Truecharts & Nginx

Super_Jojo

Hi, I am currently trying to deploy Cryptpad on Truenas Scale. I managed to make all work except the sandboxing domain and I struggle a lot with that because I don't know Nginx well. I am also using Nginx Proxy Manager on truenas scale (app).

I tried to reproduce the basic nginx conf given but can't add some parameters seen in this config because the gui of Nginx has no such fields and editing the file myself results in Nginx errors.

Here is my Nginx conf for the moment (I tried to implement all I could from the basic conf but my knowledge is quite limited here )

# ------------------------------------------------------------
# jojo-cryptpad.duckdns.org, jojo-sandbox-cryptpad.org
# ------------------------------------------------------------


server {
  set $forward_scheme http;
  set $server         "192.168.1.126";
  set $port           3000;

  listen 80;
#listen [::]:80;

listen 443 ssl http2;
#listen [::]:443;


  server_name jojo-cryptpad.duckdns.org jojo-sandbox-cryptpad.org;


  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-10/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-10/privkey.pem;






  # Block Exploits
  include conf.d/include/block-exploits.conf;



  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;





    # Force SSL
    include conf.d/include/force-ssl.conf;





  access_log /data/logs/proxy-host-11_access.log proxy;
  error_log /data/logs/proxy-host-11_error.log warn;



  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_pass       http://192.168.1.126:3000;

    

    
    
  # Block Exploits
  include conf.d/include/block-exploits.conf;

    
    # Force SSL
    include conf.d/include/force-ssl.conf;


    

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;





    


    proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size  150m;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection upgrade;
  }





  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}```

Here is the config.js :


/*  DISCLAIMER:

    There are two recommended methods of running a CryptPad instance:

    1. Using a standalone nodejs server without HTTPS (suitable for local development)
    2. Using NGINX to serve static assets and to handle HTTPS for API server's websocket traffic

    We do not officially recommend or support Apache, Docker, Kubernetes, Traefik, or any other configuration.
    Support requests for such setups should be directed to their authors.

    If you're having difficulty difficulty configuring your instance
    we suggest that you join the project's Matrix channel.

    If you don't have any difficulty configuring your instance and you'd like to
    support us for the work that went into making it pain-free we are quite happy
    to accept donations via our opencollective page: https://opencollective.com/cryptpad

*/
module.exports = {
/*  CryptPad is designed to serve its content over two domains.
 *  Account passwords and cryptographic content is handled on the 'main' domain,
 *  while the user interface is loaded on a 'sandbox' domain
 *  which can only access information which the main domain willingly shares.
 *
 *  In the event of an XSS vulnerability in the UI (that's bad)
 *  this system prevents attackers from gaining access to your account (that's good).
 *
 *  Most problems with new instances are related to this system blocking access
 *  because of incorrectly configured sandboxes. If you only see a white screen
 *  when you try to load CryptPad, this is probably the cause.
 *
 *  PLEASE READ THE FOLLOWING COMMENTS CAREFULLY.
 *
 */

/*  httpUnsafeOrigin is the URL that clients will enter to load your instance.
 *  Any other URL that somehow points to your instance is supposed to be blocked.
 *  The default provided below assumes you are loading CryptPad from a server
 *  which is running on the same machine, using port 3000.
 *
 *  In a production instance this should be available ONLY over HTTPS
 *  using the default port for HTTPS (443) ie. https://cryptpad.fr
 *  In such a case this should be also handled by NGINX, as documented in
 *  cryptpad/docs/example.nginx.conf (see the $main_domain variable)
 *
 */
    httpUnsafeOrigin: 'https://jojo-cryptpad.duckdns.org',

/*  httpSafeOrigin is the URL that is used for the 'sandbox' described above.
 *  If you're testing or developing with CryptPad on your local machine then
 *  it is appropriate to leave this blank. The default behaviour is to serve
 *  the main domain over port 3000 and to serve the sandbox content over port 3001.
 *
 *  This is not appropriate in a production environment where invasive networks
 *  may filter traffic going over abnormal ports.
 *  To correctly configure your production instance you must provide a URL
 *  with a different domain (a subdomain is sufficient).
 *  It will be used to load the UI in our 'sandbox' system.
 *
 *  This value corresponds to the $sandbox_domain variable
 *  in the example nginx file.
 *
 *  Note that in order for the sandboxing system to be effective
 *  httpSafeOrigin must be different from httpUnsafeOrigin.
 *
 *  CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
 */
  httpSafeOrigin: 'https://jojo-sandbox-cryptpad.duckdns.org',

/*  httpAddress specifies the address on which the nodejs server
 *  should be accessible. By default it will listen on 127.0.0.1
 *  (IPv4 localhost on most systems). If you want it to listen on
 *  all addresses, including IPv6, set this to '::'.
 *
 */
   httpAddress: '0.0.0.0',

/*  httpPort specifies on which port the nodejs server should listen.
 *  By default it will serve content over port 3000, which is suitable
 *  for both local development and for use with the provided nginx example,
 *  which will proxy websocket traffic to your node server.
 *
 */
  httpPort: 3000,

/*  httpSafePort allows you to specify an alternative port from which
 *  the node process should serve sandboxed assets. The default value is
 *  that of your httpPort + 1. You probably don't need to change this.
 *
 */
 // httpSafePort: 3001,

/*  CryptPad will launch a child process for every core available
 *  in order to perform CPU-intensive tasks in parallel.
 *  Some host environments may have a very large number of cores available
 *  or you may want to limit how much computing power CryptPad can take.
 *  If so, set 'maxWorkers' to a positive integer.
 */
    // maxWorkers: 4,

    /* =====================
     *         Admin
     * ===================== */

    /*
     *  CryptPad contains an administration panel. Its access is restricted to specific
     *  users using the following list.
     *  To give access to the admin panel to a user account, just add their public signing
     *  key, which can be found on the settings page for registered users.
     *  Entries should be strings separated by a comma.
     *  adminKeys: [
     *      "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
     *      "[cryptpad-user2@my.awesome.website/jA-9c5iNuG7SyxzGCjwJXVnk5NPfAOO8fQuQ0dC83RE=]",
     *  ]
     *
     */
    adminKeys: [
        "[super_jojo@jojo-cryptpad.duckdns.org/LFkXztqZ8BgK2YpZHsPCxSHAHFKnDXwXhjSiwP1RQlc=]",
    ],

