I am having problems setting Passbolt up to work behind a proxy, and I need some advice.
I found some threads about similar problems, but they didn’t help.
My setting is:
- Passbolt running from the Docker image (latest).
- HAProxy as an internet frontend (doing the SSL job with Let’s Encrypt).
When I set up the Docker image to run without a frontend on the local network, it works (here “works” means: I can set up the first user and use it). But when I set it up to run behind HAProxy, I can access the server, but I am not able to retrieve the Server Key during the initial setup.
To set up the environment, I’m using this docker-compose file (I didn’t set up persistent storage on purpose):
```yaml
version: '3'
services:
  db:
    image: "mariadb"
    environment:
      - MYSQL_ROOT_PASSWORD=password
      - MYSQL_DATABASE=passbolt
      - MYSQL_USER=passbolt_user
      - MYSQL_PASSWORD=password
    restart: always
  app:
    depends_on:
      - "db"
    image: passbolt/passbolt
    environment:
      - DATASOURCES_DEFAULT_HOST=db
      - DATASOURCES_DEFAULT_PASSWORD=password
      - DATASOURCES_DEFAULT_USERNAME=passbolt_user
      - DATASOURCES_DEFAULT_DATABASE=passbolt
      - APP_FULL_BASE_URL=https://passbolt.mydomain.com
    ports:
      - "6080:80"
      - "6081:443"
    restart: always
```
I am assuming the defaults for settings I didn’t set, so PASSBOLT_SSL_FORCE is true, for example.
When accessing the URL generated by the “register_user” util, in the Docker logs I see two situations:
HAProxy accessing Passbolt over HTTP (no SSL between HAProxy and Passbolt):
```
app_1 | 172.16.0.140 - - [07/May/2019:14:37:58 +0000] "GET /setup/install/cb7fec38-3c98-4747-a2bc-52c0a7449c61/11143ccc-9558-4336-894c-6ecc4fe34a15 HTTP/1.1" 200 2092 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
app_1 | 127.0.0.1 - 07/May/2019:14:37:57 +0000 "GET /index.php" 200
app_1 | 127.0.0.1 - 07/May/2019:14:37:58 +0000 "GET /index.php" 404
app_1 | 2019/05/07 14:37:58 [info] 158#158: *77 recv() failed (104: Connection reset by peer) while sending to client, client: 172.16.0.140, server: , request: "GET /1.1", upstream: "fastcgi://127.0.0.1:9000"
app_1 | 172.16.0.140 - - [07/May/2019:14:37:58 +0000] "GET /1.1" 404 3186 "-" "-"
```
HAProxy accessing Passbolt over HTTPS (SSL enabled between HAProxy and Passbolt):
```
app_1 | 172.16.0.140 - - [07/May/2019:14:36:42 +0000] "GET /setup/install/cb7fec38-3c98-4747-a2bc-52c0a7449c61/11143ccc-9558-4336-894c-6ecc4fe34a15 HTTP/1.1" 200 2092 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
app_1 | 127.0.0.1 - 07/May/2019:14:36:42 +0000 "GET /index.php" 200
app_1 | 127.0.0.1 - 07/May/2019:14:36:43 +0000 "GET /index.php" 404
app_1 | 172.16.0.140 - - [07/May/2019:14:36:43 +0000] "GET /1.1" 404 3186 "-" "-"
```
In both cases, I receive the message “Could not retrieve server key. Please contact administrator.” in the browser, and in the console log I read:
```
domainCheck.js:301 There was a problem when trying to communicate with the server (Code: 502)
(anonymous) @ domainCheck.js:301
Promise.then (async)
step.fetchServerKey @ domainCheck.js:300
step.start @ domainCheck.js:63
(anonymous) @ setup.js:357
Promise.then (async)
(anonymous) @ setup.js:348
Promise.then (async)
passbolt.setup.initContent @ setup.js:344
(anonymous) @ setup.js:378
Promise.then (async)
passbolt.setup.goToStep @ setup.js:377
passbolt.setup.goForward @ setup.js:402
(anonymous) @ setup.js:630
Promise.then (async)
passbolt.setup.init @ setup.js:629
(anonymous) @ setup.js:694
mightThrow @ jquery.js:3557
process @ jquery.js:3625
setTimeout (async)
(anonymous) @ jquery.js:3663
fire @ jquery.js:3291
add @ jquery.js:3350
(anonymous) @ jquery.js:3683
Deferred @ jquery.js:3774
then @ jquery.js:3668
jQuery.fn.ready @ jquery.js:3863
jQuery.fn.init @ jquery.js:3024
jQuery @ jquery.js:152
(anonymous) @ setup.js:12
```
The weird part of this error is that I can’t see anything in the Network tab: there are no errors (only 200 OK status codes).
It is important to mention that I am pretty sure there’s nothing wrong with HAProxy (I mean, it is doing its job and it is handling SSL correctly). I set up this kind of server every day, so I’m fairly confident about this. But since Passbolt is a tool with elevated security measures, I really don’t know if it needs something special to work or if it just doesn’t work in this setup.
Do you guys have any thoughts?
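The two log excerpts above both end with a request logged by the container's nginx as `"GET /1.1" 404`, with no HTTP version token after the target. A quick triage step before touching HAProxy or Passbolt config is to pull exactly those entries out of the container log so they can be correlated with what the proxy sent. The script below is an added example, not code from the original post or from the Passbolt project; it assumes the image's nginx writes the default "combined" access-log format (the interleaved php-fpm lines use a different layout and are skipped), and the sample lines are transcribed from the HTTPS case in the post, not captured from a live system. It flags the entries but does not claim why they occur.

```python
import re

# Constructed sample, transcribed from the nginx/php-fpm lines the post shows
# for the HTTPS case (not captured from a live system here).
SAMPLE_LOG = """\
172.16.0.140 - - [07/May/2019:14:36:42 +0000] "GET /setup/install/cb7fec38-3c98-4747-a2bc-52c0a7449c61/11143ccc-9558-4336-894c-6ecc4fe34a15 HTTP/1.1" 200 2092 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
127.0.0.1 - 07/May/2019:14:36:42 +0000 "GET /index.php" 200
127.0.0.1 - 07/May/2019:14:36:43 +0000 "GET /index.php" 404
172.16.0.140 - - [07/May/2019:14:36:43 +0000] "GET /1.1" 404 3186 "-" "-"
"""

# nginx "combined" log format (assumption: the image's nginx uses the default
# format). The php-fpm lines in the same docker log stream have a different
# layout and are deliberately left unparsed.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^\s"]+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A target that is only a protocol version ("/1.1", "/1.0") looks like the
# tail of a request line that was cut at its last space somewhere upstream;
# that is the assumption behind flagging it, not a confirmed cause.
VERSION_TOKEN_RE = re.compile(r'^/\d\.\d$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None for other formats."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_malformed_requests(log_text):
    """Return parsed entries whose request line shows signs of being mangled.

    Two independent signals are checked: the request line carries no HTTP
    version token at all, and the target itself is a bare protocol version.
    """
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if entry["proto"] is None:
            reasons.append("no HTTP version in request line")
        if VERSION_TOKEN_RE.match(entry["target"]):
            reasons.append("target is a bare protocol version token")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def summarize(log_text):
    """Count combined-format requests per (client, status); report skipped lines."""
    counts = {}
    skipped = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        key = (entry["client"], entry["status"])
        counts[key] = counts.get(key, 0) + 1
    return counts, skipped


if __name__ == "__main__":
    for f in find_malformed_requests(SAMPLE_LOG):
        print(f'{f["time"]} {f["client"]} {f["method"]} {f["target"]} -> '
              f'{f["status"]}: {", ".join(f["reasons"])}')
    counts, skipped = summarize(SAMPLE_LOG)
    print(counts, "skipped:", skipped)
```

Run it against `docker-compose logs app` output with the `app_1 |` prefix stripped (for example `docker-compose logs --no-log-prefix app`, where that flag is available). If the flagged entries appear only when the request comes through HAProxy and never when the container is reached directly, the next thing to compare is the raw request line HAProxy forwards versus what the browser sent.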