ReverseProxy and Passbolt

Hi @ all,

we are running a Passbolt CE Server inhouse and wanted to setup a reverseproxy in front the passbolt server with NGINX Reverse Proxy Manager.
If I configure the NGINX Reverse Proxy, pointing to the passbolt server, the webbrowser page stays empty (no error) with correct Title information.
I changed the FullBaseURL in passbolt.php to the Proxy Address but then the Registration Wizard appears.

On one hand, I can see that firewall etc is correct, but on the other hand I cant figure out what type of setting is neccassery to get it running.

Does anyone can help?
I am not that Reverse Proxy Pro :slight_smile:

Thanks and best regards
J

Hi @2983hf :wave:

It is right. The fullBaseUrl setting in passbolt.php must be the url where passbolt is served. If you were previously using passbolt with another url (http to https is a different url for passbolt extension), you have to perform an account recovery to reconfigure your passbolt browser extension.

Let me know if you have further questions.

Best,

Just reviewed some logs and checked health of passbolt:

Exception: Plugin EmailQueue could not be found.
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Core/PluginCollection.php, line 143]

I am confused. We received a lot of emails in the past and invited, created etc. new users / passwords… and received mails.
Its on Ubuntu 20 LTS with native installation, no docker enviroment.

So, one problem turns out to open the next.
How do I get back the MailQueue? :slight_smile:

In the error.log the system asks for authentification while passbolt tries to send out mails.

Best regards

@2983hf

For consideration. my setup:

  1. For an NGINX reverse proxy on a different server, the server directive needs to have the public-facing domain you are desiring.
  2. On the passbolt server I have the full domain listed for the fullBaseUrl.
  3. On the passbolt server I have NGINX also running and listening for the full domain.
  4. I have the passbolt app calling to the full domain but I have set in the /etc/hosts file for that domain to be localhost. Like 127.0.0.1 my.domain.tld so it does not actually route through the reverse proxy, but makes calls to itself locally.

If the app is not able to find a plugin, it might be a routing issue. If #2 and #3 are both ip addresses in your case, then #4 is not needed, I would think. It sounds like you put #2 pointing to the reverse proxy, but as @_jc was saying it needs to be the ip address of the passbolt server instead.

EDIT: Actually, I think what I am suggesting regarding using ip addresses will break it. If your reverse proxy is not using an ip address but instead is using a domain, you’ll want to set it up like mine, using domains. I think @_jc was allowing for reverse proxies that are serving on an ip address.

@_jc @garrett

Thanks for you help.
In the passbolt.php I changed the FullBaseURL to the ReverseProxy Address and the browsers shows up the Passbolt window redirecting to auth/login?redirect=%2F&locale=de-DE.

I had logged out the browser extension and tried to recover the registered account but for now no emails are send. The healthcheck says that the EmailQueue Plugin is missing.

Thats quiet confusing because the initial setup just went fine.
It started to get worse since the ReverseProxy changes. But I dont know how to fix the mailqueue. Perhaps everything is fine after that…

Best regards

Hi @2983hf ,

How did you installed passbolt ? from sources, packages, docker ? Can you tell us what is your operating system name and version ?

Best,