    /* =====================
     *        STORAGE
     * ===================== */

    /*  Pads that are not 'pinned' by any registered user can be set to expire
     *  after a configurable number of days of inactivity (default 90 days).
     *  The value can be changed or set to false to remove expiration.
     *  Expired pads can then be removed using a cron job calling the
     *  `evict-inactive.js` script with node
     *
     *  defaults to 90 days if nothing is provided
     */
    //inactiveTime: 90, // days

    /*  CryptPad archives some data instead of deleting it outright.
     *  This archived data still takes up space and so you'll probably still want to
     *  remove these files after a brief period.
     *
     *  cryptpad/scripts/evict-inactive.js is intended to be run daily
     *  from a crontab or similar scheduling service.
     *
     *  The intent with this feature is to provide a safety net in case of accidental
     *  deletion. Set this value to the number of days you'd like to retain
     *  archived data before it's removed permanently.
     *
     *  defaults to 15 days if nothing is provided
     */
    //archiveRetentionTime: 15,

    /*  It's possible to configure your instance to remove data
     *  stored on behalf of inactive accounts. Set 'accountRetentionTime'
     *  to the number of days an account can remain idle before its
     *  documents and other account data is removed.
     *
     *  Leave this value commented out to preserve all data stored
     *  by user accounts regardless of inactivity.
     */
     //accountRetentionTime: 365,

    /*  Starting with CryptPad 3.23.0, the server automatically runs
     *  the script responsible for removing inactive data according to
     *  your configured definition of inactivity. Set this value to `true`
     *  if you prefer not to remove inactive data, or if you prefer to
     *  do so manually using `scripts/evict-inactive.js`.
     */
    //disableIntegratedEviction: true,


    /*  Max Upload Size (bytes)
     *  this sets the maximum size of any one file uploaded to the server.
     *  anything larger than this size will be rejected
     *  defaults to 20MB if no value is provided
     */
    //maxUploadSize: 20 * 1024 * 1024,

    /*  Users with premium accounts (those with a plan included in their customLimit)
     *  can benefit from an increased upload size limit. By default they are restricted to the same
     *  upload size as any other registered user.
     *
     */
    //premiumUploadSize: 100 * 1024 * 1024,

    /* =====================
     *   DATABASE VOLUMES
     * ===================== */

    /*
     *  CryptPad stores each document in an individual file on your hard drive.
     *  Specify a directory where files should be stored.
     *  It will be created automatically if it does not already exist.
     */
    filePath: './datastore/',

    /*  CryptPad offers the ability to archive data for a configurable period
     *  before deleting it, allowing a means of recovering data in the event
     *  that it was deleted accidentally.
     *
     *  To set the location of this archive directory to a custom value, change
     *  the path below:
     */
    archivePath: './data/archive',

    /*  CryptPad allows logged in users to request that particular documents be
     *  stored by the server indefinitely. This is called 'pinning'.
     *  Pin requests are stored in a pin-store. The location of this store is
     *  defined here.
     */
    pinPath: './data/pins',

    /*  if you would like the list of scheduled tasks to be stored in
        a custom location, change the path below:
    */
    taskPath: './data/tasks',

    /*  if you would like users' authenticated blocks to be stored in
        a custom location, change the path below:
    */
    blockPath: './block',

    /*  CryptPad allows logged in users to upload encrypted files. Files/blobs
     *  are stored in a 'blob-store'. Set its location here.
     */
    blobPath: './blob',

    /*  CryptPad stores incomplete blobs in a 'staging' area until they are
     *  fully uploaded. Set its location here.
     */
    blobStagingPath: './data/blobstage',

    decreePath: './data/decrees',

    /* CryptPad supports logging events directly to the disk in a 'logs' directory
     * Set its location here, or set it to false (or nothing) if you'd rather not log
     */
    logPath: './data/logs',

    /* =====================
     *       Debugging
     * ===================== */

    /*  CryptPad can log activity to stdout
     *  This may be useful for debugging
     */
    logToStdout: false,

    /* CryptPad can be configured to log more or less
     * the various settings are listed below by order of importance
     *
     * silly, verbose, debug, feedback, info, warn, error
     *
     * Choose the least important level of logging you wish to see.
     * For example, a 'silly' logLevel will display everything,
     * while 'info' will display 'info', 'warn', and 'error' logs
     *
     * This will affect both logging to the console and the disk.
     */
    logLevel: 'info',

    /*  clients can use the /settings/ app to opt out of usage feedback
     *  which informs the server of things like how much each app is being
     *  used, and whether certain clientside features are supported by
     *  the client's browser. The intent is to provide feedback to the admin
     *  such that the service can be improved. Enable this with `true`
     *  and ignore feedback with `false` or by commenting the attribute
     *
     *  You will need to set your logLevel to include 'feedback'. Set this
     *  to false if you'd like to exclude feedback from your logs.
     */
    logFeedback: false,

    /*  CryptPad supports verbose logging
     *  (false by default)
     */
    verbose: false,

    /*  Surplus information:
     *
     *  'installMethod' is included in server telemetry to voluntarily
     *  indicate how many instances are using unofficial installation methods
     *  such as Docker.
     *
     */
    installMethod: 'docker',
};```

I know I doing this wrong but I am really willing to learn. What should I do to have the sandboxing domain working ? Thanks a lot.

Super_Jojo

So I made progress, here is now my nginx config :

# ------------------------------------------------------------
# jojo-cryptpad.duckdns.org jojo-sandbox-cryptpad.duckdns.org
# ------------------------------------------------------------


server {
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;

    # Let's Encrypt webroot
    #include letsencrypt-webroot;

    # CryptPad serves static assets over these two domains.
    # `your-main-domain` is what users will enter in their address bar.
    # Privileged computation such as key management is handled in this scope
    # UI content is loaded via the `your-sandbox-domain`.
    # "Content Security Policy" headers prevent content loaded via the sandbox
    # from accessing privileged information.
    # This setup allows to take advantage of CryptPad's sandboxing techniques.
    # In the event of an XSS vulnerability in CryptPad's front-end code
    # this will limit the amount of information accessible to attackers.
    server_name jojo-cryptpad.duckdns.org jojo-sandbox-cryptpad.duckdns.org;

    # You'll need to Set the path to your certificates and keys here
    # IMPORTANT: this config is intended to serve assets for at least two domains
    # (your main domain and your sandbox domain). As such, you'll need to generate a single SSL certificate
    # that includes both domains in order for things to work as expected.
    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-ciphers.conf;
    ssl_certificate /etc/letsencrypt/live/npm-10/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-10/privkey.pem;

    # diffie-hellman parameters are used to negotiate keys for your session
    # generate strong parameters using the following command
   # ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096

    # Speeds things up a little bit when resuming a session
    #ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    #ssl_protocols TLSv1.2 TLSv1.3;
    #ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    #ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # replace with the IP address of your resolver
    resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220;

    location / {
        proxy_pass            http://192.168.1.126:3000;
        proxy_set_header      X-Real-IP $remote_addr;
        proxy_set_header      Host $host;
        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size  150m;

        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection upgrade;
    }
}

Some of the parameters from the default config where already included in both includes so I commented them, but one is missing because I don't seem to have the file dhparam.pem. I don't really know if it is the cause of the following errors.

The site now (seems to) work with the sandboxing but I am now getting some errors on the checkup page :
the tests 9,12,13,24,25,27 are flagged as failed. I notice most of them are mentioning "incorrect Content-Security-Policy headers". What have I made wrong ?

Mathilde

That's some progress, congrats for fixing these issues. Now you need to figure out what is happening with your reverse proxy.

The websocket errors showing up in your /checkup/ page could indicate a problem with your Nginx Proxy Manager configuration. The settings you made there seems correct:

Super_Jojo

If they still are, what about the application itself? Is CryptPad properly running? What are your machine logs are telling you? CryptPad is also logging information in the data/logs directory.

Mathilde

Hello @Super_Jojo,

Welcome to our community forum!

Accessing your instance I realized that you are running CryptPad version 5.2.1. Most (if not all) errors you are facing now have been fixed in recent releases.

v5.2.1 is not supported, it's outdated, very likely unsecure and shouldn't be used. Please deploy our latest version instead. But as indicated in our release notes, follow the upgrade instructions for precedent versions as well:

Begin with v5.3.0
Continue with v5.4.0
Same for v5.4.1
And then apply v5.5.0

Hope this helps!

Super_Jojo

Mathilde Thanks a lot, I noticed that my version was way behind. Currently, I use truecharts to deploy this app, so I might be stuck with this version because it is the latest available there. I will investigate if it is possible for me to upgrade manually without breaking everything.

Mathilde

Thank you for mentioning it, I wasn't aware of this CryptPad distribution:

In its current state it should indeed be considered broken and insecure. Using CryptPad based on this shouldn't be recommended to anyone except for local testing.

Super_Jojo

Mathilde Hello, I mentioned to the Truecharts team that the version was out of date and they updated it to version 5.5.0. In order to test it, I created a fresh new instance with only basic config. While I can access the main page and the checkup page tells me the version is the right one, I get stuck when creating an account or any document.

Here is the config.js actually in use in the new test instance :

root@cryptpadserver-5b5cd84747-5lqbd:/cryptpad/config# cat config.js 
/* globals module */

/*  DISCLAIMER:

    There are two recommended methods of running a CryptPad instance:

    1. Using a standalone nodejs server without HTTPS (suitable for local development)
    2. Using NGINX to serve static assets and to handle HTTPS for API server's websocket traffic

    We do not officially recommend or support Apache, Docker, Kubernetes, Traefik, or any other configuration.
    Support requests for such setups should be directed to their authors.

    If you're having difficulty difficulty configuring your instance
    we suggest that you join the project's Matrix channel.

    If you don't have any difficulty configuring your instance and you'd like to
    support us for the work that went into making it pain-free we are quite happy
    to accept donations via our opencollective page: https://opencollective.com/cryptpad

*/
module.exports = {
/*  CryptPad is designed to serve its content over two domains.
 *  Account passwords and cryptographic content is handled on the 'main' domain,
 *  while the user interface is loaded on a 'sandbox' domain
 *  which can only access information which the main domain willingly shares.
 *
 *  In the event of an XSS vulnerability in the UI (that's bad)
 *  this system prevents attackers from gaining access to your account (that's good).
 *
 *  Most problems with new instances are related to this system blocking access
 *  because of incorrectly configured sandboxes. If you only see a white screen
 *  when you try to load CryptPad, this is probably the cause.
 *
 *  PLEASE READ THE FOLLOWING COMMENTS CAREFULLY.
 *
 */

/*  httpUnsafeOrigin is the URL that clients will enter to load your instance.
 *  Any other URL that somehow points to your instance is supposed to be blocked.
 *  The default provided below assumes you are loading CryptPad from a server
 *  which is running on the same machine, using port 3000.
 *
 *  In a production instance this should be available ONLY over HTTPS
 *  using the default port for HTTPS (443) ie. https://cryptpad.fr
 *  In such a case this should be also handled by NGINX, as documented in
 *  cryptpad/docs/example.nginx.conf (see the $main_domain variable)
 *
 */
    httpUnsafeOrigin: 'http://192.168.1.126:3000',

/*  httpSafeOrigin is the URL that is used for the 'sandbox' described above.
 *  If you're testing or developing with CryptPad on your local machine then
 *  it is appropriate to leave this blank. The default behaviour is to serve
 *  the main domain over port 3000 and to serve the sandbox content over port 3001.
 *
 *  This is not appropriate in a production environment where invasive networks
 *  may filter traffic going over abnormal ports.
 *  To correctly configure your production instance you must provide a URL
 *  with a different domain (a subdomain is sufficient).
 *  It will be used to load the UI in our 'sandbox' system.
 *
 *  This value corresponds to the $sandbox_domain variable
 *  in the example nginx file.
 *
 *  Note that in order for the sandboxing system to be effective
 *  httpSafeOrigin must be different from httpUnsafeOrigin.
 *
 *  CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
 */
    // httpSafeOrigin: "https://some-other-domain.xyz",

/*  httpAddress specifies the address on which the nodejs server
 *  should be accessible. By default it will listen on 127.0.0.1
 *  (IPv4 localhost on most systems). If you want it to listen on
 *  all addresses, including IPv6, set this to '::'.
 *
 */
    httpAddress: '0.0.0.0',

/*  httpPort specifies on which port the nodejs server should listen.
 *  By default it will serve content over port 3000, which is suitable
 *  for both local development and for use with the provided nginx example,
 *  which will proxy websocket traffic to your node server.
 *
 */
    httpPort: 3000,

/*  httpSafePort allows you to specify an alternative port from which
 *  the node process should serve sandboxed assets. The default value is
 *  that of your httpPort + 1. You probably don't need to change this.
 *
 */
    //httpSafePort: 3001,

