Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ownfoil doesn't work with reverse proxy #26

Open
Seruschl opened this issue Jul 28, 2023 · 23 comments
Open

ownfoil doesn't work with reverse proxy #26

Seruschl opened this issue Jul 28, 2023 · 23 comments

Comments

@Seruschl
Copy link

Hi and at first thanks for this great docker container :D

It is working so far on my LAN but i want to set it up via dyndns with nginx as reverse proxy but with this the data won't load at all in tinfoil.

When i open up the dyndns like https://switch.my.dyndns.name with the login credentials i see the .nsp and all like it should be but when i add it to tinfoil with https and host and all nothing happend. . .

Does anyone has set up something similar with an reverse proxy?

@datapush3r
Copy link

I have a very similar experience using Nginx Proxy Manager. I can see all the files via browser but the shop is blank in Tinfoil. More troubleshooting is needed.

@mobihen
Copy link

mobihen commented Aug 8, 2023

It's working fine for me.
I have NginX in docker and I can see the shop locally and even from remote (also cloudflare), I'll try to upload a pic later for the config

@rwbxd
Copy link

rwbxd commented Aug 11, 2023

Had this same issue - I have NPM on a VPS pointing to my server with Traefik. Browser worked, Tinfoil didn't. Removed my authentication from Ownfoil (the reverse proxy only accepts requests from my home IP), and it worked. Obviously not a perfect solution, but a reasonable workaround and hopefully can help diagnose the issue.

EDIT: actually, it still doesn't work - I get failed to open NSP when I try to download a game.

@Seruschl
Copy link
Author

so without the reverse proxy on http only with port forwarding it is working. Not the best solution but it works

@pxdl
Copy link

pxdl commented Sep 5, 2023

It's working fine for me. I have NginX in docker and I can see the shop locally and even from remote (also cloudflare), I'll try to upload a pic later for the config

Same here. Haven't tried authentication yet though.

@BaerHub
Copy link

BaerHub commented Sep 27, 2023

any update on this? its not working when using nginx https proxy, only http.

@kevincali
Copy link

Reverse proxying with Caddy didn't work for me either.

I used a Cloudflare Tunnel instead.

@FoUStep
Copy link

FoUStep commented Nov 11, 2023

Tried it with docker-compose, I could confirm this should work with curl on the laptop (curl https://myurl:8000 -v).

version: "3"

services:
  ownfoil:
    container_name: ownfoil
    image: a1ex4/ownfoil
    environment:
      # For write permission in /games directory
      - PUID=1000
      - PGID=1000
    volumes:
      - /home/foustep/games:/games
  nginx-proxy:
    container_name: nginx-proxy-for-ownfoil
    image: nginx
    volumes:
      - ./nginx-proxy/nginx.conf:/etc/nginx/conf.d/default.conf
      - ./nginx-proxy/key.pem:/root/ssl/key.pem
      - ./nginx-proxy/cert.pem:/root/ssl/cert.pem
    ports:
      - "8000:443"
    depends_on:
      - ownfoil

Unfortunately, this doesn't work on the switch. The certificate is valid. Does v2 work?

@a1ex4
Copy link
Owner

a1ex4 commented Nov 15, 2023

If you use the latest image tag then there is already an nginx instance running in the container, so adding another nginx container on top wouldn't work.

In the v2 version (currently in development) reverse proxies should work, though I have yet to test it.

@FoUStep
Copy link

FoUStep commented Nov 17, 2023

I'm very sorry,perhaps I do not fully understand either nginx or docker-compose, but how to I add the ssl configuration without touching ownfoils port 80 configuration in nginx (as a different site, or .conf)? I tried another container with a reverse proxy and that works for curl but not for the switch itself.

If I try to add another server with 443 ssl, it says the directive server is not allowed and if I use another http, it says it is a duplicate in the original nginx.conf.

I want to add additional (ssl) configuration, without touching the docker(-compose) default configuration of the ownfoil setup. Can someone send me in the right direction with this? I've tried several combinations.

@safety1g
Copy link

safety1g commented Jul 10, 2024

I can't get reverse proxy working, even on v2.0.

I can access the admin panel fine using http://tinfoil.'mydomain'.com but when i enter the details in tinfoil it's not working. Working fine with local IP. Working fine with public IP and port opened up.

Not sure if I'm entering something wrong in tinfoil. Currently I have:

Protocol: http
Host: tinfoil.'mydomain'.com
Port: 80 (also tried leaving this blank)
Path: /
Username: (blank - shop is set to public for testing purposes)
Password: (blank - shop is set to public for testing purposes)
Title: My Shop
Enabled: Yes

Any other troubleshooting steps I can could take?

EDIT: Seems like it's actually working in some form. I can access the games through file manager, but I don't get the welcome message when I start tinfoil, and the search doesn't work.

@Terror-Gene
Copy link

Terror-Gene commented Aug 1, 2024

If I use "Public Shop," it works for me through Nginx Proxy Manager (HTTPS). However, if I disable "Public Shop" and try to connect with a username and password, the shop doesn't load on Tinfoil startup, but I can browse the file browser (which then shows the success message) and see the content.

Here's what I tested:
(Local = HTTP, Proxy = HTTPS)

Public Shop:

  • Local: Yes (full function)
  • Proxy: Yes (full function)

Non-Public Shop (with user/pass in Tinfoil):

  • Local: Yes (full function)
  • Proxy: Semi (only file browser access, no success message on Tinfoil start)
  • Proxy (HTTP): Semi (only file browser access, no success message on Tinfoil start)

Non-Public Shop (without user/pass in Tinfoil):

  • Local: "Shop requires authentication" message on start
  • Proxy: "Shop requires authentication" message on start

Seems a bit of a strange behavior. (the more i play with this the more it feels like a tinfoil issue....)

