AstonJ
October 21, 2016, 12:58pm
1
I upgraded the forum last night and this morning several members have emailed saying they can’t register (everything appears to work but when redirected back to the forum they are still shown the log-in/sign-up and can’t post etc).
I’ve tried using a Twitter log-in on one of our existing accounts and I get the same thing.
Anyone know how to troubleshoot this? There are no errors in the error log. The forum is at https://elixirforum.com
Edit : Normal username and password logins are not working either.
1 Like
Falco
October 21, 2016, 1:08pm
2
Maybe it’s related?
Sites down:
Note that if these sites seem to be up to you, it’s likely that your machine has cached the DNS response for these sites.
Some of these sites seem to work when using a UK VPN
https://news.ycombinator.com/item?id=12759520
3 Likes
AstonJ
October 21, 2016, 2:50pm
3
I don’t think this is the issue because I managed to log in via Twitter to Discourse ok.
1 Like
Falco
October 21, 2016, 2:51pm
4
And I managed to login with Github on Meta just now.
This looks like something with the new secure cookie. Is your setup just standard docker? I think you are on multisite right?
Is force_https on for you?
EDIT: Your redirect URI is http on Github Login, somehow. Here on meta is correctly set to https.
AstonJ
October 21, 2016, 3:48pm
5
Still getting the same thing (changed github callback url to https://elixirforum.com ).
I’m not using multisite, just multiple single containers.
Yep, force_https is selected.
I think it’s to do with the update : /
Falco
October 21, 2016, 3:51pm
6
When logging with Github on Meta:
https://github.com/login?client_id=redacted&return_to=%2Flogin%2Foauth%2Fauthorize%3Fclient_id%redacted%26redirect_uri%3Dhttps%253A%252F%252Fmeta.discourse.org%252Fauth%252Fgithub%252Fcallback%26response_type%3Dcode%26scope%3Duser%253Aemail%26state%redacted
On Elixir Forum:
https://github.com/login?client_id=redacted&return_to=%2Flogin%2Foauth%2Fauthorize%3Fclient_id%redacted%26redirect_uri%3Dhttp%253A%252F%252Felixirforum.com%252Fauth%252Fgithub%252Fcallback%26response_type%3Dcode%26scope%3Duser%253Aemail%26state%redacted
Notice http VS https
2 Likes
riking
October 21, 2016, 4:08pm
7
Yeah, the redirect Uri is plain http. This is the secure cookies change
2 Likes
AstonJ
October 21, 2016, 4:11pm
8
I just tried logging in with a normal username and password and that is not working either.
What is the secure cookies change and what do I need to do to fix it?
Falco
October 21, 2016, 4:11pm
9
https://meta.discourse.org/t/secure-cookie-flag/28058/33?u=falco
We are adding necessary security on https enabled sites.
It can break if https isn’t set properly.
riking
October 21, 2016, 4:12pm
10
Go to your GitHub oauth settings and change the redirect URL to be https.
2 Likes
AstonJ
October 21, 2016, 4:19pm
11
I set it to https earlier. But still, why would it affect normal username and password logins (which isn’t working either). Or Twitter?
I also just tried to rebuild one of the other forums… and that failed cos Could not resolve host: github.com; (which I guess is due to their current problems).
Can we switch this secure cookie update off via ACP or revert to an older version for the time being?
Edit : My set-up is detailed in this How To: How to set up Discourse on a server with existing Apache sites
Falco
October 21, 2016, 4:39pm
12
So it’s:
Internet -> Haproxy -> Apache -> Docker -> Nginx -> Unicorn
When using something outside docker, I know it’s recommended make the inner nginx listen in a unix socket so stuff don’t break. However I don’t have much experience in your stack.
AstonJ
October 21, 2016, 4:45pm
13
No, it’s simply:
Haproxy -> Apache sites
Or for the Discourse forums:
Haproxy -> Discourse Docker
1 Like
AstonJ
October 21, 2016, 4:55pm
14
Why is this an unsupported install @Falco ? It is a Docker install as normal - the only difference is Haproy on the front (as there is no other way to run ‘normal’ websites on the same server - or do you know what the supported method is of running normal sites on a server as well?).
Also is there any way I can roll back the discourse version to before these new secure cookies were introduced? (Without reverting to an older database).
AstonJ
October 21, 2016, 5:00pm
15
Github is back online and it’s set to https:
Falco
October 21, 2016, 5:10pm
16
I think that the call back should be:
1 Like
AstonJ
October 21, 2016, 5:30pm
17
I’ve done that but it’s still http in the url
Btw, I’m not using web.ssl.template.yml as I thought there was no need if you are using something like nginix or haproxy on the front end (which handles the https side of things).
cpradio
October 21, 2016, 5:39pm
18
So you are terminating HTTPS at haproxy then right? And then sending HTTP to Discourse Docker?
