ID |
Date |
Icon |
Author |
Author Email |
Category |
OS |
ELOG Version |
Subject |
68833
|
Tue Aug 14 06:04:53 2018 |
| Stefan Ritt | stefan.ritt@psi.ch | Question | Linux | Other | 3.1.2 | Re: Reverse proxy of Elog using Docker and Nginx? |
Have you tried the "URL = ..." statement? This determines you elog redirects if you log in. If you reach elog through a proxy, the URL is a different one that if you access it directly. In your case the proxy URL might be necessary.
Stefan
Andrew Wade wrote: |
I've been trying to configured a Synology NAS to run my personal elog with a reverse proxy to the outside world. The best way seems to be running Elog in a Docker instance and then running a separate connected Docker running a nginx-proxy (in this case jwilder/nginx-proxy). This second container manages the certificates to letsencrypt and mapping URL requests to relevant containers so that connection is secured properly.
It worked great in the initial test. However, I have an issue with authentication. When I password protect the elog it goes to a login page. When I give an correct password it loops back to the login page (incidentally when I give an incorrect password it gives an 'Invalid user name or password!' warning). So I know that its getting the correct password but there is some issue that is resetting or ignoring the authentication. I am never able to actually get to the protected content.
Does anyone have any experience in using Nginx to setup a secure reverse proxy? Any insights into why this would mess with the authentication of elog?
Side note: I have tried using Apache to do the same and authentication worked fine. But the pre-canned jwilder/nginx-proxy docker manages all the certificates automatically and seamlessly and allows me to have multiple services running on the same outward facing port on my router. There is no equivalent (as far as I know) that uses Apache for proxying with letsencrypt.
|
|
68835
|
Fri Aug 17 22:07:41 2018 |
| Andrew Wade | awade@caltech.edu | Question | Linux | Other | 3.1.2 | Re: Reverse proxy of Elog using Docker and Nginx? |
Yes, I tried setting the URL parameter to the url used by the proxy. It goes to the correct address but that landing is the login page.
Andrew
Stefan Ritt wrote: |
Have you tried the "URL = ..." statement? This determines you elog redirects if you log in. If you reach elog through a proxy, the URL is a different one that if you access it directly. In your case the proxy URL might be necessary.
Stefan
Andrew Wade wrote: |
I've been trying to configured a Synology NAS to run my personal elog with a reverse proxy to the outside world. The best way seems to be running Elog in a Docker instance and then running a separate connected Docker running a nginx-proxy (in this case jwilder/nginx-proxy). This second container manages the certificates to letsencrypt and mapping URL requests to relevant containers so that connection is secured properly.
It worked great in the initial test. However, I have an issue with authentication. When I password protect the elog it goes to a login page. When I give an correct password it loops back to the login page (incidentally when I give an incorrect password it gives an 'Invalid user name or password!' warning). So I know that its getting the correct password but there is some issue that is resetting or ignoring the authentication. I am never able to actually get to the protected content.
Does anyone have any experience in using Nginx to setup a secure reverse proxy? Any insights into why this would mess with the authentication of elog?
Side note: I have tried using Apache to do the same and authentication worked fine. But the pre-canned jwilder/nginx-proxy docker manages all the certificates automatically and seamlessly and allows me to have multiple services running on the same outward facing port on my router. There is no equivalent (as far as I know) that uses Apache for proxying with letsencrypt.
|
|
|
68836
|
Mon Aug 20 12:42:24 2018 |
| Stefan Ritt | stefan.ritt@psi.ch | Question | Linux | Other | 3.1.2 | Re: Reverse proxy of Elog using Docker and Nginx? |
Actually this forum works through an Apache reverse proxy with authentication and it works, so I suspect that the problem has to do with jwilder/nginx-proxy. Since we don't have this here, all I can propose is that you do debugging yourself. Run elogd with the -v flag so that you see all requests coming from the user through the proxy. Compare the requests through Apache and Nginx to see if any argumets are stripped or mangled. Upon successful login, elog sets a cookie with a unique session-ID (the cookie name is "sid") to the browser. If you proxy strips that cookie, you would land on the login page. Maybe look in that direction.
Stefan
Andrew Wade wrote: |
Yes, I tried setting the URL parameter to the url used by the proxy. It goes to the correct address but that landing is the login page.
Andrew
Stefan Ritt wrote: |
Have you tried the "URL = ..." statement? This determines you elog redirects if you log in. If you reach elog through a proxy, the URL is a different one that if you access it directly. In your case the proxy URL might be necessary.
Stefan
Andrew Wade wrote: |
I've been trying to configured a Synology NAS to run my personal elog with a reverse proxy to the outside world. The best way seems to be running Elog in a Docker instance and then running a separate connected Docker running a nginx-proxy (in this case jwilder/nginx-proxy). This second container manages the certificates to letsencrypt and mapping URL requests to relevant containers so that connection is secured properly.
It worked great in the initial test. However, I have an issue with authentication. When I password protect the elog it goes to a login page. When I give an correct password it loops back to the login page (incidentally when I give an incorrect password it gives an 'Invalid user name or password!' warning). So I know that its getting the correct password but there is some issue that is resetting or ignoring the authentication. I am never able to actually get to the protected content.
Does anyone have any experience in using Nginx to setup a secure reverse proxy? Any insights into why this would mess with the authentication of elog?
Side note: I have tried using Apache to do the same and authentication worked fine. But the pre-canned jwilder/nginx-proxy docker manages all the certificates automatically and seamlessly and allows me to have multiple services running on the same outward facing port on my router. There is no equivalent (as far as I know) that uses Apache for proxying with letsencrypt.
|
|
|
|
68838
|
Tue Aug 28 23:38:55 2018 |
| Andrew Wade | awade@caltech.edu | Question | Linux | Other | 3.1.2 | Re: Reverse proxy of Elog using Docker and Nginx? |
It does indeed seem to be a cookie stripping issue. I just need to figure out how to get Nginx to forward these properly.
