Hello guys.
I am having problems setting up passbolt to work behind a proxy, and I need some advice.
I found some threads about similar problems, but they didn’t help.
My setting is:
- Passbolt running with docker image (latest).
- HAProxy as an internet frontend (doing the SSL job with Let’s Encrypt).
When I set up the docker image to run without a frontend in the local network, it works (here “works” means: I can set up the first user and use it). But when I set it up to run behind HAProxy, I can access the server, but I am not able to retrieve the Server Key in the initial setup.
To set up the environment, I’m using this docker-compose file (I didn’t set persistent storage on purpose):

```yaml
version: '3'
services:
  db:
    image: "mariadb"
    environment:
      - MYSQL_ROOT_PASSWORD=password
      - MYSQL_DATABASE=passbolt
      - MYSQL_USER=passbolt_user
      - MYSQL_PASSWORD=password
    restart: always
  app:
    depends_on:
      - "db"
    image: passbolt/passbolt
    environment:
      - DATASOURCES_DEFAULT_HOST=db
      - DATASOURCES_DEFAULT_PASSWORD=password
      - DATASOURCES_DEFAULT_USERNAME=passbolt_user
      - DATASOURCES_DEFAULT_DATABASE=passbolt
      - APP_FULL_BASE_URL=https://passbolt.mydomain.com
    ports:
      - "6080:80"
      - "6081:443"
    restart: always
```
I am assuming the defaults for settings I didn’t set, so PASSBOLT_SSL_FORCE is true, for example.
When accessing the URL generated by the “register_user” util, in the Docker logs I see two situations:

HAProxy accesses Passbolt with HTTP (no SSL between HAProxy and Passbolt):

```
app_1 | 172.16.0.140 - - [07/May/2019:14:37:58 +0000] "GET /setup/install/cb7fec38-3c98-4747-a2bc-52c0a7449c61/11143ccc-9558-4336-894c-6ecc4fe34a15 HTTP/1.1" 200 2092 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
app_1 | 127.0.0.1 - 07/May/2019:14:37:57 +0000 "GET /index.php" 200
app_1 | 127.0.0.1 - 07/May/2019:14:37:58 +0000 "GET /index.php" 404
app_1 | 2019/05/07 14:37:58 [info] 158#158: *77 recv() failed (104: Connection reset by peer) while sending to client, client: 172.16.0.140, server: , request: "GET /1.1", upstream: "fastcgi://127.0.0.1:9000"
app_1 | 172.16.0.140 - - [07/May/2019:14:37:58 +0000] "GET /1.1" 404 3186 "-" "-"
```

HAProxy accesses Passbolt with HTTPS (SSL enabled between HAProxy and Passbolt):

```
app_1 | 172.16.0.140 - - [07/May/2019:14:36:42 +0000] "GET /setup/install/cb7fec38-3c98-4747-a2bc-52c0a7449c61/11143ccc-9558-4336-894c-6ecc4fe34a15 HTTP/1.1" 200 2092 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
app_1 | 127.0.0.1 - 07/May/2019:14:36:42 +0000 "GET /index.php" 200
app_1 | 127.0.0.1 - 07/May/2019:14:36:43 +0000 "GET /index.php" 404
app_1 | 172.16.0.140 - - [07/May/2019:14:36:43 +0000] "GET /1.1" 404 3186 "-" "-"
```
In both cases, I receive the message “Could not retrieve server key. Please contact administrator.” in the browser, and in the Console log I read:

```
domainCheck.js:301 There was a problem when trying to communicate with the server (Code: 502)
(anonymous) @ domainCheck.js:301
Promise.then (async)
step.fetchServerKey @ domainCheck.js:300
step.start @ domainCheck.js:63
(anonymous) @ setup.js:357
Promise.then (async)
(anonymous) @ setup.js:348
Promise.then (async)
passbolt.setup.initContent @ setup.js:344
(anonymous) @ setup.js:378
Promise.then (async)
passbolt.setup.goToStep @ setup.js:377
passbolt.setup.goForward @ setup.js:402
(anonymous) @ setup.js:630
Promise.then (async)
passbolt.setup.init @ setup.js:629
(anonymous) @ setup.js:694
mightThrow @ jquery.js:3557
process @ jquery.js:3625
setTimeout (async)
(anonymous) @ jquery.js:3663
fire @ jquery.js:3291
add @ jquery.js:3350
(anonymous) @ jquery.js:3683
Deferred @ jquery.js:3774
then @ jquery.js:3668
jQuery.fn.ready @ jquery.js:3863
jQuery.fn.init @ jquery.js:3024
jQuery @ jquery.js:152
(anonymous) @ setup.js:12
```
The weird part of this error is that I can’t see anything in the Network tab: there are no errors (only 200 OK status codes).
It is important to mention that I am pretty sure there’s nothing wrong with HAProxy (I mean, it is doing its job and it is handling SSL correctly). I set up this kind of server every day, so I’m a little confident about this. But since passbolt is a tool with elevated security measures, I really don’t know if it needs something special to work or if it doesn’t work in this setting.
Do you guys have any thoughts?