Issue with accessing Passbolt from different network ports due to the hardcoded APP_FULL_BASE_URL

I identified that the issue on my setup is related to having the APP_FULL_BASE_URL configured in the docker-compose file with a hardcoded value (“https://passbolt.domain.com/”).

I have external collaborators accessing the Passbolt server, but since this is a segregated environment, I have the upper-level firewall ports being filtered, and each of the collaborators has a different dedicated open port in the firewall, through which they can access the Passbolt server.

Given this context, their Host header includes that port, which is also included in the full URL of the requests,

e.g. “https://passbolt.domain.com:8443/js/app/api-vendors.js?v=4.2.0”

Traefik is doing its job nicely to reverse-proxy the requests coming from the firewall, and these are arriving successfully to the passbolt web server in the backend with the correct Host and X-Forwarded-For headers including the port.

The issue is that, since CakePHP is configured to use the hardcoded value from fullBaseUrl, and the links in the web server pages are included by calling the Router::url function (which uses the hardcoded value in fullBaseUrl), the responses to their requests don’t have the port included in the web pages returned to their clients:
The links in the pages returned are something like:

https://passbolt.domain.com/js/app/api-vendors.js

Instead of the original requested and expected

https://passbolt.domain.com:8443/js/app/api-vendors.js

This also causes their requests to fail, and to not even leave their browsers, because the resources included in the web page fail the CSP (Content Security Policy), since the page is trying to fetch resources from a host different from https://passbolt.domain.com:8443.

Although it is not ideal, I could have this solved by going directly to the Passbolt server itself, and replacing, in /etc/passbolt/app.php:

    'fullBaseUrl' => env('APP_FULL_BASE_URL', false),

with

    'fullBaseUrl' => "https://" . $_SERVER['HTTP_HOST'],

After this (and an nginx restart at the Passbolt container level), the web server started to reply correctly, and the links in the pages returned to their requests now include the associated port in the hyperlinks written in the HTML body of the page.

Question

Do you know how I can configure the docker-compose file itself to have this issue fixed directly there, instead of passing the hardcoded “https://passbolt.domain.com” and having to change things directly in the container after creation?

P.S.: This is just a temporary fix, because every time I docker-compose stop/start the containers, the server is unavailable and returns 502. I have to jump into the passbolt container, uncomment the default one ('fullBaseUrl' => env('APP_FULL_BASE_URL', false)), restart nginx, comment the default one and uncomment the last one I mentioned ('fullBaseUrl' => env('APP_FULL_BASE_URL_NON_EXISTENT', false)) and restart nginx again for it to become available.
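The workaround above builds fullBaseUrl from whatever the client sent in the Host header. That makes the generated links follow the port, but it also means any host name a client chooses to send is reflected into the HTML the server returns. The following is an added example, not Passbolt's own code and not something from the original post: it derives the base URL from the request host only when that host (including its port) matches an operator-defined allowlist, and falls back to APP_FULL_BASE_URL otherwise. The environment variable name APP_ALLOWED_HOSTS and the function name are assumptions for the illustration; `env()` is CakePHP's own helper, which is what the existing app.php line already uses.

```php
<?php
// Added example (not Passbolt's code): pick fullBaseUrl from the request
// host, but only if that host is on an operator-defined allowlist.
//
// Assumed (hypothetical) env var:
//   APP_ALLOWED_HOSTS="passbolt.domain.com,passbolt.domain.com:8443,passbolt.domain.com:8444"

/**
 * Return "https://<host>" when <host> is allowlisted, otherwise $fallback.
 *
 * @param array  $server          Normally $_SERVER.
 * @param string $allowedHostsCsv Comma-separated host[:port] entries.
 * @param mixed  $fallback        Value to use when no allowlisted host matches
 *                                (e.g. env('APP_FULL_BASE_URL', false)).
 * @return string|mixed
 */
function passboltBaseUrlFromRequest(array $server, string $allowedHostsCsv, $fallback = false)
{
    // Traefik passes the client's Host through; prefer X-Forwarded-Host when
    // the proxy sets it. The forwarded value may be a comma-separated chain,
    // so keep only the first (outermost) entry.
    $host = $server['HTTP_X_FORWARDED_HOST'] ?? $server['HTTP_HOST'] ?? '';
    $host = trim(explode(',', $host)[0]);
    if ($host === '') {
        // No Host header at all (for example when app.php is loaded by a CLI
        // invocation such as bin/cake): stay on the configured value.
        return $fallback;
    }

    $allowed = array_filter(array_map('trim', explode(',', $allowedHostsCsv)));

    // Exact, case-insensitive match including the port. Anything not listed
    // never gets reflected into Router::url() output.
    foreach ($allowed as $candidate) {
        if (strcasecmp($candidate, $host) === 0) {
            return 'https://' . $host;
        }
    }
    return $fallback;
}

// In /etc/passbolt/app.php the existing line
//     'fullBaseUrl' => env('APP_FULL_BASE_URL', false),
// would become:
//     'fullBaseUrl' => passboltBaseUrlFromRequest(
//         $_SERVER,
//         env('APP_ALLOWED_HOSTS', ''),
//         env('APP_FULL_BASE_URL', false)
//     ),
```

With this in place, each collaborator's dedicated port goes into APP_ALLOWED_HOSTS once, next to APP_FULL_BASE_URL in the docker-compose environment block, and the function itself lives in a file that is bind-mounted into the container, so the configuration does not depend on editing the container after creation. Requests that arrive with a Host value outside the list, and any code path that runs without an HTTP request, still get the configured APP_FULL_BASE_URL.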

To survive restarts you could mount your app.php with your custom configuration.


Hi there @diego , and thanks for the suggestion, and the time taken.
I will implement that, but I think the issue is somewhere else.

The app.php doesn’t get changed/reset with start/stop. It stays the same, with the same line in the code. But the app seems to be expecting the fullBaseUrl passed in the docker-compose, or other, because it returns 502 Bad Gateway on the backend passbolt webserver level.

It only starts working again when I:

  1. uncomment the default one ('fullBaseUrl' => env('APP_FULL_BASE_URL', false)),
  2. restart nginx,
  3. comment the default one and uncomment the last one I mentioned ('fullBaseUrl' => env('APP_FULL_BASE_URL_NON_EXISTENT', false)), and
  4. restart nginx again for it to become available.

I didn’t find the cause of this yet.