tobybatch / kimai2

Docker containers for the kimai2 web application including docker-compose and kubernetes/helm deployment.
MIT License

[BUG] TOTP QR Code is not visible via tobybatch/nginx-fpm-reverse-proxy #506

Closed DunklerPhoenix closed 1 year ago

DunklerPhoenix commented 1 year ago

Describe the bug
Heho, I opened this issue here: https://github.com/kimai/kimai/issues/3983. The TOTP QR Code for the user is missing. @kevinpapst tested it in the Demo system and the QR Code works. So the only possible point where the problem comes from should be this container.

To Reproduce
Steps to reproduce the behaviour:

  1. Throw the docker compose on host (with kimai/kimai2:fpm-2.0.14-prod)
  2. Go into kimai2 -> Profile -> TOTP
  3. See the missing QR Code

Desktop (please complete the following information):

Docker compose file (with passwords redacted)

version: '3.8'
services:

  nginx:
    image: tobybatch/nginx-fpm-reverse-proxy
    hostname: 'kimai_proxy'
    ports:
      - "3308:80"
    volumes:
      - type: bind
        source: /home/user/_files/kimai/public
        target: /opt/kimai/public
        read_only: true
    restart: unless-stopped
    depends_on:
      - kimai
    healthcheck:
      test: wget --spider http://nginx/health || exit 1
      interval: 20s
      start_period: 10s
      timeout: 10s
      retries: 3
    labels: 
      traefik.enable: "true"
      traefik.docker.network: "network"
      traefik.http.routers.kimai.entrypoints: "https"
      traefik.http.routers.kimai.middlewares: "authelia@file"
      traefik.http.routers.kimai.rule: "Host(`domain`)"
      traefik.http.routers.kimai.tls.certresolver: "letsencrypt-tls"
      traefik.http.routers.kimai.tls: "true"
      traefik.http.routers.kimai-api.entrypoints: "https"
      traefik.http.routers.kimai-api.tls: "true"
      traefik.http.routers.kimai-api.tls.certresolver: "letsencrypt-tls"
      traefik.http.routers.kimai-api.rule: "Host(`domain`) && PathPrefix(`/api`)"
      traefik.http.services.kimai.loadbalancer.server.port: "80"

  kimai: # This is the latest FPM image of kimai
    image: kimai/kimai2:fpm-2.0.14-prod
    hostname: 'kimai'
    environment:
      - MAILER_URL=smtp://postfix:25?encryption=&auth_mode=
      - MAILER_FROM=bardogs@kartoffel.email
      - DATABASE_URL=mysql://kimai:PASSSSSS@mysql/kimai
      - TRUSTED_HOSTS=nginx,localhost,127.0.0.1,domain
    restart: unless-stopped
    volumes:
      - type: bind
        source: /home/user/_files/kimai/var
        target: /opt/kimai/var
      - type: bind
        source: /home/user/_files/kimai/public
        target: /opt/kimai/public
      # - ./ldap.conf:/etc/openldap/ldap.conf:z
      # - ./ROOT-CA.pem:/etc/ssl/certs/ROOT-CA.pem:z

networks:
  default:
    name: network
    external: true

Additional context
CqzEjPizZD

kevinpapst commented 1 year ago

My thoughts: maybe there is some webserver rule that tries to cache static assets like PNG files?

In that case I should probably rename the route and use a different file extension.

Can you change this line from

#[Route(path: '/{username}/totp.png', name: 'user_profile_2fa_image', methods: ['GET'])]

to

#[Route(path: '/{username}/totp', name: 'user_profile_2fa_image', methods: ['GET'])]

then reload the Kimai cache (maybe even restart PHP-FPM to clear the bytecode cache) and try to open the URL afterwards, @DunklerPhoenix?

Maybe we can find out if it depends on the filename or if something else is wrong.

DunklerPhoenix commented 1 year ago

Sorry for the late answer. Yes this works

DunklerPhoenix commented 1 year ago

The funny thing is also: before the change of that line I get under '/{username}/totp.png' an nginx 404 error, but under every other address like '/{username}/totp' a Kimai 404 error. So it really seems that this nginx image has a problem with the .png ending here.

kevinpapst commented 1 year ago

I assume this rule is conflicting @tobybatch : https://github.com/tobybatch/nginx-fpm-reverse-proxy/blob/main/nginx_default.conf#L9

Can you change it in a way that only existing directories under /public/ are cached?

tobybatch commented 1 year ago

TBH I don't know, I'll leave this open and look when I get time.

kevinpapst commented 1 year ago

I could create a fixed path prefix where all "on-the-fly generated" assets are hosted, if that is simpler.

So instead of /{username}/totp.png it would be /dynamic/{username}/totp.png and the cache rule only needs to skip everything below /dynamic/ directory.
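As an added illustration (not the project's actual nginx_default.conf, whose rule at line 9 is only linked above, and not code by either commenter), here is the shape of an extension-based static-asset location that produces the nginx-side 404 described in the thread, beside two corrected forms: a try_files fallback to the front controller, and the /dynamic/ prefix exclusion proposed in the comment above. Assumed: Kimai's web root is /opt/kimai/public and PHP-FPM is reachable at kimai:9000.

```nginx
# Added example, not the real tobybatch/nginx-fpm-reverse-proxy config.
# Assumptions: root /opt/kimai/public, PHP-FPM upstream at kimai:9000.
server {
    listen 80;
    root /opt/kimai/public;
    index index.php;

    # Weak form: any URL ending in a static-asset extension is served from
    # disk only. /{username}/totp.png is generated by Kimai and never exists
    # on disk, so nginx answers 404 itself and the request never reaches the
    # front controller. That matches the symptom reported above: an nginx 404
    # for the .png route but a Kimai 404 for any other path.
    # location ~* \.(png|jpg|jpeg|gif|ico|css|js|svg|woff2?)$ {
    #     expires 30d;
    #     add_header Cache-Control "public";
    # }

    # Corrected form: serve the file from disk when it exists, otherwise hand
    # the request to index.php. try_files does an internal redirect, so the
    # long-lived cache headers here apply only to real files on disk, not to
    # the generated QR image (which encodes the user's TOTP secret).
    location ~* \.(png|jpg|jpeg|gif|ico|css|js|svg|woff2?)$ {
        try_files $uri /index.php$is_args$args;
        expires 30d;
        add_header Cache-Control "public";
    }

    # Alternative matching the /dynamic/ prefix proposal: a ^~ prefix location
    # takes precedence over the regex location above, so nothing under
    # /dynamic/ is ever treated as a cacheable file on disk.
    location ^~ /dynamic/ {
        try_files $uri /index.php$is_args$args;
    }

    location / {
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        fastcgi_pass kimai:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        internal;
    }
}
```

Whichever variant is used, check that a generated asset URL returns the application's response rather than nginx's own 404 page, and that it arrives without the public, long-lived cache headers intended for files on disk.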

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.