Reverse proxy internal IP

Hi all, I am struggling with my fresh installation of Indico. I followed the instructions for installation and all went without a hitch. The problem is that it is running on port 8080 as http on that server. It is not a public-facing installation and I am using a Virtualmin server as my reverse proxy for this host. Virtualmin does the Let's Encrypt side and then acts as a reverse proxy for my server.

The host is https://events.hevo.co.za

When I try to register for a conference, the system does nothing. I will post screenshots etc. to the post in a few moments.

Make sure your BASE_URL is set correctly (with https), and that you restarted the indico-uwsgi and indico-celery services after changing your config.

Also make sure that USE_PROXY is set and your reverse proxy is sending the correct headers: Settings — Indico 3.2.8 documentation

This is my config file. When I attempt to make it BASE_URL = 'https://events.hevo.co.za' I get the following result:

This Indico instance can only be accessed via https://events.hevo.co.za

You need to change your SECRET_KEY right now since you just shared it in a public place. Knowing that key is enough to take over accounts on your instance (since one can generate e.g. a valid password reset token with it).

Your new error indicates that your reverse proxy is not sending the correct headers so Indico thinks it’s being accessed via a different URL.

Will change the key right now. In my Virtualmin I set proxying to my BASE_URL on port 8080. Is this wrong?

Does my nginx have to listen on port 443?

Do you mean the one from Indico? Doesn’t matter, any port will do. The main one (so on your Virtualmin instance) should be on 443 because that’s the standard for https…

Thanks for the assist. I managed to get it working.

Had to apply the Virtualmin setting correctly.

You have been great.
Checking on emails now.

Hi Again guys

I can’t believe I am stuck again.

The site stopped working again.

I don’t think I did anything to it but now I get the following error

Proxy Error

The proxy server could not handle the request

Reason: Error during SSL Handshake with remote server

I did attempt to change the certificate on my WordPress site of the domain hevo.co.za for email purposes, but this should not have had anything to do with this Indico site.

This is my nginx config

and here is my .indico.conf file

BASE_URL = 'https://events.hevo.co.za'
CELERY_BROKER = 'redis://127.0.0.1:6379/0'
REDIS_CACHE_URL = 'redis://127.0.0.1:6379/1'
DEFAULT_TIMEZONE = 'Africa/Johannesburg'
DEFAULT_LOCALE = 'en_GB'
ENABLE_ROOMBOOKING = True
CACHE_DIR = '/opt/indico/cache'
TEMP_DIR = '/opt/indico/tmp'
LOG_DIR = '/opt/indico/log'
STORAGE_BACKENDS = {'default': 'fs:/opt/indico/archive'}
ATTACHMENT_STORAGE = 'default'
USE_PROXY = True


STATIC_FILE_METHOD = ('xaccelredirect', {'/opt/indico': '/.xsf/indico'})

#Plugins
PLUGINS = {'vc_zoom', 'payment_paypal', 'payment_manual'}

My config in Virtualmin is just

This is my Let's Encrypt conf

Wonder if the certificates on the Indico are outdated now

From where is the proxy error coming? Your virtualmin reverse proxy? If yes, check the TLS config there. The logfiles might also contain more detailed information than “error during handshake”.

I also suggest trying to access your Indico server directly to see if TLS there is broken for some reason. But a problem on your virtualmin side sounds way more likely if that’s all you touched when it broke.

I added the site to my hosts and I can access it with the domain https://events.hevo.co.za.

But it asks for the self-hosted certificate to be accepted.

If you use a self-signed cert on your internal host, you need to make sure your Virtualmin reverse proxy trusts it or ignores invalid certificates.

Or just use plain HTTP there if it’s in a secure internal network (i.e. terminate TLS on the Virtualmin level).

So do I just remove the SSL component from the nginx config file, and only listen on port 8080 for example?

The result looks like this


The BASE_URL = https://events.hevo.co.za

You need to make sure the X-Forwarded-Proto: https header is sent, either by nginx or by your virtualmin reverse proxy.

Would this be something I would set in my Virtualmin Apache config, which is the frontend for my Virtualmin?

Yes, try this: RequestHeader set X-Forwarded-Proto https

Alternatively in the nginx config you can do this: proxy_set_header X-Forwarded-Proto https;
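
Why the missing header produces the "can only be accessed via" error, as an added example that is not part of the thread and not Indico's own code: a simplified model of how an application behind a TLS-terminating proxy rebuilds its URL and compares it with BASE_URL. The proxy address, the trusted-peer check and the helper names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

BASE_URL = "https://events.hevo.co.za"  # value from the thread's config
TRUSTED_PROXIES = {"192.0.2.10"}        # constructed: address of the front-end proxy


def effective_origin(environ):
    """Return scheme://host as the application would reconstruct it."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST", "")
    # X-Forwarded-* headers are set by whoever connects, so honour them only
    # when the TCP peer is the known reverse proxy (assumption of this model).
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        # The rightmost value is the one written by the nearest proxy.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[-1].strip().lower()
        if proto in ("http", "https"):
            scheme = proto
    return f"{scheme}://{host.lower()}"


def matches_base_url(environ):
    """True when the reconstructed origin equals the configured BASE_URL."""
    seen, want = urlsplit(effective_origin(environ)), urlsplit(BASE_URL)
    return (seen.scheme, seen.netloc) == (want.scheme, want.netloc)


def request(peer, forwarded_proto=None):
    """Constructed WSGI environ for a plain-HTTP hop to the backend on port 8080."""
    env = {"wsgi.url_scheme": "http", "HTTP_HOST": "events.hevo.co.za",
           "REMOTE_ADDR": peer}
    if forwarded_proto is not None:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return env


if __name__ == "__main__":
    cases = {
        "proxy, header missing": request("192.0.2.10"),
        "proxy, header set": request("192.0.2.10", "https"),
        "direct client, spoofed header": request("198.51.100.7", "https"),
    }
    for name, env in cases.items():
        print(f"{name:32} {effective_origin(env):28} ok={matches_base_url(env)}")
```

The third case is the reason the backend should be reachable only from the proxy when forwarded headers are honoured: any other client could otherwise claim an https origin itself.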