[Solved] Error 500 on yunohost-api websocket

Hello,

My YunoHost server

Latest YunoHost in an LXC Debian 10 privileged container behind an Apache2 proxy on Debian 10.
In this config, SSL certificates are on the host, not in the LXC container.

Description of my issue

On a fresh install, in the browser inspector, I see 500 errors on wss://sub.domain.fr/yunohost/api/messages GET in the admin web interface. On some operations (add a DNS), the interface is slow.

2020-11-20 03:13:19,939 INFO     geventwebsocket.handler log_request - 127.0.0.1 - - [2020-11-20 03:13:19] "GET /domains?locale=fr HTTP/1.1" 200 234 0.002633
2020-11-20 03:13:21,521 DEBUG    geventwebsocket.handler run_application - Initializing WebSocket
2020-11-20 03:13:21,521 DEBUG    geventwebsocket.handler upgrade_websocket - Validating WebSocket request
2020-11-20 03:13:21,522 INFO     geventwebsocket.handler log_request - 127.0.0.1 - - [2020-11-20 03:13:21] "GET /messages HTTP/1.1" 500 170 0.000636
2020-11-20 03:13:21,617 DEBUG    geventwebsocket.handler run_application - Initializing WebSocket
2020-11-20 03:13:21,617 DEBUG    geventwebsocket.handler upgrade_websocket - Validating WebSocket request
2020-11-20 03:13:21,617 DEBUG    geventwebsocket.handler upgrade_websocket - Can only upgrade connection if using GET method.
2020-11-20 03:13:21,617 DEBUG    moulinette.authenticator.ldap __init__ - initialize authenticator 'default' with: uri='ldap://localhost:389', base_dn='dc=yunohost,dc=org', user_rdn='cn=admin,dc=yunohost,dc=org'
2020-11-20 03:13:21,618 DEBUG    moulinette.core acquire - acquiring lock...
2020-11-20 03:13:21,618 DEBUG    moulinette.core acquire - lock has been acquired
2020-11-20 03:13:21,618 DEBUG    moulinette.actionsmap process - loading python module yunohost.domain took 0.000s
2020-11-20 03:13:21,618 INFO     moulinette.actionsmap process - processing action [1799.5]: yunohost.domain.main-domain with args={'new_main_domain': None}
2020-11-20 03:13:21,618 DEBUG    moulinette.actionsmap process - action [1799.5] executed in 0.000s
2020-11-20 03:13:21,619 DEBUG    moulinette.core release - lock has been released
2020-11-20 03:13:21,619 INFO     geventwebsocket.handler log_request - 127.0.0.1 - - [2020-11-20 03:13:21] "PUT /domains/main HTTP/1.1" 200 183 0.001894
...
2020-11-20 02:41:28,247 DEBUG    geventwebsocket.handler upgrade_websocket - Can only upgrade connection if using GET method.

The websocket is handled from here, I guess. I tried different /etc/hosts configurations in the container without success.

thanks for any input
++
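
Added example (not part of the original post, and not YunoHost code): a small triage script for the log above. It assumes `/messages` is the only WebSocket route, and it separates the failed handshake (GET /messages answered with 500 instead of 101) from the "Can only upgrade connection if using GET method." note, which in this log precedes an ordinary PUT request.

```python
import re

# Constructed sample: a subset of the log lines from the post above.
SAMPLE_LOG = """\
2020-11-20 03:13:19,939 INFO     geventwebsocket.handler log_request - 127.0.0.1 - - [2020-11-20 03:13:19] "GET /domains?locale=fr HTTP/1.1" 200 234 0.002633
2020-11-20 03:13:21,522 INFO     geventwebsocket.handler log_request - 127.0.0.1 - - [2020-11-20 03:13:21] "GET /messages HTTP/1.1" 500 170 0.000636
2020-11-20 03:13:21,617 DEBUG    geventwebsocket.handler upgrade_websocket - Validating WebSocket request
2020-11-20 03:13:21,617 DEBUG    geventwebsocket.handler upgrade_websocket - Can only upgrade connection if using GET method.
2020-11-20 03:13:21,619 INFO     geventwebsocket.handler log_request - 127.0.0.1 - - [2020-11-20 03:13:21] "PUT /domains/main HTTP/1.1" 200 183 0.001894
"""

# Assumption: /messages is the only WebSocket route (from the wss:// URL in the post).
WS_PATHS = {"/messages"}

LINE = re.compile(r"^(?P<ts>\S+ \S+) \w+\s+(?P<logger>\S+) (?P<func>\w+) - (?P<msg>.*)$")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
NON_GET_NOTE = "Can only upgrade connection if using GET method."

def triage(log_text, ws_paths=WS_PATHS):
    """Return (timestamp, method, path, status, verdict, non_get_note) per request."""
    results, non_get_note = [], False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or not m["logger"].startswith("geventwebsocket"):
            continue  # other loggers (moulinette.*) are not part of the handshake
        if m["func"] == "upgrade_websocket":
            # Remember the non-GET note so it attaches to the next request line.
            non_get_note = non_get_note or m["msg"] == NON_GET_NOTE
            continue
        req = REQUEST.search(m["msg"]) if m["func"] == "log_request" else None
        if not req:
            continue
        path, status = req["path"].split("?", 1)[0], int(req["status"])
        if path not in ws_paths:
            verdict = "plain-http"
        elif req["method"] == "GET" and status == 101:
            verdict = "upgraded"
        else:
            verdict = "upgrade-failed"  # the handshake never reached 101
        results.append((m["ts"], req["method"], path, status, verdict, non_get_note))
        non_get_note = False
    return results

def failed_upgrades(log_text):
    return [r for r in triage(log_text) if r[4] == "upgrade-failed"]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
```
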

Well, I found the problem: rules need to be added in the vhost of the host machine to make the wss socket to yunohost-api work. It can be something like this:

            # For WebSockets
            RewriteEngine on
            RewriteCond %{HTTP:Connection} Upgrade [NC]
            RewriteCond %{HTTP:Upgrade} websocket [NC]
            RewriteRule /(.*) wss://ynh.mydomain.org/$1 [P,L]

Also, I had to deactivate some security rules in the nginx vhost inside the container, in /etc/nginx/conf.d/security.conf.inc:

            # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla $
            # https://wiki.mozilla.org/Security/Guidelines/Web_Security
            # https://observatory.mozilla.org/
            #more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
            #more_set_headers "Content-Security-Policy-Report-Only : default-src https: dat$
            #more_set_headers "X-Content-Type-Options : nosniff";
            more_set_headers "X-XSS-Protection : 1; mode=block";
            more_set_headers "X-Download-Options : noopen";
            more_set_headers "X-Permitted-Cross-Domain-Policies : none";
            more_set_headers "X-Frame-Options : SAMEORIGIN";

Not sure it is the best configuration, as I’m not a vhost expert. If someone has better ideas on how to make YunoHost work fluently and in a secure manner in an LXC container, it would be great.

More documentation here: https://ressources.labomedia.org/yunohost_un_container_lxc

++
benjamin

To me it sounds like the issue is more related to the reverse proxy configuration (Apache) than to running inside an LXC?

In fact, many of the devs are using YunoHost inside LXC for development and we don’t really have issues regarding the websocket or CSP rules. (But we also don’t have any reverse proxy since we’re accessing the LXC directly from the host, hence my suspicion regarding the reverse proxy configuration, which is always tricky…)

Yes, I guess the optimum solution is more on the side of the host / Apache / its vhost that does the proxy things, to transfer the packets and headers without altering the config of the YunoHost nginx, because it’s not YunoHost’s “fault”.
If I find better settings, I’ll share them here at least.

Anyway, thanks Aleks and yunohost dev team for this super work
