Passbolt behind proxy

Hello guys.

I am having problems to set passbolt to work behind a proxy, and I need some advice.
I found some threads about similar problems, but they didn’t help.

My setting is:

  • Passbolt running with docker image (latest).
  • HAProxy as a internet frontend (doing the SSL job with Let’s Encrypt).

When I set up the docker image to run without a frontend in the local network, it works (here “works” mean: I can set up the first user and use it). But when I set it up to run behind haproxy, I can access the server, but I am not able to retrieve the Server Key in the initial setting.

To set up the environment, I’m using this docker-compose file (I didn’t set persistent storage on purpose):

version: '3'
    image: "mariadb"
     - MYSQL_ROOT_PASSWORD=password
     - MYSQL_DATABASE=passbolt
     - MYSQL_USER=passbolt_user
     - MYSQL_PASSWORD=password
    restart: always
      - "db"
    image: passbolt/passbolt
     - "6080:80"
     - "6081:443"
    restart: always

I am assuming the defaults for settings I didn’t set, so PASSBOLT_SSL_FORCE is true, for example.

When accessing the URL generated by “register_user” util, in Docker logs I face two situations:

HAProxy access Passbolt with HTTP (no SSL between HAProxy and Passbolt)

app_1  | - - [07/May/2019:14:37:58 +0000] "GET /setup/install/cb7fec38-3c98-4747-a2bc-52c0a7449c61/11143ccc-9558-4336-894c-6ecc4fe34a15 HTTP/1.1" 200 2092 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
app_1  | -  07/May/2019:14:37:57 +0000 "GET /index.php" 200
app_1  | -  07/May/2019:14:37:58 +0000 "GET /index.php" 404
app_1  | 2019/05/07 14:37:58 [info] 158#158: *77 recv() failed (104: Connection reset by peer) while sending to client, client:, server: , request: "GET /1.1", upstream: "fastcgi://"
app_1  | - - [07/May/2019:14:37:58 +0000] "GET /1.1" 404 3186 "-" "-"

HAProxy access Passbolt with HTTPS (SSL enabled between HAProxy and Passbolt)

app_1  | - - [07/May/2019:14:36:42 +0000] "GET /setup/install/cb7fec38-3c98-4747-a2bc-52c0a7449c61/11143ccc-9558-4336-894c-6ecc4fe34a15 HTTP/1.1" 200 2092 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
app_1  | -  07/May/2019:14:36:42 +0000 "GET /index.php" 200
app_1  | -  07/May/2019:14:36:43 +0000 "GET /index.php" 404
app_1  | - - [07/May/2019:14:36:43 +0000] "GET /1.1" 404 3186 "-" "-"

In both cases, I receive the message “Could not retrieve server key. Please contact administrator.” in the browser and in the Console log I read:

domainCheck.js:301 There was a problem when trying to communicate with the server (Code: 502)
    (anonymous)	@	domainCheck.js:301
    Promise.then (async)		
    step.fetchServerKey	@	domainCheck.js:300
    step.start	@	domainCheck.js:63
    (anonymous)	@	setup.js:357
    Promise.then (async)		
    (anonymous)	@	setup.js:348
    Promise.then (async)		
    passbolt.setup.initContent	@	setup.js:344
    (anonymous)	@	setup.js:378
    Promise.then (async)		
    passbolt.setup.goToStep	@	setup.js:377
    passbolt.setup.goForward	@	setup.js:402
    (anonymous)	@	setup.js:630
    Promise.then (async)		
    passbolt.setup.init	@	setup.js:629
    (anonymous)	@	setup.js:694
    mightThrow	@	jquery.js:3557
    process	@	jquery.js:3625
    setTimeout (async)		
    (anonymous)	@	jquery.js:3663
    fire	@	jquery.js:3291
    add	@	jquery.js:3350
    (anonymous)	@	jquery.js:3683
    Deferred	@	jquery.js:3774
    then	@	jquery.js:3668
    jQuery.fn.ready	@	jquery.js:3863
    jQuery.fn.init	@	jquery.js:3024
    jQuery	@	jquery.js:152
    (anonymous)	@	setup.js:12

The weird part of this error is that I can’t see anything in the Network tab: there are no errors (only 200-OK status code).

Important to cite that I am pretty sure there’s nothing wrong with HAProxy (I mean, it is doing its job and it is handling SSL correctly). I set up these kind of server everyday, so I’m a little confident about this. But since passbolt is a tool with elevated security measures, I really don’t know if it need something special to work or if it doesn’t work in this setting.

Do you guys have any thoughts?

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.

@diegoqueiroz did you manage to make any progress on this issue?

Sadly, no.
I still have some options to try, but I didn’t make it work yet.

Summoning @diego to have a look when he has time.

Do you have any thoughts about this issue?
I mean, maybe passbolt is validating “Host” or some other HTTP header field and it is failing. My bet is to test some configurations to check if they work.

You could provide a curl -vvvILk to see the if any header is missing, like the gpgauth ones.

I have Passbolt behind a nginx proxy, I needed to filter out IP’s based on location…
My solution: