missing state cookie #69

@gilbrotheraway commented on GitHub (May 12, 2025):

on hoarder i get 404

I'm sure this is not an error from godoxy, make sure you've picked the correct port

in case of hoarder it tries to log in then redirects to https://hoarder.domain.com:8443/auth/callback?code=******
which shows the cited error

the front end just errors straight away

I'm on latest everything

@gilbrotheraway commented on GitHub (May 12, 2025): > > on hoarder i get 404 > > I'm sure this is not an error from godoxy, make sure you've picked the correct port in case of hoarder it tries to log in then redirects to https://hoarder.domain.com:8443/auth/callback?code=****** which shows the cited error the front end just errors straight away I'm on latest everything

adam commented

@gilbrotheraway commented on GitHub (May 12, 2025):

do we need to add oidc.middleware to front-end labels or entry point now
edit: other apps are working just hoarder and frontend not yet

@gilbrotheraway commented on GitHub (May 12, 2025): do we need to add oidc.middleware to front-end labels or entry point now edit: other apps are working just hoarder and frontend not yet

adam commented

@yusing commented on GitHub (May 12, 2025):

No we don't, but now I wanna give up on the native OIDC and just use the OIDC middleware. Try adding that and see if the issue is gone

@yusing commented on GitHub (May 12, 2025): No we don't, but now I wanna give up on the native OIDC and just use the OIDC middleware. Try adding that and see if the issue is gone

adam commented

@gilbrotheraway commented on GitHub (May 12, 2025):

jellyfin/jellyseer also not working

edit: the apps all work it's just the redirect callback url that 404's when i manually add hoarder/dashboard it takes me to the page

calibre stack redirects properly
frontend still not working

No we don't, but now I wanna give up on the native OIDC and just use the OIDC middleware. Try adding that and see if the issue is gone

what do you mean?

@gilbrotheraway commented on GitHub (May 12, 2025): jellyfin/jellyseer also not working edit: the apps all work it's just the redirect callback url that 404's when i manually add hoarder/dashboard it takes me to the page calibre stack redirects properly frontend still not working > No we don't, but now I wanna give up on the native OIDC and just use the OIDC middleware. Try adding that and see if the issue is gone what do you mean?

adam commented

2025-12-29 14:24:07 +01:00

@yusing commented on GitHub (May 12, 2025):

I mean you can try adding the oidc middleware to the frontend.

@yusing commented on GitHub (May 12, 2025): I mean you can try adding the oidc middleware to the frontend.

adam commented

@yusing commented on GitHub (May 22, 2025):

Could you explain more on this error? Is it still happening?

@yusing commented on GitHub (May 22, 2025): Could you explain more on this error? Is it still happening?

adam commented

2025-12-29 14:24:07 +01:00

@gilbrotheraway commented on GitHub (May 23, 2025):

Could you explain more on this error? Is it still happening?

i gave up, updates going too fast etc

let me try again with the new packages

edit: getting this error now, both containers running, do i need to put pocketid behind the socket proxy or something?

error="failed to initialize OIDC provider: Get \"https://ttfyhhu.com:8553/.well-known/openid-configuration\": context deadline exceeded"

this is the compose file

---
services:
  socket-proxy:
    container_name: socket-proxy
    image: ghcr.io/yusing/socket-proxy:latest
    environment:
      - ALLOW_START=1
      - ALLOW_STOP=1
      - ALLOW_RESTARTS=1
      - CONTAINERS=1
      - EVENTS=1
      - INFO=1
      - PING=1
      - POST=1
      - VERSION=1
    volumes:
      - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
    restart: unless-stopped
    tmpfs:
      - /run
    ports:
      - ${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}:2375
  frontend:
    image: ghcr.io/yusing/godoxy-frontend:${TAG:-latest}
    container_name: godoxy-frontend
    restart: unless-stopped
    network_mode: host # do not change this
    env_file: godoxy-reverse-proxy.env
    user: ${GODOXY_UID:-1111}:${GODOXY_GID:-1111}
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - all
    depends_on:
      - app
    environment:
      TZ: ${TIME_ZONE_VALUE}
      HOSTNAME: 127.0.0.1
      PORT: ${GODOXY_FRONTEND_PORT:-3000}
    labels:
      proxy.idle_timeout: 1h
      proxy.aliases: ${GODOXY_FRONTEND_ALIASES:-godoxy}
      proxy.#1.port: ${GODOXY_FRONTEND_PORT:-3000}
      # proxy.#1.middlewares.cidr_whitelist: |
      #   status: 403
      #   message: IP not allowed
      #   allow:
      #     - 127.0.0.1
      #     - 10.0.0.0/8
      #     - 192.168.0.0/16
      #     - 172.16.0.0/12
      # proxy.#1.godoxy.middlewares.cloudflare_real_ip:
  #    proxy.#1.middlewares.real_ip.header: X-Real-IP
  #    proxy.#1.middlewares.real_ip.from: |
 #       - 127.0.0.1
   #     - 192.168.0.0/16
  #      - 10.0.0.0/8

  app:
    image: ghcr.io/yusing/godoxy:${TAG:-latest}
    container_name: godoxy
    restart: always
    network_mode: host # do not change this
    env_file: godoxy-reverse-proxy.env
    user: ${GODOXY_UID:-1111}:${GODOXY_GID:-1111}
    depends_on:
      socket-proxy:
        condition: service_started
      pocket-id:
        condition: service_healthy
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - all
    cap_add:
      - NET_BIND_SERVICE
    environment:
      - DOCKER_HOST=tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}
    volumes:
      - ./config:/app/config
      - ./logs:/app/logs
      - ./error_pages:/app/error_pages:ro
      - ./data:/app/data

      # To use autocert, certs will be stored in "./certs".
      # You can also use a docker volume to store it
      - ./certs:/app/certs

      # remove "./certs:/app/certs" and uncomment below to use existing certificate
      # - /path/to/certs/cert.crt:/app/certs/cert.crt
      # - /path/to/certs/priv.key:/app/certs/priv.key
  pocket-id:
    labels:
      proxy.oidc.middlewares.redirect_http:
      proxy.oidc.scheme: http
    container_name: oidc
    image: ghcr.io/pocket-id/pocket-id
    restart: unless-stopped
    ports:
      - 3838:80
    env_file: godoxy-reverse-proxy.env
    volumes:
      - ${PATH_TO_APPDATA}/pocket-id/data:/app/backend/data
    # Optional healthcheck  
    healthcheck:
      test: "curl -f http://localhost/health"
      interval: 1m30s
      timeout: 5s
      retries: 3
      start_period: 10s

@gilbrotheraway commented on GitHub (May 23, 2025): > Could you explain more on this error? Is it still happening? i gave up, updates going too fast etc let me try again with the new packages edit: getting this error now, both containers running, do i need to put pocketid behind the socket proxy or something? `error="failed to initialize OIDC provider: Get \"https://ttfyhhu.com:8553/.well-known/openid-configuration\": context deadline exceeded"` this is the compose file ``` --- services: socket-proxy: container_name: socket-proxy image: ghcr.io/yusing/socket-proxy:latest environment: - ALLOW_START=1 - ALLOW_STOP=1 - ALLOW_RESTARTS=1 - CONTAINERS=1 - EVENTS=1 - INFO=1 - PING=1 - POST=1 - VERSION=1 volumes: - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock restart: unless-stopped tmpfs: - /run ports: - ${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}:2375 frontend: image: ghcr.io/yusing/godoxy-frontend:${TAG:-latest} container_name: godoxy-frontend restart: unless-stopped network_mode: host # do not change this env_file: godoxy-reverse-proxy.env user: ${GODOXY_UID:-1111}:${GODOXY_GID:-1111} read_only: true security_opt: - no-new-privileges:true cap_drop: - all depends_on: - app environment: TZ: ${TIME_ZONE_VALUE} HOSTNAME: 127.0.0.1 PORT: ${GODOXY_FRONTEND_PORT:-3000} labels: proxy.idle_timeout: 1h proxy.aliases: ${GODOXY_FRONTEND_ALIASES:-godoxy} proxy.#1.port: ${GODOXY_FRONTEND_PORT:-3000} # proxy.#1.middlewares.cidr_whitelist: | # status: 403 # message: IP not allowed # allow: # - 127.0.0.1 # - 10.0.0.0/8 # - 192.168.0.0/16 # - 172.16.0.0/12 # proxy.#1.godoxy.middlewares.cloudflare_real_ip: # proxy.#1.middlewares.real_ip.header: X-Real-IP # proxy.#1.middlewares.real_ip.from: | # - 127.0.0.1 # - 192.168.0.0/16 # - 10.0.0.0/8 app: image: ghcr.io/yusing/godoxy:${TAG:-latest} container_name: godoxy restart: always network_mode: host # do not change this env_file: godoxy-reverse-proxy.env user: ${GODOXY_UID:-1111}:${GODOXY_GID:-1111} depends_on: socket-proxy: condition: service_started pocket-id: condition: service_healthy security_opt: - no-new-privileges:true cap_drop: - all cap_add: - NET_BIND_SERVICE environment: - DOCKER_HOST=tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375} volumes: - ./config:/app/config - ./logs:/app/logs - ./error_pages:/app/error_pages:ro - ./data:/app/data # To use autocert, certs will be stored in "./certs". # You can also use a docker volume to store it - ./certs:/app/certs # remove "./certs:/app/certs" and uncomment below to use existing certificate # - /path/to/certs/cert.crt:/app/certs/cert.crt # - /path/to/certs/priv.key:/app/certs/priv.key pocket-id: labels: proxy.oidc.middlewares.redirect_http: proxy.oidc.scheme: http container_name: oidc image: ghcr.io/pocket-id/pocket-id restart: unless-stopped ports: - 3838:80 env_file: godoxy-reverse-proxy.env volumes: - ${PATH_TO_APPDATA}/pocket-id/data:/app/backend/data # Optional healthcheck healthcheck: test: "curl -f http://localhost/health" interval: 1m30s timeout: 5s retries: 3 start_period: 10s ```