I hope this helps in some way.

@a1ex4
Copy link
Owner

a1ex4 commented Aug 17, 2024

@Terror-Gene thanks for the detailed report, although I can't reproduce any issue with Tinfoil authentication, it works locally on the network with http, and remotely with https without any problem.

I personally use nginx-proxy/nginx-proxy which work without issue, let me know if you still have problems.

@Golumpa
Copy link

Golumpa commented Aug 21, 2024

Hey so I seem to be getting this funny issue aswel when running ownfoil on my nginx reverse proxy.

The EXACT symptoms as @Terror-Gene here #26 (comment)

I use swag as my main servers reverse proxy setup. proxy.conf and resolver.conf is part of base swag the only thing I added is ownfoil.subdomain.conf. this same setup works on all 20 other containers I am running on my server

ownfoil.subdomain.conf
server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name ownfoil.*;

  include /config/nginx/ssl.conf;

  client_max_body_size 0;

  location / {
      include /config/nginx/proxy.conf;
      include /config/nginx/resolver.conf;
      set $upstream_app ownfoil;
      set $upstream_port 8465;
      set $upstream_proto http;
      proxy_pass $upstream_proto://$upstream_app:$upstream_port;

  }
}
resolver.conf
# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.

resolver  127.0.0.11 valid=30s;
proxy.conf
## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect http:// $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;

@notmayo
Copy link

notmayo commented Aug 28, 2024

I see this issue so I wanted to share my nginx reverse proxy config to see if it helps anyone. I use a subdomain (tinfoil.x.x) as my method of access using nginx in a VM.

# SSL-enabled server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name tinfoil.REDACTED.com;
    root /var/www/tinfoil.REDACTED.com;

    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/tinfoil.REDACTED.X/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tinfoil.REDACTED.X/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/tinfoil.REDACTED.X/chain.pem;

    # Logging configuration
    access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
    error_log /var/log/nginx/error.log warn;

    # Index file
    index index.php;

    # Reverse proxy configuration
    location / {
        proxy_pass http://192.168.XXX.XXX:8465;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# HTTP to HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name tinfoil.REDACTED.X;

    location / {
        return 301 https://tinfoil.REDACTED.X$request_uri;
    }
}

@dslatt
Copy link

dslatt commented Sep 3, 2024

I ran into a similar problem.

When running through caddy the only part of Tinfoil that worked was the file browser. New games/dlc weren't visible and the 'Install All DLC/Latest Update' options from Tinfoil didn't seem to work. No issues actually installing the files however.

Everything worked fine once I removed caddy.

Feels like a tinfoil problem but idk.

@ajmandourah
Copy link

This is probably because of the http Auth used in the container. I have not test it but setting it to public shop then adding the http Auth in your reverse proxy should work. Will give it a try tomorrow.

@Gusfit1
Copy link

Gusfit1 commented Oct 4, 2024

EDIT: actually, it still doesn't work - I get failed to open NSP when I try to download a game.

Just wanted to stop in to say I was getting this error but with Cloudflare Tunnel, I can get around it by disabling "Always Use HTTPS" in Edge Certificates.

@dnsBlah
Copy link

dnsBlah commented Oct 10, 2024

try adding
proxy_set_header Authorization "";
proxy_set_header X-Forwarded-User $remote_user;

to your location block

@ajmandourah
Copy link

I think I solved this as I have faced the same issue when working on Tinshop-ng.
Tinfoil expect a content type json when querying shops. This is different from file browser which can just parse the response.
Some proxyies can manage that but explicitly assigning the header fixed the issue.
@a1ex4 lemme know if you need help with that

@a1ex4
Copy link
Owner

a1ex4 commented Oct 15, 2024

@ajmandourah thanks for the hint, although all requests served to Tinfoil explicitly have the Content-Type: application/json header. Since people are describing issues with authenticated requests I double checked and all requests are the same, through auth or not.

Now I am more convinced that the problem is in the reverse proxy configuration, I don't see anything different for Ownfoil... I'll try to change my reverse proxy configuration until it breaks and I can reproduce the issues described here and pinpoint the root cause.

@ajmandourah
Copy link

I see. It's been awhile since I do python. But jsonify should set a json header automatically I guess.
It seems weird as most re proxy won't modify any headers.
I was facing the same issue exactly where without Auth it worked in Tinshop-ng but with Auth somehow the content type was set to text.

Try caddy as it was not working till I sat the header manually.
Also give explicitly setting the content header either way. It was working for your setup from the start so I assume your reverse proxy was setting it correctly. Maybe caddy, npm or others was conflicting somehow.

I will do some testing when I have the time and give you some feedback

@NovaXeros
Copy link

NovaXeros commented Nov 11, 2024

try adding proxy_set_header Authorization ""; proxy_set_header X-Forwarded-User $remote_user;

to your location block

Tried this in a custom location block for / on Nginx Proxy Manager and sadly it made no difference.

If I direct tinfoil directly at my server locally with port 8465 it works with authentication, but if I use a local reverse proxy (http://ownfoil.lan) or exposed reverse proxy (https://foil.domain.com) the tinfoil shop shows as empty and no files are listed in the browser.

The docker terminal logs (displayed on Dockge) also don't seem to receive any API requests from Tinfoil, despite being able to browse to either of the above URLs and log in to see the UI as expected.

Update:

After closing Tinfoil and reopening, it threw an error that the "Shop requires Authentication" so clearly the above approach didn't work.

Howver, removing the custom location block and reverting to previous results in the shop working, to some extent (I get the shop welcome message and can see my files in "File Browser" but no New Games list appears as it does if I don't use reverse proxy, even after restarting Tinfoil). Very confusing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests