"Instructions" not showing when using reverse proxy #3446

Open
Engr-AllanG opened this issue Dec 23, 2024 · 15 comments
Labels
setup issue possibly or definitely an issue with the user setup

Comments

@Engr-AllanG

Issue

Hello,
I cannot get the "instruction" section to show when using a reverse proxy. When accessing the application using the local IP address, it works fine.

The untare Android app, which is using my public domain name and therefore is going through my reverse proxy, seems to find the directions block.

I am using the supplied docker setup with the dedicated nginx container. I have a separate reverse proxy in a separate proxmox container. Images in tandoor are loading fine.

Any help would be appreciated, thank you

image
image

Tandoor Version

1.5.24

OS Version

Ubuntu 22.04

Setup

Docker / Docker-Compose

Reverse Proxy

Others (please state below)

Other

nginx, separate proxmox container

Environment file

```
# ---------------------------------------------------------------------------
# This template contains only required options.
# Visit the docs to find more https://docs.tandoor.dev/system/configuration/
# ---------------------------------------------------------------------------

# random secret key, use for example `base64 /dev/urandom | head -c50` to generate one
SECRET_KEY=blah

# allowed hosts (see documentation), should be set to your hostname(s) but might be * (default) for some proxies/providers
ALLOWED_HOSTS=*

# add only a database password if you want to run with the default postgres, otherwise change settings accordingly
DB_ENGINE=django.db.backends.postgresql
POSTGRES_HOST=db_recipes
POSTGRES_DB=djangodb
POSTGRES_PORT=5432
POSTGRES_USER=djangouser
POSTGRES_PASSWORD=blah

#shouldn't be needed anymore, my issue was my host reverse proxy not needing the /media location
#GUNICORN_MEDIA=0
```

Docker-Compose file

```
services:
  db_recipes:
    restart: always
    image: postgres:16-alpine
    volumes:
      - ./postgresql:/var/lib/postgresql/data
    env_file:
      - ./.env

  web_recipes:
    restart: always
    image: vabene1111/recipes
    env_file:
      - ./.env
    volumes:
      - staticfiles:/opt/recipes/staticfiles
      # Do not make this a bind mount, see https://docs.tandoor.dev/install/docker/#volumes-vs-bind-mounts
      - nginx_config:/opt/recipes/nginx/conf.d
      - ./mediafiles:/opt/recipes/mediafiles
    depends_on:
      - db_recipes

  nginx_recipes:
    image: nginx:mainline-alpine
    restart: always
    ports:
      - 8080:80
    env_file:
      - ./.env
    depends_on:
      - web_recipes
    volumes:
      # Do not make this a bind mount, see https://docs.tandoor.dev/install/docker/#volumes-vs-bind-mounts
      - nginx_config:/etc/nginx/conf.d:ro
      - staticfiles:/static:ro
      - ./mediafiles:/media:ro

volumes:
  nginx_config:
  staticfiles:
```

Relevant logs

reverse proxy configuration:

```
server {
	listen 443 ssl;
	server_name ----.net;
	include /etc/nginx/includes/ssl.conf;
	include /etc/nginx/includes/securityheaders.conf;

	ssl on;
	server_tokens off;

	access_log /var/log/nginx/tandoor-access.log;
	error_log  /var/log/nginx/tandoor-error.log error;

	client_max_body_size 128M;

	add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' data: blob: http: https:; object-src 'none'; base-uri 'none'; frame-ancestors 'self';" always;

	add_header "Access-Control-Allow-Origin" "$http_origin";

	location / {
		proxy_set_header Host $http_host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Frame-Options SAMEORIGIN;

		#include proxy_params;
		proxy_pass http://192.168.1.232:8080;
	}
}
```

@Engr-AllanG Engr-AllanG added the setup issue possibly or definitely an issue with the user setup label Dec 23, 2024
@SpacemanSpiffy1

Check the development console for the following screenshot. I am having a similar issue, and it's due to something with the reverse proxy settings, though I haven't solved it yet.

image

@smilerz
Collaborator

smilerz commented Jan 8, 2025

> Check the development console for the following screenshot. I am having a similar issue, and it's due to something with the reverse proxy settings, though I haven't solved it yet.
>
> image

your reverse proxy, most likely, isn't setting headers properly.

@SpacemanSpiffy1

@smilerz That's what I have found as well, but there are a lot of variations in the fixes that have supposedly worked for people. I haven't been able to find a solution yet. Do you by chance happen to have a working reverse proxy config file we can take a look at?

@smilerz
Collaborator

smilerz commented Jan 8, 2025

which header are you missing?

@SpacemanSpiffy1

Not entirely sure. I think I've added all the ones that were missing, along with the example they gave on the site. Here is my config.

```
server {
    if ($host = recipes.xxx.com) { # replace domain
        return 301 https://$host$request_uri;
    }

    server_name recipes.xxx.com; # replace domain
    listen 80;
    return 404;
}

server {
    server_name recipes.xxx.com; # replace domain
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/recipes.xxx.com/fullchain.pem; # replace domain
    ssl_certificate_key /etc/letsencrypt/live/recipes.xxx.com/privkey.pem; # replace domain
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_set_header HTTP_HOST recipes.xxx.com;
        proxy_set_header HTTP_X_FORWARDED_HOST recipes.xxx.com;
        proxy_set_header Host $http_host; # try $host instead if this doesn't work
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://10.0.3.37:8002; # replace port
        proxy_redirect http://10.0.3.37:8002 https://recipes.xxx.com; # replace port and domain
    }
}
```

@SpacemanSpiffy1

Missed one, HTTP_X_FORWARDED_PROTO, but it still doesn't work.

@smilerz
Collaborator

smilerz commented Jan 8, 2025

can you please share the headers as seen by tandoor

@SpacemanSpiffy1

I added the following configs to the nginx config for header logging,

```
log_format custom_format '$remote_addr - $remote_user [$time_local] "$request" '
                         '$status $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for" '
                         'Headers: $http_x_real_ip $http_host $http_authorization';

access_log /var/log/nginx/access.log custom_format;
```

It produced this log

```
10.0.3.7 - - [08/Jan/2025:22:59:30 +0000] "GET /manifest.json HTTP/1.0" 200 1420 "https://recipes.xxxx.com/search/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "10.0.3.1" Headers: 10.0.3.1 recipes.xxxx.com -
```

@SpacemanSpiffy1

I am adding more headers to the log

@SpacemanSpiffy1

```
log_format custom_format '$remote_addr - $remote_user [$time_local] "$request" '
                         '$status $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for" '
                         'Headers: $http_x_real_ip $http_host $http_authorization $HTTP_HOST $HTTP_X_FORWARDED_HOST $HTTP_X_FORWARDED_PROTO';
```

```
Headers: 10.0.3.1 recipes.burningcrowhosting.com - recipes.burningcrowhosting.com - https
```

@smilerz
Collaborator

smilerz commented Jan 8, 2025

they are listed in /system/ under Debug

@SpacemanSpiffy1

SpacemanSpiffy1 commented Jan 9, 2025

Ah, found it.

```
Gunicorn Media: False
Sqlite: False
PostgreSQL: 14
Debug: True

SERVER_PROTOCOL:HTTP/1.0
REMOTE_ADDR:
SERVER_PORT:80

HTTP_HOST:recipes.xxx.com
HTTP_X_FORWARDED_PROTO:http
HTTP_CONNECTION:close
HTTP_X_REAL_IP:10.0.3.1
HTTP_X_FORWARDED_FOR:10.0.3.1
HTTP_SEC_CH_UA:"Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
HTTP_SEC_CH_UA_MOBILE:?0
HTTP_SEC_CH_UA_PLATFORM:"Windows"
HTTP_UPGRADE_INSECURE_REQUESTS:1
HTTP_USER_AGENT:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
HTTP_ACCEPT:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
HTTP_SEC_FETCH_SITE:none
HTTP_SEC_FETCH_MODE:navigate
HTTP_SEC_FETCH_USER:?1
HTTP_SEC_FETCH_DEST:document
HTTP_ACCEPT_ENCODING:gzip, deflate, br, zstd
HTTP_ACCEPT_LANGUAGE:en-US,en;q=0.9
HTTP_PRIORITY:u=0, i
HTTP_COOKIE:csrftoken=rC0IoqrQbD8JOpZbxItvOCqCqv2NxlDG; csrftoken=TXpLzQ5WOWjeB6Rqtiy95XXDzxBQqf1X; sessionid=bqldtryobj3hmb1iwgks9cw8p455pke4

wsgi.errors:<gunicorn.http.wsgi.WSGIErrorsWrapper object at 0x7fa50c4c7820>
wsgi.version:(1, 0)
wsgi.multithread:False
wsgi.multiprocess:False
wsgi.run_once:False
wsgi.file_wrapper:
wsgi.input_terminated:True
wsgi.input:<gunicorn.http.body.Body object at 0x7fa50c36f490>
wsgi.url_scheme:http
```

@SpacemanSpiffy1

@smilerz the Tandoor server was overwriting the header.

```
server {
    listen 8002;
    #access_log /var/log/nginx/access.log;
    #error_log /var/log/nginx/error.log;

    # serve media files
    location /static/ {
        alias /var/www/recipes/staticfiles/;
    }

    location /media/ {
        alias /var/www/recipes/mediafiles/;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://unix:/var/www/recipes/recipes.sock;
        #proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

@SpacemanSpiffy1

@Engr-AllanG On top of making certain your reverse proxy server is set with the proper header values, you need to edit the nginx config /etc/nginx/conf.d/recipes.conf on the Tandoor server as well, and change the X-Forwarded-Proto to https instead of $scheme. That worked for me.
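
A header-preserving variant of the inner nginx config from this thread, as an added example (not posted by any participant and not Tandoor's shipped config): a `map` forwards the `X-Forwarded-Proto` value received from the TLS-terminating proxy instead of overwriting it with this hop's `$scheme` or hard-coding `https`. The variable name `$upstream_forwarded_proto` is hypothetical; the port, paths and socket are copied from the config posted above.

```nginx
# Added example. Files in conf.d are included at http level, so the map
# can sit at the top of recipes.conf.
# Keep the scheme reported by the outer proxy; fall back to this hop's own
# $scheme only when no X-Forwarded-Proto header arrived.
map $http_x_forwarded_proto $upstream_forwarded_proto {   # hypothetical variable name
    default $http_x_forwarded_proto;
    ""      $scheme;
}

server {
    listen 8002;

    # serve static and media files
    location /static/ {
        alias /var/www/recipes/staticfiles/;
    }

    location /media/ {
        alias /var/www/recipes/mediafiles/;
    }

    location / {
        proxy_set_header Host $http_host;

        # Before: $scheme describes the connection to THIS server. The outer
        # proxy connects over plain HTTP, so the "https" it sent was replaced
        # by "http" (HTTP_X_FORWARDED_PROTO:http in the debug output).
        #proxy_set_header X-Forwarded-Proto $scheme;

        # After: pass through what the outer proxy reported.
        proxy_set_header X-Forwarded-Proto $upstream_forwarded_proto;

        proxy_pass http://unix:/var/www/recipes/recipes.sock;
    }
}
```

This is only safe when port 8002 is reachable solely from the reverse proxy, since any client that can connect to it directly can supply its own `X-Forwarded-Proto`.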

@Engr-AllanG
Author

Engr-AllanG commented Jan 10, 2025 via email
