I tried so many things to start CryptPad on just an IP and a self-signed cert. It works fine in HTTP "developer" mode, but if I try to pass it through nginx, it's just not reachable. Maybe someone can help me?

Nginx config

server {
    listen 4000 ssl;
    listen [::]:4000 ssl;

    ssl_certificate /etc/nginx/ssl/self-signed.crt;
    ssl_certificate_key /etc/nginx/ssl/self-signed.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem; 

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
	
    location ^~ /cryptpad_websocket {
        proxy_pass            http://127.0.0.1:3003;
        proxy_set_header      X-Real-IP $remote_addr;
        proxy_set_header      Host $host;
        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection upgrade;
    }

    error_page 497 https://$host$request_uri;
}

server {
    listen 4001 ssl;
    listen [::]:4001 ssl;

    ssl_certificate /etc/nginx/ssl/self-signed.crt;
    ssl_certificate_key /etc/nginx/ssl/self-signed.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;  

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://127.0.0.1:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
	
    location ^~ /cryptpad_websocket {
        proxy_pass            http://127.0.0.1:3003;
        proxy_set_header      X-Real-IP $remote_addr;
        proxy_set_header      Host $host;
        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection upgrade;
    }

    error_page 497 https://$host$request_uri;
}

config/config.js


module.exports = {
    httpUnsafeOrigin: 'https://ip:4000',
    httpSafeOrigin: "https://ip:4001",
    httpAddress: '127.0.0.1',
    httpPort: 3000,
    httpSafePort: 3001,
    websocketPort: 3003,

    // maxWorkers: 4,
    //otpSessionExpiration: 7*24, // hours
    //enforceMFA: false,
    //logIP: false,

    adminKeys: [
    ],

    //inactiveTime: 90, // days
    //archiveRetentionTime: 15,
    //accountRetentionTime: 365,
    //disableIntegratedEviction: true,
    //maxUploadSize: 20 * 1024 * 1024,
    //premiumUploadSize: 100 * 1024 * 1024,

    filePath: './datastore/',
    archivePath: './data/archive',
    pinPath: './data/pins',
    taskPath: './data/tasks',
    blockPath: './block',
    blobPath: './blob',
    blobStagingPath: './data/blobstage',
    decreePath: './data/decrees',

    logPath: './data/logs',
    logToStdout: true,
    logLevel: 'info',
    logFeedback: false,
    verbose: false,

    installMethod: 'unspecified',
};
14 days later

Hello,

As far as I understand, a TLS certificate should match a fully qualified domain name (FQDN). Which one did you choose for your setup?

Also, stepping back a bit, what are you trying to achieve? Why do you need to proxy it through Nginx without using domain names but only IP addresses?

As per the Administrator Guide we maintain, you can see that domain names are mandatory for production deployments: https://docs.cryptpad.org/en/admin_guide/installation.html#domains

23 days later

Hello hidden_predictor, it would be great if you could please give some feedback on how to handle this thread further. Dead or broken threads are always difficult in community forums.

I personally don't think your case is a CryptPad issue, but rather an nginx issue. So personally I would look for nginx help in nginx communities. If you would like to continue here, some ideas and questions:

1) Why IP? How about using local DNS names like cryptpad.predictor.local and sandbox.predictor.local to make it a little bit easier?

2) Did you check nginx configuration with nginx -t and nginx -T? And the logs?

3) Please describe "it just not reachable" in more detail. Timeout? Error message? Is nginx up and listening? Is CryptPad listening to the ports?
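
The reachability questions in point 3 can be answered per port with a small probe. This is an added example, not part of the original posts and not CryptPad or nginx code; the port numbers come from the configs posted above, and the host `127.0.0.1` assumes the script is run on the server itself.

```python
import socket
import ssl

# Ports taken from the configs posted in this thread.
TLS_PORTS = (4000, 4001)          # nginx "listen ... ssl" ports
PLAIN_PORTS = (3000, 3001, 3003)  # httpPort, httpSafePort, websocketPort


def probe(host, port, tls=False, timeout=3.0):
    """Classify one port: open, tls-ok, tls-failed, refused, timeout or error."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"   # host answers, but nothing listens on this port
    except socket.timeout:
        return "timeout"   # no answer at all: firewall or wrong address
    except OSError as exc:
        return f"error: {exc}"
    with sock:
        if not tls:
            return "open"
        # Verification is off on purpose: the question here is whether a TLS
        # handshake completes, not whether the self-signed cert is trusted.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock):
                return "tls-ok"
        except (ssl.SSLError, OSError):
            return "tls-failed"   # port is open but does not complete TLS


def report(host, timeout=3.0):
    """Probe every port from the posted configs and return {port: status}."""
    results = {p: probe(host, p, tls=True, timeout=timeout) for p in TLS_PORTS}
    results.update({p: probe(host, p, timeout=timeout) for p in PLAIN_PORTS})
    return results


if __name__ == "__main__":
    for port, status in sorted(report("127.0.0.1").items()):
        print(port, status)
```

"refused" on 4000/4001 points at nginx not listening, "refused" on 3000/3001/3003 at CryptPad, and "timeout" from another machine while the local run shows "tls-ok" points at a firewall in between.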