I have…
- [ ] Checked the logs and have provided the logs if I found something suspicious there
I’m submitting a…
- [ ] Regression (a behavior that stopped working in a new release)
- [x] Bug report
- [ ] Performance issue
- [ ] Documentation issue or request
Current behavior
I have set up Squidex as a Docker image running on Docker Swarm. We are using Traefik as the proxy for the swarm. It is also running as Docker containers and it is terminating SSL. When I go through HAProxy, I can get to the login page, but when I click the ‘log in’ link, the pop-up login window is blank. When I bypass HAProxy by putting the IP for the Docker swarm in /etc/hosts, Squidex works as expected.
Already logged in users can get right to the /app page and everything works normally. API calls work normally. It’s only logging in that is a problem.
HTTP/2 is enabled on HAProxy and I’ve checked and re-checked the hostnames in all of the configurations.
Expected behavior
I would expect that putting squidex behind haproxy would not break squidex.
Minimal reproduction of the problem
Install squidex 1.16.2 via docker
Create users and applications in squidex
Place squidex behind haproxy 1.8.20
Environment
- [x] Self hosted with docker
- [ ] Self hosted with IIS
- [ ] Self hosted with other version
- [ ] Cloud version
Version: [VERSION]
Browser:
- [x] Chrome (desktop)
- [ ] Chrome (Android)
- [ ] Chrome (iOS)
- [x] Firefox
- [ ] Safari (desktop)
- [ ] Safari (iOS)
- [ ] IE
- [ ] Edge
Squidex docker compose:
```yaml
squidex:
  image: squidex/squidex:v1.16.2
  environment:
    - URLS__BASEURL=https://squidex-qa.
    - URLS__ENFORCEHTTPS=true
    - EVENTSTORE__CONSUME=true
    - EVENTSTORE__MONGODB__CONFIGURATION=mongodb://mongo-qa.
    - STORE__MONGODB__CONFIGURATION=mongodb://mongo-qa.
    - IDENTITY__ADMINEMAIL=webdev@
    - IDENTITY__ADMINPASSWORD=
    - VIRTUAL_HOST=squidex-qa.
    - IDENTITY__GITHUBCLIENT=${SQUIDEX_GITHUBCLIENT}
    - IDENTITY__GOOGLECLIENT=${SQUIDEX_GOOGLECLIENT}
    - IDENTITY__MICROSOFTCLIENT=${SQUIDEX_MICROSOFTCLIENT}
  volumes:
    - /mnt/sasquidexqa/assets:/app/Assets
  deploy:
    labels:
      - "traefik.backend.loadbalancer.method=drr"
      - "traefik.frontend.rule=Host:squidex-qa."
      - "traefik.port=80"
      - "traefik.docker.network=ops_proxy"
    placement:
      constraints:
        - node.role == worker
    mode: replicated
    replicas: 2
    restart_policy:
      condition: on-failure
  networks:
    - internal
    - proxy
```
haproxy config:
```
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 4096
    ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+aRSA+AES256+GCM+SHA384:ECDHE+aRSA+AES128+GCM+SHA256:ECDHE+aRSA+AES256+SHA384:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:!aNULL:!MD5:!DSS
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# Defaults for all the 'listen' and 'backend' sections
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option httpclose
    option abortonclose
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 10m
    timeout server 10m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 5000

#---------------------------------------------------------------------
# Frontend which proxies to the backends
#---------------------------------------------------------------------
frontend localhost
    bind *:80
    bind *:443 ssl crt /path/to/cert1.pem crt /path/to/cert2.pem crt /path/to/cert3.pem alpn http/1.1,h2
    mode http
    rspidel Server
    redirect scheme https if !{ ssl_fc }
    …
    use_backend squidex if { hdr(host) -i squidex-qa.<my domain> }
    …

backend squidex
    balance roundrobin
    option forwardfor
    server kbrdsmql01 10.200.1.181:443 check ssl verify none
    server kbrdsmql02 10.200.1.182:443 check ssl verify none
```
Others: