Open NotGael opened 7 months ago
Seems auth.MY_DOMAIN.COM is not accessible from docker container with nextcloud
I can successfully ping the auth.MY_DOMAIN from the nextcloud container
// From the Nextcloud container
USER@HOSTNAME:~$ docker exec -it NEXTCLOUD_CONTAINER_NAME /bin/bash
// PING CONTAINER NAME
root@CONTAINER_ID:/var/www/html# ping KEYCLOAK_CONTAINER_NAME
PING keycloak (172.19.0.5) 56(84) bytes of data.
64 bytes from KEYCLOAK_CONTAINER_NAME.DOCKER_NETWORK (x.x.x.x): icmp_seq=1 ttl=64 time=0.110 ms
64 bytes from KEYCLOAK_CONTAINER_NAME.DOCKER_NETWORK (x.x.x.x): icmp_seq=2 ttl=64 time=0.094 ms
64 bytes from KEYCLOAK_CONTAINER_NAME.DOCKER_NETWORK (x.x.x.x): icmp_seq=3 ttl=64 time=0.141 ms
64 bytes from KEYCLOAK_CONTAINER_NAME.DOCKER_NETWORK (x.x.x.x): icmp_seq=4 ttl=64 time=0.118 ms
64 bytes from KEYCLOAK_CONTAINER_NAME.DOCKER_NETWORK (x.x.x.x): icmp_seq=5 ttl=64 time=0.094 ms
^C
--- keycloak ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4062ms
rtt min/avg/max/mdev = 0.094/0.111/0.141/0.017 ms
root@CONTAINER_TAG:/var/www/html#
// PING auth.MY_DOMAIN
root@CONTAINER_ID:/var/www/html# ping auth.MY_DOMAIN.COM
PING auth.MY_DOMAIN.COM (x.x.x.x) 56(84) bytes of data.
64 bytes from ....com (x.x.x.x): icmp_seq=1 ttl=64 time=0.093 ms
64 bytes from ....com (x.x.x.x): icmp_seq=2 ttl=64 time=0.077 ms
64 bytes from ....com (x.x.x.x): icmp_seq=3 ttl=64 time=0.092 ms
64 bytes from ....com (x.x.x.x): icmp_seq=4 ttl=64 time=0.080 ms
64 bytes from ....com (x.x.x.x): icmp_seq=5 ttl=64 time=0.105 ms
^X^C
--- auth.MY_DOMAIN.COM ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.077/0.089/0.105/0.010 ms
// PING www.auth.MY_DOMAIN
root@CONTAINER_ID:/var/www/html# ping auth.MY_DOMAIN.COM
PING www.auth.MY_DOMAIN.COM (x.x.x.x) 56(84) bytes of data.
64 bytes from ....com (x.x.x.x): icmp_seq=1 ttl=64 time=0.087 ms
64 bytes from ....com (x.x.x.x): icmp_seq=2 ttl=64 time=0.085 ms
64 bytes from ....com (x.x.x.x): icmp_seq=3 ttl=64 time=0.069 ms
64 bytes from ....com (x.x.x.x): icmp_seq=4 ttl=64 time=0.076 ms
64 bytes from ....com (x.x.x.x): icmp_seq=5 ttl=64 time=0.089 ms
64 bytes from ....com (x.x.x.x): icmp_seq=6 ttl=64 time=0.087 ms
Authorize URL and token URL are copy-pasted from
What does the token URL look like? Is it accessible from the Nextcloud container too?
The url for the token is auth.MY_DOMAIN.com/realms/MY_REALM/protocol/openid-connect/token
So your guess was right: auth.MY_DOMAIN.com is reachable but not auth.MY_DOMAIN.com/realms/MY_REALM/protocol/openid-connect/token
root@NEXTCLOUD_CONTAINER_TAG:/var/www/html# ping auth.MY_DOMAIN.com/realms/MY_REALM/protocol/openid-connect/token
ping: auth.MY_DOMAIN.com/realms/MY_REALM/protocol/openid-connect/token: Name or service not known
But I still don't really understand what may cause this lock. But I will start investigating.
You cannot ping a URL )
Try curl
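The maintainer's point above, as an added example that is not code from this thread or from the Social Login app: a successful ping only proves name resolution, so this Python probe checks each step the code-for-token exchange depends on separately (resolution, a TCP connect to the service port, then the POST the app makes) and reports the first one that fails. The client id and secret are placeholders, and the fake Keycloak handler is a constructed stand-in so the probe can run offline.

```python
import http.server
import json
import socket
import threading
import urllib.error
import urllib.parse
import urllib.request

# Placeholder client credentials, standing in for the poster's MY_CLIENT / MY_CLIENT_PWD.
CLIENT = {"grant_type": "client_credentials", "client_id": "MY_CLIENT", "client_secret": "MY_CLIENT_PWD"}

def probe_token_endpoint(token_url: str, timeout: float = 5.0) -> dict:
    """Return {'stage': 'dns'|'tcp'|'http'|'ok', 'detail': ...}: the first step that fails, or the token."""
    u = urllib.parse.urlsplit(token_url)
    host, port = u.hostname, u.port or (443 if u.scheme == "https" else 80)
    try:  # 1. name resolution: all that a successful ping proves
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)})
    except socket.gaierror as e:
        return {"stage": "dns", "detail": str(e)}
    try:  # 2. TCP reachability of the service port, the step where the poster's curl timed out
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError as e:
        return {"stage": "tcp", "detail": f"{host}:{port} {addrs}: {e}"}
    req = urllib.request.Request(token_url, data=urllib.parse.urlencode(CLIENT).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:  # 3. the token request itself; Keycloak answers bad credentials with a 4xx JSON body
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {"stage": "ok", "detail": json.loads(resp.read())}
    except urllib.error.HTTPError as e:
        return {"stage": "http", "detail": f"{e.code} {e.read().decode(errors='replace')}"}
    except (urllib.error.URLError, OSError) as e:
        return {"stage": "http", "detail": str(e)}

class _FakeKeycloak(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the token endpoint so the probe can be exercised offline."""
    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        ok = form.get("client_secret") == [CLIENT["client_secret"]]
        self.send_response(200 if ok else 401)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"access_token": "constructed"} if ok else {"error": "invalid_client"}).encode())
    def log_message(self, *_):  # silence per-request logging
        pass

def start_fake_keycloak() -> str:
    """Serve the fake endpoint on an ephemeral localhost port and return its token URL."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeKeycloak)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/realms/MY_REALM/protocol/openid-connect/token"
```

Run it from inside the Nextcloud container against the real token URL; a result at stage "tcp" whose detail carries the public address is what the poster's curl timeout corresponds to, while the container name and internal port would be expected to reach stage "http" or "ok".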
Yes of course, sorry
www-data@NEXTCLOUD_CONTAINER_ID:~/html$ curl https://www.auth.MY_DOMAIN.COM/realms/MY_REALM/protocol/openid-connect/token
curl: (28) Failed to connect to www.auth.MY_DOMAIN.COM port 443 after 129469 ms: Couldn't connect to server
www-data@NEXTCLOUD_CONTAINER_ID:~/html$ curl \
-d "client_id=MY_CLIENT" \
-d "client_secret=MY_CLIENT_PWD" \
-d "grant_type=client_credentials" \
"https://www.auth.MY_DOMAIN.COM/realms/MY_REALM/protocol/openid-connect/token"
curl: (28) Failed to connect to www.auth.MY_DOMAIN.COM port 443 after 130892 ms: Couldn't connect to server
www-data@NEXTCLOUD_CONTAINER_ID:~/html$ curl \
-d "username=MY_USER" \
-d "password=MY_PWD" \
-d "client_id=MY_CLIENT" \
-d "client_secret=MY_CLIENT_PWD" \
-d "grant_type=password" \
"https://www.auth.MY_DOMAIN.COM/realms/MY_REALM/protocol/openid-connect/token"
curl: (28) Failed to connect to www.auth.MY_DOMAIN.COM port 443 after 130208 ms: Couldn't connect to server
www.auth.MY_DOMAIN.COM is not the same as auth.MY_DOMAIN.COM
Traefik is configured to transform every non-www URL into a https://www.something URL using a middleware:
traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_HOSTNAME}`) || Host(`${KEYCLOAK_WWW_HOSTNAME}`)
traefik.http.middlewares.www-redirect.redirectregex.regex=^https://(?:www.)?(.*)
traefik.http.middlewares.www-redirect.redirectregex.replacement=https://www.$${1}
It's the case for all containers.
Trying to simplify everything in a testing environment, removing all the www. redirection and related stuff and using only the non-www domain with only the traefik, nextcloud and keycloak containers up => same error.
My config in detail:
// =====
// DOCKER COMPOSE TRAEFIK
// =====
services:
  traefik:
    image: ${TRAEFIK_IMAGE_TAG}
    container_name: traefik
    command:
      - --api.dashboard=true
      - --log.level=INFO
      - --accesslog=true
      - --providers.docker.network=traefik-network
      - --providers.docker.exposedByDefault=false
      - --ping=true
      - --ping.entrypoint=ping
      - --entryPoints.ping.address=:8082
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --certificatesresolvers.myresolver.acme.email=${MAIL}
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme/acme.json
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --entryPoints.zabbix-tcp.address=:10051
      - --entryPoints.zabbix-udp.address=:10051/udp
      - --entryPoints.graylog-syslog-tcp.address=:1514
      - --entryPoints.graylog-syslog-udp.address=:1514/udp
      - --entryPoints.graylog-gelf-tcp.address=:12201
      - --entryPoints.graylog-gelf-udp.address=:12201/udp
      - --global.checknewversion=true
      - --global.sendanonymoususage=false
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/traefik/acme:/etc/traefik/acme
    networks:
      - traefik-network
    ports:
      - 80:80
      - 443:443
      - 10051:10051
    healthcheck:
      test: ["CMD", "wget", "http://localhost:8082/ping", "--spider"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 5s
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`${TRAEFIK_HOSTNAME}`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_BASIC_AUTH}
      - traefik.http.routers.mydashboard.middlewares=auth
    restart: unless-stopped
networks:
  traefik-network:
    external: true
// =====
// DOCKER COMPOSE KEYCLOAK
// =====
version: '3.9'
services:
  postgres-keycloak:
    image: ${KEYCLOAK_POSTGRES_IMAGE_TAG}
    container_name: postgres-keycloak
    environment:
      POSTGRES_DB: ${KEYCLOAK_DB_NAME}
      POSTGRES_USER: ${KEYCLOAK_DB_USER}
      POSTGRES_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
    volumes:
      - keycloak-data:/var/lib/postgresql/data
      - /var/log/keycloak/postgres:/var/lib/postgresql/logs
    networks:
      - keycloak-network
    ports:
      - ":5432"
    healthcheck:
      test: [ "CMD", "pg_isready", "-q", "-d", "keycloak", "-U", "keycloak" ]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 60s
    restart: unless-stopped
    logging:
      driver: gelf
      options:
        gelf-address: ${KEYCLOAK_LOG_ADDRESS}
        tag: ${KEYCLOAK_POSTGRES_LOG_TAG}
  keycloak:
    build:
      context: .
      args:
        KEYCLOAK_VERSION: ${KEYCLOAK_VERSION}
    command: ['start', '--optimized']
    container_name: keycloak
    environment:
      JAVA_OPTS_APPEND: -Dkeycloak.profile.feature.upload_scripts=enabled
      KC_DB_USERNAME: ${KEYCLOAK_DB_USER}
      KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
      KC_DB_URL: jdbc:postgresql://postgres-keycloak:5432/${KEYCLOAK_DB_NAME}
      KC_HEALTH_ENABLED: 'true'
      KC_HTTP_ENABLED: 'true'
      KC_METRICS_ENABLED: 'true'
      KC_HOSTNAME_STRICT: 'false'
      KC_HOSTNAME: ${KEYCLOAK_HOSTNAME}
      KC_PROXY: reencrypt
      KEYCLOAK_ADMIN: ${KEYCLOAK_USER}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_PASSWORD}
      QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY: true
      # KC_LOG_LEVEL: debug
    networks:
      - keycloak-network
      - traefik-network
    ports:
      - ":8080"
    healthcheck:
      test: timeout 10s bash -c ':> /dev/tcp/127.0.0.1/8080' || exit 1
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 90s
    labels:
      - traefik.enable=true
      - traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_HOSTNAME}`)
      - traefik.http.services.keycloak.loadbalancer.server.port=8080
      - traefik.http.services.keycloak.loadbalancer.passhostheader=true
      - traefik.http.middlewares.keycloak-headers.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.middlewares.keycloak-headers.headers.customrequestheaders.X-Forwarded-For=127.0.0.1
      - traefik.http.middlewares.keycloak-headers.headers.customrequestheaders.X-Forwarded-Host=${KEYCLOAK_HOSTNAME}
      - traefik.http.routers.keycloak.middlewares=keycloak-headers
    restart: unless-stopped
    depends_on:
      postgres-keycloak:
        condition: service_healthy
    logging:
      driver: gelf
      options:
        gelf-address: ${KEYCLOAK_LOG_ADDRESS}
        tag: ${KEYCLOAK_LOG_TAG}
  keycloak-backups:
    image: ${KEYCLOAK_POSTGRES_IMAGE_TAG}
    container_name: keycloak-backups
    command: >-
      sh -c 'sleep $KEYCLOAK_BACKUP_INIT_SLEEP &&
      while true; do
      pg_dump -h postgres-keycloak -p 5432 -d $KEYCLOAK_DB_NAME -U $KEYCLOAK_DB_USER | gzip > $KEYCLOAK_POSTGRES_BACKUPS_PATH/$KEYCLOAK_POSTGRES_BACKUP_NAME-$(date "+%Y-%m-%d_%H-%M").gz &&
      find $KEYCLOAK_POSTGRES_BACKUPS_PATH -type f -mtime +$KEYCLOAK_POSTGRES_BACKUP_PRUNE_DAYS | xargs rm -f &&
      sleep $KEYCLOAK_BACKUP_INTERVAL; done'
    volumes:
      - keycloak-postgres-backup:/var/lib/postgresql/data
      - ${KEYCLOAK_POSTGRES_BACKUPS_PATH}:${KEYCLOAK_POSTGRES_BACKUPS_PATH}
      - /var/log/keycloak/backups:/var/lib/postgresql/logs # Added volume for backup logs
    environment:
      KEYCLOAK_DB_NAME: ${KEYCLOAK_DB_NAME}
      KEYCLOAK_DB_USER: ${KEYCLOAK_DB_USER}
      PGPASSWORD: ${KEYCLOAK_DB_PASSWORD}
      KEYCLOAK_BACKUP_INIT_SLEEP: ${KEYCLOAK_BACKUP_INIT_SLEEP}
      KEYCLOAK_BACKUP_INTERVAL: ${KEYCLOAK_BACKUP_INTERVAL}
      KEYCLOAK_POSTGRES_BACKUP_PRUNE_DAYS: ${KEYCLOAK_POSTGRES_BACKUP_PRUNE_DAYS}
      KEYCLOAK_POSTGRES_BACKUPS_PATH: ${KEYCLOAK_POSTGRES_BACKUPS_PATH}
      KEYCLOAK_POSTGRES_BACKUP_NAME: ${KEYCLOAK_POSTGRES_BACKUP_NAME}
      KEYCLOAK_LOG: console,gelf
      KEYCLOAK_LOG_GELF_HOST: localhost
      KEYCLOAK_LOG_GELF_PORT: 12201
    networks:
      - keycloak-network
    restart: unless-stopped
    depends_on:
      postgres-keycloak:
        condition: service_healthy
    logging:
      driver: gelf
      options:
        gelf-address: ${KEYCLOAK_LOG_ADDRESS}
        tag: ${KEYCLOAK_BACKUPS_LOG_TAG}
volumes:
  keycloak-data:
    driver: local
  keycloak-postgres-backup:
    driver: local
  keycloak-database-backups:
    driver: local
networks:
  traefik-network:
    external: true
  keycloak-network:
    external: true
// =====
// DOCKER COMPOSE NEXTCLOUD
// =====
services:
  nextcloud:
    image: nextcloud:latest
    container_name: nextcloud
    environment:
      - MYSQL_HOST=nextcloud-mariadb
      - MYSQL_DATABASE=${NEXTCLOUD_DB_NAME}
      - MYSQL_USER=${NEXTCLOUD_DB_USER}
      - MYSQL_PASSWORD=${NEXTCLOUD_DB_PASSWORD}
      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USERNAME}
      - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
      - NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_URL}
      - OVERWRITECLIURL=${NEXTCLOUD_URL}
    volumes:
      - nextcloud:/var/www/html
    networks:
      - traefik-network
      - nextcloud-network
    labels:
      - traefik.enable=true
      - traefik.http.routers.nextcloud.rule=Host(`${NEXTCLOUD_HOSTNAME}`)
      - traefik.http.services.nextcloud.loadbalancer.server.port=80
      - traefik.http.services.nextcloud.loadbalancer.passhostheader=true
      #- traefik.http.middlewares.nextcloud-header-cors.headers.accesscontrolallowmethods=*
      #- traefik.http.middlewares.nextcloud-header-cors.headers.accesscontrolallowheaders=*
      #- traefik.http.middlewares.nextcloud-header-cors.headers.accesscontrolalloworiginlist=${NEXTCLOUD_ALLOW_ORIGIN_LIST}
      #- traefik.http.middlewares.nextcloud-header-cors.headers.accesscontrolmaxage=100
      #- traefik.http.middlewares.nextcloud-header-cors.headers.addvaryheader=true
      - traefik.http.middlewares.nextcloud-compress.compress=true
      #- traefik.http.middlewares.nextcloud-headers.headers.customrequestheaders.X-Forwarded-Proto=https
      #- traefik.http.middlewares.nextcloud-headers.headers.customrequestheaders.X-Forwarded-For=127.0.0.1
      #- traefik.http.middlewares.nextcloud-headers.headers.customrequestheaders.X-Forwarded-Host=${NEXTCLOUD_URL}
      #- traefik.http.middlewares.nextcloud-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=15552000; includeSubDomains; preload
      #- traefik.http.middlewares.nextcloud-redirectregex.redirectregex.permanent=true
      #- traefik.http.middlewares.nextcloud-redirectregex.redirectregex.regex=https://(.*)/.well-known/(?:card|cal)dav
      #- traefik.http.middlewares.nextcloud-redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav
      - traefik.http.routers.nextcloud.middlewares=nextcloud-compress
    restart: unless-stopped
    depends_on:
      - nextcloud-mariadb
    logging:
      driver: gelf
      options:
        gelf-address: ${NEXTCLOUD_LOG_ADDRESS}
        tag: ${NEXTCLOUD_LOG_TAG}
  nextcloud-mariadb:
    image: ${NEXTCLOUD_MARIADB_IMAGE_TAG}
    container_name: nextcloud-db
    environment:
      - MYSQL_ROOT_PASSWORD=${NEXTCLOUD_DB_ROOT_PASSWORD}
      - MYSQL_DATABASE=${NEXTCLOUD_DB_NAME}
      - MYSQL_USER=${NEXTCLOUD_DB_USER}
      - MYSQL_PASSWORD=${NEXTCLOUD_DB_PASSWORD}
    volumes:
      - nextcloud-mariadb:/var/lib/mysql
      - /var/log/nextcloud/mariadb:/var/log/mysql
    networks:
      - nextcloud-network
    restart: unless-stopped
    logging:
      driver: gelf
      options:
        gelf-address: ${NEXTCLOUD_LOG_ADDRESS}
        tag: ${NEXTCLOUD_MARIADB_LOG_TAG}
  nextcloud-backups:
    image: ${NEXTCLOUD_MARIADB_IMAGE_TAG}
    container_name: nextcloud-backups
    command: >-
      sh -c 'sleep $NEXTCLOUD_BACKUP_INIT_SLEEP &&
      while true; do
      mariadb-dump -h nextcloud-mariadb -u $NEXTCLOUD_DB_USER -p$NEXTCLOUD_DB_PASSWORD $NEXTCLOUD_DB_NAME | gzip > $NEXTCLOUD_MARIADB_BACKUPS_PATH/$NEXTCLOUD_MARIADB_BACKUP_NAME->
      find $NEXTCLOUD_MARIADB_BACKUPS_PATH -type f -mtime +$NEXTCLOUD_MARIADB_BACKUP_PRUNE_DAYS | xargs rm -f &&
      sleep $NEXTCLOUD_BACKUP_INTERVAL; done'
    volumes:
      - nextcloud-mariadb-backup:/var/lib/mysql
      - ${NEXTCLOUD_MARIADB_BACKUPS_PATH}:${NEXTCLOUD_MARIADB_BACKUPS_PATH}
      - /var/log/nextcloud/mariadb:/var/log/mysql
    environment:
      NEXTCLOUD_DB_USER: ${NEXTCLOUD_DB_USER}
      NEXTCLOUD_DB_PASSWORD: ${NEXTCLOUD_DB_PASSWORD}
      NEXTCLOUD_DB_NAME: ${NEXTCLOUD_DB_NAME}
      NEXTCLOUD_BACKUP_INIT_SLEEP: ${NEXTCLOUD_BACKUP_INIT_SLEEP}
      NEXTCLOUD_BACKUP_INTERVAL: ${NEXTCLOUD_BACKUP_INTERVAL}
      NEXTCLOUD_MARIADB_BACKUP_PRUNE_DAYS: ${NEXTCLOUD_MARIADB_BACKUP_PRUNE_DAYS}
      NEXTCLOUD_MARIADB_BACKUPS_PATH: ${NEXTCLOUD_MARIADB_BACKUPS_PATH}
      NEXTCLOUD_MARIADB_BACKUP_NAME: ${NEXTCLOUD_MARIADB_BACKUP_NAME}
    networks:
      - nextcloud-network
    restart: unless-stopped
    logging:
      driver: gelf
      options:
        gelf-address: ${NEXTCLOUD_LOG_ADDRESS}
        tag: ${NEXTCLOUD_BACKUPS_LOG_TAG}
networks:
  traefik-network:
    external: true
  nextcloud-network:
    external: true
volumes:
  nextcloud:
  nextcloud-mariadb:
  nextcloud-mariadb-backup:
Unable to exchange code for API access token. HTTP client error: Connection timed out after 30001 milliseconds.
Nextcloud: 29.0.0.19, Social Login: 5.6.4, Keycloak: 22.0.5, Traefik: 2.10.7
====== SET-UP
Everything is running in separate Docker containers on the same host server, sharing the same Docker network. In the Nextcloud Social Login UI, the config is:
==== ERROR
=> Nextcloud login page => Connect with Keycloak => Successful redirect to the Keycloak login => Enter user credentials => Click on the Log In button => Redirect takes a while, trying from (https://www.auth.MY_DOMAIN.COM/realms/MY_REALM/protocol/openid-connect/auth?response_type=code&client_id=MY_CLIENT_ID&redirect_uri=https%3A%2F%2Fwww.cloud.MY_DOMAIN.COM%2Fapps%2Fsociallogin%2Fcustom_oidc%2Fkeycloak&scope=openid&state=A_STATE) => ERROR PAGE (https://www.cloud.MY_DOMAIN.COM/apps/sociallogin/custom_oidc/keycloak?state=A_STATE&session_state=A_SESSION_STATE&code=A_CODE)
Keycloak => No error message. The login seems to be a success, because if I go from the Nextcloud error page to the Keycloak admin UI, I'm already connected.
I've been stuck with this for a while now, any help would be very appreciated! Thanks!