White screen after enabling external NGINX post install

cygace · September 8, 2023, 10:43am

Checklist
[Y ] I have read intro post: About the Installation Issues category
[ Y] I have read the tutorials, help and searched for similar issues
[ Y] I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
[ Y] I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Hello All,

I just installed Passbolt on a fresh new install on Ubuntu 22.04. I setup the installation with the script and I asked no SSL for NGINX as I’m using external NGINX server.

I was able to finalize the full setup process and everything was ok until I enable the external access.

I’m facing with a blank screen. Off course I already tried a lot of things in the forum but nothing solved the issue.

Here are the behaviors :

access with local ip in http → nginx welcome screen (message from the passbolt nginx itself)
access with local ip in https → Unable to connect as SSL is disabled in Passbolt config
access with external url in http or https → redirected to auth/login?redirect=%2F white page

I launched a healthcheck and no issue related to url

-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.1.2-1ubuntu2.14.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to http://xxx.yyy.be
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 32 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (4.2.0).
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
 [FAIL] App.fullBaseUrl is not set to HTTPS.
 [HELP] Check App.fullBaseUrl url scheme in /etc/passbolt/passbolt.php.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [FAIL] 2 error(s) found. Hang in there!

The fullbase url use my external domain in http.

Here is the NGINX config on my passbolt server

#
#  Passbolt.conf - Nginx configuration file to run the Passbolt software.
#

server {

  listen 80;
  listen [::]:80;

  # Managed by Passbolt
  #server_name 10.10.31.50;
  server_name xxx.yyy.be;
  client_body_buffer_size     100K;
  client_header_buffer_size   1K;
  client_max_body_size        5M;

  client_body_timeout   10;
  client_header_timeout 10;
  keepalive_timeout     5 5;
  send_timeout          10;

  root /usr/share/php/passbolt/webroot;
  index index.php;
  error_log /var/log/nginx/passbolt-error.log info;
  access_log /var/log/nginx/passbolt-access.log;

  # Managed by Passbolt
  # include __PASSBOLT_SSL__

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    try_files                $uri =404;
    include                  fastcgi_params;
    fastcgi_pass             unix:/run/php/php8.1-fpm.sock;
    fastcgi_index            index.php;
    fastcgi_intercept_errors on;
    fastcgi_split_path_info  ^(.+\.php)(.+)$;
    fastcgi_param            SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param            SERVER_NAME $http_host;
    fastcgi_param PHP_VALUE  "upload_max_filesize=5M \n post_max_size=5M";
  }

}

The external NGINX configuration should be ok.

Could you help me to solve that issue ?

Thanks

ishan · September 8, 2023, 10:55am

Hey @cygace, Welcome to passbolt community forum.

Can you check the browser console for any errors and if there is share with us?

Also, from the healtcheck it looks like you’ve configured SSL so all the request will be served from HTTPS so you might want to change the Full base url (App.fullBaseUrl in passbolt.php file) to use https://yourdomain.com instead of http://yourdomain.com.

cygace · September 8, 2023, 11:52am

Thanks for your feedback.

As mentionned I use one external NGINX reverse proxy (on other server) + the default NGINX.

The connection should stay disabled I imagine in my fullbase url.

Anyway I tried and nothing changed

ishan · September 8, 2023, 2:13pm

Did you checked browser’s console for any errors? Also, is there any errors in the nginx server logs?

Termindiego25 · September 9, 2023, 8:48am

Hello @cygace and welcome to the forum!
Is there a reason why you can’t set up Passbolt over HTTPS?
It is a better approach to use Passbolt always over HTTPS and if you have a reverse proxy, just redirect to the address of the server with HTTPS