2 Likes
AstonJ
October 21, 2016, 5:53pm
19
Yes @cpradio
This is in my haproxy config (when it matches the url of my first Discourse forum):
backend discourse_docker
And in my container:
expose:
“8888:80” # fwd host port 80 to container port 80 (http)
“2222:22” # fwd host port 2222 to container port 22 (ssh)
Full file here:
After making changes to this file, you MUST rebuild for any changes
to take effect in your live Discourse instance:
/var/discourse/launcher rebuild app
Make sure to obey YAML syntax! You can use this site to help check:
this is the all-in-one, standalone Discourse Docker container template
You may add rate limiting by uncommenting the web.ratelimited template.
Out of the box it allows 12 reqs a second per ip, and 100 per minute per ip
This is configurable by amending the params in this file
templates:
“templates/postgres.template.yml”
“templates/redis.template.yml”
“templates/web.template.yml”
“templates/sshd.template.yml”
“templates/web.ratelimited.template.yml”
which TCP/IP ports should this container expose?
expose:
“8888:80” # fwd host port 80 to container port 80 (http)
“2222:22” # fwd host port 2222 to container port 22 (ssh)
params:
Set db_shared_buffers to a max of 25% of the total memory.
On 1GB installs set to 128MB (to leave room for other processes)
on a 4GB instance you may raise to 1GB
#db_shared_buffers: “256MB”
Set higher on large instances it defaults to 10MB, for a 3GB install 40MB is a good default
this improves sorting performance, but adds memory usage per-connection
#db_work_mem: “40MB”
Which Git revision should this container use? (default: tests-passed)
#version: tests-passed
env:
DISCOURSE_DEFAULT_LOCALE: en
TODO: How many concurrent web requests are supported?
With 2GB we recommend 3-4 workers, with 1GB only 2
#UNICORN_WORKERS: 3
TODO: List of comma delimited emails that will be made admin and developer
on initial signup example ‘user1@example.com,user2@example.com’
DISCOURSE_DEVELOPER_EMAILS: ‘myemail@gmx.net’
TODO: The domain name this Discourse instance will respond to
DISCOURSE_HOSTNAME: ‘metaruby.com ’
TODO: The mailserver this Discourse instance will use
DISCOURSE_SMTP_ADDRESS: mail.myserver.net contact@myforum.com #DISCOURSE_SMTP_ENABLE_START_TLS: false
The CDN address for this Discourse instance (configured to pull)
#DISCOURSE_CDN_URL: //discourse-cdn.example.com
These containers are stateless, all data is stored in /shared
volumes:
volume:
volume:
The docker manager plugin allows you to one-click upgrade Discourse
hooks:https://github.com/discourse/docker_manager.git https://github.com/discourse/discourse-tagging.git https://github.com/discourse/discourse-solved.git
Remember, this is YAML syntax - you can only have one block with a name
run:
exec: echo “Beginning of custom commands”
If you want to set the ‘From’ email address for your first registration, uncomment and change:
#- exec: rails r “SiteSetting.notification_email=‘info@unconfigured.discourse.org’”
After getting the first signup email, re-comment the line. It only needs to run once.
If you want to configure password login for root, uncomment and change:
Use only one of the following lines:
#- exec: /usr/sbin/usermod -p ‘PASSWORD_HASH’ root#- exec: /usr/sbin/usermod -p “$(mkpasswd -m sha-256 ‘RAW_PASSWORD’)” root
If you want to authorized additional users, uncomment and change:
#- exec: ssh-import-id username#- exec: ssh-import-id anotherusername
exec: echo “End of custom commands”
exec: awk -F# ‘{print $1;}’ ~/.ssh/authorized_keys | awk ‘BEGIN { print “Authorized SSH keys for this container:”; } NF>=2 {print $NF;}’
run:
(I think all of this was set-up in this manner after the advice I got here on Meta.)
pfaffman
October 21, 2016, 6:17pm
20
If you log in to your host and type
dig github.com
does it resolve? It’s not resolving anywhere that I can find.
; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17584
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;github.com. IN A
;; Query time: 5003 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Oct 21 14:13:00 EDT 2016
;; MSG SIZE rcvd: 39
root@forum:/var/discourse#
Right this minute 8.8.8.8 and 8.8.4.4 don’t find github and the ones of github’s DNS servers that I checked are unreachable. I’d wait a while before debugging this further
Tech Email: hostmaster@github.com
Name Server: ns2.p16.dynect.net
Name Server: ns3.p16.dynect.net
Name Server: ns4.p16.dynect.net
Name Server: ns1.p16.dynect.net
1 Like
