Indico behind Nginx reverse proxy

Yann_LEFEBVRE · March 24, 2019, 9:28pm

Hi,

I spend a lot of trying trying to find the solution by myself but I can’t find …

I have a Indico server running behind another server which is a nginx reverse proxy. The reverse proxy manage SSL, and communicates with other servers by HTTP and I wan’t to do the same with indico. When I deactivate SSL it’s OK (so USER<->HTTP<->REVERSE<-> HTTP <-> INDICO), but when I activate SSL on proxy, I got a lot of errors (so USER<->HTTPS<->REVERSE<-> HTTP <-> INDICO) :

I tried all possible apache conf (on Indico server), all possible Nginx conf and all possible indico.conf options, it always do the same …

So if someone has any idea or a working config I would appreciate

Regards

ThiefMaster · March 24, 2019, 9:30pm

Open one of the files that show up with a syntax error directly to see if they contain anything that looks strange.

Yann_LEFEBVRE · March 25, 2019, 10:31am

Thanks for your answer

I did, nothing looks strange, it’s the “normal” file. What is strange is that it’s not a “mixed content” error or anything like that which could be easy to understand as it’s a classic error mixing http and https, no, it’s a JS error like a script is not running and objects that are created in doesn’t exist :s

ThiefMaster · March 25, 2019, 10:34am

Strange… Unfortunately I only get your website when accessing http://indico.labsud.org/ and not Indico - otherwise I could have had a look…

Yann_LEFEBVRE · March 25, 2019, 10:37am

As I wanted to demonstrate Indico to other people, I let this instance in HTTP and I created another one in order to try to solve this https issue : https://indicodev.labsud.org

Yann_LEFEBVRE · March 25, 2019, 10:54am

I made some tests : some js scripts seems to be accessible and others not. I simply took direct link and try a GET. I got “protocol error” and some files are truncated :

UPDATE : it’s really strange, when I try to GET a script directly, sometimes it works, sometimes it fails (the file is cut after ~16000 char, size issue ?)

ThiefMaster · March 25, 2019, 11:12am

https://www.ssllabs.com/ssltest/analyze.html?d=indicodev.labsud.org shows some warnings but nothing likely related to your problem.

But since you mentioned the size, please check your nginx logs if there are any errors related to buffering data. With the correct aliases (make sure you use the one from https://docs.getindico.io/en/stable/ and not https://docs.getindico.io/en/latest/) nginx serves the data directly, buf if the aliases are wrong/missing, then the data would go through the Indico Python app and uwsgi, and nginx may need to buffer the data.

Yann_LEFEBVRE · March 25, 2019, 12:36pm

I checked : no error on Nginx reverse proxy, and no error on Indico Apache :s

Something more : behind this reverse proxy I have several servers that work well (nextcloud, Dolibarr, RocketChat, Wekan …), Indico is the only one giving this errors.

ThiefMaster · March 25, 2019, 12:40pm

So you have a nginx in front of Apache? Or what exactly is the setup you have?

Could you post the indico-related configs?

Yann_LEFEBVRE · March 25, 2019, 3:27pm

Great new : it works But I haven’t clear explanation … What I changed ? I switch to Nginx on Indico server.

To make things clear :

Before before (working) :
Client <-> HTTP <-> Nginx Reverse Proxy <-> HTTP <-> Apache Indico

Before (not working) :
Client <-> HTTPS <-> Nginx Reverse Proxy <-> HTTP <-> Apache Indico

Now (working):
Client <-> HTTPS <-> Nginx Reverse Proxy <-> HTTP <-> Nginx Indico

When I switched from Apache to Nginx, I got some error about file permissions (maybe I forgot a step ?) that I solved like a pig with chmod 777. Maybe Nginx is more explicit than Apache ? I don’t know … I will make a clean install and tell you if I find something.

But before switching I tried everything : adding buffer on reverse proxy, add all options possible … I changed nothing. Sometimes files were complete, sometimes they were cut.

