Cant get docker working (webserver issue in docker)

creasy

Hi,

I'm trying to use cryptpad with docker. Normally such things are not an issue for me but with the original cryptpad container I'm not able to get it working.

config.js

    httpUnsafeOrigin: 'https://sub1.domain.tld',
    httpSafeOrigin: 'https://sub2.domain.tld',
    httpAddress: '0.0.0.0',
    httpPort: 3000,
    httpSafePort: 3001,
    websocketPort: 3003,
    adminKeys: [
	    "[admin@domain/key]",
    ],
    filePath: './datastore/',
    archivePath: './data/archive',
    pinPath: './data/pins',
    taskPath: './data/tasks',
    blockPath: './block',
    blobPath: './blob',
    blobStagingPath: './data/blobstage',
    decreePath: './data/decrees',
    logPath: './data/logs',
    logToStdout: true,
    logLevel: 'info',
    logFeedback: false,
    verbose: false,
    installMethod: 'docker',
};

nginx-site.conf

As reverse proxy I use nginx with the [basic example](https://github.com/cryptpad/cryptpad/blob/main/docs/example.nginx.conf) with small changes for port 80 redirections and logging:

 server {
 listen		12.34.56.78:80;
 server_name     sub1.domain.tld;
 access_log      /.../sub1.domain.tld-access.log;
 error_log	/.../sub1.domain.tld-error.log;
 return 301 https://$server_name$request_uri;
 }
 
 server {
 listen	12.34.56.78:443 ssl http2;
 access_log      /.../sub1.domain.tld-access.log;
 error_log	/.../sub1.domain.tld-error.log;
 
     server_name sub1.domain.tld sub2.domain.tld;
 
     ssl_certificate /.../certificate.pem;
     ssl_certificate_key /../certificate.key;
 
     ssl_session_timeout 1d;
     ssl_session_cache shared:MozSSL:10m;
     ssl_session_tickets off;
 
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers off;
 
     ssl_stapling on;
     ssl_stapling_verify on;
     ssl_trusted_certificate /.../certificate_fullchain.pem;
 
     location / {
         proxy_pass            http://127.0.0.1:3000;
         proxy_set_header      X-Real-IP $remote_addr;
         proxy_set_header      Host $host;
         proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
         client_max_body_size  150m;
         proxy_http_version    1.1;
         proxy_set_header      Upgrade $http_upgrade;
         proxy_set_header      Connection upgrade;
     }
 }

docker-compose.yml:

docker is deployed by docker-compose

version: '3.8'

services:
  cryptpad:
    image: "cryptpad/cryptpad:version-5.6.0"
    container_name: sub1.domain.tld
    hostname: cryptpad

    environment:
      - CPAD_MAIN_DOMAIN=https://sub1.domain.tld
      - CPAD_SANDBOX_DOMAIN=https://sub2.domain.tld
      - CPAD_CONF=/cryptpad/config/config.js
      - CPAD_TRUSTED_PROXY=0.0.0.0/0
      - CPAD_REALIP_HEADER=X-Forwarded-For
      - CPAD_REALIP_RECURSIVE=on
      # Traefik can't use HTTP2 to communicate with cryptpad_websocket
      # A workaround is to disable HTTP2 in Nginx
      - CPAD_HTTP2_DISABLE=true

    volumes:
      - ./data/blob:/cryptpad/blob
      - ./data/block:/cryptpad/block
      - ./customize:/cryptpad/customize
      - ./data/data:/cryptpad/data
      - ./data/files:/cryptpad/datastore
      - ./config/config.js:/cryptpad/config/config.js

    ports:
      - "3000:3000"
      - "3001:3001"
      - "3003:3003"

    ulimits:
      nofile:
        soft: 1000000
        hard: 1000000

Tests done

My nginx reverse throws 502 Bad Gateway.
A telnet test against 127.0.0.1:3000 shows that the connection is immidately closed by the container

$ telnet 127.0.0.1 3000
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.

With the container from hub.docker.com of elestio/cryptpad and promasu/cryptpad I'm able to get it running.
But I want to use the official one.

What am I doing wrong? :-)

Mathilde

Hello,

Thanks for reaching out and for your interest in CryptPad!

Our Docker version doesn't contain any web server. It's why everything is proxied directly to the 3000 port where the NodeJS application (i.e. CryptPad in our case) will then handle all the requests.

I've noticed that your docker-compose.yml doesn't match ours. Especially the following lines aren't needed:

- CPAD_TRUSTED_PROXY=0.0.0.0/0
- CPAD_REALIP_HEADER=X-Forwarded-For
- CPAD_REALIP_RECURSIVE=on
# Traefik can't use HTTP2 to communicate with cryptpad_websocket
# A workaround is to disable HTTP2 in Nginx
- CPAD_HTTP2_DISABLE=true

Note that you should be able to get some logs by running docker compose logs -f.

creasy

Mathilde

Our Docker version doesn't contain any web server. It's why everything is proxied directly to the 3000 port where the NodeJS application (i.e. CryptPad in our case) will then handle all the requests.