/*  Websockets need to be exposed on a separate port from the rest of
 *  the platform's HTTP traffic. Port 3003 is used by default.
 *  You can change this to a different port if it is in use by a
 *  different service, but under most circumstances you can leave this
 *  commented and it will work.
 *
 *  In production environments, your reverse proxy (usually NGINX)
 *  will need to forward websocket traffic (/cryptpad_websocket)
 *  to this port.
 *
 */
    // websocketPort: 3003,

/*  CryptPad will launch a child process for every core available
 *  in order to perform CPU-intensive tasks in parallel.
 *  Some host environments may have a very large number of cores available
 *  or you may want to limit how much computing power CryptPad can take.
 *  If so, set 'maxWorkers' to a positive integer.
 */
    // maxWorkers: 4,

    /* =====================
     *         Admin
     * ===================== */

    /*
     *  CryptPad contains an administration panel. Its access is restricted to specific
     *  users using the following list.
     *  To give access to the admin panel to a user account, just add their public signing
     *  key, which can be found on the settings page for registered users.
     *  Entries should be strings separated by a comma.
     *  adminKeys: [
     *      "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
     *      "[cryptpad-user2@my.awesome.website/jA-9c5iNuG7SyxzGCjwJXVnk5NPfAOO8fQuQ0dC83RE=]",
     *  ]
     *
     */
    adminKeys: [

    ],

    /* =====================
     *        STORAGE
     * ===================== */

    /*  Pads that are not 'pinned' by any registered user can be set to expire
     *  after a configurable number of days of inactivity (default 90 days).
     *  The value can be changed or set to false to remove expiration.
     *  Expired pads can then be removed using a cron job calling the
     *  `evict-inactive.js` script with node
     *
     *  defaults to 90 days if nothing is provided
     */
    //inactiveTime: 90, // days

    /*  CryptPad archives some data instead of deleting it outright.
     *  This archived data still takes up space and so you'll probably still want to
     *  remove these files after a brief period.
     *
     *  cryptpad/scripts/evict-inactive.js is intended to be run daily
     *  from a crontab or similar scheduling service.
     *
     *  The intent with this feature is to provide a safety net in case of accidental
     *  deletion. Set this value to the number of days you'd like to retain
     *  archived data before it's removed permanently.
     *
     *  defaults to 15 days if nothing is provided
     */
    //archiveRetentionTime: 15,

    /*  It's possible to configure your instance to remove data
     *  stored on behalf of inactive accounts. Set 'accountRetentionTime'
     *  to the number of days an account can remain idle before its
     *  documents and other account data is removed.
     *
     *  Leave this value commented out to preserve all data stored
     *  by user accounts regardless of inactivity.
     */
     //accountRetentionTime: 365,

    /*  Starting with CryptPad 3.23.0, the server automatically runs
     *  the script responsible for removing inactive data according to
     *  your configured definition of inactivity. Set this value to `true`
     *  if you prefer not to remove inactive data, or if you prefer to
     *  do so manually using `scripts/evict-inactive.js`.
     */
    //disableIntegratedEviction: true,


    /*  Max Upload Size (bytes)
     *  this sets the maximum size of any one file uploaded to the server.
     *  anything larger than this size will be rejected
     *  defaults to 20MB if no value is provided
     */
    //maxUploadSize: 20 * 1024 * 1024,

    /*  Users with premium accounts (those with a plan included in their customLimit)
     *  can benefit from an increased upload size limit. By default they are restricted to the same
     *  upload size as any other registered user.
     *
     */
    //premiumUploadSize: 100 * 1024 * 1024,

    /* =====================
     *   DATABASE VOLUMES
     * ===================== */

    /*
     *  CryptPad stores each document in an individual file on your hard drive.
     *  Specify a directory where files should be stored.
     *  It will be created automatically if it does not already exist.
     */
    filePath: './datastore/',

    /*  CryptPad offers the ability to archive data for a configurable period
     *  before deleting it, allowing a means of recovering data in the event
     *  that it was deleted accidentally.
     *
     *  To set the location of this archive directory to a custom value, change
     *  the path below:
     */
    archivePath: './data/archive',

    /*  CryptPad allows logged in users to request that particular documents be
     *  stored by the server indefinitely. This is called 'pinning'.
     *  Pin requests are stored in a pin-store. The location of this store is
     *  defined here.
     */
    pinPath: './data/pins',

    /*  if you would like the list of scheduled tasks to be stored in
        a custom location, change the path below:
    */
    taskPath: './data/tasks',

    /*  if you would like users' authenticated blocks to be stored in
        a custom location, change the path below:
    */
    blockPath: './block',

    /*  CryptPad allows logged in users to upload encrypted files. Files/blobs
     *  are stored in a 'blob-store'. Set its location here.
     */
    blobPath: './blob',

    /*  CryptPad stores incomplete blobs in a 'staging' area until they are
     *  fully uploaded. Set its location here.
     */
    blobStagingPath: './data/blobstage',

    decreePath: './data/decrees',

    /* CryptPad supports logging events directly to the disk in a 'logs' directory
     * Set its location here, or set it to false (or nothing) if you'd rather not log
     */
    logPath: './data/logs',

    /* =====================
     *       Debugging
     * ===================== */

    /*  CryptPad can log activity to stdout
     *  This may be useful for debugging
     */
    logToStdout: false,

    /* CryptPad can be configured to log more or less
     * the various settings are listed below by order of importance
     *
     * silly, verbose, debug, feedback, info, warn, error
     *
     * Choose the least important level of logging you wish to see.
     * For example, a 'silly' logLevel will display everything,
     * while 'info' will display 'info', 'warn', and 'error' logs
     *
     * This will affect both logging to the console and the disk.
     */
    logLevel: 'info',

    /*  clients can use the /settings/ app to opt out of usage feedback
     *  which informs the server of things like how much each app is being
     *  used, and whether certain clientside features are supported by
     *  the client's browser. The intent is to provide feedback to the admin
     *  such that the service can be improved. Enable this with `true`
     *  and ignore feedback with `false` or by commenting the attribute
     *
     *  You will need to set your logLevel to include 'feedback'. Set this
     *  to false if you'd like to exclude feedback from your logs.
     */
    logFeedback: false,

    /*  CryptPad supports verbose logging
     *  (false by default)
     */
    verbose: false,

    /*  Surplus information:
     *
     *  'installMethod' is included in server telemetry to voluntarily
     *  indicate how many instances are using unofficial installation methods
     *  such as Docker.
     *
     */
    installMethod: 'docker',
};

Here is where I get stuck : Image description

I dont know if this is useful : Image description

I don't know if the issue is with my cryptpad config or with the update itself, is there anything I can do ? Thanks a lot.

