Login not possible (no SSO, no LDAP, etc.)


(Patrik Mayer) #1

Hi guys,

I don’t know if this is a bug. I’m hosting a dockerized discourse install for our local makerspace with the official docker discourse image.

Since I’m a web developer I’m fluent in PHP/JS/MySQL/etc. and general server administration. But Ruby and Rails are totally new to me; also, I have to admit this is my first dockerized application.

I’d never tried to “re-login” to the site as all worked perfectly. Today I just hit logout, because some of the users told me about login problems, and that they cannot log in anymore. The site is behind an nginx SSL proxy. But even on the local network (no https) I cannot log in anymore.

This is what happens:

  • After Login via the modal, the data is posted to /login which redirects me to / which then redirects me back to /login
  • From /login I get the desired (?) cookie: Set-Cookie:"_forum_session=[xxx]; path=/; HttpOnly" including the redirect to /.
  • From / I get the cookie Set-Cookie:"destination_url=http%3A%2F%2F<our-domain>%2F; path=/ _forum_session=[xxx]; path=/; HttpOnly" including the header-location to /login

I’ve already rebuilt the app with ./launcher rebuild app and can’t see anything more than the DB saving in my log:

40:M 25 Oct 15:39:55.051 * 10 changes in 300 seconds. Saving...
40:M 25 Oct 15:39:55.054 * Background saving started by pid 29231
29231:C 25 Oct 15:39:55.141 * DB saved on disk
29231:C 25 Oct 15:39:55.141 * RDB: 8 MB of memory used by copy-on-write
40:M 25 Oct 15:39:55.160 * Background saving terminated with success

This is the start after the rebuild:

run-parts: executing /etc/runit/1.d/copy-env
run-parts: executing /etc/runit/1.d/enable-brotli
Started runsvdir, PID is 28
sh: echo: I/O error
ok: run: redis: (pid 40) 0s
ok: run: postgres: (pid 39) 0s
                _._                                                  
           _.-``__ ''-._                                             
      _.-``    `.  `_.  ''-._           Redis 3.0.6 (00000000/0) 64 bit
  .-`` .-```.  ```\/    _.,_ ''-._                                   
 (    '      ,       .-`  | `,    )     Running in standalone mode
 |`-._`-...-` __...-.``-._|'` _.-'|     Port: 6379
 |    `-._   `._    /     _.-'    |     PID: 40
  `-._    `-._  `-./  _.-'    _.-'                                   
 |`-._`-._    `-.__.-'    _.-'_.-'|                                  
 |    `-._`-._        _.-'_.-'    |           http://redis.io        
  `-._    `-._`-.__.-'_.-'    _.-'                                   
 |`-._`-._    `-.__.-'    _.-'_.-'|                                  
 |    `-._`-._        _.-'_.-'    |                                  
  `-._    `-._`-.__.-'_.-'    _.-'                                   
      `-._    `-.__.-'    _.-'                                       
          `-._        _.-'                                           
              `-.__.-'                                               

40:M 25 Oct 14:14:38.516 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
40:M 25 Oct 14:14:38.517 # Server started, Redis version 3.0.6
40:M 25 Oct 14:14:38.517 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
40:M 25 Oct 14:14:38.517 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
40:M 25 Oct 14:14:38.547 * DB loaded from disk: 0.030 seconds
40:M 25 Oct 14:14:38.547 * The server is now ready to accept connections on port 6379
rsyslogd: command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http://www.rsyslog.com/e/2222 ]
rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
rsyslogd: activation of module imklog failed [v8.16.0 try http://www.rsyslog.com/e/2145 ]
rsyslogd: Could not open output pipe '/dev/xconsole':: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2039 ]
2016-10-25 14:14:39 UTC [55-1] LOG:  database system was shut down at 2016-10-25 14:14:25 UTC
2016-10-25 14:14:39 UTC [55-2] LOG:  MultiXact member wraparound protections are now enabled
2016-10-25 14:14:39 UTC [39-1] LOG:  database system is ready to accept connections
2016-10-25 14:14:39 UTC [59-1] LOG:  autovacuum launcher started
supervisor pid: 38 unicorn pid: 61
2016-10-25 14:14:52 UTC [86-1] discourse@discourse LOG:  duration: 117.795 ms  parse <unnamed>:               SELECT t.oid, t.typname, t.typelem, t.typdelim, t.typinput, r.rngsubtype, t.typtype, t.typbasetype
                  FROM pg_type as t
                  LEFT JOIN pg_range as r ON oid = rngtypid
                  WHERE
                    t.typname IN ('int2', 'int4', 'int8', 'oid', 'float4', 'float8', 'text', 'varchar', 'char', 'name', 'bpchar', 'bool', 'bit', 'varbit', 'timestamptz', 'date', 'time', 'money', 'bytea', 'point', 'hstore', 'json', 'jsonb', 'cidr', 'inet', 'uuid', 'xml', 'tsvector', 'macaddr', 'citext', 'ltree', 'interval', 'path', 'line', 'polygon', 'circle', 'lseg', 'box', 'timestamp', 'numeric')
                    OR t.typtype IN ('r', 'e', 'd')
                    OR t.typinput = 'array_in(cstring,oid,integer)'::regprocedure
                    OR t.typelem != 0

Maybe one of you can give me a hint, especially from a non-Ruby point of view.

Cheers,
Patrik


(Régis Hanol) #2

We recently added secure cookies. Have a look at this topic; it might help you fix your issue.


(Patrik Mayer) #3

I got it working again. Thanks for your hint.

All that was missing was to tell my nginx proxy in front of discourse_docker that the forwarded protocol is https, as I’ve configured force_https.

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;

Cheers,
Patrik
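
Added example, not code from this thread or from Discourse itself: a standalone Ruby model of why the missing header produces the login loop above. It follows the order Rack::Request uses to derive request.ssl? from X-Forwarded-Proto (and its sibling headers), and ActionDispatch's rule that a cookie flagged Secure is only written when request.ssl? is true. The cookie names, values, the login handler and the two Rack envs are assumptions constructed for illustration; no rack or rails gem is needed to run it.

```ruby
# Scheme detection in the order Rack::Request#scheme uses: HTTPS=on,
# X-Forwarded-Ssl, X-Forwarded-Scheme, X-Forwarded-Proto, then the scheme of
# the hop the app actually received (plain http from the proxy).
def request_scheme(env)
  return "https" if env["HTTPS"] == "on" || env["HTTP_X_FORWARDED_SSL"] == "on"
  forwarded = env["HTTP_X_FORWARDED_SCHEME"] || env["HTTP_X_FORWARDED_PROTO"]
  # Chained proxies append values ("https, http"); the first is the client-facing hop.
  return forwarded.split(",").first.strip.downcase if forwarded && !forwarded.empty?
  env["rack.url_scheme"] || "http"
end

def ssl?(env)
  request_scheme(env) == "https"
end

# ActionDispatch's cookie jar writes a Secure cookie only when the request is
# seen as SSL (write_cookie? = request.ssl? || !cookie[:secure]); otherwise the
# cookie is silently dropped. (Development mode writes it anyway, so the loop
# is a production-only symptom.) Returns the Set-Cookie value, or nil if dropped.
def write_cookie(env, name, value, secure: false, httponly: false)
  return nil if secure && !ssl?(env)
  attrs = ["#{name}=#{value}", "path=/"]
  attrs << "Secure" if secure
  attrs << "HttpOnly" if httponly
  attrs.join("; ")
end

# A login handler in the spirit of Discourse's: the session cookie is always
# written, the auth-token cookie is Secure when force_https is on. The names
# (_forum_session, _t) and values are illustrative assumptions.
def login_set_cookies(env, force_https:)
  [
    write_cookie(env, "_forum_session", "sess123", httponly: true),
    write_cookie(env, "_t", "tok456", secure: force_https, httponly: true),
  ].compact
end

# What the browser sends back: the Cookie request header built from the
# Set-Cookie lines it accepted (name=value only, attributes are not echoed).
def cookie_header(set_cookies)
  set_cookies.map { |c| c.split(";").first }.join("; ")
end

# Next request after login: the user is logged in only if the auth-token
# cookie came back; a login-required site sends everyone else to /login.
def next_request_target(cookie_header)
  cookie_header.split("; ").any? { |c| c.start_with?("_t=") } ? "/" : "/login"
end

# Constructed Rack envs for the two proxy configurations from the thread:
# TLS terminated at nginx, app reached over plain http, with and without
# the X-Forwarded-Proto header.
PROXY_WITHOUT_PROTO = { "rack.url_scheme" => "http", "HTTP_X_FORWARDED_FOR" => "203.0.113.5" }.freeze
PROXY_WITH_PROTO    = PROXY_WITHOUT_PROTO.merge("HTTP_X_FORWARDED_PROTO" => "https").freeze

if __FILE__ == $PROGRAM_NAME
  [["no X-Forwarded-Proto", PROXY_WITHOUT_PROTO],
   ["X-Forwarded-Proto: https", PROXY_WITH_PROTO]].each do |label, env|
    cookies = login_set_cookies(env, force_https: true)
    target = next_request_target(cookie_header(cookies))
    puts "#{label}: ssl?=#{ssl?(env)} set-cookie=#{cookies.inspect} -> next request lands on #{target}"
  end
end
```

With the first env the auth cookie is never emitted, so the browser only carries _forum_session and the next request lands back on /login, which is the / -> /login -> / loop from post #1; with the second env the cookie is emitted with Secure and the user stays logged in. Two things follow for the proxy side. A hard-coded `proxy_set_header X-Forwarded-Proto https;` as in the fix above is right for a server block that only serves TLS; if the same block also accepts plain HTTP, `$scheme` reflects the real client scheme instead. And because the app trusts this header, the application port must be reachable only through the proxy: a client that can talk to it directly can send its own `X-Forwarded-Proto: https` and have the app treat a plaintext connection as secure.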


(Rafael dos Santos Silva) #4