Thanks for the help.
Stefan Ritt wrote: |
Actually this forum works through an Apache reverse proxy with authentication and it works, so I suspect that the problem has to do with jwilder/nginx-proxy. Since we don't have this here, all I can propose is that you do debugging yourself. Run elogd with the -v flag so that you see all requests coming from the user through the proxy. Compare the requests through Apache and Nginx to see if any argumets are stripped or mangled. Upon successful login, elog sets a cookie with a unique session-ID (the cookie name is "sid") to the browser. If you proxy strips that cookie, you would land on the login page. Maybe look in that direction.
Stefan
Andrew Wade wrote: |
Yes, I tried setting the URL parameter to the url used by the proxy. It goes to the correct address but that landing is the login page.
Andrew
Stefan Ritt wrote: |
Have you tried the "URL = ..." statement? This determines you elog redirects if you log in. If you reach elog through a proxy, the URL is a different one that if you access it directly. In your case the proxy URL might be necessary.
Stefan
Andrew Wade wrote: |
I've been trying to configured a Synology NAS to run my personal elog with a reverse proxy to the outside world. The best way seems to be running Elog in a Docker instance and then running a separate connected Docker running a nginx-proxy (in this case jwilder/nginx-proxy). This second container manages the certificates to letsencrypt and mapping URL requests to relevant containers so that connection is secured properly.
It worked great in the initial test. However, I have an issue with authentication. When I password protect the elog it goes to a login page. When I give an correct password it loops back to the login page (incidentally when I give an incorrect password it gives an 'Invalid user name or password!' warning). So I know that its getting the correct password but there is some issue that is resetting or ignoring the authentication. I am never able to actually get to the protected content.
Does anyone have any experience in using Nginx to setup a secure reverse proxy? Any insights into why this would mess with the authentication of elog?
Side note: I have tried using Apache to do the same and authentication worked fine. But the pre-canned jwilder/nginx-proxy docker manages all the certificates automatically and seamlessly and allows me to have multiple services running on the same outward facing port on my router. There is no equivalent (as far as I know) that uses Apache for proxying with letsencrypt.
|
|
|
|
|
68858
|
Mon Nov 26 17:32:31 2018 |
| Yanick Vachon | yvachon@materiauxblanchet.ca | Request | Windows | 3.1.2 | Need to change port 25 |
Hi,
We've made changes in our network and now we have to use port 587 instead of port 25, how can i edit that parameter?
Thanks |
68859
|
Tue Nov 27 08:19:11 2018 |
| Andreas Luedeke | andreas.luedeke@psi.ch | Request | Windows | 3.1.2 | Re: Need to change port 25 |
This is nicely explained in the documentation: https://elog.psi.ch/elog/config.html#global
The following options are specific to the [global] section:
Port = <port>
Specifies the TCP port under which the server is listening. Default is 80. Can be superseeded via the '-p' command line flag.
Yanick Vachon wrote: |
Hi,
We've made changes in our network and now we have to use port 587 instead of port 25, how can i edit that parameter?
Thanks
|
|
68860
|
Tue Nov 27 08:59:45 2018 |
| Stefan Ritt | stefan.ritt@psi.ch | Request | Windows | 3.1.2 | Re: Need to change port 25 |
I believe Yanick means the SMTP port, not the port under which elogd is listening. The SMPT port is hard wired to 25, because port 587 was not yet defiend when I wrote that code. I can make this a variable, but only if it works. So Yanick can you test if port 587 accepts normal SMTP commands? We don't have such a new server at our lab and I cannot test it. Under Windows you can open a command prompt and telnet to the mail server:
telnet <server> 587
HELO test
MAIL FROM: test
your server should then reply with "220 ..." and "250 ..." messages. Once this works, I will implement the variable SMTP port.
Stefan
Andreas Luedeke wrote: |
This is nicely explained in the documentation: https://elog.psi.ch/elog/config.html#global
The following options are specific to the [global] section:
Port = <port>
Specifies the TCP port under which the server is listening. Default is 80. Can be superseeded via the '-p' command line flag.
Yanick Vachon wrote: |
Hi,
We've made changes in our network and now we have to use port 587 instead of port 25, how can i edit that parameter?
Thanks
|
|
|
68861
|
Tue Nov 27 15:21:31 2018 |
| Yanick Vachon | yvachon@materiauxblanchet.ca | Request | Windows | 3.1.2 | Re: Need to change port 25 |
I Stefan, it works with the 587 port.
Stefan Ritt wrote: |
I believe Yanick means the SMTP port, not the port under which elogd is listening. The SMPT port is hard wired to 25, because port 587 was not yet defiend when I wrote that code. I can make this a variable, but only if it works. So Yanick can you test if port 587 accepts normal SMTP commands? We don't have such a new server at our lab and I cannot test it. Under Windows you can open a command prompt and telnet to the mail server:
telnet <server> 587
HELO test
MAIL FROM: test
your server should then reply with "220 ..." and "250 ..." messages. Once this works, I will implement the variable SMTP port.
Stefan
Andreas Luedeke wrote: |
This is nicely explained in the documentation: https://elog.psi.ch/elog/config.html#global
The following options are specific to the [global] section:
Port = <port>
Specifies the TCP port under which the server is listening. Default is 80. Can be superseeded via the '-p' command line flag.
Yanick Vachon wrote: |
Hi,
We've made changes in our network and now we have to use port 587 instead of port 25, how can i edit that parameter?
Thanks
|
|
|
|
Attachment 1: Port_587.png
|
|