Rocket.chat: Uploading picture gives 403 sporadically

Created on 16 Aug 2016 · 24 Comments · Source: RocketChat/Rocket.Chat

Your Rocket.Chat version: (make sure you are running the latest) 0,36

Very often when someone uploads a clipboard file it fails and a 403 is shown in the console log.


If the person does a refresh (Ctrl+R) of the page then the image is shown!
Using GridFS.

This is very, very annoying. Running RC as 1 instance at the moment without any nginx load balancing.
However, nginx sits in front of RC but only has 1 upstream server. Previously it had 3 upstream instances, but I changed it to 1 to rule out session issues.
Anyone else have the same experience?

attachments bug

All 24 comments

The issue could be coming from this line of code here https://github.com/AlecTroemel/Rocket.Chat/blob/develop/lib/fileUpload.coffee#L56

Which could be because rocketchat is unable to get the rawCookies (or it's missing the uid or token). Maybe something with nginx

@AlecTroemel this is my config on the nginx. I got the config from @Sing-Li.
Any NGINX pro that could look at it??

```
# Upstreams

upstream backend {
    server 127.0.0.1:3000;
    server 127.0.0.1:3001;
    server 127.0.0.1:3002;
}

server {
    listen 443;
    server_name chat.example.com;
    error_log /var/log/nginx/example.access.log;

    ssl on;
    ssl_certificate /etc/nginx/certificate.crt;
    ssl_certificate_key /etc/nginx/certificate.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 ;

    error_page 497 https://chat.example.com;

    location / {
        proxy_pass http://backend/;
        #proxy_pass http://192.168.102.2:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}

server {
    listen 80;
    server_name www.example.com;
    error_log /var/log/nginx/www.example.access.log;
    #return 301 https://chat.example.com:81;

    location / {
        proxy_pass http://192.168.102.7/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}

server {
    listen 80;
    server_name chat.example.com;
    error_log /var/log/nginx/example.access.log;
    return 301 https://chat.example.com;
}
```

This problem occurs on 2 RC installations. Hasn't anyone else seen it?

Just to add, this is the Windows 10 64-bit clipboard

On @Sing-Li's suggestion I tested using S3 instead. Behaves the same

Not only clipboard files give this result.. It also happened with regular (a png) pictures.

This is driving me nuts..

Just tested disabling the firewall IDS system in front of the chat and the nginx..
The RC instances now sit directly on the internet with nothing in between.
Still get this 403 now and then when I scroll back in messages.

This system was a 0.20 from the beginning and has been updated.

One of my users is hitting the same issue on his instance, let me know if I can help debug.

We are updating the GridFS packages, can you guys please retry with the develop branch when https://github.com/RocketChat/Rocket.Chat/issues/4235 gets closed?

@engelgabriel Thanks, but I can't test easily until it hits a release. Just let me know when it is released, and then I will let my user know.

(Or do you have a develop docker image?)

@pierreozoux and @lunitic can you please try with version 0.40.1 ?

@engelgabriel just gonna update our live server to 0.39 then we will migrate to 0.40.1 on our lab server.

@engelgabriel finally had time to upgrade lab server and it still exists in 0.43

This weekend I will replace the Sophos firewall in front of the instance. It's the last thing I can come up with

Just noticed that this happened on demo.rocket.chat too


Any way to reproduce? I can't :(

@lunitic @AlecTroemel @pierreozoux Is this still happening?

@engelgabriel I confirm that it is fixed, thanks (and sorry for delay)

Sorry, I saw the comment just now.. I am at 0.43 and there it still exists.
Have not been able to upgrade to any later revision yet.. (waiting for a stable release)
@engelgabriel @rodrigok

Definitely not fixed. I can easily replicate it just by logging out and in again - refreshing the browser (while in the channel where the image is posted) fixes it for the duration of that particular login session.

I did some digging in packages/rocketchat-file-upload/server/lib/requests.js and it looks like it's picking up the rc_token value from the previous login. As soon as you refresh, you get a new rc_token (i.e. one that hashes correctly to the current hashedToken in the user record) and then the findOneByIdAndLoginToken() call succeeds.
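
The stale-token failure described in the comment above, reproduced as an added Node.js example (not Rocket.Chat's own code and not posted by any participant). The `rc_uid` cookie name, the in-memory user store, SHA-256 token hashing and all helper names other than `findOneByIdAndLoginToken` are assumptions made for illustration.

```javascript
// Added illustration, not Rocket.Chat source. rc_token, hashedToken and
// findOneByIdAndLoginToken come from the thread; everything else is assumed.
const { createHash, randomBytes } = require('crypto');

// Assumed Meteor-style storage: the server keeps only a hash of each login token.
const hashLoginToken = (token) => createHash('sha256').update(token).digest('base64');

const users = new Map(); // uid -> { loginTokens: [{ hashedToken }] }

function login(uid) {
  const token = randomBytes(32).toString('hex');
  const user = users.get(uid) || { loginTokens: [] };
  user.loginTokens.push({ hashedToken: hashLoginToken(token) });
  users.set(uid, user);
  return token; // the raw token is handed to the client only
}

function logout(uid, token) {
  const user = users.get(uid);
  const hashed = hashLoginToken(token);
  user.loginTokens = user.loginTokens.filter((t) => t.hashedToken !== hashed);
}

function findOneByIdAndLoginToken(uid, token) {
  const user = users.get(uid);
  if (!user || !token) return undefined;
  const hashed = hashLoginToken(token);
  return user.loginTokens.some((t) => t.hashedToken === hashed) ? user : undefined;
}

function parseCookies(header = '') {
  return Object.fromEntries(header.split(';').map((p) => p.trim()).filter(Boolean)
    .map((p) => [p.slice(0, p.indexOf('=')), p.slice(p.indexOf('=') + 1)]));
}

// Status a file-download route would return for a given Cookie header.
function fileRequestStatus(cookieHeader) {
  const { rc_uid, rc_token } = parseCookies(cookieHeader);
  return findOneByIdAndLoginToken(rc_uid, rc_token) ? 200 : 403;
}

// Constructed scenario: the cookie written at the first login outlives logout/login.
function staleCookieScenario() {
  const oldToken = login('u1');
  const staleCookie = `rc_uid=u1; rc_token=${oldToken}`;
  logout('u1', oldToken);
  const freshCookie = `rc_uid=u1; rc_token=${login('u1')}`;
  return { stale: fileRequestStatus(staleCookie), fresh: fileRequestStatus(freshCookie),
    missing: fileRequestStatus('') };
}
```

When triaging a report like this one, comparing the hash of the `rc_token` sent on the failing request against the `hashedToken` entries in the user record separates a stale client cookie from a proxy that drops the Cookie header.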

I can confirm this bug:
docker image: rocket.chat:0.52
Ubuntu 14.04.5 LTS
haproxy:1.7 as reverse proxy

Started to dig in this issue again. 0.55.1 is still having it.. (our current server) It seems that the Rocket.Chat client makes it worse.

Have the same issue with 0.74.3