adam commented

@gilbrotheraway commented on GitHub (May 23, 2025):

i just tried without oidc and nothing works either, debug is enabled but nothing shows up

05-22 23:28 ??? http: TLS handshake error from someip:port:

@gilbrotheraway commented on GitHub (May 23, 2025): i just tried without oidc and nothing works either, debug is enabled but nothing shows up 05-22 23:28 ??? http: TLS handshake error from someip:port:

adam commented

@yusing commented on GitHub (May 23, 2025):

Could you verify that GoDoxy is listening HTTPS on :8553? Check GODOXY_HTTP_ADDR.

For Pocket ID, add this label:

proxy.oidc.port: 80

@yusing commented on GitHub (May 23, 2025): Could you verify that GoDoxy is listening HTTPS on `:8553`? Check `GODOXY_HTTP_ADDR`. For Pocket ID, add this label: `proxy.oidc.port: 80`

adam commented

@yusing commented on GitHub (May 23, 2025):

What do you mean by nothing works?

@yusing commented on GitHub (May 23, 2025): What do you mean by nothing works?

adam commented

@gilbrotheraway commented on GitHub (May 23, 2025):

i mean ever since you came up with your socket-proxy container, godoxy stopped working for me, not sure if being behind ISP restrictions on port 443 has something to do with it, but before the updates i was able to utilize domain:8443 instead, now it's hopeless I can't access anything

@gilbrotheraway commented on GitHub (May 23, 2025): i mean ever since you came up with your socket-proxy container, godoxy stopped working for me, not sure if being behind ISP restrictions on port 443 has something to do with it, but before the updates i was able to utilize domain:8443 instead, now it's hopeless I can't access anything

adam commented

@yusing commented on GitHub (May 23, 2025):

Try with a fresh setup?

@yusing commented on GitHub (May 23, 2025): Try with a fresh setup?

adam commented

@gilbrotheraway commented on GitHub (May 23, 2025):

Could you verify that GoDoxy is listening HTTPS on :8553? Check GODOXY_HTTP_ADDR.

For Pocket ID, add this label:

proxy.oidc.port: 80

8553 is the external https port, i forward it to internal 443 because the router restricts port forwarding on 443
I don't forward http port because we're using dns challenge for wildcard domain so it shouldn't be needed, is my assumption wrong?

