thomiceli / opengist

Self-hosted pastebin powered by Git, open-source alternative to Github Gist.
https://opengist.io
GNU Affero General Public License v3.0

Oauth with Forgejo: broken pipe #394

Closed renich closed 3 days ago

renich commented 3 days ago

Hello,

I'm trying to integrate Forgejo and Opengist.

I am getting the following:

Nov 26 15:43:15 git.softwarelibre.mx opengist[22123]: Opengist v1.8.2
Nov 26 15:43:15 git.softwarelibre.mx opengist[22123]: Using YAML config file: /etc/opengist/config.yml
Nov 26 15:43:15 git.softwarelibre.mx opengist[22123]: No environment variables config specified.
Nov 26 15:43:15 git.softwarelibre.mx opengist[22123]: 15:43:15 DBG internal/config/config.go:195 Logging to stdout
Nov 26 15:43:15 git.softwarelibre.mx opengist[22123]: 15:43:15 INF internal/cli/main.go:100 Data directory: /var/lib/opengist
Nov 26 15:43:15 git.softwarelibre.mx opengist[22123]: 15:43:15 INF internal/db/db.go:100 Setting up a SQLite database connection
Nov 26 15:43:15 git.softwarelibre.mx opengist[22123]: 15:43:15 INF internal/db/db.go:119 Database connection established
Nov 26 15:43:15 git.softwarelibre.mx opengist[22123]: 15:43:15 INF internal/cli/main.go:133 Index directory: /var/lib/opengist/opengist.index
Nov 26 15:43:15 git.softwarelibre.mx opengist[22123]: 15:43:15 INF internal/index/bleve.go:38 Indexer initialized
Nov 26 15:43:15 git.softwarelibre.mx opengist[22123]: 15:43:15 INF internal/web/server.go:386 Starting HTTP server on http://127.0.0.1:6157
Nov 26 15:43:28 git.softwarelibre.mx opengist[22123]: 15:43:28 INF internal/web/server.go:195 HTTP duration=1.546971 ip=189.192.49.171 method=GET status=307 uri=/oauth/gitea
Nov 26 15:44:42 git.softwarelibre.mx opengist[22123]: 15:44:42 INF internal/web/server.go:195 HTTP duration=60001.615121 ip=189.192.49.171 method=GET status=400 uri=/oauth/gitea/callback?code=gta_723sqbjyqpos3da4prqveqh6rvher3shzjvl4xdfejj5yroombna&state=5GghQkl79ocDEqUU3T5tIN-4FcLwCgqF4Gc2bs4myBGv9a1eqREbPVtcs-_AylS9FG_t3YEHKX6ok_PUl4Qokg%3D%3D
Nov 26 15:44:42 git.softwarelibre.mx opengist[22123]: 15:44:42 FTL internal/web/server.go:229 error="write tcp 127.0.0.1:6157->127.0.0.1:50734: write: broken pipe"
Nov 26 15:44:42 git.softwarelibre.mx opengist[22138]: Opengist v1.8.2
Nov 26 15:44:42 git.softwarelibre.mx opengist[22138]: Using YAML config file: /etc/opengist/config.yml
Nov 26 15:44:42 git.softwarelibre.mx opengist[22138]: No environment variables config specified.
Nov 26 15:44:42 git.softwarelibre.mx opengist[22138]: 15:44:42 DBG internal/config/config.go:195 Logging to stdout
Nov 26 15:44:42 git.softwarelibre.mx opengist[22138]: 15:44:42 INF internal/cli/main.go:100 Data directory: /var/lib/opengist
Nov 26 15:44:42 git.softwarelibre.mx opengist[22138]: 15:44:42 INF internal/db/db.go:100 Setting up a SQLite database connection
Nov 26 15:44:42 git.softwarelibre.mx opengist[22138]: 15:44:42 INF internal/db/db.go:119 Database connection established
Nov 26 15:44:42 git.softwarelibre.mx opengist[22138]: 15:44:42 INF internal/cli/main.go:133 Index directory: /var/lib/opengist/opengist.index
Nov 26 15:44:42 git.softwarelibre.mx opengist[22138]: 15:44:42 INF internal/index/bleve.go:38 Indexer initialized
Nov 26 15:44:42 git.softwarelibre.mx opengist[22138]: 15:44:42 INF internal/web/server.go:386 Starting HTTP server on http://127.0.0.1:6157

Here's what I do to trigger the error.

Right after installing Opengist, I configure OAuth for gitea:

# Learn more about Opengist configuration here:
# https://github.com/thomiceli/opengist/blob/master/docs/configuration/configure.md
# https://github.com/thomiceli/opengist/blob/master/docs/configuration/cheat-sheet.md

# Set the log level to one of the following: debug, info, warn, error, fatal. Default: warn
log-level: debug

# Set the log output to one or more of the following: `stdout`, `file`. Default: stdout,file
log-output: stdout

# Public URL to access to Opengist
external-url: https://paste.softwarelibre.mx

# Directory where Opengist will store its data. Default: ~/.opengist/
opengist-home: /var/lib/opengist

# Secret key used for session store & encrypt MFA data on database. Default: <randomized 32 bytes>
secret-key:

# URI of the database. Default: opengist.db (SQLite) is placed in opengist-home
# SQLite:        file:/path/to/database
# PostgreSQL:    postgres://user:password@host:port/database
# MySQL/MariaDB: mysql://user:password@host:port/database
db-uri: opengist.db

# Enable or disable the code search index (either `true` or `false`). Default: true
index.enabled: true

# Name of the directory where the code search index is stored. Default: opengist.index
index.dirname: opengist.index

# Default branch name used by Opengist when initializing Git repositories.
# If not set, uses the Git default branch name. See https://git-scm.com/book/en/v2/Getting-Started-First-Time-Git-Setup#_new_default_branch
git.default-branch: master

# Set the journal mode for SQLite. Default: WAL
# See https://www.sqlite.org/pragma.html#pragma_journal_mode
# For SQLite databases only.
sqlite.journal-mode: WAL

# HTTP server configuration
# Host to bind to. Default: 0.0.0.0
http.host: 127.0.0.1

# Port to bind to. Default: 6157
http.port: 6157

# Enable or disable git operations (clone, pull, push) via HTTP (either `true` or `false`). Default: true
http.git-enabled: true

# SSH built-in server configuration
# Note: it is not using the SSH daemon from your machine (yet)

# Enable or disable SSH built-in server
# for git operations (clone, pull, push) via SSH (either `true` or `false`). Default: true
ssh.git-enabled: false

# Host to bind to. Default: 0.0.0.0
ssh.host: 0.0.0.0

# Port to bind to. Default: 2222
# Note: it cannot be the same port as the SSH daemon if it's currently running
# If you want to use the port 22 for the built-in SSH server,
# you can either change the port of the SSH daemon or stop it
ssh.port: 2222

# Public domain for the Git SSH connection, if it has to be different from the HTTP one.
# If not set, uses the URL from the request
ssh.external-domain:

# Path or alias to ssh-keygen executable. Default: ssh-keygen
ssh.keygen-executable: ssh-keygen

# OAuth2 configuration
# The callback/redirect URL must be http://opengist.url/oauth/<github|gitlab|gitea|openid-connect>/callback

# To create a new OAuth2 application using GitHub : https://github.com/settings/applications/new
github.client-key:
github.secret:

# To create a new OAuth2 application using Gitlab : https://gitlab.com/-/user_settings/applications
gitlab.client-key:
gitlab.secret:
# URL of the Gitlab instance. Default: https://gitlab.com/
gitlab.url: https://gitlab.com/
# The name of the GitLab instance. It is displayed in the OAuth login button. Default: GitLab
gitlab.name: GitLab

# To create a new OAuth2 application using Gitea : https://gitea.domain/user/settings/applications
gitea.client-key: ebeae761-2e24-4df0-8931-e412ec7e7856
gitea.secret: <redacted>
# URL of the Gitea instance. Default: https://gitea.com/
gitea.url: https://git.softwarelibre.mx
# The name of the Gitea instance. It is displayed in the OAuth login button. Default: Gitea
gitea.name: Forgejo

# To create a new OAuth2 application using OpenID Connect:
oidc.client-key:
oidc.secret:
# Discovery endpoint of the OpenID provider. Generally something like http://auth.example.com/.well-known/openid-configuration
oidc.discovery-url:

# Custom assets
# Add your own custom assets, that are files relatives to $opengist-home/custom/
custom.logo:
custom.favicon:

# Static pages in footer (like legal notices, privacy policy, etc.)
# The path can be a URL or a relative path to a file in the $opengist-home/custom/ directory
custom.static-links:
  - name: Software Libre MX
    path: https://git.softwarelibre.mx/
#  - name: Legal notices
#    path: legal.html

Then, I restart Opengist and go to https://paste.softwarelibre.mx/ to try and log in. I choose "Continue with Forgejo account" without typing in a user and password.

I get an authorization prompt.

After ~1 minute, I get a "502 Bad Gateway" error on the browser.

Everything is behind Nginx. Here's the Opengist snippet:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    listen 80;
    server_name paste.softwarelibre.mx;

    # ssl
    ssl_certificate "/etc/letsencrypt/live/paste.softwarelibre.mx/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/paste.softwarelibre.mx/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_prefer_server_ciphers on;

    # include
    include include.d/letsencrypt.conf;

    # reverse proxy
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_pass http://localhost:6157;
    }
}

renich commented 3 days ago

Forget it. I had something in my server's /etc/hosts wrong. :S
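
The callback in the log above ran for about 60 seconds before returning 400, and the reporter traced the problem to the server's /etc/hosts. As an added example (not part of the original thread or of Opengist), these two shell functions list what a hosts file maps a provider hostname to and pull slow OAuth callbacks out of log lines in the format shown above. The hostnames, addresses and file contents are constructed, and a stale hosts pin being the specific mistake is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage for a hanging OAuth callback.

# Print every address a hosts-format file maps to a hostname (comments ignored).
hosts_overrides() {   # usage: hosts_overrides <hosts-file> <hostname>
    awk -v h="$2" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) print $1 }
    ' "$1"
}

# Print "<duration_ms> <status>" for OAuth callback requests at or above a
# threshold, read from the duration=/status=/uri= fields of the HTTP log line.
slow_callbacks() {    # usage: slow_callbacks <log-file> <threshold-ms>
    awk -v t="$2" '
        $0 ~ "uri=/oauth/[^/]+/callback" {
            d = ""; s = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^duration=/) d = substr($i, 10)
                if ($i ~ /^status=/)   s = substr($i, 8)
            }
            if (d + 0 >= t + 0) printf "%d %s\n", d, s
        }
    ' "$1"
}

# Constructed sample data (hypothetical hostnames, documentation addresses).
tmp=$(mktemp -d)
cat > "$tmp/hosts" <<'EOF'
127.0.0.1   localhost
# stale pin left over from a migration
192.0.2.10  git.example.test forgejo   # provider hostname overridden here
EOF
cat > "$tmp/log" <<'EOF'
15:43:28 INF internal/web/server.go:195 HTTP duration=1.546971 ip=203.0.113.5 method=GET status=307 uri=/oauth/gitea
15:44:42 INF internal/web/server.go:195 HTTP duration=60001.615121 ip=203.0.113.5 method=GET status=400 uri=/oauth/gitea/callback?code=PLACEHOLDER&state=PLACEHOLDER
EOF

echo "hosts entries for git.example.test: $(hosts_overrides "$tmp/hosts" git.example.test)"
echo "slow callbacks (ms status): $(slow_callbacks "$tmp/log" 30000)"
```

On a real host, compare the output of `hosts_overrides /etc/hosts <provider-hostname>` with what `getent hosts <provider-hostname>` returns, since the server-side token exchange uses the server's own resolution, not the browser's.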

renich commented 3 days ago

Here's my install script, if interested:

#!/usr/bin/bash
# Install an Opengist release binary and its default config (run as root).
set -euo pipefail

version=${1:-1.8.2}
url="https://github.com/thomiceli/opengist/releases/download/v$version/opengist$version-linux-amd64.tar.gz"
tar_file=${url##*/}
binary="opengist$version-linux-amd64"

# create user
if ! id -u opengist &>/dev/null; then
    useradd -mr -d /var/lib/opengist opengist

    ## create config dir
    mkdir -p /etc/opengist

    ## fix perms
    chown -R opengist:opengist /etc/opengist
    chmod 2770 /etc/opengist
fi

# download (-f: fail on HTTP errors instead of saving an error page)
curl -fLO "$url"

# extract binary, renamed to the versioned name the symlink below points at
tar -xavf "$tar_file" -C /usr/local/bin --strip-components=1 --transform="s@\$@$version-linux-amd64@" opengist/opengist

# extract config
tar -xavf "$tar_file" -C /etc/opengist --strip-components=1 opengist/config.yml

# symlink
cd /usr/local/bin
ln -sf "$binary" opengist
cd -

# create systemd service
cat << EOF > /etc/systemd/system/opengist.service
[Unit]
Description=opengist Server
After=network.target
Requires=nginx.service

[Service]
Type=simple
User=opengist
Group=opengist
ExecStart=/usr/local/bin/opengist --config /etc/opengist/config.yml
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

# activate service
systemctl daemon-reload
systemctl enable --now opengist