Checklist
I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue
Hi, Sorry if this has been answered somewhere else. I haven’t been able to find a topic that matches this issue.
I recently noticed on my Passbolt CE install that the logs use the internal IP of the docker network instead of the X-Forwarded-For IP.
When I went through the environment variables I noticed I could set PASSBOLT_SECURITY_PROXIES_ACTIVE to true, which, to my understanding, should tell Passbolt that it is behind a proxy and to use the appropriate HTTP Headers.
Yet, it is still writing the logs with the internal IP of the Traefik proxy. The main issue here for me is that the emails being sent also show the internal IP in the User IP: section of the mail.
Is there something obvious that I have missed? I tried a clean install following the docker automatic cert setup with traefik, yet I got the same result.
Let me know if you need anything else.
OS: Rocky Linux release 9.4 (Blue Onyx)
*Actual domain name has been switched out with domain.com
Passbolt Compose file (Traefik is moved to separate file, as it was already in use):
services:
db:
image: mariadb:10.11
restart: unless-stopped
networks:
- internal
environment:
MYSQL_RANDOM_ROOT_PASSWORD: "true"
MYSQL_DATABASE: "passbolt"
MYSQL_USER: "passbolt"
MYSQL_PASSWORD: "P4ssb0lt"
volumes:
- database_volume:/var/lib/mysql
passbolt:
image: passbolt/passbolt:latest-ce
restart: unless-stopped
depends_on:
- db
networks:
- internal
- traefik_public
environment:
APP_FULL_BASE_URL: https://passbolt.domain.com
PASSBOLT_SECURITY_PROXIES_ACTIVE: true
DATASOURCES_DEFAULT_HOST: "db"
DATASOURCES_DEFAULT_USERNAME: "passbolt"
DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
DATASOURCES_DEFAULT_DATABASE: "passbolt"
volumes:
- gpg_volume:/etc/passbolt/gpg
- jwt_volume:/etc/passbolt/jwt
command:
[
"/usr/bin/wait-for.sh",
"-t",
"0",
"db:3306",
"--",
"/docker-entrypoint.sh",
]
labels:
traefik.enable: true
traefik.http.routers.passbolt-http.entrypoints: http
traefik.http.routers.passbolt-http.middlewares: "SslHeader@file, cloudflare@file"
traefik.http.routers.passbolt-https.middlewares: "SslHeader@file, cloudflare@file"
traefik.http.routers.passbolt-https.entrypoints: https
traefik.http.routers.passbolt-https.tls: true
volumes:
database_volume:
gpg_volume:
jwt_volume:
networks:
internal:
traefik_public:
external: true
Traefik compose:
services:
traefik:
container_name: traefik
image: traefik:v3.1
restart: unless-stopped
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
networks:
- public
extra_hosts: ["host.docker.internal:host-gateway"]
volumes:
- /home/admin/containers/traefik/config:/etc/traefik:Z
- /var/run/docker.sock:/var/run/docker.sock:ro
- /home/admin/containers/traefik/cloudflare:/certificates:ro
labels:
traefik.enable: true
# Dashboard/API
traefik.http.routers.traefik-api.rule: Host(`traefik.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
traefik.http.routers.traefik-api.entrypoints: https
traefik.http.routers.traefik-api.tls: true
traefik.http.routers.traefik-api.service: api@internal
traefik.http.routers.traefik-api.middlewares: admin-auth@file
# Metrics
traefik.http.routers.traefik-metrics.rule: Host(`traefik.domain.com`) && PathPrefix(`/metrics`)
traefik.http.routers.traefik-metrics.entrypoints: https
traefik.http.routers.traefik-metrics.tls: true
traefik.http.routers.traefik-metrics.service: prometheus@internal
traefik.http.routers.traefik-metrics.middlewares: admin-auth@file
networks:
public:
driver: bridge
ipam:
driver: default
config:
- subnet: 172.18.0.0/16
gateway: 172.18.0.1
Traefik.yml
# Log level INFO|DEBUG|ERROR
log:
level: INFO
api:
dashboard: true
accessLog: {}
metrics:
prometheus:
buckets:
- 0.100000
- 0.300000
- 1.200000
- 5.000000
addEntryPointsLabels: true
addServicesLabels: true
entryPoints:
http:
address: ":80"
http:
redirections:
entryPoint:
to: https
scheme: https
permanent: true
https:
address: :443
# This is here to ensure that LetsEncrypt is applied to all routers
http:
tls:
certResolver: lts