Mathilde

Hello,

Accessing your instance is working, it gets me to this page:

Screenshot of Jojo's instance

However, your instance is misconfigured. Try creating a Rich Text document by clicking on its icon on the right:

Create a Rich Text document on Jojo's instance

You'll see the quite self explanatory error:

Error message of Jojo's instance, this page can only be accessed by http://192.168.1.126:3000

Reading our administrator guide's configuration section you'll see that you must specify two domains in the config.js file.

It's also explained directly into the file itself, lines 43 to 46:

In a production instance this should be available ONLY over HTTPS
using the default port for HTTPS (443) ie. https://cryptpad.fr
In such a case this should be also handled by NGINX, as documented in
cryptpad/docs/example.nginx.conf (see the $main_domain variable)

In your case, the httpUnsafeOrigin value should be: https://jojo-cryptpad.duckdns.org. This without any port mentioned, it's handled by your reverse proxy.

Note that as indicated in the administrator guide and the configuration file itself it's required to have a second domain for the sandboxing functionality of the app. Otherwise your instance is insecure and it makes no sense to use a privacy solution like CryptPad in the end.

Also, as mentioned in the domain section of our administration guide, take good care of "generate one TLS certificate that covers both domains". jojo-cryptpad.duckdns.org, and (for example)jojo-cryptpad-sandbox.duckdns.org should be on the same single TLS certificate.

Hope this helps!

Super_Jojo

Mathilde Yeah I know, but I wanted to created a basic not production instance to test why it didn't work. Here on this instance I have now put the same config.js than before but the issue is still the same. It might be that I missconfigured it but it was working-ish with the previous version and is now not working anymore.

Just to clarify, here is the current config.js :

super_jojo@truenas:/mnt/Safe/Apps_Data/CryptPadServer/config$ cat config.js 
/* globals module */

/*  DISCLAIMER:

    There are two recommended methods of running a CryptPad instance:

    1. Using a standalone nodejs server without HTTPS (suitable for local development)
    2. Using NGINX to serve static assets and to handle HTTPS for API server's websocket traffic

    We do not officially recommend or support Apache, Docker, Kubernetes, Traefik, or any other configuration.
    Support requests for such setups should be directed to their authors.

    If you're having difficulty difficulty configuring your instance
    we suggest that you join the project's Matrix channel.

    If you don't have any difficulty configuring your instance and you'd like to
    support us for the work that went into making it pain-free we are quite happy
    to accept donations via our opencollective page: https://opencollective.com/cryptpad

*/
module.exports = {
/*  CryptPad is designed to serve its content over two domains.
 *  Account passwords and cryptographic content is handled on the 'main' domain,
 *  while the user interface is loaded on a 'sandbox' domain
 *  which can only access information which the main domain willingly shares.
 *
 *  In the event of an XSS vulnerability in the UI (that's bad)
 *  this system prevents attackers from gaining access to your account (that's good).
 *
 *  Most problems with new instances are related to this system blocking access
 *  because of incorrectly configured sandboxes. If you only see a white screen
 *  when you try to load CryptPad, this is probably the cause.
 *
 *  PLEASE READ THE FOLLOWING COMMENTS CAREFULLY.
 *
 */

/*  httpUnsafeOrigin is the URL that clients will enter to load your instance.
 *  Any other URL that somehow points to your instance is supposed to be blocked.
 *  The default provided below assumes you are loading CryptPad from a server
 *  which is running on the same machine, using port 3000.
 *
 *  In a production instance this should be available ONLY over HTTPS
 *  using the default port for HTTPS (443) ie. https://cryptpad.fr
 *  In such a case this should be also handled by NGINX, as documented in
 *  cryptpad/docs/example.nginx.conf (see the $main_domain variable)
 *
 */
    httpUnsafeOrigin: 'https://jojo-cryptpad.duckdns.org',

/*  httpSafeOrigin is the URL that is used for the 'sandbox' described above.
 *  If you're testing or developing with CryptPad on your local machine then
 *  it is appropriate to leave this blank. The default behaviour is to serve
 *  the main domain over port 3000 and to serve the sandbox content over port 3001.
 *
 *  This is not appropriate in a production environment where invasive networks
 *  may filter traffic going over abnormal ports.
 *  To correctly configure your production instance you must provide a URL
 *  with a different domain (a subdomain is sufficient).
 *  It will be used to load the UI in our 'sandbox' system.
 *
 *  This value corresponds to the $sandbox_domain variable
 *  in the example nginx file.
 *
 *  Note that in order for the sandboxing system to be effective
 *  httpSafeOrigin must be different from httpUnsafeOrigin.
 *
 *  CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
 */
  httpSafeOrigin: 'https://jojo-sandbox-cryptpad.duckdns.org',

/*  httpAddress specifies the address on which the nodejs server
 *  should be accessible. By default it will listen on 127.0.0.1
 *  (IPv4 localhost on most systems). If you want it to listen on
 *  all addresses, including IPv6, set this to '::'.
 *
 */
   httpAddress: '0.0.0.0',

/*  httpPort specifies on which port the nodejs server should listen.
 *  By default it will serve content over port 3000, which is suitable
 *  for both local development and for use with the provided nginx example,
 *  which will proxy websocket traffic to your node server.
 *
 */
  httpPort: 3000,

/*  httpSafePort allows you to specify an alternative port from which
 *  the node process should serve sandboxed assets. The default value is
 *  that of your httpPort + 1. You probably don't need to change this.
 *
 */
 // httpSafePort: 3001,

/*  CryptPad will launch a child process for every core available
 *  in order to perform CPU-intensive tasks in parallel.
 *  Some host environments may have a very large number of cores available
 *  or you may want to limit how much computing power CryptPad can take.
 *  If so, set 'maxWorkers' to a positive integer.
 */
    // maxWorkers: 4,

    /* =====================
     *         Admin
     * ===================== */

    /*
     *  CryptPad contains an administration panel. Its access is restricted to specific
     *  users using the following list.
     *  To give access to the admin panel to a user account, just add their public signing
     *  key, which can be found on the settings page for registered users.
     *  Entries should be strings separated by a comma.
     *  adminKeys: [
     *      "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
     *      "[cryptpad-user2@my.awesome.website/jA-9c5iNuG7SyxzGCjwJXVnk5NPfAOO8fQuQ0dC83RE=]",
     *  ]
     *
     */
    adminKeys: [
        "[super_jojo@jojo-cryptpad.duckdns.org/LFkXztqZ8BgK2YpZHsPCxSHAHFKnDXwXhjSiwP1RQlc=]",
    ],

    /* =====================
     *        STORAGE
     * ===================== */

    /*  Pads that are not 'pinned' by any registered user can be set to expire
     *  after a configurable number of days of inactivity (default 90 days).
     *  The value can be changed or set to false to remove expiration.
     *  Expired pads can then be removed using a cron job calling the
     *  `evict-inactive.js` script with node
     *
     *  defaults to 90 days if nothing is provided
     */
    //inactiveTime: 90, // days

    /*  CryptPad archives some data instead of deleting it outright.
     *  This archived data still takes up space and so you'll probably still want to
     *  remove these files after a brief period.
     *
     *  cryptpad/scripts/evict-inactive.js is intended to be run daily
     *  from a crontab or similar scheduling service.
     *
     *  The intent with this feature is to provide a safety net in case of accidental
     *  deletion. Set this value to the number of days you'd like to retain
     *  archived data before it's removed permanently.
     *
     *  defaults to 15 days if nothing is provided
     */
    //archiveRetentionTime: 15,

    /*  It's possible to configure your instance to remove data
     *  stored on behalf of inactive accounts. Set 'accountRetentionTime'
     *  to the number of days an account can remain idle before its
     *  documents and other account data is removed.
     *
     *  Leave this value commented out to preserve all data stored
     *  by user accounts regardless of inactivity.
     */
     //accountRetentionTime: 365,

    /*  Starting with CryptPad 3.23.0, the server automatically runs
     *  the script responsible for removing inactive data according to
     *  your configured definition of inactivity. Set this value to `true`
     *  if you prefer not to remove inactive data, or if you prefer to
     *  do so manually using `scripts/evict-inactive.js`.
     */
    //disableIntegratedEviction: true,


    /*  Max Upload Size (bytes)
     *  this sets the maximum size of any one file uploaded to the server.
     *  anything larger than this size will be rejected
     *  defaults to 20MB if no value is provided
     */
    //maxUploadSize: 20 * 1024 * 1024,

    /*  Users with premium accounts (those with a plan included in their customLimit)
     *  can benefit from an increased upload size limit. By default they are restricted to the same
     *  upload size as any other registered user.
     *
     */
    //premiumUploadSize: 100 * 1024 * 1024,

    /* =====================
     *   DATABASE VOLUMES
     * ===================== */

    /*
     *  CryptPad stores each document in an individual file on your hard drive.
     *  Specify a directory where files should be stored.
     *  It will be created automatically if it does not already exist.
     */
    filePath: './datastore/',

    /*  CryptPad offers the ability to archive data for a configurable period
     *  before deleting it, allowing a means of recovering data in the event
     *  that it was deleted accidentally.
     *
     *  To set the location of this archive directory to a custom value, change
     *  the path below:
     */
    archivePath: './data/archive',

    /*  CryptPad allows logged in users to request that particular documents be
     *  stored by the server indefinitely. This is called 'pinning'.
     *  Pin requests are stored in a pin-store. The location of this store is
     *  defined here.
     */
    pinPath: './data/pins',

    /*  if you would like the list of scheduled tasks to be stored in
        a custom location, change the path below:
    */
    taskPath: './data/tasks',

    /*  if you would like users' authenticated blocks to be stored in
        a custom location, change the path below:
    */
    blockPath: './block',

    /*  CryptPad allows logged in users to upload encrypted files. Files/blobs
     *  are stored in a 'blob-store'. Set its location here.
     */
    blobPath: './blob',

    /*  CryptPad stores incomplete blobs in a 'staging' area until they are
     *  fully uploaded. Set its location here.
     */
    blobStagingPath: './data/blobstage',

    decreePath: './data/decrees',

    /* CryptPad supports logging events directly to the disk in a 'logs' directory
     * Set its location here, or set it to false (or nothing) if you'd rather not log
     */
    logPath: './data/logs',

    /* =====================
     *       Debugging
     * ===================== */

    /*  CryptPad can log activity to stdout
     *  This may be useful for debugging
     */
    logToStdout: false,

    /* CryptPad can be configured to log more or less
     * the various settings are listed below by order of importance
     *
     * silly, verbose, debug, feedback, info, warn, error
     *
     * Choose the least important level of logging you wish to see.
     * For example, a 'silly' logLevel will display everything,
     * while 'info' will display 'info', 'warn', and 'error' logs
     *
     * This will affect both logging to the console and the disk.
     */
    logLevel: 'info',

    /*  clients can use the /settings/ app to opt out of usage feedback
     *  which informs the server of things like how much each app is being
     *  used, and whether certain clientside features are supported by
     *  the client's browser. The intent is to provide feedback to the admin
     *  such that the service can be improved. Enable this with `true`
     *  and ignore feedback with `false` or by commenting the attribute
     *
     *  You will need to set your logLevel to include 'feedback'. Set this
     *  to false if you'd like to exclude feedback from your logs.
     */
    logFeedback: false,

    /*  CryptPad supports verbose logging
     *  (false by default)
     */
    verbose: false,

    /*  Surplus information:
     *
     *  'installMethod' is included in server telemetry to voluntarily
     *  indicate how many instances are using unofficial installation methods
     *  such as Docker.
     *
     */
    installMethod: 'docker',
};

Thanks for all your responses.

