Hi,

I'm trying to use cryptpad with docker. Normally such things are not an issue for me, but with the original cryptpad container I'm not able to get it working.

config.js

    httpUnsafeOrigin: 'https://sub1.domain.tld',
    httpSafeOrigin: 'https://sub2.domain.tld',
    httpAddress: '0.0.0.0',
    httpPort: 3000,
    httpSafePort: 3001,
    websocketPort: 3003,
    adminKeys: [
        "[admin@domain/key]",
    ],
    filePath: './datastore/',
    archivePath: './data/archive',
    pinPath: './data/pins',
    taskPath: './data/tasks',
    blockPath: './block',
    blobPath: './blob',
    blobStagingPath: './data/blobstage',
    decreePath: './data/decrees',
    logPath: './data/logs',
    logToStdout: true,
    logLevel: 'info',
    logFeedback: false,
    verbose: false,
    installMethod: 'docker',
};

nginx-site.conf

As a reverse proxy I use nginx with the [basic example](https://github.com/cryptpad/cryptpad/blob/main/docs/example.nginx.conf), with small changes for the port 80 redirect and logging:

    server {
        listen          12.34.56.78:80;
        server_name     sub1.domain.tld;
        access_log      /.../sub1.domain.tld-access.log;
        error_log       /.../sub1.domain.tld-error.log;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen          12.34.56.78:443 ssl http2;
        access_log      /.../sub1.domain.tld-access.log;
        error_log       /.../sub1.domain.tld-error.log;

        server_name sub1.domain.tld sub2.domain.tld;

        ssl_certificate /.../certificate.pem;
        ssl_certificate_key /.../certificate.key;

        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_session_tickets off;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /.../certificate_fullchain.pem;

        location / {
            proxy_pass            http://127.0.0.1:3000;
            proxy_set_header      X-Real-IP $remote_addr;
            proxy_set_header      Host $host;
            proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
            client_max_body_size  150m;
            proxy_http_version    1.1;
            proxy_set_header      Upgrade $http_upgrade;
            proxy_set_header      Connection upgrade;
        }
    }

docker-compose.yml:

Docker is deployed with docker-compose:

version: '3.8'

services:
  cryptpad:
    image: "cryptpad/cryptpad:version-5.6.0"
    container_name: sub1.domain.tld
    hostname: cryptpad

    environment:
      - CPAD_MAIN_DOMAIN=https://sub1.domain.tld
      - CPAD_SANDBOX_DOMAIN=https://sub2.domain.tld
      - CPAD_CONF=/cryptpad/config/config.js
      - CPAD_TRUSTED_PROXY=0.0.0.0/0
      - CPAD_REALIP_HEADER=X-Forwarded-For
      - CPAD_REALIP_RECURSIVE=on
      # Traefik can't use HTTP2 to communicate with cryptpad_websocket
      # A workaround is to disable HTTP2 in Nginx
      - CPAD_HTTP2_DISABLE=true

    volumes:
      - ./data/blob:/cryptpad/blob
      - ./data/block:/cryptpad/block
      - ./customize:/cryptpad/customize
      - ./data/data:/cryptpad/data
      - ./data/files:/cryptpad/datastore
      - ./config/config.js:/cryptpad/config/config.js

    ports:
      - "3000:3000"
      - "3001:3001"
      - "3003:3003"

    ulimits:
      nofile:
        soft: 1000000
        hard: 1000000

Tests done

  1. My nginx reverse proxy throws 502 Bad Gateway.

  2. A telnet test against 127.0.0.1:3000 shows that the connection is immediately closed by the container:

$ telnet 127.0.0.1 3000
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.

With the elestio/cryptpad and promasu/cryptpad containers from hub.docker.com I'm able to get it running.
But I want to use the official one.

What am I doing wrong? :-)

Hello,

Thanks for reaching out and for your interest in CryptPad!

Our Docker version doesn't contain any web server. That's why everything is proxied directly to port 3000, where the NodeJS application (i.e. CryptPad in our case) will then handle all the requests.

I've noticed that your docker-compose.yml doesn't match ours. In particular, the following lines aren't needed:

- CPAD_TRUSTED_PROXY=0.0.0.0/0
- CPAD_REALIP_HEADER=X-Forwarded-For
- CPAD_REALIP_RECURSIVE=on
# Traefik can't use HTTP2 to communicate with cryptpad_websocket
# A workaround is to disable HTTP2 in Nginx
- CPAD_HTTP2_DISABLE=true

Note that you should be able to get some logs by running docker compose logs -f.

    Mathilde

    Our Docker version doesn't contain any web server. It's why everything is proxied directly to the 3000 port where the NodeJS application (i.e. CryptPad in our case) will then handle all the requests.

    Okay, but then I guess an nginx reverse proxy is the right one to use.

    I've noticed that your docker-compose.yml doesn't match ours. Especially the following lines aren't needed:

    • CPAD_TRUSTED_PROXY=0.0.0.0/0
    • CPAD_REALIP_HEADER=X-Forwarded-For
    • CPAD_REALIP_RECURSIVE=on
    • CPAD_HTTP2_DISABLE=true

    You are right. I was not sure how to get it working. I removed the lines.

    Note that you should be able to get some logs by running docker compose logs -f.

    I know. The logs do not indicate any error. So where did I do something wrong?

    Parsing ./customize.dist/contact.html
    Creating ./www/contact.html
    
    Parsing ./customize.dist/features.html
    Creating ./www/features.html
    
    Parsing ./customize.dist/index.html
    Creating ./www/index.html
    
    Copying built files to target directory (/cryptpad/customize)
    Removing temporary build directory (/tmp/CRYPTPAD_TEMP_BUILD/)
    Successfully removed /tmp/CRYPTPAD_TEMP_BUILD/
    
    cryptpad@5.6.0 start
    node server.js
    3 months later

    Same in my case: 502 error from nginx, no errors in the docker logs:

    ...
    cryptpad-1  | > cryptpad@2024.3.0 start
    cryptpad-1  | > node server.js

      dreyTee hello, thanks for reaching out!

      For anyone to be able to help you, we'll need some more information about your setup. For example:

      • What is your Nginx configuration?
        • We propose 2 types: the basic one and the advanced
        • Docker installations only support the basic one
      • Can you share with us your Nginx configuration?
        • You can redact all the private information you don't want to share
      • Have you applied the appropriate access rights to your CryptPad folder?
        • As mentioned in our Administrator Guide, Installation chapter, Docker section

      Thanks for reaching out, Mathilde!

      Indeed, I've followed the example nginx configuration from your GH repo.
      Tried the basic one.

      Have you applied the appropriate access rights to your CryptPad folder?

      Yes, I did:
      From the very beginning I've been met with this error:
      Error: EACCES: permission denied, mkdir '/cryptpad/customize/www'
      I fixed it with
      sudo chown -R 4001:4001 data customize

      and then I'm stuck.

      Here are my docker-compose changes:

          environment:
            - CPAD_MAIN_DOMAIN=https://cryptpad.offi.ce
            - CPAD_SANDBOX_DOMAIN=https://dev.cryptpad.offi.ce
            - CPAD_CONF=/cryptpad/config/config.js
      
            # Read and accept the license before uncommenting the following line:
            # https://github.com/ONLYOFFICE/web-apps/blob/master/LICENSE.txt
            # - CPAD_INSTALL_ONLYOFFICE=yes
      ...
          volumes:
      ...
            - ./data/config:/cryptpad/config
        ...

      nginx config - cat /etc/nginx/sites-enabled/cryptpad.office | grep . | grep -v -e '^#' -e '^ #':

      server {
          listen 443 ssl http2;
          listen [::]:443 ssl http2;
          server_name cryptpad.offi.ce dev.cryptpad.offi.ce;
          ssl_certificate /etc/nginx/certs/cryptpad.offi.ce.crt;
          ssl_certificate_key /etc/nginx/certs/cryptpad.offi.ce.key;
          ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
          ssl_session_timeout 1d;
          ssl_session_cache shared:MozSSL:10m;
          ssl_session_tickets off;
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
          ssl_prefer_server_ciphers off;
          add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
          ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
          resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220;
          location / {
              proxy_pass            http://127.0.0.1:3000;
              proxy_set_header      X-Real-IP $remote_addr;
              proxy_set_header      Host $host;
              proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
              client_max_body_size  150m;
              proxy_http_version    1.1;
              proxy_set_header      Upgrade $http_upgrade;
              proxy_set_header      Connection upgrade;
          }
      }

      I made a self-signed certificate for cryptpad.offi.ce and put a line with $IP cryptpad.offi.ce dev.cryptpad.offi.ce into my local hosts file.

        dreyTee you're welcome!

        Have you followed the Domains section of the Installation chapter of our Administrator Guide?

        Especially talking about the requirements:

        You will need:

        • ...
        • generate one TLS certificate that covers both domains.

        Thanks for the suggestion, I've just tried this:

        days=730
        name="cryptpad.offi.ce"
        san="*.cryptpad.offi.ce"
        keyname="${name}.key"
        certname="${name}.crt"
        # prepare config
        :>openssl.conf
        cat >> openssl.conf << EOF
        [req]
        distinguished_name = req_distinguished_name
        x509_extensions = v3_req
        prompt = no
        [req_distinguished_name]
        C = US
        ST = VA
        L = SomeCity
        O = MyCompany
        OU = MyDivision
        CN = ${name}
        [v3_req]
        keyUsage = digitalSignature, keyEncipherment
        extendedKeyUsage = serverAuth
        subjectAltName = @alt_names
        [alt_names]
        DNS.1 = ${name}
        DNS.2 = ${san}
        EOF
        # gen (use the config file written above)
        openssl req -x509 -newkey rsa:4096 -keyout "$keyname" -out "$certname" -days "$days" -nodes -config openssl.conf -extensions 'v3_req'

        Copied certificates to nginx place,
        Reloaded nginx w/o errors,
        Still getting the 502 error.

        Result certificate looks good:

         Subject Alt Names
            DNS Name cryptpad.offi.ce
            DNS Name dev.cryptpad.offi.ce

          dreyTee Good! Now that we are sure it's not coming from this, let's move to another idea.

          HTTP 502 means that the destination (CryptPad running inside Docker) isn't responding to your reverse proxy. Can you share with us your config.js file? What might be interesting is which network it is listening on, and which ports.

          Thanks for prompt support!
          I didn't change httpAddress from the default restrictive 'localhost'.
          Finally I can see cryptpad loading :)

          Maybe it's better to set it to the open '0.0.0.0', or is it just me who made this stupid mistake?
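The cause found in the last reply (httpAddress left at 'localhost' inside the container) is a configuration mistake that can be caught before nginx ever reports a 502. Below is an added example, not CryptPad's own code, that lints a CryptPad config object for the Docker pitfalls discussed in this thread. The field names (httpAddress, httpPort, httpSafePort, websocketPort, httpUnsafeOrigin, httpSafeOrigin, installMethod) are CryptPad's as they appear in the first post's config.js; the check identifiers, messages and the two sample configs are this example's own constructions. The loopback check is the thread's lesson: a process bound to localhost inside a container listens only on the container's own lo interface, so a published port forwards to an address where nothing answers.

```javascript
// Added example, not CryptPad's own code: lint a CryptPad config object for the
// Docker pitfalls discussed in this thread. Field names (httpAddress, httpPort,
// httpSafePort, websocketPort, httpUnsafeOrigin, httpSafeOrigin, installMethod)
// are CryptPad's; the check identifiers and messages are this example's own.

// Addresses that bind only the loopback interface of whatever network namespace
// the process runs in. Inside a container that is the container's own lo, which a
// published port (-p 3000:3000) never reaches.
function isLoopback(addr) {
  const a = String(addr).trim().toLowerCase();
  return a === 'localhost' || a === '::1' || a === '[::1]' ||
    /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(a);
}

function parseOrigin(value) {
  try { return new URL(value); } catch (e) { return null; }
}

// Returns a list of {check, msg}; an empty list means no pitfall was found.
function lintDockerConfig(cfg, containerized = cfg.installMethod === 'docker') {
  const findings = [];

  // CryptPad listens on 'localhost' when httpAddress is not set; the last reply in
  // the thread hit exactly that default. From the host, the published port then
  // forwards to an address where nothing listens, and nginx reports 502.
  const addr = cfg.httpAddress === undefined ? 'localhost' : cfg.httpAddress;
  if (containerized && isLoopback(addr)) {
    findings.push({
      check: 'http_address',
      msg: `httpAddress '${addr}' is only reachable inside the container; set it to '0.0.0.0' so the published port reaches CryptPad`,
    });
  }

  const main = parseOrigin(cfg.httpUnsafeOrigin);
  const safe = parseOrigin(cfg.httpSafeOrigin);
  if (!main) findings.push({ check: 'unsafe_origin', msg: 'httpUnsafeOrigin is missing or not a valid URL' });
  if (!safe) findings.push({ check: 'safe_origin', msg: 'httpSafeOrigin is missing or not a valid URL' });
  if (main && safe) {
    // The sandbox origin exists so the editor iframe cannot read the main origin's
    // storage; pointing both at the same origin removes that boundary.
    if (main.origin === safe.origin) {
      findings.push({ check: 'origins_identical', msg: 'httpSafeOrigin must be a different origin from httpUnsafeOrigin' });
    }
    for (const [name, u] of [['httpUnsafeOrigin', main], ['httpSafeOrigin', safe]]) {
      if (u.protocol !== 'https:') {
        findings.push({ check: 'plain_http', msg: `${name} should use https:// since the proxy terminates TLS` });
      }
    }
  }

  // Each listener needs its own port; a collision makes the second bind fail.
  const ports = [cfg.httpPort, cfg.httpSafePort, cfg.websocketPort].filter(p => p !== undefined);
  if (new Set(ports).size !== ports.length) {
    findings.push({ check: 'port_collision', msg: 'httpPort, httpSafePort and websocketPort must be distinct' });
  }
  return findings;
}

// Constructed sample: the first post's config.js values, which pass the lint.
const SAMPLE_OP_CONFIG = {
  httpUnsafeOrigin: 'https://sub1.domain.tld',
  httpSafeOrigin: 'https://sub2.domain.tld',
  httpAddress: '0.0.0.0',
  httpPort: 3000,
  httpSafePort: 3001,
  websocketPort: 3003,
  installMethod: 'docker',
};

// Constructed sample: the same deployment with httpAddress left at its default,
// i.e. the situation in the last reply.
const SAMPLE_DEFAULT_BIND_CONFIG = Object.assign({}, SAMPLE_OP_CONFIG);
delete SAMPLE_DEFAULT_BIND_CONFIG.httpAddress;

for (const [label, cfg] of [['first post', SAMPLE_OP_CONFIG], ['default bind', SAMPLE_DEFAULT_BIND_CONFIG]]) {
  const findings = lintDockerConfig(cfg);
  console.log(`${label}: ${findings.length ? findings.map(f => f.msg).join('; ') : 'no findings'}`);
}
```

Run it with `node` against a `require`d config.js (the file exports a plain object) before starting the container. The loopback check is only applied when the install is containerized, because on a bare-metal install where nginx runs on the same host, 'localhost' is the safer bind and exactly what you want.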