Discourse login "unknown" error with socketed operation

I have a problem with the "Unknown error" message on login. According to the log files, it seems to be a CSRF problem when opening the session (the POST operation results in a 403 response), but I do not understand the real cause.

The access error in the web_only container (/var/log/nginx/access.log):

[29/Mar/2022:18:08:30 +0000] "forum.netzwissen.de" 87.154.170.198 "POST /message-bus/e65d4728665448f4a47a8fc74a0a6478/poll HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0" "-" 200 538 "https://forum.netzwissen.de/" 25.002 25.002 "-" "-" "-" "-" "-" "-" "-"
[29/Mar/2022:18:08:41 +0000] "forum.netzwissen.de" 87.154.170.198 "GET /session/csrf HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0" "session/csrf" 200 716 "https://forum.netzwissen.de/" 0.029 0.030 "-" "-" "-" "-" "-" "-" "-"
[29/Mar/2022:18:08:41 +0000] "forum.netzwissen.de" 87.154.170.198 "POST /session HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0" "-" 403 494 "https://forum.netzwissen.de/" 0.007 0.006 "-" "-" "-" "-" "-" "-" "-"
[29/Mar/2022:18:08:56 +0000] "forum.netzwissen.de" 87.154.170.198 "POST /message-bus/e65d4728665448f4a47a8fc74a0a6478/poll HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0" "-" 200 538 "https://forum.netzwissen.de/" 25.003 25.002 "-" "-" "-" "-" "-" "-" "-"

The operational setup:

  • The haproxy load balancer is used for SSL termination
  • Apache is used as a reverse proxy on the local Docker host, delivering traffic to a local websocket (web.socketed.template.yml)
  • Current Discourse with separate containers for data and web_only
  • The original IP addresses are passed by haproxy (forwardfor) to Apache and from there via RemoteIPHeader X-Forwarded-For to the nginx inside the web_only container

I would need ideas for debugging this setup further. Configuration of the web_only container:

templates:
  - "templates/web.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.ratelimited.template.yml"
  - "templates/web.socketed.template.yml"

#expose:
##  - "127.0.0.1:84:80"   # http
##  - "443:443" # https

# Use 'links' key to link containers together, aka use Docker --link flag.
links:
  - link:
      name: data
      alias: data

params:
  ## Which Git revision should this container use? (default: tests-passed)
  #version: tests-passed

env:
  LANG: de_DE.UTF-8
  # DISCOURSE_DEFAULT_LOCALE: en

  UNICORN_WORKERS: 4
  DISCOURSE_HOSTNAME: 'forum.netzwissen.de'
  DOCKER_USE_HOSTNAME: true
  DISCOURSE_DEVELOPER_EMAILS: 'admin@netzwissen.de,support@netzwissen.de'

  DISCOURSE_SMTP_ADDRESS: mail.netzwissen.de
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: discourse@netzwissen.de
  DISCOURSE_SMTP_PASSWORD: xxxxxxxxxxxxxxx
  DISCOURSE_DB_SOCKET: ''
  DISCOURSE_DB_USERNAME: discourse
  DISCOURSE_DB_PASSWORD: xxxxxxxxxxxxxxx
  DISCOURSE_DB_HOST: data
  DISCOURSE_REDIS_HOST: data


volumes:
  - volume:
      host: /var/discourse/shared/web-only
      guest: /shared
  - volume:
      host: /var/discourse/shared/web-only/log/var-log
      guest: /var/log

## Plugins go here
## see https://meta.discourse.org/t/19157 for details
## in our case plugins are part of the web container
hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
          - git clone https://github.com/discourse/discourse-shared-edits.git
          - git clone https://github.com/discourse/discourse-chat-integration
          - git clone https://github.com/discourse/discourse-feature-voting
          - git clone https://github.com/discourse/wp-discourse
          - git clone https://github.com/discourse/discourse-openid-connect
          - git clone https://github.com/discourse/discourse-calendar
          - git clone https://github.com/discourse/discourse-data-explorer
          - git clone https://github.com/paviliondev/discourse-events
          - git clone https://github.com/paviliondev/discourse-locations

## Remember, this is YAML syntax - you can only have one block with a name
run:
  - exec: echo "Beginning of custom commands"
  - exec: rails r "SiteSetting.notification_email='discourse@netzwissen.de'"
  - replace:
      filename: /etc/nginx/conf.d/discourse.conf
      from: "types {"
      to: |
        set_real_ip_from 127.0.0.1/24;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
        proxy_set_header Host $http_host;
        proxy_set_header X-Request-Start "t=${msec}";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # replaced $thescheme;
        types {

  ## If you want to configure password login for root, uncomment and change:
  ## Use only one of the following lines:
  - exec: /usr/sbin/usermod -p 'xxxxxxxxxxxxxxxxxx' root
  
  - exec: echo "End of custom commands"
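
The pattern visible in the access log above (a 200 on GET /session/csrf followed by a 403 on POST /session from the same client) can be pulled out of a longer log automatically. The following Python is an added example, not part of the original post or of Discourse; the sample lines, hostname and client addresses are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the access-log layout quoted in the post
# (hostname and client addresses are placeholders, not values from the post).
SAMPLE_LOG = """\
[29/Mar/2022:18:08:30 +0000] "forum.example.org" 203.0.113.7 "POST /message-bus/abc123/poll HTTP/1.1" "Mozilla/5.0" "-" 200 538 "https://forum.example.org/" 25.002 25.002 "-"
[29/Mar/2022:18:08:41 +0000] "forum.example.org" 203.0.113.7 "GET /session/csrf HTTP/1.1" "Mozilla/5.0" "session/csrf" 200 716 "https://forum.example.org/" 0.029 0.030 "-"
[29/Mar/2022:18:08:41 +0000] "forum.example.org" 203.0.113.7 "POST /session HTTP/1.1" "Mozilla/5.0" "-" 403 494 "https://forum.example.org/" 0.007 0.006 "-"
[29/Mar/2022:18:09:10 +0000] "forum.example.org" 198.51.100.9 "GET /session/csrf HTTP/1.1" "Mozilla/5.0" "session/csrf" 200 716 "https://forum.example.org/" 0.031 0.030 "-"
[29/Mar/2022:18:09:11 +0000] "forum.example.org" 198.51.100.9 "POST /session HTTP/1.1" "Mozilla/5.0" "session/create" 200 1204 "https://forum.example.org/" 0.210 0.209 "-"
"""

# Leading fields: [time] "host" client "request" "user agent" "route" status bytes
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" (?P<ip>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" "(?P<ua>[^"]*)" '
    r'"(?P<route>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)

def parse(line):
    """Return the leading fields of one log line as a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def rejected_logins(log_text, window=timedelta(seconds=30)):
    """List (client, token_time, post_time) where a 200 on GET /session/csrf
    was followed within `window` by a 403 on POST /session from that client."""
    pending = {}  # client address -> time of its last successful token fetch
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and rec["path"] == "/session/csrf" and rec["status"] == 200:
            pending[rec["ip"]] = rec["ts"]
        elif rec["method"] == "POST" and rec["path"] == "/session":
            issued = pending.pop(rec["ip"], None)
            if rec["status"] == 403 and issued and rec["ts"] - issued <= window:
                hits.append((rec["ip"], issued, rec["ts"]))
    return hits
```

The pairing is keyed on the logged client address, so it is only meaningful when the X-Forwarded-For restoration shown in the configuration is working and distinct clients appear with distinct addresses.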