Super_Jojo

Mathilde Thanks a lot for your response. Here are the logs I have on my app :

2023-11-22 10:14:00.844118+01:00> cryptpad@5.5.0 build
2023-11-22 10:14:00.844126+01:00> node scripts/build.js
2023-11-22 10:14:00.844132+01:002023-11-22T10:14:00.844132517+01:00
2023-11-22 10:14:00.930786+01:00Creating target directories
2023-11-22 10:14:00.931703+01:00Parsing /cryptpad/www/sheet/index.html
2023-11-22 10:14:00.932604+01:00Creating ./www/sheet/index.html
2023-11-22 10:14:00.933369+01:002023-11-22T10:14:00.933369056+01:00
2023-11-22 10:14:00.933395+01:00Parsing /cryptpad/www/doc/index.html
2023-11-22 10:14:00.933651+01:00Creating ./www/doc/index.html
2023-11-22 10:14:00.933867+01:002023-11-22T10:14:00.933867822+01:00
2023-11-22 10:14:00.933883+01:00Parsing /cryptpad/www/presentation/index.html
2023-11-22 10:14:00.934191+01:00Creating ./www/presentation/index.html
2023-11-22 10:14:00.934408+01:002023-11-22T10:14:00.934408665+01:00
2023-11-22 10:14:00.934424+01:00Parsing /cryptpad/www/pad/index.html
2023-11-22 10:14:00.934639+01:00Creating ./www/pad/index.html
2023-11-22 10:14:00.934835+01:002023-11-22T10:14:00.934835370+01:00
2023-11-22 10:14:00.934855+01:00Parsing /cryptpad/www/kanban/index.html
2023-11-22 10:14:00.935150+01:00Creating ./www/kanban/index.html
2023-11-22 10:14:00.935348+01:002023-11-22T10:14:00.935348829+01:00
2023-11-22 10:14:00.935363+01:00Parsing /cryptpad/www/code/index.html
2023-11-22 10:14:00.935678+01:00Creating ./www/code/index.html
2023-11-22 10:14:00.935888+01:002023-11-22T10:14:00.935888309+01:00
2023-11-22 10:14:00.935924+01:00Parsing /cryptpad/www/form/index.html
2023-11-22 10:14:00.936104+01:00Creating ./www/form/index.html
2023-11-22 10:14:00.936284+01:002023-11-22T10:14:00.936284550+01:00
2023-11-22 10:14:00.936476+01:00Parsing /cryptpad/www/poll/index.html
2023-11-22 10:14:00.936649+01:00Creating ./www/poll/index.html
2023-11-22 10:14:00.936821+01:002023-11-22T10:14:00.936821793+01:00
2023-11-22 10:14:00.936841+01:00Parsing /cryptpad/www/whiteboard/index.html
2023-11-22 10:14:00.937106+01:00Creating ./www/whiteboard/index.html
2023-11-22 10:14:00.937357+01:002023-11-22T10:14:00.937357954+01:00
2023-11-22 10:14:00.937379+01:00Parsing /cryptpad/www/diagram/index.html
2023-11-22 10:14:00.937579+01:00Creating ./www/diagram/index.html
2023-11-22 10:14:00.937833+01:002023-11-22T10:14:00.937833294+01:00
2023-11-22 10:14:00.937845+01:00Parsing /cryptpad/www/slide/index.html
2023-11-22 10:14:00.938103+01:00Creating ./www/slide/index.html
2023-11-22 10:14:00.938263+01:002023-11-22T10:14:00.938263579+01:00
2023-11-22 10:14:00.938371+01:00Parsing /cryptpad/www/file/index.html
2023-11-22 10:14:00.938584+01:00Creating ./www/file/index.html
2023-11-22 10:14:00.938769+01:002023-11-22T10:14:00.938769068+01:00
2023-11-22 10:14:00.938808+01:00Parsing /cryptpad/www/calendar/index.html
2023-11-22 10:14:00.939086+01:00Creating ./www/calendar/index.html
2023-11-22 10:14:00.939280+01:002023-11-22T10:14:00.939280798+01:00
2023-11-22 10:14:00.939302+01:00Parsing /cryptpad/www/drive/index.html
2023-11-22 10:14:00.939473+01:00Creating ./www/drive/index.html
2023-11-22 10:14:00.939660+01:002023-11-22T10:14:00.939660507+01:00
2023-11-22 10:14:00.939689+01:00Parsing /cryptpad/www/teams/index.html
2023-11-22 10:14:00.939874+01:00Creating ./www/teams/index.html
2023-11-22 10:14:00.940024+01:002023-11-22T10:14:00.940024373+01:00
2023-11-22 10:14:00.940044+01:00Parsing /cryptpad/www/contacts/index.html
2023-11-22 10:14:00.940194+01:00Creating ./www/contacts/index.html
2023-11-22 10:14:00.940432+01:002023-11-22T10:14:00.940432900+01:00
2023-11-22 10:14:00.940456+01:00Parsing /cryptpad/www/notifications/index.html
2023-11-22 10:14:00.940617+01:00Creating ./www/notifications/index.html
2023-11-22 10:14:00.940806+01:002023-11-22T10:14:00.940806533+01:00
2023-11-22 10:14:00.940826+01:00Parsing /cryptpad/www/checkup/index.html
2023-11-22 10:14:00.941251+01:00Creating ./www/checkup/index.html
2023-11-22 10:14:00.941416+01:002023-11-22T10:14:00.941416576+01:00
2023-11-22 10:14:00.941438+01:00Parsing /cryptpad/www/file/index.html
2023-11-22 10:14:00.941551+01:00Creating ./www/file/index.html
2023-11-22 10:14:00.942145+01:002023-11-22T10:14:00.942145387+01:00
2023-11-22 10:14:00.942163+01:00Parsing /cryptpad/www/profile/index.html
2023-11-22 10:14:00.942318+01:00Creating ./www/profile/index.html
2023-11-22 10:14:00.942483+01:002023-11-22T10:14:00.942483083+01:00
2023-11-22 10:14:00.942509+01:00Parsing /cryptpad/www/settings/index.html
2023-11-22 10:14:00.942691+01:00Creating ./www/settings/index.html
2023-11-22 10:14:00.942877+01:002023-11-22T10:14:00.942877320+01:00
2023-11-22 10:14:00.942895+01:00Parsing /cryptpad/www/support/index.html
2023-11-22 10:14:00.943057+01:00Creating ./www/support/index.html
2023-11-22 10:14:00.943219+01:002023-11-22T10:14:00.943219958+01:00
2023-11-22 10:14:00.943508+01:00Parsing ./www/register/index.html
2023-11-22 10:14:00.943772+01:00Creating ./www/register/index.html
2023-11-22 10:14:00.943929+01:002023-11-22T10:14:00.943929916+01:00
2023-11-22 10:14:00.943956+01:00Parsing ./www/login/index.html
2023-11-22 10:14:00.944120+01:00Creating ./www/login/index.html
2023-11-22 10:14:00.944430+01:002023-11-22T10:14:00.944430574+01:00
2023-11-22 10:14:00.944440+01:00Parsing ./customize.dist/contact.html
2023-11-22 10:14:00.944566+01:00Creating ./www/contact.html
2023-11-22 10:14:00.944753+01:002023-11-22T10:14:00.944753176+01:00
2023-11-22 10:14:00.944767+01:00Parsing ./customize.dist/features.html
2023-11-22 10:14:00.944894+01:00Creating ./www/features.html
2023-11-22 10:14:00.945059+01:002023-11-22T10:14:00.945059191+01:00
2023-11-22 10:14:00.945083+01:00Parsing ./customize.dist/index.html
2023-11-22 10:14:00.945189+01:00Creating ./www/index.html
2023-11-22 10:14:00.945355+01:002023-11-22T10:14:00.945355657+01:00
2023-11-22 10:14:00.945373+01:00Copying built files to target directory (/cryptpad/customize)
2023-11-22 10:14:00.952634+01:00Removing temporary build directory (/tmp/CRYPTPAD_TEMP_BUILD/)
2023-11-22 10:14:00.958233+01:00Successfully removed /tmp/CRYPTPAD_TEMP_BUILD/
2023-11-22 10:14:01.303173+01:002023-11-22T10:14:01.303173131+01:00
2023-11-22 10:14:01.303200+01:00> cryptpad@5.5.0 start
2023-11-22 10:14:01.303207+01:00> node server.js
2023-11-22 10:14:01.303213+01:002023-11-22T10:14:01.303213514+01:00

Here are (one of the ) cryptpads logs :

super_jojo@truenas:/mnt/Safe/Apps_Data/CryptPadServer/data/logs/23$ cat 232023-11-22T09\:14\:01.442Z.ndjson
["INFO","2023-11-22T09:14:01.445Z","WEBSERVER_LISTENING",{"origin":"https://jojo-cryptpad.duckdns.org/"}]
["INFO","2023-11-22T09:14:01.447Z","WEBSOCKET_LISTENING",{"port":3003}]
["INFO","2023-11-22T09:14:01.653Z","UPDATING_FRESH_KEY",1700644441653]
["INFO","2023-11-22T09:14:02.089Z","WORKER_ENV_UPDATE","Updating HTTP workers with latest state"]
["INFO","2023-11-22T09:14:02.147Z","WORKER_CACHE_FLUSH","Instructing HTTP workers to flush cache"]
["INFO","2023-11-22T09:14:02.884Z","SERVER_TELEMETRY",{"version":"5.5.0","installMethod":"docker","httpUnsafeOrigin":"https://jojo-cryptpad.duckdns.org","httpSafeOrigin":"https://jojo-sandbox-cryptpad.duckdns.org","consentToContact":false}]
["ERROR","2023-11-22T09:14:34.992Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:14:58.183Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:15:08.599Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:15:26.786Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:15:40.446Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:16:07.518Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:16:34.694Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:17:01.589Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:17:28.542Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:17:55.533Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:18:23.556Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:18:51.677Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:19:18.944Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:19:46.610Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:20:15.526Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:20:48.842Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:49:23.377Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T09:49:29.083Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T10:19:17.479Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T14:43:48.999Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T14:44:09.473Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T14:44:11.030Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
["ERROR","2023-11-22T14:44:38.215Z","HTTP_PROXY_MIDDLEWARE","[HPM] Error occurred while proxying request jojo-cryptpad.duckdns.org/cryptpad_websocket to undefined [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)"]
super_jojo@truenas:/mnt/Safe/Apps_Data/CryptPadServer/data/logs/23$

Here is my nginx conf :

super_jojo@truenas:/mnt/FastBoy/ix-applications/releases/nginx-proxy-manager/volumes/ix_volumes/data/nginx/proxy_host$ cat cryptpad.conf 
# ------------------------------------------------------------
# jojo-cryptpad.duckdns.org jojo-sandbox-cryptpad.duckdns.org
# ------------------------------------------------------------


server {
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;

    # Let's Encrypt webroot
    #include letsencrypt-webroot;

    # CryptPad serves static assets over these two domains.
    # `your-main-domain` is what users will enter in their address bar.
    # Privileged computation such as key management is handled in this scope
    # UI content is loaded via the `your-sandbox-domain`.
    # "Content Security Policy" headers prevent content loaded via the sandbox
    # from accessing privileged information.
    # This setup allows to take advantage of CryptPad's sandboxing techniques.
    # In the event of an XSS vulnerability in CryptPad's front-end code
    # this will limit the amount of information accessible to attackers.
    server_name jojo-cryptpad.duckdns.org jojo-sandbox-cryptpad.duckdns.org;

    # You'll need to Set the path to your certificates and keys here
    # IMPORTANT: this config is intended to serve assets for at least two domains
    # (your main domain and your sandbox domain). As such, you'll need to generate a single SSL certificate
    # that includes both domains in order for things to work as expected.
    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-ciphers.conf;
    ssl_certificate /etc/letsencrypt/live/npm-10/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-10/privkey.pem;

    # diffie-hellman parameters are used to negotiate keys for your session
    # generate strong parameters using the following command
   # ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096

    # Speeds things up a little bit when resuming a session
    #ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    #ssl_protocols TLSv1.2 TLSv1.3;
    #ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    #ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # replace with the IP address of your resolver
    resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220;

    location / {
        proxy_pass            http://192.168.1.126:3000;
        proxy_set_header      X-Real-IP $remote_addr;
        proxy_set_header      Host $host;
        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size  150m;

        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection upgrade;
    }
}

Mathilde

Thanks for the logs, again your Nginx configuration is valid and meets our requirements.

Your CryptPad installation being a non-official distribution, you might want to reach out to the maintainers of the project you use, Truecharts: https://github.com/truecharts/charts/tree/master/charts/incubator/cryptpad

As shown in the CryptPad logs you shared, your instance refuses to serve the websocket requests. It may be caused by a misconfiguration in their Helm chart setup (see the repository previously linked), or because the reverse proxy (Nginx Proxy Manager) you use isn't intended to be supported in the context of their project.

I'm afraid we reached the bottom of what debugging we can do together about your instance. To summarize:

Your config.js is valid
Your Nginx configuration file matches our recomendations
Websockets requests aren't received on the Nodejs app
It might be because the way "ingress" is supposed to be managed by Truecharts isn't using the same Nginx Proxy Manager setup as yours

Reach out to them and see what they think of it. I'm sure that if they are maintaining a CryptPad distribution there are at least a few of them using it. Good luck and don't hesitate to report back your findings!

Super_Jojo

Mathilde Thank you for all your answers, I forwarded this thread to the Truecharts team to let them know.