Discussion forum about ELOG, Page 20 of 238
Reverse proxy of Elog using Docker and Nginx?, posted by Andrew Wade on Mon Aug 13 21:09:30 2018

I've been trying to configure a Synology NAS to run my personal elog with a reverse proxy to the outside world. The best way seems to be running Elog in a Docker instance and then running a separate connected Docker running a nginx-proxy (in this case jwilder/nginx-proxy). This second container manages the certificates to letsencrypt and mapping URL requests to relevant containers so that connection is secured properly.

It worked great in the initial test. However, I have an issue with authentication. When I password protect the elog it goes to a login page. When I give a correct password it loops back to the login page (incidentally when I give an incorrect password it gives an 'Invalid user name or password!' warning). So I know that it's getting the correct password but there is some issue that is resetting or ignoring the authentication. I am never able to actually get to the protected content.

Does anyone have any experience in using Nginx to set up a secure reverse proxy? Any insights into why this would mess with the authentication of elog?

Side note: I have tried using Apache to do the same and authentication worked fine. But the pre-canned jwilder/nginx-proxy docker manages all the certificates automatically and seamlessly and allows me to have multiple services running on the same outward facing port on my router. There is no equivalent (as far as I know) that uses Apache for proxying with letsencrypt.

    Re: Reverse proxy of Elog using Docker and Nginx?, posted by Stefan Ritt on Tue Aug 14 06:04:53 2018

Have you tried the "URL = ..." statement? This determines where elog redirects if you log in. If you reach elog through a proxy, the URL is a different one than if you access it directly. In your case the proxy URL might be necessary.

Stefan


       Re: Reverse proxy of Elog using Docker and Nginx?, posted by Andrew Wade on Fri Aug 17 22:07:41 2018

Yes, I tried setting the URL parameter to the url used by the proxy.  It goes to the correct address but that landing is the login page.

Andrew


          Re: Reverse proxy of Elog using Docker and Nginx?, posted by Stefan Ritt on Mon Aug 20 12:42:24 2018

Actually this forum works through an Apache reverse proxy with authentication and it works, so I suspect that the problem has to do with jwilder/nginx-proxy. Since we don't have this here, all I can propose is that you do debugging yourself. Run elogd with the -v flag so that you see all requests coming from the user through the proxy. Compare the requests through Apache and Nginx to see if any arguments are stripped or mangled. Upon successful login, elog sets a cookie with a unique session-ID (the cookie name is "sid") to the browser. If your proxy strips that cookie, you would land on the login page. Maybe look in that direction.

Stefan
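
One way to run the comparison suggested above, as an added example that is not part of the original posts or of ELOG: it takes the raw header block of the login response as the browser received it and of the next request as the backend saw it, and reports where the "sid" cookie is lost. It goes slightly beyond the thread by also applying simplified RFC 6265 Domain/Path/Secure matching; the function names, hostnames and cookie values are constructed, and no particular `elogd -v` output format is assumed.

```python
from urllib.parse import urlsplit

SESSION_COOKIE = "sid"  # cookie name given in the thread

def parse_head(raw):
    """Header block of one raw HTTP message -> {lowercase name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # skip request/status line
        if not line.strip():
            break                                  # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def request_cookies(headers):
    """Cookie name -> value from the Cookie request header(s)."""
    jar = {}
    for value in headers.get("cookie", []):
        for pair in value.split(";"):
            name, sep, val = pair.strip().partition("=")
            if sep:
                jar[name] = val
    return jar

def response_cookies(headers):
    """Cookie name -> attribute dict (lowercase keys) from Set-Cookie headers."""
    jar = {}
    for value in headers.get("set-cookie", []):
        first, *rest = [part.strip() for part in value.split(";")]
        name, _, val = first.partition("=")
        attrs = {"value": val}
        for item in rest:
            key, _, arg = item.partition("=")
            attrs[key.strip().lower()] = arg.strip()
        jar[name] = attrs
    return jar

def withheld_reasons(attrs, public_url):
    """Simplified RFC 6265 matching: why a browser would not send the cookie back."""
    url = urlsplit(public_url)
    host, path = (url.hostname or ""), (url.path or "/")
    reasons = []
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and host != domain and not host.endswith("." + domain):
        reasons.append(f"Domain={domain} does not match {host}")
    cpath = attrs.get("path") or "/"               # simplification: no Path means "/"
    if not (path == cpath or path.startswith(cpath.rstrip("/") + "/")):
        reasons.append(f"Path={cpath} does not cover {path}")
    if "secure" in attrs and url.scheme != "https":
        reasons.append("Secure cookie but the public URL is not HTTPS")
    return reasons

def diagnose(login_response, next_request, public_url):
    """Findings for a login loop: cookie never set, not returnable, or not forwarded."""
    findings = []
    jar = response_cookies(parse_head(login_response))
    if SESSION_COOKIE not in jar:
        findings.append("no Set-Cookie for sid reached the browser")
    else:
        findings += [f"browser withholds sid: {reason}"
                     for reason in withheld_reasons(jar[SESSION_COOKIE], public_url)]
    if SESSION_COOKIE not in request_cookies(parse_head(next_request)):
        findings.append("request seen by elogd carries no sid cookie")
    return findings

# Constructed samples (not captured from a real ELOG server).
PUBLIC_URL = "https://elog.example.org/demo/"
RESP_OK = "HTTP/1.1 302 Found\nSet-Cookie: sid=CONSTRUCTED1234; path=/\n\n"
RESP_STRIPPED = "HTTP/1.1 302 Found\nLocation: https://elog.example.org/demo/\n\n"
RESP_BAD_DOMAIN = ("HTTP/1.1 302 Found\n"
                   "Set-Cookie: sid=CONSTRUCTED1234; path=/; domain=nas.internal\n\n")
REQ_OK = ("GET /demo/ HTTP/1.1\nHost: elog.example.org\n"
          "Cookie: lang=en; sid=CONSTRUCTED1234\n\n")
REQ_NO_COOKIE = "GET /demo/ HTTP/1.1\nHost: elog.example.org\n\n"

if __name__ == "__main__":
    for resp, req in [(RESP_OK, REQ_OK), (RESP_STRIPPED, REQ_NO_COOKIE),
                      (RESP_BAD_DOMAIN, REQ_NO_COOKIE)]:
        print(diagnose(resp, req, PUBLIC_URL) or "sid cookie survives the round trip")
```

An empty result for the direct path and a non-empty one for the proxied path points at the proxy hop that drops or rewrites the cookie.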


             Re: Reverse proxy of Elog using Docker and Nginx?, posted by Andrew Wade on Tue Aug 28 23:38:55 2018

It does indeed seem to be a cookie stripping issue.  I just need to figure out how to get Nginx to forward these properly.

Thanks for the help.


                Re: Reverse proxy of Elog using Docker and Nginx?, posted by Bolko Beutner on Wed Sep 15 13:52:59 2021

I have the same problem -- did you find a solution in using the nginx reverse proxy with user login?


How to lock a specific entry?, posted by Manoel Couder on Tue Sep 14 17:48:52 2021

Hi All,

I am using elog to track technical changes in an experiment but also to log what experimentalists are doing during an experiment. For the latter, I would like to be able to lock those entries from being further edited after the experiment is finished. Is there a way to do that?

Thanks,

Manoel

    Re: How to lock a specific entry?, posted by Stefan Ritt on Tue Sep 14 18:18:03 2021

You can either lock all entries or none. So I would propose you set up two logbooks, one for technical changes which is not locked and one for what experimentalists are doing which is locked. Locking can be done a certain time after an entry has been made (like 1h, 1d, 1 month etc.). Or you simply make the logbook read-only.

Stefan


Large log file size, posted by Alan Grant on Mon Aug 30 03:08:15 2021

Can the size of the application log file affect performance?

    Re: Large log file size, posted by Stefan Ritt on Mon Aug 30 08:41:14 2021

If the logbook files are getting big, searching text in entries can take quite some time. But if you have a log file logging all activities, that should not slow down elog since the server just appends at the end of that file which is a quick operation.


Adding entries without being logged in stopped working with attachments, posted by Andreas Luedeke on Sat Aug 28 21:32:09 2021

Hi Stefan (et al),
we have several logbooks that allow to add new entries without logging in first.
That still works, as long as these entries don't have any attachments.
As soon as there is an attachment you are asked to login in the web interface.

I hope that this is not an intentional feature, but a bug?
Several of our software tools now fail to submit elog entries.

 
The problem occurred when we upgraded to ELOG V3.1.4-2e1708b.
Version elog-3.1.4-611489b did not show this behaviour.

Kind Regards
Andreas

Logging Main page entries, each with multiple ongoing events, posted by Alan Grant on Wed Jul 21 16:16:29 2021

Is there any way to log child events on the detail pages for a fixed number of entries on the main page? For example, I have 15 vehicles to enter on the main page, ID'd by Vehicle Number. Within each of those entries I will be logging ongoing repair service entries with certain attributes.

So how might I design this concept without having repeating vehicle entries on the main page for every service event, and preferably without splitting the information between two linked logbook tabs?

 

Deny option and Guest commands, posted by Janusz Szuba on Mon Jul 19 18:41:29 2021

Hi, 

I have a logbook with guest access and guest can also enter a new entry (in config: Guest List Menu commands = New, Find, Select, Login). For another reason, in a global section, I put

Deny New = account1, account2

This somehow invalidates Guest List Menu commands, since as guest I don't see New button anymore. Is this behaviour desired? Otherwise, I would need to move Deny option to plenty of individual logbook configs. Just to explain the reason, those accounts are set up to only read entries and not to create new ones. Or maybe you can suggest a different solution?

Best

Drop attachments here..., posted by Xuan Wu on Wed Jun 23 03:48:22 2021

Is the function of "Drop attachments here..." only for the root user? I'd like it to be usable by all users.

    Re: Drop attachments here..., posted by Sebastian Schenk on Mon Jun 28 14:53:44 2021

I can't confirm this behaviour. In our instance, every user can use the attachment function of the elog.
Either through "Drag&Drop" or "Browse&Upload" in the entry editor.

What do you mean by "root" user?
The elog can have several admin users, but this behaviour is equal for admin and non-admin users.
You should not run the elog server as user "root" of the machine for security reasons, but also for issues with file permissions.


       Re: Drop attachments here..., posted by Xuan Wu on Mon Jun 28 18:41:31 2021

I just used my own account to test the "Drag&Drop" function in this forum, and it failed. In our case, we need to upload ten more images into logbook at once, it's more effective to use "Drag&Drop" than "Browse&Upload" feature for "Browse&Upload" only can choose one attachment at once, but "Drag&Drop" can choose several attachments at once. The admin user can use this feature, but non-admin user not in our site. I did run the elog server as user "root". I'm not sure it is related to the problem.


          Re: Drop attachments here..., posted by Sebastian Schenk on Tue Jun 29 15:21:06 2021

In my tests I didn't find this behaviour, but my colleagues also reported this issue.
So I searched for the difference between my test setup and the production logbooks.

I believe the "restrict edit = 1" config option may be responsible for this behaviour.
I had the browser console running in the background and "Drag&Drop" sends an XHR request,
which failed with the message: "Only user can edit this entry".
This message is tied to the "restrict edit" option as far as I know.
So I tried removing the option and upload via "Drag&Drop" started to work as intended.
This behaviour only occurs for non-admin users, as admin users are not affected by

Can you verify this?
I can verify to get the same error message in this elog forum in the browser console.


             Re: Drop attachments here..., posted by Sebastian Schenk on Tue Jun 29 20:13:36 2021

I could figure out the bug. A fix can be found in this commit.
https://bitbucket.org/merrx/elog/commits/c3e3c4af9666006558aaf26d8f4841800e69f9af


                Re: Drop attachments here..., posted by Stefan Ritt on Tue Jun 29 20:20:38 2021

Looks good, I merged the pull request.

                   Re: Drop attachments here..., posted by Sebastian Schenk on Wed Jun 30 13:50:08 2021

Thanks for the merge.
I found a more general solution, as there could be the possibility to have the author as "select" or "radio box" input in the form, where the fix breaks.
But I think in most of the cases the author is a preset input, if used with "restrict edit = 1", so the merged fix should be fine.
https://bitbucket.org/merrx/elog/commits/7aacfbcac43b1192e5271fa7b2c80f4825c94d23

Today we ran into this issue again, but this time the culprit was encoding...
The author name in the password file was encoded differently than the author name from the XHR request.
In this instance there was an umlaut in the name.

I haven't got a good solution for this at the moment.
The workaround is to check the encoding in the password file and make it match.
But as for automated logins / user generation e.g. via LDAP (in our case) one should be aware of this issue.
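
A check for the workaround described above, as an added example that is not ELOG code: it classifies why two byte strings for the same author name fail a byte-wise comparison, and lists the lines of a file that are not valid UTF-8. The candidate encodings are an assumption (the post does not name the ones involved), and the names and file lines are constructed, not ELOG's password file format.

```python
import unicodedata

# Assumption: encodings worth trying; the thread does not say which were involved.
CANDIDATES = ("utf-8", "iso-8859-1")

def decodings(raw):
    """Every candidate decoding of raw that succeeds, NFC-normalized: {encoding: text}."""
    out = {}
    for enc in CANDIDATES:
        try:
            out[enc] = unicodedata.normalize("NFC", raw.decode(enc))
        except UnicodeDecodeError:
            pass                       # raw is not valid in this encoding
    return out

def explain_mismatch(stored, received):
    """Say why two byte strings for an author name fail a byte-wise comparison."""
    if stored == received:
        return "identical bytes"
    for enc_s, text_s in decodings(stored).items():
        for enc_r, text_r in decodings(received).items():
            if text_s == text_r:
                if enc_s == enc_r:
                    return f"same name, both {enc_s}, different Unicode normalization"
                return f"same name, stored as {enc_s}, received as {enc_r}"
    return "different names"

def non_utf8_lines(data):
    """1-based numbers of the lines in a file's bytes that are not valid UTF-8."""
    bad = []
    for number, line in enumerate(data.splitlines(), start=1):
        try:
            line.decode("utf-8")
        except UnicodeDecodeError:
            bad.append(number)
    return bad

# Constructed samples: one name with umlauts in three byte representations.
NAME = "J\u00f6rg M\u00fcller"
NAME_LATIN1 = NAME.encode("iso-8859-1")
NAME_UTF8 = NAME.encode("utf-8")
NAME_NFD = unicodedata.normalize("NFD", NAME).encode("utf-8")
# Constructed lines, not ELOG's password file format.
SAMPLE_FILE = b"user: admin\nuser: " + NAME_LATIN1 + b"\nuser: " + NAME_UTF8 + b"\n"

if __name__ == "__main__":
    print(explain_mismatch(NAME_LATIN1, NAME_UTF8))
    print(explain_mismatch(NAME_NFD, NAME_UTF8))
    print("lines that are not UTF-8:", non_utf8_lines(SAMPLE_FILE))
```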


                Re: Drop attachments here..., posted by Xuan Wu on Wed Jun 30 04:38:21 2021

Excellent, Thanks!


Timezone problem, posted by Maxim on Wed Jun 23 15:28:00 2021

Good afternoon!

The elog does not see the time zone. It displays UTC + 0. When I transfer old entries to a new compiled log, they are displayed 3 hours earlier (my time zone is UTC + 3). When creating a new record, it creates them in the UTC + 0.

Compilation occurs in Cygwin.

Version elog – 3.1.4-3.

Please help solve this problem.

ELOG V3.1.5-3fb85fa6