vhp1360 commented 7 years ago

There is not any error in the log file, but regarding the certificate, you are right; maybe this is the reason for the problem. I am trying to find it and will tell you the result.

thanks.

ocdtrekkie commented 4 years ago

Were you able to resolve this or identify the issue? (I know it's been like three years, I am trying to clean up the issues list.)