Loomio
Wed 18 Mar 2020 4:44PM

Loomio with docker-compose behind nginx proxy with SAML (/cable error)

J Jordan Public Seen by 54

Hi,

I'm using a personal configuration using loomio-deploy for the Loomio instance of my organization.

I'm getting an error (look a bit similar from this which make Loomio refuse SAML login...

My nginx logs are

nginx.1 | 2020/03/18 16:35:46 [error] 1759#1759: *13363 connect() failed (111: Connection refused) while connecting to upstream, client: 77.198.223.246, server: agora.xxxxx-xxxxx.org, request: "GET /cable HTTP/1.1", upstream: "http://172.22.0.21:3000/cable", host: "agora.xxxxx-xxxxx.org"

My Loomio app logs are

An unauthorized connection attempt was rejected
Failed to upgrade to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: upgrade, HTTP_UPGRADE: websocket)
Finished "/cable/" [WebSocket] for 77.198.223.246 at 2020-03-18 16:36:27 +0000
Finished "/cable/" [WebSocket] for 77.198.223.246 at 2020-03-18 16:36:27 +0000

Do you have any idea how to fix this ? If you need more information, just tell me !

Thanks

FDS

Fabio dos Santos Wed 15 Apr 2020 1:04AM

Now I get the following error:


loomio-app     | Started GET "/cable" for 177.194.12.130 at 2020-04-15 00:56:43 +0000
loomio-app     | Started GET "/cable/"[non-WebSocket] for 177.194.12.130 at 2020-04-15 00:56:43 +0000
loomio-app     | Failed to upgrade to WebSocket (REQUESTMETHOD: GET, HTTPCONNECTION: upgrade, upgrade, HTTP_UPGRADE: websocket, websocket)
loomio-app     | Finished "/cable/"[non-WebSocket] for 177.194.12.130 at 2020-04-15 00:56:43 +0000

I don't really understand what this error is about, but would appreciate any feedback.
Also. This does not really seem to be related to the email problem.

One issue at a time, I supposed!

Thanks for the wonderful program!

CF

Colin Fletcher Wed 15 Apr 2020 1:52AM

I think I've seen this error. I'm using apache, but I expect it's the same problem if you can figure out how to address it with nginx. Here's a snippit from my apache solution:

# The loomio code is running without encryption, because the apache
# front end is providing that.  So the code listening for websockets
# doesn't like that the Origin header begins with "https://".  Looking
# through the source, if FORCE_SSL is off it just wants whatever the value
# of CANONICAL_NAME is in the env file.

   RequestHeader edit Origin "https://" ""

The line removes the protocol from the Origin header in the request as it passes through the reverse proxy, which turns it into what the Loomio backend is expecting.

Though, now that I think about it, I seem to remember Loomio complaining about an Origin mismatch in the logs for that error. Well, it's something to try, anyway.