Nginx reverse proxy for sandstorm


ad...@jresponse.io

Mar 22, 2016, 1:16:23 AM
to Sandstorm Development
I would like to be able to access my Sandstorm server as https://example.com/teams rather than http://serverid.sandcats.io.  In order to do this I made the following changes

To my Nginx configuration I added the location block
location ^~ /teamapps/ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://127.0.0.1:6080;
}

and then reloaded the Nginx configuration.  I edited /opt/sandstorm/sandstorm.conf with the changes

BASE_URL=https://example.com/teamapps
WILDCARD_HOST=*.example.com
HTTPS_PORT=443
After restarting the Sandstorm server I secured a fresh admin token which now read https://example.com/teamapps/admin/settings/token.  However, browsing to this URL causes Nginx to throw up a 502, Bad Gateway error.  Examining the sandstorm log at /opt/sandstorm/var/log/sandstorm.log reveals

sandstorm/util.c++:845: fatal: *exception = sandstorm/run-bundle.c++:1871: failed: bind(sockFd, reinterpret_cast<sockaddr *>(&sa), sizeof(sockaddr_in)): Address already in use
stack: 0x4f5072 0x4f502a 0x47591e
** Front-end died immediately after starting.
** Sleeping for a bit before trying again...

For good measure I rebooted the server and tried again.

Clearly, I am doing something wrong here but it is not clear what that might be.  I'd much appreciate any help.

Kenton Varda

Mar 22, 2016, 4:36:34 AM
to ad...@jresponse.io, Sandstorm Development
Sorry, Sandstorm doesn't support being mapped at a path -- it needs to be at the root of its host. You'll need to map it to teamapps.example.com, or something like that.

Unfortunately, supporting mapping Sandstorm to a path would likely require a large number of changes to the Sandstorm codebase. Moreover, it would be a security risk -- your Sandstorm server would then be vulnerable to bugs in any non-Sandstorm app mapped at the same host. Additionally, there could easily be interference in things like localStorage. So, while I understand why you want this, I don't think we'll be able to support it. Sorry.

-Kenton


ad...@jresponse.io

Mar 22, 2016, 5:14:04 AM
to Sandstorm Development, ad...@jresponse.io
All I really care about is ensuring that my users can access their Sandstorm apps via a URL that appears to form part of the bigger enterprise of which this particular Sandstorm server is a part.  Something along the lines of team.example.com is acceptable.  I might well end up putting Sandstorm on a server all of its own (so no Port 6080 anymore) in order to avoid degrading the performance of the other apps that run on the example.com server.  So if I do that, what is required to keep Sandstorm happy?  I am imagining

It is less than 24h since I discovered Sandstorm - in a word: fantastic!  However, the steps to be taken when one does not want the server to be accessed via a serverid.sandcats.io URL are less than crystal clear.

Asheesh Laroia

Mar 22, 2016, 8:40:49 AM
to ad...@jresponse.io, Sandstorm Development
On Tue, Mar 22, 2016 at 5:14 AM, <ad...@jresponse.io> wrote:
All I really care about is ensuring that my users can access their Sandstorm apps via a URL that appears to form part of the bigger enterprise of which this particular Sandstorm server is a part.  Something along the lines of team.example.com is acceptable.  I might well end up putting Sandstorm on a server all of its own (so no Port 6080 anymore) in order to avoid degrading the performance of the other apps that run on the example.com server.  So if I do that, what is required to keep Sandstorm happy?  I am imagining

It is less than 24h since I discovered Sandstorm - in a word: fantastic!  However, the steps to be taken when one does not want the server to be accessed via a serverid.sandcats.io URL are less than crystal clear.

Hi there! Thanks for emailing.

https://docs.sandstorm.io/en/latest/administering/reverse-proxy/ is our documentation on putting Sandstorm behind a reverse proxy. I'm curious if you can try reading that and seeing if it helps.

Also, if Sandstorm is going to be behind a reverse proxy, then you should remove the HTTPS_PORT setting. HTTPS_PORT only applies to Sandstorm's built-in HTTPS server. I believe that explains the error message that you got. I'll make a note to document this fact about HTTPS_PORT more carefully, since this misconfiguration is very easy to make. Thanks for (implicitly) bringing it to my attention.

Let us know how that goes for you!

-- Asheesh.
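
The two misconfigurations identified in the replies above (BASE_URL mapped at a path on a host shared with other apps, and HTTPS_PORT left set behind a reverse proxy), expressed as a small sandstorm.conf check. This is an added example, not part of the original thread and not Sandstorm's own code; the function names, the finding codes, the `other_app_hosts` parameter and the teamapps.example.com hostname are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the settings quoted in the first post of this thread.
THREAD_CONF = """\
BASE_URL=https://example.com/teamapps
WILDCARD_HOST=*.example.com
HTTPS_PORT=443
"""

# Constructed sample: a dedicated hostname (hypothetical), no HTTPS_PORT.
DEDICATED_CONF = """\
BASE_URL=https://teamapps.example.com
WILDCARD_HOST=*.teamapps.example.com
"""


def parse_conf(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def lint(text, behind_reverse_proxy=True, other_app_hosts=()):
    """Return (code, message) findings for the issues raised in the thread."""
    conf = parse_conf(text)
    base = urlsplit(conf.get("BASE_URL", ""))
    findings = []
    if base.path not in ("", "/"):
        findings.append(("base-url-path",
                         f"BASE_URL is mapped at path {base.path!r}; "
                         "Sandstorm must be at the root of its host"))
    if base.hostname in set(other_app_hosts):
        findings.append(("shared-host",
                         f"{base.hostname} also serves non-Sandstorm apps"))
    if behind_reverse_proxy and "HTTPS_PORT" in conf:
        findings.append(("https-port-behind-proxy",
                         "HTTPS_PORT only applies to the built-in HTTPS "
                         "server; remove it behind a reverse proxy"))
    return findings


if __name__ == "__main__":
    for code, message in lint(THREAD_CONF, other_app_hosts={"example.com"}):
        print(f"{code}: {message}")
```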

Jan Jambor

Mar 22, 2016, 2:47:24 PM
to Sandstorm Development
I have a similar issue, see https://stackoverflow.com/questions/33268092/

I was not able to make it work with sandcats.io domain. In this case the sandstorm server needs to check for auto updates of the certificate which doesn't work in http mode. So the sandstorm server also needs to communicate internally via https and the reverse proxy needs to pass through this connection (purple box in my example on stack overflow). I have read that haproxy is able to do that but I didn't check that yet. You would need haproxy in front of your nginx proxy to separate the traffic to sandstorm from the rest.

But when you have your own custom wildcard certificate it definitely works with nginx only (green or red box in my example on stack overflow). I could help you with that if required.

ad...@jresponse.io

Mar 22, 2016, 4:30:21 PM
to Sandstorm Development
Thanks, Jan.  I'll check out the stackoverflow thread and get back to you.