Cannot connect to Corteza (LAN or WAN)

Hello,

I would like to install Corteza by using an external NGINX proxy. The host is using Debian 11, Docker 20.10.8 and doesn’t have anything else except Docker.

Here’s docker-compose.yml:

version: '3.5'

services:
  server:
    image: cortezaproject/corteza-server
    networks: [ external, corteza ]
    restart: on-failure
    env_file: [ .env ]
    depends_on: [ db ]
    volumes: [ "./data/server:/data" ]

  db:
    image: postgres:13
    networks: [ corteza ]
    restart: on-failure
    healthcheck: { test: ["CMD-SHELL", "pg_isready -U corteza"], interval: 10s, timeout: 5s, retries: 5 }
    environment:
      POSTGRES_USER:     corteza
      POSTGRES_PASSWORD: corteza

networks:
  external: { external: true }
  corteza: {}

Here’s .env:

DOMAIN=your-demo.example.tld
VERSION=2021.3
DB_DSN=postgres://corteza:corteza@db:5432/corteza?sslmode=disable
HTTP_WEBAPP_ENABLED=true
ACTIONLOG_DEBUG=true
LOG_LEVEL=debug
LOG_DEBUG=true

Here’s NGINX config:

server {
        listen 80;
        server_name crm.avocat-ludusan.ro;

        location / {
                proxy_pass http://192.168.1.202;
                proxy_http_version  1.1;
                proxy_cache_bypass  $http_upgrade;
                proxy_set_header Upgrade   $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host  $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host  $host;
                proxy_set_header X-Forwarded-Port  $server_port;
        }

        proxy_read_timeout 360;
        proxy_connect_timeout 360;
        proxy_send_timeout 360;
        client_max_body_size 0;
}

Here are the problems:

  1. When connecting directly to http://192.168.1.202 I’m being redirected to https://192.168.1.202. Again, note that there’s nothing else on the host, no NGINX on the host etc. Basically I’m connecting directly to the Corteza container.
  2. When connecting to https://crm.domain.tld I’m getting 502 Bad Gateway.

My only logical deduction is that Corteza is not starting, hence nothing is being posted.

Any hints? Thank you!

I’ve tried accessing the .ro domain from your nginx config and from the looks of it, Nginx is redirecting you from HTTP to HTTPS. The request does not even get to Corteza in the 1st request.

When accessing .ro via https, I’m not sure what part of the nginx config is handling the SSL requests. You’re listening only on port 80 there.

Corteza does not (should not) do any kind of http=>https redirections.

Another thing I’m having trouble understanding here is…

You are using 192.168.1.202. This is the IP of the host machine (the one that runs the Nginx and Corteza Docker containers), right? And you are proxying (according to the Nginx config) to the same IP 192.168.1.202 to the port 80 again – so back to itself (to nginx).

This might be the source of your issues.

Publish ports on the server container (internal 80 to something like 8080) and proxy to port 8080 then.
May not be the setup you would want to have at the end but it should help you to move forward.

Hope this helps.

Hey,

> When accessing .ro via https, I’m not sure what part of the nginx config is handling the SSL requests. You’re listening only on port 80 there.

I’ve disabled HTTPS entirely, so NGINX is doing only HTTP redirect (see the conf above).

> This is the IP of the host machine (the one that runs the Nginx and Corteza Docker containers), right?

202 is the Docker machine. It does not have any ports redirected to itself, nor anything running on it except Docker + Corteza.

> And you are proxying (according to the Nginx config) to the same IP 192.168.1.202 to the port 80 again – so back to itself (to nginx).

No. Ports 80 and 443 are directed to .203 (NGINX). The NGINX config I’ve pasted is from 203. I’m just doing a basic proxy from 203 to 202.

> Publish ports on the server container (internal 80 to something like 8080) and proxy to port 8080 then.

Is there any way to set Corteza’s ports? Because it would be great for debugging.

Also please note that the “local install” works fine, so this issue is only for the “production install”.

Here’s the full map, in order for you to have a better understanding.

Proxy IP

root@proxy:~# ip addr
  eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether a2:53:31:61:96:63 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.203/24 brd 192.168.1.255 scope global eth0

NGINX, hosted on Proxy:

root@proxy:~# cat /etc/nginx/conf.d/crm.conf 
server {
        listen 80;
        server_name crm.avocat-ludusan.ro;

        location / {
                proxy_pass http://192.168.1.202;
                proxy_http_version  1.1;
                proxy_cache_bypass  $http_upgrade;
                proxy_set_header Upgrade   $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host  $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host  $host;
                proxy_set_header X-Forwarded-Port  $server_port;
        }

        proxy_read_timeout 360;
        proxy_connect_timeout 360;
        proxy_send_timeout 360;
        client_max_body_size 0;
}

Docker IP

root@docker:~# ip addr
 eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether ea:5b:b7:c4:f7:d2 brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    altname ens18
    inet 192.168.1.202/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever

Docker Corteza docker-compose.yml

root@docker:~# cat /docker/corteza/docker-compose.yml 
version: '3.5'

services:
  server:
    image: cortezaproject/corteza-server
    restart: on-failure
    env_file: [ .env ]
    depends_on: [ db ]
    volumes: [ "./data/server:/data" ]

  db:
    image: postgres:13
    restart: on-failure
    healthcheck: { test: ["CMD-SHELL", "pg_isready -U corteza"], interval: 10s, timeout: 5s, retries: 5 }
    environment:
      POSTGRES_USER:     corteza
      POSTGRES_PASSWORD: corteza

Docker Corteza .env

root@docker:~# cat /docker/corteza/.env 
DOMAIN=crm.avocat-ludusan.ro
VERSION=2021.3
DB_DSN=postgres://corteza:corteza@db:5432/corteza?sslmode=disable
HTTP_WEBAPP_ENABLED=true
ACTIONLOG_DEBUG=true
LOG_LEVEL=debug
LOG_DEBUG=true

#SMTP_HOST=smtp-server.example.tld:587
#SMTP_USER=postmaster@smtp-server.example.tld
#SMTP_PASS=this-is-your-smtp-password
#SMTP_FROM='"Demo" <info@your-demo.example.tld>'

So basically:

  • Port 80 points to IP .203 (proxy)
  • IP .203 (proxy) redirects http://crm.avocat-ludusan.ro to http://192.168.1.202 (docker)
  • Corteza Docker is not running inside a private network, in order to be sure that it’s fully exposed

Solved. None of us noticed that, in the docker-compose.yml file, there was no exposed port. :)

The fix was simple, in the “server” compose section:

    ports:
      - "80:80"
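A static check for the root cause found in this thread, as an added example that is not part of the original posts or of Corteza: it lists the host ports each service in a compose file publishes, so a proxy upstream with nothing published is caught before it shows up as a 502. The function names and the reduced sample file are constructed for illustration, and the parser assumes 2-space indentation and the short `HOST:CONTAINER` port syntax.

```python
import re

# Constructed sample: the thread's compose file reduced to the relevant keys,
# first as posted (no ports) and then with the fix from the final post.
BROKEN = """\
services:
  server:
    image: cortezaproject/corteza-server
    env_file: [ .env ]
  db:
    image: postgres:13
"""
FIXED = BROKEN.replace("[ .env ]\n", '[ .env ]\n    ports:\n      - "80:80"\n')

def host_ports(mappings):
    """'8080:80' -> 8080, '192.168.1.202:80:80/tcp' -> 80; a bare '80' has no fixed host port."""
    ports = []
    for mapping in mappings:
        parts = mapping.split("/")[0].split(":")
        if len(parts) >= 2 and parts[-2].isdigit():
            ports.append(int(parts[-2]))
    return ports

def published_ports(compose_text):
    """Map each service to the host ports it publishes (short syntax, 2-space indent)."""
    result, service, in_services, in_ports = {}, None, False, False
    for raw in compose_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            in_services, service, in_ports = text == "services:", None, False
        elif in_services and indent == 2 and text.endswith(":"):
            service, in_ports = text[:-1], False
            result[service] = []
        elif service and in_ports and text.startswith("- "):   # block list item
            result[service] += host_ports([text[2:].strip("\"' ")])
        elif service and indent == 4:
            in_ports = text.startswith("ports:")
            if in_ports:   # inline form: ports: [ "80:80" ]
                result[service] += host_ports(re.findall(r"[\w.:/-]+", text[6:]))
    return result

def services_publishing(compose_text, host_port):
    """Services a proxy on another machine can reach on host_port."""
    return [s for s, ports in published_ports(compose_text).items() if host_port in ports]
```

The `db` service publishing nothing is the intended state; only the service the proxy targets needs a host port.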