Okay, but then I guess a reverse nginx proxy is the right one to use

I've noticed that your docker-compose.yml doesn't match ours. Especially the following lines aren't needed:

CPAD_TRUSTED_PROXY=0.0.0.0/0

CPAD_REALIP_HEADER=X-Forwarded-For

CPAD_REALIP_RECURSIVE=on

CPAD_HTTP2_DISABLE=true

You are right. I' was not sure how to get it working. I removed the lines

Note that you should be able to get some logs by running docker compose logs -f.

I know. Logs do not indicate any error. So where is did I something wrong?

Parsing ./customize.dist/contact.html
Creating ./www/contact.html

Parsing ./customize.dist/features.html
Creating ./www/features.html

Parsing ./customize.dist/index.html
Creating ./www/index.html

Copying built files to target directory (/cryptpad/customize)
Removing temporary build directory (/tmp/CRYPTPAD_TEMP_BUILD/)
Successfully removed /tmp/CRYPTPAD_TEMP_BUILD/

cryptpad@5.6.0 start
node server.js

dreyTee

Same in my case, - 502th error from nginx, no errors in docker logs:

...
cryptpad-1  | > cryptpad@2024.3.0 start
cryptpad-1  | > node server.js

Mathilde

dreyTee hello thanks for reaching out!

For anyone being able to help you, we'll need some more information about your setup. For example:

What is your Nginx configuration?
- We propose 2 types: the basic one and the advanced
- Docker installations only support the basic one
Can you share with us your Nginx configuration?
- You can redact all the private information you don't want to share
Have you applied the appropriate access rights to your CryptPad folder?
- As mentioned in our Administrator Guide, Installation chapter, Docker section

dreyTee

Thanks for reaching out, Mathilde!

Indeed, I've followed the example configuration of nginx from your GH repo.
Tried basic one.

Have you applied the appropriate access rights to your CryptPad folder?

Yes, I did:
Form the very beginning I've being met with this error:
Error: EACCES: permission denied, mkdir '/cryptpad/customize/www'
fixed it with
sudo chown -R 4001:4001 data customize

and then I'm stuck.

Here are my docker-compose changes:

    environment:
      - CPAD_MAIN_DOMAIN=https://cryptpad.offi.ce
      - CPAD_SANDBOX_DOMAIN=https://dev.cryptpad.offi.ce
      - CPAD_CONF=/cryptpad/config/config.js

      # Read and accept the license before uncommenting the following line:
      # https://github.com/ONLYOFFICE/web-apps/blob/master/LICENSE.txt
      # - CPAD_INSTALL_ONLYOFFICE=yes
...
    volumes:
...
      - ./data/config:/cryptpad/config
  ...

nginx config - cat /etc/nginx/sites-enabled/cryptpad.office | grep . | grep -v -e '^#' -e '^ #':

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cryptpad.offi.ce dev.cryptpad.offi.ce;
    ssl_certificate /etc/nginx/certs/cryptpad.offi.ce.crt;
    ssl_certificate_key /etc/nginx/certs/cryptpad.offi.ce.key;
    ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220;
    location / {
        proxy_pass            http://127.0.0.1:3000;
        proxy_set_header      X-Real-IP $remote_addr;
        proxy_set_header      Host $host;
        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size  150m;
        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection upgrade;
    }
}

I made a self-signed certificate for cryptpad.offi.ce and put a line with $IP cryptpad.offi.ce dev.cryptpad.offi.ce into my local hosts file.

Mathilde

dreyTee you're welcome!

Have you followed the Domains section of the Installation chapter of our Administrator Guide?

Especially talking about the requirements:

You will need:

...

generate one TLS certificate that covers both domains.

dreyTee

Thanks for suggestion, I've just tried this:

days=730
name="cryptpad.offi.ce"
san="*.cryptpad.offi.ce"
keyname="${name}.key"
certname="${name}.crt"
# prepare config
:>openssl.conf
cat >> openssl.conf << EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = ${name}
[v3_req]
keyUsage = digitalSignature, keyEncipherment 
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${name}
DNS.2 = ${san}
EOF
# gen
openssl req -x509 -newkey rsa:4096 -keyout $keyname -out $certname -days $days -nodes   -config conf  -extensions 'v3_req'

Copied certificates to nginx place,
Reloaded nginx w/o errors,
Getting 502th error still.

Result certificate looks good:

 Subject Alt Names
    DNS Name cryptpad.offi.ce
    DNS Name dev.cryptpad.offi.ce

Mathilde

dreyTee Good! Now that we are sure it's not coming from this, let's move to another idea.

HTTP 502 means that the destination (CryptPad running inside Docker) isn't responding to your reverse proxy. Can you share with us your config.js file? What might be interesting is on which network is it listening, and ports.

dreyTee

Thanks for prompt support!
I didn't change httpAddress from default restrictive 'localhost'.
Finally can see cryptpad loading)

Maybe it's better to set it to open '0.0.0.0' or it is just me did this stupid mistake?