I'm trying to run an instance of MonicaHQ via Docker and behind a reverse proxy (Caddy), but when using the domain name I created for the app, it uses the wrong URL when getting resources.
I created a subdomain like crm.domain.com that points to my server address. There, I have a Caddy instance in a Docker container that proxies requests from that subdomain to the IP of the MonicaHQ Docker container. This part works fine for the most part, as when I navigate to crm.domain.com in my browser I'm greeted by a semi-broken login page.
The reason the login page is broken is that Monica is making requests to the Docker container IP instead of the App URL I set in the .env. I.e. instead of going to https://crm.domain.com/css/... it's going to http://172.17.0.6/css/...
This breaks 1) because a https domain is trying to load http resources and 2) because 172.17.0.6 is the local IP of the Docker container on my server and is not publicly accessible.
I pulled down the Monica source and modified scripts/docker/000-default.conf to set the ServerName directive, then tried building the container and running. That still didn't work as I saw the httpd warning about it being unable to figure out the domain name and using 172.17.0.6 as the backup.
I then exec'd into the running container and modified /etc/apache2/httpd.conf and set the ServerName directive there. When running httpd from inside the container, it would no longer show the error about ServerName not being set. However, the issue persists.
I also tried setting APP_TRUSTED_PROXIES=* in my .env but still no dice.
Any ideas on where to go from here?
+1 from me. I have a similar problem: I am running monica behind a traefik proxy which does SSL offloading and connects to port 80 of the monica container. I have set the APP_URL to the proper https-Domain, but internal links are still shown as http only. This works semi-good on 2.10, but breaks CSS on 2.11, since CSS is loaded via an absolute URL then (why?), which causes Chrome to throw an error since it should load insecure assets on a secure web site.
This does work, I'm running Monica in Docker behind Traefik with no problems.
See the SSL documentation https://github.com/monicahq/monica/blob/master/docs/installation/ssl.md
Specifically, check that you have the APP_ENV, APP_URL and APP_TRUSTED_PROXIES in your .env set to fit your environment
@plett I've already tried those environment variables, setting APP_ENV=production, APP_TRUSTED_PROXIES=*, and APP_URL to my domain. Still, when I go to my domain, it redirects to http://172.17.0.6/register instead of https://crm.domain.com/register.
@plett I can confirm @ROODAY's problems. I have also set the same values. However, my instance seems to recognize its FQDN, but not its protocol, so this issue breaks CSS. The fact that CSS is loaded via an absolute URL is a whole new topic.
We use docker on our staging environment. No problem with reverse proxy, so it's working.
What http server are you using? Apache or nginx? What is your configuration?
Note: the APP_URL is not used to generate URLs for routing or redirection, it's only used by reminders to send a proper URL in emails. So the problem is more likely on the HTTP server, or Docker instance.
I am using traefik for myself. I forward to port 80 in the container. Maybe I should forward to port 443 and use HTTPS as the protocol between traefik and monica. I have avoided such a setup for now, since I assumed every proxied instance to act protocol-agnostic and do the SSL offloading in traefik.
I'll test it...
UPDATE: Doesn't work. Monica isn't serving anything on port 443. Since I am using identical configurations to serve around 10 other apps via the same traefik instance, and monica is the only one which has these problems, I am quite sure that traefik's configuration isn't the main issue of this problem.
@asbiin In my configuration I use neither Apache nor nginx for the containers. I use Caddy to proxy requests from crm.domain.com to the Monica docker container IP (port 80 on the container), and it doesn't require setting a protocol. I believe the Monica container uses Apache under the hood however.
Same problem here with Docker behind an nginx reverse proxy which does the ssl.
Page is semi broken (no css). This kind of resource is requested http-only
I have fixed it for me. Make sure that your reverse proxy sets the proper headers like x-forwarded-for and such. There is also a header to set the protocol.
Could you please post your nginx.conf?
No. I'm not using nginx but traefik and haproxy
Okay so I found the fix (for those using caddy at least, but I assume the same principle applies to other web servers). It seems when running Monica behind a reverse proxy, the proxy must be transparent. I'm not really sure what this means, so if anyone can shed light on that, that'd be great. But I figured it out because it was the same solution to getting the latest version of ghost blogging software running under a caddy reverse proxy. This is what my caddyfile looked like before the fix:
monica.domain.com {
    proxy / 172.17.0.5:80
}
Here's what it looks like now:
monica.domain.com {
    proxy / 172.17.0.5:80 {
        transparent
    }
}
Here's what the caddy docs say about transparent proxy:
transparent: Passes thru host information from the original request as most backend apps would expect.
Shorthand for:
header_upstream Host {host}
header_upstream X-Real-IP {remote}
header_upstream X-Forwarded-For {remote}
header_upstream X-Forwarded-Proto {scheme}
Edit 1: This may also be useful, I'll update this comment if I figure out more on the topic before another reply is made.
Edit 2: I made this thread on serverfault about what a transparent reverse proxy is, so the final answer should eventually be there.
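An added example, not part of the original thread and not Monica's or Caddy's code: a Python model of how a backend listening on plain HTTP picks the scheme and host for asset links and redirects, and why the `transparent` headers together with a trusted-proxy setting change the result. The proxy address 172.17.0.2, the function names and the sample requests are constructed, and it assumes the proxy without `transparent` sends the upstream address as Host, which matches the symptom reported above.

```python
import ipaddress

def is_trusted(peer_ip, trusted_proxies):
    """True if the directly connected peer is an allowed proxy ('*' trusts every peer)."""
    if "*" in trusted_proxies:
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted_proxies)

def base_url(peer_ip, headers, trusted_proxies):
    """Base URL the backend would put in asset links and redirects.

    The backend itself only sees plain HTTP on port 80, as in the thread,
    so the scheme stays "http" unless a trusted peer says otherwise.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = "http"
    if is_trusted(peer_ip, trusted_proxies):
        proto = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            scheme = proto
    return f"{scheme}://{h['host']}"

# Constructed sample requests as the backend container would receive them.
PROXY_IP = "172.17.0.2"          # assumed address of the proxy container
PLAIN = {"Host": "172.17.0.6"}   # proxy without `transparent`
TRANSPARENT = {                  # the four headers `transparent` is shorthand for
    "Host": "crm.domain.com",
    "X-Real-IP": "203.0.113.7",
    "X-Forwarded-For": "203.0.113.7",
    "X-Forwarded-Proto": "https",
}

if __name__ == "__main__":
    print(base_url(PROXY_IP, PLAIN, ["172.17.0.0/16"]))        # container IP over http
    print(base_url(PROXY_IP, TRANSPARENT, ["172.17.0.0/16"]))  # public https URL
    print(base_url(PROXY_IP, TRANSPARENT, []))                 # right host, wrong scheme
    print(base_url("198.51.100.9", TRANSPARENT, ["*"]))        # '*' believes any peer
```

The third case is the "recognizes its FQDN, but not its protocol" symptom from earlier in the thread. The last case shows that `*` accepts X-Forwarded-Proto from any peer, so listing the proxy's own address or network is the tighter setting when the container is reachable by anything other than the proxy.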
@plett
> This does work, I'm running Monica in Docker behind Traefik with no problems.
Can you share the monica-specific Traefik labels you're using? I'm trying to get this working myself and I have the same issue of all of my assets being served on HTTP. Using Traefik 1.7.8.
FWIW I did have this working with Caddy using @ROODAY's suggestion above, but when moving to Traefik I broke it. 😢
@plett Nevermind, didn't realize I had to bust the config cache. This is working for me.