Cryptpad sandbox has the same internal port as "Wanderer-Trails" app

What type of hardware are you using: VPS bought online
What YunoHost version are you running: 12.0.11
What app is this about: Cryptpad

Describe your issue

I tried to get the Cryptpad app running and I’m having issues with the pages on the sandbox domain. I can access the Cryptpad homepage without any problems, but as soon as I want to create a new document or access my profile, I get an error page with the message “blocked site”.

The installation went through without any issues, and after initial problems due to a missing certificate for the sandbox domain, everything seemed to be set up correctly. However, the error page remains, regardless of which browser and device I use.

When I directly access sandbox.cryptpad.domain.org, I end up on the Wanderer-Trails page, one of my other Yunohost apps. That doesn’t seem right and is certainly not the expected behavior from Cryptpad?

Since I’m not an expert with Yunohost and don’t know exactly how things work in the background, my thoughts are pure speculation. I have a rough idea of how Nginx works as a reverse proxy and think there might be an issue here.

I looked at the nginx configs of both apps (Wanderer, Cryptpad) and believe there is an error in the Cryptpad nginx-sandbox.conf. The relevant section looks like this:

location / {
    proxy_pass            http://localhost:3000;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      Host $host;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size  150m;

    proxy_http_version    1.1;
    proxy_set_header      Upgrade $http_upgrade;
    proxy_set_header      Connection upgrade;
}

location ^~ /cryptpad_websocket {
    proxy_pass            http://localhost:3003;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      Host $host;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_http_version    1.1;
    proxy_set_header      Upgrade $http_upgrade;
    proxy_set_header      Connection upgrade;
}

Here, ports 3000 and 3003 are hardcoded and do not use the Yunohost variables.

In the Wanderer nginx.conf, it looks different:

proxy_pass http://127.0.0.1:__PORT__/;
proxy_set_header Connection '';
proxy_http_version 1.1;
proxy_read_timeout 360s;

Here, __PORT__ is used to utilize the variables set by Yunohost during installation.

When I check the config files of my Yunohost installation, the two apps have a collision on port 3000, which likely explains why I end up on the Wanderer page.

So my assumption is that the Cryptpad nginx-sandbox.conf is faulty and that the hardcoded ports need to be replaced with variables? Could that be correct, or is it another issue?

Share relevant logs or error messages

Nginx config on github: cryptpad_ynh/conf/nginx-sandbox.conf at master · YunoHost-Apps/cryptpad_ynh · GitHub
Wanderer config on github:

testing a fix for Wanderer:

1 Like

Thank you! So there is no problem with the cryptpad config or is this just a way to optimize the wanderer installation?

From my POV it’s more a Cryptpad issue (you can see the conversation in said Wanderer’s PR).

Am I right to think that you first installed Wanderer, and then Cryptpad?

Yes, Wanderer had already been installed for a few weeks.

1 Like

Thank you guys for the quick updates in wanderer. Unfortunately just updating wanderer doesn’t help, it stays on Port 3000. So I uninstalled wanderer and cryptpad works as expected.

Since I have a bunch of data in wanderer, I recovered it from the backup but it doesn’t work. If I access its domain I land on the cryptpad site…

Would it be helpful if I try to create a pull request for the cryptpad file?

May I ask you to try to upgrade to my branch by running the following command:

yunohost app upgrade cryptpad -u https://github.com/Thovi98/cryptpad_ynh/tree/testing --debug

Btw the “fix” in Wanderer has no impact on upgrade, only on new installations (there is no preconfigured port anymore, it will be chosen by Yunohost on install)

Ok, so you have tested this? Like, if port 3000 and/or 3003 is used by another app, did the variables for __PORT__ and __PORT_SOCKET__ change?

To manually change the hardcoded ports after an install, it should be something like this:

yunohost app setting cryptpad port -v xxxx
yunohost app setting cryptpad port -v xxxx
yunohost app setting cryptpad port_socket -v xxxx

I have 3 settings in cryptpad for ports in /etc/yunohost/apps/cryptpad/settings.yml ???

port: '3000'
port_porti: 3001
port_socket: 3003
porti: '3001'

Be careful, there are also configs here:

Updating Cryptpad with your command does not change the ports, but reinstalling it solves my problem at first sight.
The port is different to 3000 and everything seems to work. Wanderer still works too.

    location / {
        proxy_pass            http://localhost:3001;
        proxy_set_header      X-Real-IP $remote_addr;
        proxy_set_header      Host $host;
        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size  150m;

        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection upgrade;
    }

    location ^~ /cryptpad_websocket {
        proxy_pass            http://localhost:3003;
        proxy_set_header      X-Real-IP $remote_addr;
        proxy_set_header      Host $host;
        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection upgrade;
    }

Ok, so I could approve your PR @Tho, do you think it is an advancement?

1 Like

I think so, because the port in nginx-sandbox.conf was fixed but for the other files and in the manifest, the ports were set as 3000 and 3003 but not fixed. So if at install another port is chosen, the ports in nginx-sandbox.conf won’t be updated.

But I don’t use the app so my thoughts are limited here :slight_smile:

1 Like

I have doubts…
So, is it possible to verify whether another port is chosen? Do you see it in the file /var/www/cryptpad/config/config.js for httpPort: __PORT__, and websocketPort: __PORT_SOCKET__?

I was thinking about a choice for the ports, if possible… looking into whether it’s possible to do…

So in my installation where Port 3000 is blocked by wanderer, my /var/www/cryptpad/config/config.js looks like this:

/*  httpPort specifies on which port the nodejs server should listen.
 *  By default it will serve content over port 3000, which is suitable
 *  for both local development and for use with the provided nginx example,
 *  which will proxy websocket traffic to your node server.
 *
 */
    httpPort: 3001,

/*  httpSafePort allows you to specify an alternative port from which
 *  the node process should serve sandboxed assets. The default value is
 *  that of your httpPort + 1. You probably don't need to change this.
 *
 */
    // httpSafePort: 3001,

/*  Websockets need to be exposed on a separate port from the rest of
 *  the platform's HTTP traffic. Port 3003 is used by default.
 *  You can change this to a different port if it is in use by a
 *  different service, but under most circumstances you can leave this
 *  commented and it will work.
 *
 *  In production environments, your reverse proxy (usually NGINX)
 *  will need to forward websocket traffic (/cryptpad_websocket)
 *  to this port.
 *
 */
    websocketPort: 3003,

OK, if you check Cryptpad, is it OK?

https://cryptpad.yourdomain.com/checkup/

50/55 checks are okay.
The 5 checks with an issue are about missing admin info, nothing about domains.

thanks
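
The collision discussed in this thread (two apps' rendered nginx configs proxying to the same loopback port, and an nginx file keeping a port the app settings no longer list) can be checked mechanically. The following is an added example, not part of the thread or of either YunoHost package; the function names and the sample config text are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches proxy_pass to a loopback upstream with a literal port.
# Unrendered templates such as __PORT__ deliberately do not match.
PROXY_RE = re.compile(
    r"^\s*proxy_pass\s+https?://(?:localhost|127\.0\.0\.1|\[::1\]):(\d+)",
    re.M,
)

def upstream_ports(conf_text):
    """Return the set of literal loopback ports a config proxies to."""
    return {int(p) for p in PROXY_RE.findall(conf_text)}

def find_collisions(configs):
    """configs: {app name: rendered nginx config text}.
    Return {port: [apps]} for every port more than one app proxies to."""
    owners = defaultdict(set)
    for app, text in configs.items():
        for port in upstream_ports(text):
            owners[port].add(app)
    return {p: sorted(a) for p, a in owners.items() if len(a) > 1}

def stale_ports(conf_text, settings_ports):
    """Ports nginx proxies to that the app's settings do not list,
    e.g. a hardcoded 3000 left behind when the app was given 3001."""
    return sorted(upstream_ports(conf_text) - set(settings_ports))

# Constructed sample input mirroring the situation in the thread.
SAMPLE_CONFIGS = {
    "cryptpad-sandbox": """
location / {
    proxy_pass            http://localhost:3000;
}
location ^~ /cryptpad_websocket {
    proxy_pass            http://localhost:3003;
}
""",
    "wanderer": """
location / {
    proxy_pass http://127.0.0.1:3000/;
}
""",
}

if __name__ == "__main__":
    print("shared upstream ports:", find_collisions(SAMPLE_CONFIGS))
    print("ports not in settings:",
          stale_ports(SAMPLE_CONFIGS["cryptpad-sandbox"], [3001, 3003]))
```

A shared port means one vhost can serve another app's content under its own domain, which is what the sandbox domain did here.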