Dear community and developers,
I have a fresh YunoHost 3.4.2.2 running inside an LXC container hosted on a fresh Debian 9.7 install (x64 VPS OVH).
I downloaded and installed YunoHost from and on the LXC container (using the curl | bash way) and performed the post-installation from my web browser. For this last step, the Host (gateway address 10.5.0.1) acts as a VPN server allowing direct access to the LXC container (address 10.5.0.2) from the browser, using the public IP of the Host.
Below, please find the diagnosis as obtained from the admin panel Diagnostic tool:
{
    "host": "Debian 9.7",
    "kernel": "4.9.0-8-amd64",
    "packages": {
        "yunohost": {
            "repo": "stable",
            "version": "3.4.2.2"
        },
        "yunohost-admin": {
            "repo": "stable",
            "version": "3.4.2"
        },
        "moulinette": {
            "repo": "stable",
            "version": "3.4.2"
        },
        "ssowat": {
            "repo": "stable",
            "version": "3.4.2"
        }
    },
    "backports": [],
    "system": {
        "disks": {
            "sda1": "Mounted on /, 39.4GiB (36.3GiB free)"
        },
        "memory": {
            "ram": "3.8GiB (3.2GiB free)",
            "swap": "0B (0B free)"
        }
    },
    "nginx": [
        "nginx: the configuration file /etc/nginx/nginx.conf syntax is ok",
        "nginx: configuration file /etc/nginx/nginx.conf test is successful"
    ],
    "services": {
        "glances": "running (enabled)",
        "nslcd": "running (enabled)",
        "metronome": "running (enabled)",
        "postfix": "exited (enabled)",
        "rspamd": "running (enabled)",
        "yunohost-firewall": "exited (enabled)",
        "nginx": "running (enabled)",
        "php7.0-fpm": "running (enabled)",
        "dnsmasq": "running (enabled)",
        "fail2ban": "running (enabled)",
        "yunohost-api": "running (enabled)",
        "mysql": "running (enabled)",
        "avahi-daemon": "running (enabled)",
        "dovecot": "running (enabled)",
        "redis-server": "running (enabled)",
        "slapd": "running (enabled)",
        "ssh": "running (enabled)"
    },
    "applications": {},
    "security": {
        "CVE-2017-5754": {
            "name": "meltdown",
            "vulnerable": false
        }
    }
}
I have two issues that I cannot manage to find a solution for.
First, in the admin panel interface, I obtain the following error very frequently, while the page stops loading (the error comes with a red ribbon on the top of the page):
The server closed the connection instead of answering it, has nginx been restarted by error? (Error code/message: 0 error)
From the logs (as far as I know, for instance in /var/log/nginx/* or /var/log/syslog or monitoring systemctl status nginx), I cannot see that nginx is actually restarted. Any idea? It can be related to the fact that the YunoHost instance is running inside an LXC container; would you advise any checkups or tests to see if everything is running OK?
Secondly, I set up a domain to access my YunoHost instance, with the following steps:
- I set up the domain name DNS A record to the public address of the VPS (LXC Host)
- I created the proper LetsEncrypt certificate for this domain with Certbot
- I installed and set up an nginx web server on the LXC Host with the following conf file for the domain to redirect to the YunoHost LXC container (reverse proxy):
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name domain.tld www.domain.tld;
    root /var/www/html;
    index index.nginx-debian.html;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.5.0.2:80/;
        proxy_redirect http://10.5.0.2:80 http://domain.tld;
    }
}
server {
    listen 443;
    listen [::]:443 ipv6only=on;
    server_name domain.tld www.domain.tld;
    ssl_certificate /etc/letsencrypt/live/domain.tld/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/domain.tld.log;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.5.0.2:80/;
        proxy_redirect http://10.5.0.2:80 https://domain.tld;
    }
}
(please ask me for the actual – but obvious – domain name by private message if needed)
- I then added the domain to the YunoHost configuration, from the admin panel, which in turn generated the proper LetsEncrypt certificate inside the YunoHost LXC container.
- I also set up the proper firewall and iptables rules to allow connection to the LXC container from the domain.
Now, when I try to access the YunoHost LXC container with http(s)://(www.)domain.tld (any of the possibilities implied by the brackets), I end up in a sort of redirect loop, which ends up with the following browser error:
too many HTTP redirects
Or something like this in Firefox:
La page n’est pas redirigée correctement
Which translates into the following nginx logs:
- For the Host nginx /var/log/nginx/access.log file:
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:48 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:48 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:48 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:48 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:48 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:48 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:48 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:48 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:48 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
[04/Feb/2019:19:56:48 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
- For the YunoHost LXC container /var/log/nginx/access.log file:
10.5.0.1 - - [04/Feb/2019:18:56:47 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:47 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:47 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:47 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:47 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:47 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:47 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:47 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:47 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:47 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:47 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:48 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:48 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:48 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:48 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:48 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:48 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:48 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:48 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
10.5.0.1 - - [04/Feb/2019:18:56:48 +0000] "GET /yunohost/admin HTTP/1.0" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
I suspect a conflict between the nginx servers and https redirections and certificates that could lead to a sort of 301 redirect ping pong between the Host and the LXC container. I am not sure at all. But, in fact, it does not look consistent to have two LetsEncrypt certificates for the same domain, one on the Host and one on the YunoHost LXC container, which manages domains itself, but before breaking everything up I wanted to call for some help. Any idea how to correct things?
Thanks for your help! (tell me if a French version of my post would be useful)
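
An added example, not part of the original post: Python code that parses both access-log shapes quoted above, normalises the Host (+0100) and container (+0000) timestamps to UTC, and checks whether each run of 3xx answers logged on the Host was also logged by the container for requests arriving from the proxy address 10.5.0.1. The log lines are constructed in the post's format, and the function names, thresholds and the `origin` label are assumptions of this example.

```python
import re
from datetime import datetime, timezone
# Constructed sample in the post's two log shapes: the Host excerpt has no client
# address; the container logs the same requests from peer 10.5.0.1, in UTC, HTTP/1.0.
HOST_LOG = """\
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "sample-agent"
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "sample-agent"
[04/Feb/2019:19:56:47 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "sample-agent"
[04/Feb/2019:19:56:48 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "sample-agent"
"""
CONTAINER_LOG = (HOST_LOG.replace("[04/Feb/2019:19", "10.5.0.1 - - [04/Feb/2019:18")
                 .replace("+0100", "+0000").replace("HTTP/1.1", "HTTP/1.0"))

LINE = re.compile(
    r'^(?:(?P<peer>\S+) \S+ \S+ )?\[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) \S+" (?P<status>\d{3}) \d+')

def parse(text):
    """Yield (utc_time, peer_or_None, path, status) for every parsable line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts.astimezone(timezone.utc), m["peer"], m["path"], int(m["status"])

def redirect_runs(entries, min_len=3, max_gap=2):
    """Return (path, first_utc, count) for runs of back-to-back 3xx on one path."""
    runs, cur = [], None  # cur = [path, first_ts, last_ts, count]
    for ts, _, path, status in sorted(entries, key=lambda e: e[0]):
        redirect = 300 <= status < 400
        if cur and redirect and path == cur[0] and (ts - cur[2]).total_seconds() <= max_gap:
            cur[2], cur[3] = ts, cur[3] + 1
            continue
        if cur and cur[3] >= min_len:
            runs.append((cur[0], cur[1], cur[3]))
        cur = [path, ts, ts, 1] if redirect else None
    if cur and cur[3] >= min_len:
        runs.append((cur[0], cur[1], cur[3]))
    return runs

def correlate(host_text, container_text, proxy_ip="10.5.0.1"):
    """Match Host redirect runs to container runs; 'upstream' means the 3xx was relayed."""
    upstream = redirect_runs(e for e in parse(container_text) if e[1] == proxy_ip)
    out = []
    for path, start, count in redirect_runs(parse(host_text)):
        same = [u for u in upstream if u[0] == path and abs((u[1] - start).total_seconds()) <= 2]
        out.append({"path": path, "start_utc": start.isoformat(), "host_3xx": count,
                    "upstream_3xx": same[0][2] if same else 0,
                    "origin": "upstream" if same else "proxy"})
    return out
```

An `origin` of `upstream` means the container answered the proxied requests with the redirects and the Host only passed them on; `proxy` means no matching run was logged by the container.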