TimmermanTim · May 27, 2021, 7:08am

Sorry to revive this old topic, but I was facing the same issue with our nginx reverse proxy. All I had to do to fix this issue was to put “ssi off;” in the nginx virtual server config.

ethio_historico · June 17, 2022, 4:24pm

Would you please explain that a bit more? I have a situation where I have a reverse proxy in front of my nginx Indico deployment. getting an error “…redirected you too many times” error

ethio_historico · June 20, 2022, 7:37pm

Sorry for this but I am in the same situation with an Nginx proxy in front … the web admin is telling me to disable ssl but when I do that indico stops working. I am running v3.1.
I have been fighting with this the past two days, I welcome any suggestion.
Thank you,

ThiefMaster · June 20, 2022, 7:41pm

Do you have a link to your instance? Without seeing what exactly is happening (errors, http error codes, etc.) we can just make wild guesses… (and tbh I’d open a new thread, most likely it’s a completely different problem).

Disabling SSL is certainly not an option unless SSL is terminated at an earlier stage (in that case set USE_PROXY = True in indico.conf and make sure that the X-Forwarded-Proto header is set to https).

ethio_historico · June 22, 2022, 5:01pm

Thank you for the response. to answer your question, yes, the proxy server provides SSL. What I need is to make sure indico works without SSL enabled. I tried your suggestion of USE_PROXY but even indico refused to restart with this option.

server {
  listen 80;
  server_name indico-t.myorg.org;
  USE_PROXY = True;
  location /.xsf/indico/ {
    internal;
    alias /opt/indico/;
  }

  location ~ ^/(images|fonts)(.*)/(.+?)(__v[0-9a-f]+)?\.([^.]+)$ {
    alias /opt/indico/web/static/$1$2/$3.$5;
    access_log off;
  }

  location ~ ^/(css|dist|images|fonts)/(.*)$ {
    alias /opt/indico/web/static/$1/$2;
    access_log off;
  }

  location /robots.txt {
    alias /opt/indico/web/static/robots.txt;
    access_log off;
  }

  location / {
    root /var/empty/nginx;
    include /etc/nginx/uwsgi_params;
    uwsgi_pass unix:/opt/indico/web/uwsgi.sock;
    uwsgi_param UWSGI_SCHEME $scheme;
    uwsgi_read_timeout 15m;
    uwsgi_buffers 32 32k;
    uwsgi_busy_buffers_size 128k;
    uwsgi_hide_header X-Sendfile;
    client_max_body_size 1G;
  }
}

ThiefMaster · June 22, 2022, 5:06pm

you need to put it in the Indico config, not the nginx config…

ethio_historico · June 22, 2022, 5:25pm

This actually is my indico.config file. I’m now trying to rebuild again. I will report back how that goes.
Thanks for all the help,

ethio_historico · June 23, 2022, 6:37pm

Ahh you mean in indico configuration file in the indico directory like below :

# General settings
SQLALCHEMY_DATABASE_URI = 'postgresql:///indico'
SECRET_KEY = b'\asdfa'
BASE_URL = 'https://endico-t.myorg.org'
CELERY_BROKER = 'redis://127.0.0.1:6379/0'
REDIS_CACHE_URL = 'redis://127.0.0.1:6379/1'
DEFAULT_TIMEZONE = 'GMT'
DEFAULT_LOCALE = 'es_ES'
ENABLE_ROOMBOOKING = True
CACHE_DIR = '/opt/indico/cache'
TEMP_DIR = '/opt/indico/tmp'
LOG_DIR = '/opt/indico/log'
STORAGE_BACKENDS = {'default': 'fs:/opt/indico/archive'}
ATTACHMENT_STORAGE = 'default'
USE_PROXY = True

ThiefMaster · June 23, 2022, 6:39pm

Yes, exactly!

PS: If that was your actual SECRET_KEY you need to replace it with a new random string that’s still secret.

ethio_historico · June 23, 2022, 9:33pm

I’m happy to report that I was able to make indico work with http with USE_PROXY = True and the reverse proxy providing SSL.
Thank you for the support!!