providers:
docker:
defaultRule: Host(`{{ index .Labels "com.docker.compose.service" }}.domain.com`)
exposedByDefault: false
network: traefik_public
file:
filename: /etc/traefik/dynamic.yml
experimental:
plugins:
cloudflarewarp:
modulename: github.com/BetterCorp/cloudflarewarp
version: v1.3.0
Dynamic.yml
tls:
stores:
default:
defaultCertificate:
certFile: /certificates/domain.com.pem
keyFile: /certificates/domain.com.key
http:
middlewares:
cloudflare:
plugin:
cloudflarewarp:
disableDefault: false
trustip: # Trust IPS not required if disableDefault is false - we will allocate Cloud Flare IPs automatically
- "2400:cb00::/32"
admin-auth:
basicAuth:
users:
- "REDACTED"
- "REDACTED"
SslHeader:
headers:
FrameDeny: true
AccessControlAllowMethods: 'GET,OPTIONS,PUT'
AccessControlAllowOriginList:
- origin-list-or-null
AccessControlMaxAge: 100
AddVaryHeader: true
BrowserXssFilter: true
ContentTypeNosniff: true
ForceSTSHeader: true
STSIncludeSubdomains: true
STSPreload: true
ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
CustomFrameOptionsValue: SAMEORIGIN
ReferrerPolicy: same-origin
PermissionsPolicy: vibrate 'self'
STSSeconds: 315360000
Snippet of the logs showing Traefiks IP - 172.18.0.2 instead of the X-Forwarded-For IP:
172.18.0.2 - - [24/Feb/2025:07:36:57 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
172.18.0.2 - - [24/Feb/2025:07:37:57 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
172.18.0.2 - - [24/Feb/2025:07:38:57 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
172.18.0.2 - - [24/Feb/2025:07:39:57 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
172.18.0.2 - - [24/Feb/2025:07:40:57 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
172.18.0.2 - - [24/Feb/2025:07:41:57 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 401 282 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
2025-02-24 07:41:57,598 INFO reaped unknown pid 916 (exit status 0)
2025-02-24 07:41:57,599 INFO reaped unknown pid 918 (exit status 0)
172.18.0.2 - - [24/Feb/2025:07:43:07 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 401 282 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
2025-02-24 07:43:07,153 INFO reaped unknown pid 957 (exit status 0)
2025-02-24 07:43:07,153 INFO reaped unknown pid 959 (exit status 0)
Healthcheck from the CLI:
-------------------------------------------------------------------------------
Healthcheck shell
-------------------------------------------------------------------------------
Environment
[INFO] Linux 016ea04399a2 5.14.0-427.13.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Wed May 1 19:11:28 UTC 2024 x86_64 GNU/Linux
[PASS] PHP version 8.2.26.
[PASS] PHP version is 8.1 or above.
[PASS] 64-bit architecture system detected.
[INFO] gpg (GnuPG) 2.2.40 / libgcrypt 1.10.1
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[WARN] System clock and NTP service information cannot be found.
[HELP] See `timedatectl | grep -i -A 1 clock`. More information: https://www.passbolt.com/docs/hosting/configure/ntp/
Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables
Core config
[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.domain.com
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.
SMTP settings
[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[WARN] The SMTP Settings source is: env variables.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled.
[FAIL] The /etc/passbolt/jwt/ directory should not be writable.
[HELP] You can try:
[HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
[HELP] sudo chmod 750 /etc/passbolt/jwt/
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
[PASS] A valid JWT key pair was found.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.
Application configuration
[PASS] Using latest passbolt version (4.11.1).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.
Database
[PASS] The application is able to connect to the database
[PASS] 34 tables found.
[PASS] Some default content is present.
[FAIL] 2 error(s) found. Hang in there!