Cryptpad with Traefik - Connection Reset Error (vulcand/oxy/forward/websocket related?)

by novam   Last Updated January 13, 2018 18:00 PM

I'm attempting to set up Cryptpad via Docker, reachable through Traefik, on a public server. I have configured Traefik and Cryptpad to talk to each other, generated a cert for Cryptpad (manually via cert-bot) to be accessible over HTTPS, and can currently browse all the main, standard pages of the application (e.g. index.html, what-is-cryptpad.html, about.html, login.html, etc.). I can even register a user.

However, upon trying to navigate to any of the 'pads', I get a connection reset error in the browser. Similarly, if I register a user I get redirected to /drive, which results in a connection reset error as well. I thought maybe this was an issue with the websocket functionality attempting to make a connection to the host on 3000, so I opened that port with Traefik, but it didn't help. I'm not sure where else the issue would lie and unfortunately, the Traefik logs don't reveal much. In fact, when I try to access one of the 'pads' as an unregistered user, only the HTTP error codes are logged:

time="2018-01-12T23:45:45Z" level=debug msg="Round trip: http://172.19.0.3:3000, code: 304, duration: 1.153887ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:cryptpad.myserver.com" 
time="2018-01-12T23:45:46Z" level=debug msg="Round trip: http://172.19.0.3:3000, code: 303, duration: 1.40141ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:cryptpad.myserver.com" 
time="2018-01-12T23:45:46Z" level=debug msg="Round trip: http://172.19.0.3:3000, code: 200, duration: 1.374882ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:cryptpad.myserver.com" 
time="2018-01-12T23:45:46Z" level=debug msg="Round trip: http://172.19.0.3:3000, code: 404, duration: 1.592766ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:cryptpad.myserver.com" 

When I log in / register a user and am redirected to /drive though, something more substantial is logged. I'd like to imagine the problems are related, considering in the end I get the same connection reset error in the browser. The issue here seems to involve vulcand/oxy/forward/websocket, which is what originally led me down the path of (inadequately, apparently) diagnosing the websocket connection:

time="2018-01-12T23:49:40Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..." 
time="2018-01-12T23:49:40Z" level=debug msg="Got provided certificate for domains [cryptpad.myserver.com]" 
time="2018-01-12T23:49:40Z" level=debug msg="vulcand/oxy/forward/websocket: Copying from backend to client completed without error." 
time="2018-01-12T23:49:40Z" level=debug msg="vulcand/oxy/forward/websocket: Copying from client to backend completed without error." 
time="2018-01-12T23:49:40Z" level=debug msg="vulcand/oxy/forward/websocket: Copying from backend to client completed without error." 
time="2018-01-12T23:49:40Z" level=debug msg="vulcand/oxy/forward/websocket: Copying from backend to client completed without error." 
time="2018-01-12T23:49:40Z" level=debug msg="vulcand/oxy/forward/websocket: Copying from backend to client completed without error." 
time="2018-01-12T23:49:40Z" level=debug msg="vulcand/oxy/forward/websocket: Copying from client to backend completed without error." 
time="2018-01-12T23:49:40Z" level=debug msg="vulcand/oxy/forward/websocket: Copying from backend to client completed without error." 
time="2018-01-12T23:49:40Z" level=debug msg="vulcand/oxy/forward/websocket: Copying from backend to client completed without error." 
time="2018-01-12T23:49:40Z" level=debug msg="vulcand/oxy/forward/websocket: Copying from backend to client completed without error." 
time="2018-01-12T23:49:40Z" level=debug msg="vulcand/oxy/forward/websocket: Copying from backend to client completed without error." 
time="2018-01-12T23:49:40Z" level=debug msg="vulcand/oxy/forward/websocket: Copying from backend to client completed without error." 
time="2018-01-12T23:49:40Z" level=debug msg="Round trip: http://172.19.0.3:3000, code: 200, duration: 2.15833ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:cryptpad.myserver.com" 
time="2018-01-12T23:49:40Z" level=debug msg="Round trip: http://172.19.0.3:3000, code: 200, duration: 10.678191ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:cryptpad.myserver.com" 
time="2018-01-12T23:49:41Z" level=warning msg="vulcand/oxy/forward/websocket: Error when copying from client to backend using ReadMessage: websocket: close 1001 (going away)" 
time="2018-01-12T23:49:41Z" level=debug msg="http: response.WriteHeader on hijacked connection" 
time="2018-01-12T23:49:41Z" level=warning msg="vulcand/oxy/forward/websocket: Error when copying from backend to client using ReadMessage: read tcp 172.19.0.2:47698->172.19.0.3:3000: use of closed network connection" 
time="2018-01-12T23:49:41Z" level=debug msg="Round trip: http://172.19.0.3:3000, code: 200, duration: 1.258429ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:cryptpad.myserver.com" 
time="2018-01-12T23:49:41Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..." 
time="2018-01-12T23:49:41Z" level=debug msg="Got provided certificate for domains [cryptpad.myserver.com]" 
time="2018-01-12T23:49:41Z" level=debug msg="Round trip: http://172.19.0.3:3000, code: 303, duration: 1.211206ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:cryptpad.myserver.com" 
time="2018-01-12T23:49:41Z" level=debug msg="Round trip: http://172.19.0.3:3000, code: 404, duration: 2.534368ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:cryptpad.myserver.com" 
time="2018-01-12T23:49:41Z" level=debug msg="Round trip: http://172.19.0.3:3000, code: 200, duration: 5.287088ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:cryptpad.myserver.com" 

It seems strange to me that a lot of configuration needs to be done with nginx, apache, and haproxy, while with traefik, only a few labels are needed; so, I feel (and hope) like I just haven't configured some crucial settings. Below are the .env and docker-compose.yml files for Cryptpad:

VERSION=latest
USE_SSL=true
STORAGE='./storage/file'
LOG_TO_STDOUT=true

docker-compose.yml:

version: '2'
services:

  cryptpad:
    build:
      context: .
      args:
        - VERSION=${VERSION}
    image: "xwiki/cryptpad:${VERSION}"
    hostname: cryptpad

    labels:
      - "traefik.backend=cryptpad"
      - "traefik.docker.network=proxy"
      - "traefik.frontend.rule=Host:cryptpad.myserver.com"
      - "traefik.enable=true"
      - "traefik.port=3000"
      - "traefik.frontend.passHostHeader=true"
    environment:
      - USE_SSL=${USE_SSL}
      - STORAGE=${STORAGE}
      - LOG_TO_STDOUT=${LOG_TO_STDOUT}
    restart: always
    volumes:
      - ./data/files:/cryptpad/datastore:rw
      - ./data/customize:/cryptpad/customize:rw
    networks:
      - proxy
      - default
    expose:
      - "3000"

networks:
  proxy:
    external: true

I won't include the data/customize/config.js file here as I haven't changed anything in it. So in other words it still looks like this: https://github.com/xwiki-labs/cryptpad/blob/master/config.example.js. Below are the docker-compose.yml and traefik.toml files for Traefik:

version: '2'

services:
  traefik:
    image: traefik
    command: --docker
    networks:
      - proxy 
    ports:
      - "9080:9080"
      - "9443:9443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    labels:
      - "traefik.frontend.rule=Host:monitor.myserver.com"
      - "traefik.port=8080"
    container_name: traefik

networks:
  proxy:
    external: true

traefik.toml:

checkNewVersion = true
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]

[entryPoints]
    [entryPoints.http]
    address = ":9080"
        [entryPoints.http.redirect]
        entryPoint = "https"
    [entryPoints.https]
    address = ":9443"
        [entryPoints.https.tls]
            [[entryPoints.https.tls.certificates]]
            certFile = [snip]
            keyFile = [snip]
[retry]

[acme]
email = "admin@myserver.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false

[web]
address = ":8080"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myserver.com"
watch = true
exposedbydefault = false

Any help with this would be greatly appreciated. Of course I can also provide more details if necessary. Thank you!

P.S. This issue may be related to the issue discussed here https://github.com/xwiki-labs/cryptpad/issues/186; notice toward the bottom a person states they can access the main page but when accessing a pad they get a blank screen and that the docker-compose.yml file wasn't exposing the correct ports. Does anyone know what other ports aside from 3000 would need to be exposed?
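
A triage helper for the debug log format shown in the question, as an added example that is not part of the original post or of Traefik: it tallies backend status codes from the `Round trip` lines and records each websocket teardown with the side being read and the close code, separating the orderly RFC 6455 codes 1000 and 1001 from transport errors. The sample lines are copied from the post; the function and field names are assumptions of this example.

```python
import re
from collections import Counter

# Subset of the debug log lines quoted in the post above.
SAMPLE_LOG = r'''
time="2018-01-12T23:49:40Z" level=debug msg="vulcand/oxy/forward/websocket: Copying from backend to client completed without error."
time="2018-01-12T23:49:40Z" level=debug msg="Round trip: http://172.19.0.3:3000, code: 200, duration: 2.15833ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:cryptpad.myserver.com"
time="2018-01-12T23:49:41Z" level=warning msg="vulcand/oxy/forward/websocket: Error when copying from client to backend using ReadMessage: websocket: close 1001 (going away)"
time="2018-01-12T23:49:41Z" level=warning msg="vulcand/oxy/forward/websocket: Error when copying from backend to client using ReadMessage: read tcp 172.19.0.2:47698->172.19.0.3:3000: use of closed network connection"
time="2018-01-12T23:49:41Z" level=debug msg="Round trip: http://172.19.0.3:3000, code: 404, duration: 2.534368ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:cryptpad.myserver.com"
'''

LINE = re.compile(r'time="(?P<time>[^"]+)" level=(?P<level>\w+) msg="(?P<msg>.*)"$')
ROUND_TRIP = re.compile(r'Round trip: (?P<backend>\S+), code: (?P<code>\d{3}),')
WS_ERROR = re.compile(r'websocket: Error when copying from (?P<src>client|backend) to \w+')
WS_CLOSE = re.compile(r'websocket: close (?P<code>\d{4})')

# RFC 6455 section 7.4.1: 1000 and 1001 are orderly closes sent by a peer.
ORDERLY_CLOSE = {1000: "normal closure", 1001: "going away"}


def triage(log_text):
    """Summarise backend status codes and websocket teardown events."""
    status = Counter()
    ws_events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a time/level/msg line in the format above
        msg = m["msg"]
        rt = ROUND_TRIP.search(msg)
        err = WS_ERROR.search(msg)
        if rt:
            status[int(rt["code"])] += 1
        elif err:
            close = WS_CLOSE.search(msg)
            code = int(close["code"]) if close else None
            ws_events.append({
                "time": m["time"],
                "side": err["src"],        # peer the proxy was reading from
                "close_code": code,        # None means a transport-level error
                "orderly": code in ORDERLY_CLOSE,
            })
    return {"status": dict(status), "ws_events": ws_events}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
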


