Discouse with NginX reverse proxy - Cannot log in

When running an NGINX reverse proxy in front of Discourse you cannot log into the site. After submitting your credentials you are taken back to the index page and do not have a session. No errors are displayed and it seems from the logs that the login was successfull.

Creating scope :open. Overwriting existing method Poll.open.
Started GET "/" for 10.42.4.0 at 2021-10-05 14:24:41 +1300
Processing by ListController#latest as HTML
  Rendered list/list.erb within layouts/application (Duration: 8.8ms | Allocations: 1141)
  Rendered layout layouts/application.html.erb (Duration: 22.9ms | Allocations: 3194)
Completed 200 OK in 189ms (Views: 23.9ms | ActiveRecord: 0.0ms | Allocations: 21280)
Creating scope :open. Overwriting existing method Poll.open.
Started GET "/session/csrf" for 10.42.4.0 at 2021-10-05 14:24:52 +1300
Processing by SessionController#csrf as JSON
Completed 200 OK in 384ms (Views: 0.3ms | ActiveRecord: 0.0ms | Allocations: 5303)
Started POST "/session" for 10.42.4.0 at 2021-10-05 14:24:52 +1300
Processing by SessionController#create as */*
  Parameters: {"login"=>"admin", "password"=>"[FILTERED]", "second_factor_method"=>"1", "timezone"=>"Pacific/Auckland"}
Completed 200 OK in 1043ms (Views: 0.3ms | ActiveRecord: 0.0ms | Allocations: 147364)
Started POST "/login" for 10.42.4.0 at 2021-10-05 14:24:54 +1300
Processing by StaticController#enter as HTML
  Parameters: {"username"=>"admin", "password"=>"[FILTERED]", "redirect"=>"https://forum.test.financefeast.io/"}
Redirected to https://forum.test.financefeast.io/
Completed 302 Found in 3ms (ActiveRecord: 0.0ms | Allocations: 710)
Started GET "/" for 10.42.4.0 at 2021-10-05 14:24:54 +1300
Processing by ListController#latest as HTML
  Rendered list/list.erb within layouts/application (Duration: 46.7ms | Allocations: 11808)
  Rendered layout layouts/application.html.erb (Duration: 308.6ms | Allocations: 53646)
Completed 200 OK in 1123ms (Views: 311.1ms | ActiveRecord: 0.0ms | Allocations: 167190)

Tested without the NGIX reverse proxy in front of discourse and logins are fine. Is there any specific configuration for NGINX to get this working?

This is the NGINX conf:

server {

    listen 80;
    server_tokens off;
    server_name forum.test.financefeast.io;
    location / {
	 return 301 https://$host$request_uri;
    }
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
         expires 30m;
         add_header Pragma public;
         add_header Cache-Control "public";
    }
}
		
server {

    ssl_certificate /etc/nginx/certs/test.financefeast.io-bundle.crt;
    ssl_certificate_key /etc/nginx/certs/test.financefeast.io.key;

    listen 443 ssl;
    server_name forum.test.financefeast.io;
    location / {
	add_header 'Access-Control-Allow-Origin' "$http_origin";
	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
	add_header 'Access-Control-Allow-Credentials' 'true';
	add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_read_timeout 90;
	proxy_http_version 1.1;
 	proxy_buffers 8 32k;
	proxy_buffer_size 64k;
	proxy_pass   https://kube_lb;
	}
}

You forgot to add a header:

proxy_set_header X-Forwarded-Proto https;

will fix this issue.

1 Like

I’ve added that directive but still getting the same issue. Conf looks like this now:

server {

    listen 80;
    server_tokens off;
    server_name forum.test.financefeast.io;
    location / {
	 return 301 https://$host$request_uri;
    }
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
         expires 30m;
         add_header Pragma public;
         add_header Cache-Control "public";
    }
}
		
server {

    ssl_certificate /etc/nginx/certs/test.financefeast.io-bundle.crt;
    ssl_certificate_key /etc/nginx/certs/test.financefeast.io.key;

    listen 443 ssl;
    server_name forum.test.financefeast.io;
    location / {
	add_header 'Access-Control-Allow-Origin' "$http_origin";
	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
	add_header 'Access-Control-Allow-Credentials' 'true';
	add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;
	proxy_read_timeout 90;
	proxy_http_version 1.1;
 	proxy_buffers 8 32k;
	proxy_buffer_size 64k;
	proxy_pass   https://kube_lb;
	}
}