Behind Nginx Reverse-proxy


Дмитрий Вербецкий

Mar 1, 2021, 10:40:59 AM
to taigaio
Hello

I'm trying to set up Taiga behind an Nginx reverse proxy.

What I have:
1. A VM behind NAT, so I connect to my VPN...
I have my public VPN server where I use Nginx as a front-end load balancer and can easily create a Virtual Host for any of my connected VPN clients (which are behind NAT).

2. On that VM I installed taiga-docker ("30 min setup").

3. Changed the host name in docker-compose.yml to my taiga.domain.com, also set https and changed the web-socket to wss.
4. Set up my front-end Nginx (10.50.0.2:90 is my VPN IP and port):

server {

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
    proxy_pass http://10.50.0.2:90/;
  }

  # Events
  location /events {
      proxy_pass http://10.50.0.2:90/events;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_connect_timeout 7d;
      proxy_send_timeout 7d;
      proxy_read_timeout 7d;
  }
} # closing brace of the server block (missing from the pasted config)


5. I can open my taiga.domain.com. It works fine.
But I can't reset my password or send an invite to new people.
It seems like I need to somehow set up the proxy for /api.

In the console I get an error when clicking "forgot password".

There is also a WebSocket error:

WebSocket connection to 'wss://taiga.blinddate.vip/events' failed: Error during WebSocket handshake: Unexpected response code: 502
angular.js:14195 WebSocket error: [object Event]


So my main question is: how do I generally set up Taiga to work with an external Nginx proxy?

Дмитрий Вербецкий

Mar 2, 2021, 8:05:46 AM
to taigaio
OK, I guess I'll test on a clean VPS.

So I'm trying to install taiga-docker (30 min setup guide).
It seems to work BUT I have a WebSocket error in the console:

WebSocket connection to 'wss://taiga.domain.com/events' failed: Error during WebSocket handshake: Unexpected response code: 502

Also, if I go to https://taiga.domain.com/admin/ the page appears without CSS styles; they can't load due to a console error.



What I have done:

1. Setting up Nginx

nginx server config:

server {
server_name taiga.mydomain.com;
  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
    proxy_pass http://localhost:9000/;
  }
  # Events
  location /events {
      proxy_pass http://localhost:9000/events;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_connect_timeout 7d;
      proxy_send_timeout 7d;
      proxy_read_timeout 7d;
  }
   listen [::]:443 ssl; # managed by Certbot
   listen 443 ssl; # managed by Certbot
   ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = taiga.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
       server_name taiga.mydomain.com;
    listen [::]:80 ;
    listen 80 ;
   return 404; # managed by Certbot
}


2. A small change to docker-compose.yml:
just set my domain, HTTPS, WebSocket and SMTP.

docker-compose.yml:

version: "3.5"
x-environment:
  &default-back-environment
  # Database settings
  POSTGRES_DB: taiga
  POSTGRES_USER: taiga
  POSTGRES_PASSWORD: taiga
  POSTGRES_HOST: taiga-db
  # Taiga settings
  TAIGA_SECRET_KEY: "taiga-back-secret-key"
  TAIGA_SITES_DOMAIN: "taiga.mydomain.com"
  TAIGA_SITES_SCHEME: "https"

  # Email settings. Uncomment following lines and configure your SMTP server
  EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend"
  DEFAULT_FROM_EMAIL: "m...@mail.com"
  EMAIL_USE_TLS: "False"
  EMAIL_USE_SSL: "True"
  EMAIL_HOST: "smtp.my.com"
  EMAIL_PORT: 465
  EMAIL_HOST_USER: "my"
  EMAIL_HOST_PASSWORD: "my"
  RABBITMQ_USER: taiga
  RABBITMQ_PASS: taiga
  # Telemetry settings
  ENABLE_TELEMETRY: "True"
  
x-volumes:
  &default-back-volumes
  - ./taiga-static-data:/taiga-back/static
  - ./taiga-media-data:/taiga-back/media
  # - ./config.py:/taiga-back/settings/config.py

services:
  taiga-db:
    image: postgres:12.3
    environment:
      POSTGRES_DB: taiga
      POSTGRES_USER: taiga
      POSTGRES_PASSWORD: taiga
    volumes:
      - taiga-db-data:/var/lib/postgresql/data
    networks:
      - taiga

  taiga-back:
    image: taigaio/taiga-back:latest
    environment: *default-back-environment
    volumes: *default-back-volumes
    networks:
      - taiga
    depends_on:
      - taiga-db
      - taiga-events-rabbitmq
      - taiga-async-rabbitmq

  taiga-async:
    image: taigaio/taiga-back:latest
    entrypoint: ["/taiga-back/docker/async_entrypoint.sh"]
    environment: *default-back-environment
    volumes: *default-back-volumes
    networks:
      - taiga
    depends_on:
      - taiga-db
      - taiga-back
      - taiga-async-rabbitmq

  taiga-async-rabbitmq:
    image: rabbitmq:3-management-alpine
    environment:
      RABBITMQ_ERLANG_COOKIE: secret-erlang-cookie
      RABBITMQ_DEFAULT_USER: taiga
      RABBITMQ_DEFAULT_PASS: taiga
      RABBITMQ_DEFAULT_VHOST: taiga
    networks:
      - taiga

  taiga-front:
    image: taigaio/taiga-front:latest
    environment:
      TAIGA_URL: "https://taiga.mydomain.com"
      TAIGA_WEBSOCKETS_URL: "wss://taiga.mydomain.com"
    networks:
      - taiga
    # volumes:
    #   - ./conf.json:/usr/share/nginx/html/conf.json

  taiga-events:
    image: taigaio/taiga-events:latest
    environment:
      RABBITMQ_USER: taiga
      RABBITMQ_PASS: taiga
      TAIGA_SECRET_KEY: "taiga-back-secret-key"
    networks:
      - taiga
    depends_on:
      - taiga-events-rabbitmq

  taiga-events-rabbitmq:
    image: rabbitmq:3-management-alpine
    environment:
      RABBITMQ_ERLANG_COOKIE: secret-erlang-cookie
      RABBITMQ_DEFAULT_USER: taiga
      RABBITMQ_DEFAULT_PASS: taiga
      RABBITMQ_DEFAULT_VHOST: taiga
    networks:
      - taiga

  taiga-protected:
    image: taigaio/taiga-protected:latest
    environment:
      MAX_AGE: 360
      SECRET_KEY: "taiga-back-secret-key"
    networks:
      - taiga

  taiga-gateway:
    image: nginx:1.19-alpine
    ports:
      - "9000:80"
    volumes:
      - ./taiga-gateway/taiga.conf:/etc/nginx/conf.d/default.conf
      - ./taiga-static-data:/taiga/static
      - ./taiga-media-data:/taiga/media
    networks:
      - taiga
    depends_on:
      - taiga-front
      - taiga-back
      - taiga-events


# Named volume referenced by taiga-db above; it must be declared at top level
volumes:
  taiga-db-data:

networks:
  taiga:



3. docker ps

6ac6c50336fe   nginx:1.19-alpine                "/docker-entrypoint.…"   14 minutes ago   Up 14 minutes   0.0.0.0:9000->80/tcp                                                   taiga-docker_taiga-gateway_1
5f8c980567da   taigaio/taiga-back:latest        "/taiga-back/docker/…"   14 minutes ago   Up 14 minutes   8000/tcp                                                               taiga-docker_taiga-async_1
a9ce789e76bf   taigaio/taiga-back:latest        "./docker/entrypoint…"   14 minutes ago   Up 14 minutes   8000/tcp                                                               taiga-docker_taiga-back_1
b9f91b3810da   taigaio/taiga-protected:latest   "./docker/entrypoint…"   14 minutes ago   Up 14 minutes   8003/tcp                                                               taiga-docker_taiga-protected_1
371320d2dd79   rabbitmq:3-management-alpine     "docker-entrypoint.s…"   14 minutes ago   Up 14 minutes   4369/tcp, 5671-5672/tcp, 15671-15672/tcp, 15691-15692/tcp, 25672/tcp   taiga-docker_taiga-events-rabbitmq_1
225acc23be6c   rabbitmq:3-management-alpine     "docker-entrypoint.s…"   14 minutes ago   Up 14 minutes   4369/tcp, 5671-5672/tcp, 15671-15672/tcp, 15691-15692/tcp, 25672/tcp   taiga-docker_taiga-async-rabbitmq_1
dfbdc01b50e0   taigaio/taiga-front:latest       "/docker-entrypoint.…"   14 minutes ago   Up 14 minutes   80/tcp                                                                 taiga-docker_taiga-front_1
8f0131b978a0   postgres:12.3                    "docker-entrypoint.s…"   14 minutes ago   Up 14 minutes   5432/tcp                                                               taiga-docker_taiga-db_1


Monday, March 1, 2021 at 17:40:59 UTC+2, Дмитрий Вербецкий:

David Barragán

Mar 2, 2021, 9:15:58 AM
to Дмитрий Вербецкий, taigaio
Hi Дмитрий

It seems that you don't have any users on the platform yet, so you can't access Taiga. Something in the setup process could have failed, so the admin user is not created (and the static admin files aren't generated either).

Try to run

$ ./taiga-manage.sh createsuperuser
$ ./taiga-manage.sh collectstatic

The first line is for creating an admin user and the second line is for regenerating the static files for the superadmin panel.

About the wss error, it's a strange error; we usually use an nginx to serve Taiga (sometimes even behind another nginx) and we have not had that problem using a similar configuration. Could the VPN have something to do with it? I don't think so, but I'm not sure. Try checking the log files, info and error messages, to detect which part the error comes from: from your nginx, from taiga-gateway, from taiga-events...
Maybe there is more useful information there.


Best regards


--
David Barragán Merino
Engineer & Co-founder
kaleidos.net

Дмитрий Вербецкий

Mar 2, 2021, 9:31:32 AM
to taigaio
Hi,
thanks for the reply.

In my first post I had a slightly modified docker-compose.yml where I defined the volumes' paths: I added ./ to all volumes.
Now I have changed it back and /admin/ is working correctly.
But the WebSocket error is still here.
Also, right now I'm installing on another server that has external access, and I don't use a VPN,
but the WebSocket error is still alive.




app.js:3355 WebSocket connection to 'wss://taiga.domain.com/events' failed: Error during WebSocket handshake: Unexpected response code: 502
e.setupConnection @ app.js:3355
e @ lodash.js:4949
value @ elements.js:1
value @ elements.js:1
value @ elements.js:1
invoke @ elements.js:1
t.args.<computed> @ elements.js:1
angular.js:14195 WebSocket error: [object Event]

Tuesday, March 2, 2021 at 16:15:58 UTC+2, David Barragán:

David Barragán

Mar 2, 2021, 10:11:15 AM
to Дмитрий Вербецкий, taigaio
Try to review the logs; I have no idea why (and which) nginx is returning a 502 Bad Gateway error response.

Regards

Дмитрий Вербецкий

Mar 5, 2021, 1:24:01 PM
to David Barragán, taigaio
In the Nginx logs:
2021/03/03 09:37:01 [error] 1335542#1335542: *197 connect() failed (111: Connection refused) while connecting to upstream, client: 217.19.215.46, server: taiga.dom.com, request: "GET /events HTTP/1.1", upstream: "http://127.0.0.1:>
2021/03/03 09:37:02 [error] 1335542#1335542: *199 connect() failed (111: Connection refused) while connecting to upstream, client: 217.19.215.46, server: taiga.dom.com, request: "GET /events HTTP/1.1", upstream: "http://127.0.0.1:>
2021/03/03 09:37:02 [error] 1335542#1335542: *201 connect() failed (111: Connection refused) while connecting to upstream, client: 178.212.96.249, server: taiga.dom.com, request: "GET /events HTTP/1.1", upstream: "http://127.0.0.1>
....
Where 217.19.215.46 is my PC's IP and 178.212.96.249 is the AWS instance's IP.

By the way, there is a strange thing.
If I delete all containers, images and volumes and do a fresh install, then everything works fine. I can create a superuser via the CLI, then create a new project and wait some minutes to confirm that the WebSockets error doesn't appear in the console.
But if I run docker-compose down and start it back with docker-compose up -d, I see the WebSockets error immediately.
Can it be related?
Can anyone confirm the same?

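As an added example (not part of the thread), a small Python triage script for nginx error-log lines like the ones quoted above: it parses each line, pulls out the request path and upstream address, and counts "Connection refused" failures, which are what nginx turns into the 502 the browser shows for /events. The sample lines are constructed to match the quoted ones; the upstream port 9000 and the fourth line are assumptions, since the originals are cut off.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, shaped like the nginx error-log lines quoted in the thread.
# The quoted lines were truncated after "http://127.0.0.1:", so the port (9000,
# the taiga-gateway port from the posted config) and the last line are assumptions.
SAMPLE_LOG = """\
2021/03/03 09:37:01 [error] 1335542#1335542: *197 connect() failed (111: Connection refused) while connecting to upstream, client: 217.19.215.46, server: taiga.dom.com, request: "GET /events HTTP/1.1", upstream: "http://127.0.0.1:9000/events", host: "taiga.dom.com"
2021/03/03 09:37:02 [error] 1335542#1335542: *199 connect() failed (111: Connection refused) while connecting to upstream, client: 217.19.215.46, server: taiga.dom.com, request: "GET /events HTTP/1.1", upstream: "http://127.0.0.1:9000/events", host: "taiga.dom.com"
2021/03/03 09:37:02 [error] 1335542#1335542: *201 connect() failed (111: Connection refused) while connecting to upstream, client: 178.212.96.249, server: taiga.dom.com, request: "GET /events HTTP/1.1", upstream: "http://127.0.0.1:9000/events", host: "taiga.dom.com"
2021/03/03 09:37:05 [error] 1335542#1335542: *203 upstream prematurely closed connection while reading response header from upstream, client: 217.19.215.46, server: taiga.dom.com, request: "GET /api/v1/users/me HTTP/1.1", upstream: "http://127.0.0.1:9000/api/v1/users/me", host: "taiga.dom.com"
"""

# Standard nginx error-log layout: timestamp, level, pid#tid, *connection, message,
# then comma-separated context fields (client, server, request, upstream, ...).
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<msg>.*?), '
    r'client: (?P<client>\S+), server: (?P<server>\S+), '
    r'request: "(?P<method>\S+) (?P<path>\S+) [^"]*", '
    r'upstream: "(?P<upstream>[^"]+)"'
)


def parse_line(line):
    """Return a dict of fields for one upstream error line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["upstream_addr"] = urlsplit(rec["upstream"]).netloc  # e.g. 127.0.0.1:9000
    rec["reason"] = "refused" if "Connection refused" in rec["msg"] else "other"
    return rec


def summarize(log_text):
    """Count error lines per (request path, upstream address, failure reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "error":
            counts[(rec["path"], rec["upstream_addr"], rec["reason"])] += 1
    return counts


def diagnose(counts):
    """Turn the counts into one plain-language finding per failing path/upstream."""
    findings = []
    for (path, addr, reason), n in sorted(counts.items()):
        if reason == "refused":
            findings.append(f"{n}x {path}: nothing is listening on {addr} "
                            f"(nginx answers the client with 502)")
        else:
            findings.append(f"{n}x {path}: {addr} accepted the connection but failed mid-request")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print(finding)
```

A "Connection refused" upstream means the proxied port is closed on that host, so the next check is whether the container publishing that port is actually up (docker ps) rather than anything in the WebSocket headers.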
Marshalleq

Aug 1, 2021, 2:29:58 AM
to taigaio
This sounds like the same kind of problem I'm having. I feel for you. It seems to me that the Taiga folk haven't really figured out how to deal with reverse proxies well yet, despite saying it's a typical setup. I don't know, maybe that's too harsh, but there are an awful lot of questions about this and generally no answers of any substance. I am kinda holding back from saying things because I'm unsure about some stuff, but there is really definitely some weirdness. Over and over I can prove it works on port 443 unencrypted, but not on 90 or 9000. I don't know why; it makes no sense. They REALLY REALLY need to draw up an architecture diagram so people can see how it's meant to hang together, but nobody is listening :(. I've only been asking for nearly 2 years, I mean there's no rush.

In summary, a fantastic product, with a fantastic commitment by making it open source. But for one reason or another, some key things are missing, like clear documentation and a decent support forum. Who uses email support since 1990 anyway?

Yeah, I'm getting a bit grumpy about it all so I'll stop. Sorry Taiga folk, I don't mean to be one of those guys, but I am extremely frustrated by the lack of basic understanding of how your product is supposed to work despite repeated requests from multiple people.