@gilbrotheraway commented on GitHub (May 23, 2025): > Could you verify that GoDoxy is listening HTTPS on `:8553`? Check `GODOXY_HTTP_ADDR`. > > For Pocket ID, add this label: > > `proxy.oidc.port: 80` 8553 is the external https port, i forward it to internal 443 because the router restricts port forwarding on 443 I don't forward http port because we're using dns challenge for wildcard domain so it shouldn't be needed, is my assumption wrong?

adam commented

@gilbrotheraway commented on GitHub (May 23, 2025):

Try with a fresh setup?

tried with the script bare install no oidc, can't access frontend or any service

@gilbrotheraway commented on GitHub (May 23, 2025): > Try with a fresh setup? tried with the script bare install no oidc, can't access frontend or any service

adam commented

@yusing commented on GitHub (May 23, 2025):

Try with a fresh setup?

tried with the script bare install no oidc, can't access frontend or any service

Does the log show something like this?

05-23 22:31 INF server started addr=:443 proto=h3 server=proxy
05-23 22:31 INF server started addr=:80 proto=http server=proxy
05-23 22:31 INF server started addr=:443 proto=https server=proxy
05-23 22:31 INF server started addr=127.0.0.1:8888 proto=http server=api

@yusing commented on GitHub (May 23, 2025): > > Try with a fresh setup? > > tried with the script bare install no oidc, can't access frontend or any service Does the log show something like this? ```plain 05-23 22:31 INF server started addr=:443 proto=h3 server=proxy 05-23 22:31 INF server started addr=:80 proto=http server=proxy 05-23 22:31 INF server started addr=:443 proto=https server=proxy 05-23 22:31 INF server started addr=127.0.0.1:8888 proto=http server=api ```

adam commented

@gilbrotheraway commented on GitHub (May 26, 2025):

Try with a fresh setup?

tried with the script bare install no oidc, can't access frontend or any service

Does the log show something like this?
05-23 22:31 INF server started addr=:443 proto=h3 server=proxy
05-23 22:31 INF server started addr=:80 proto=http server=proxy
05-23 22:31 INF server started addr=:443 proto=https server=proxy
05-23 22:31 INF server started addr=127.0.0.1:8888 proto=http server=api

nope

@gilbrotheraway commented on GitHub (May 26, 2025): > > > Try with a fresh setup? > > > > > > tried with the script bare install no oidc, can't access frontend or any service > > Does the log show something like this? > > ``` > 05-23 22:31 INF server started addr=:443 proto=h3 server=proxy > 05-23 22:31 INF server started addr=:80 proto=http server=proxy > 05-23 22:31 INF server started addr=:443 proto=https server=proxy > 05-23 22:31 INF server started addr=127.0.0.1:8888 proto=http server=api > ``` nope

adam commented

@yusing commented on GitHub (May 27, 2025):

Could you copy the full output from GoDoxy so it's easier for me to find out what happened.

@yusing commented on GitHub (May 27, 2025): Could you copy the full output from GoDoxy so it's easier for me to find out what happened.

adam commented

@gilbrotheraway commented on GitHub (May 28, 2025):

Could you copy the full output from GoDoxy so it's easier for me to find out what happened.

ok i updated everything and now it shows:

05-28 08:08 INF next renewal in 23 days, 5 hours and 25 minutes
05-28 08:08 INF certificate expire on 07-20 16:34:19
05-28 08:08 INF idlewatcher started container=godoxy-frontend provider=docker
05-28 08:08 INF http_routes: added godoxy
05-28 08:08 INF http_routes: added autentication
05-28 08:08 INF idlewatcher started container=open-webui provider=docker
05-28 08:08 WRN service went down name=http.autentication
05-28 08:08 INF http_routes: added open-webui
05-28 08:08 INF http_routes: added notas
05-28 08:08 INF idlewatcher started container=convertx provider=docker
05-28 08:08 INF http_routes: added convertx
05-28 08:08 INF idlewatcher started container=hoarder provider=docker
05-28 08:08 INF http_routes: added hoarder
05-28 08:08 INF server started addr=:8443 proto=h3 server=proxy
05-28 08:08 INF server started addr=:80 proto=http server=proxy
05-28 08:08 INF server started addr=:8443 proto=https server=proxy
05-28 08:08 FTL failed to initialize authentication error="failed to initialize OIDC provider: Get \"https://autentication.domain.com:8443/.well-known/openid-configuration\": dial tcp myipxxxxx:8443: connect: connection refused"
Container stopped

@gilbrotheraway commented on GitHub (May 28, 2025): > Could you copy the full output from GoDoxy so it's easier for me to find out what happened. ok i updated everything and now it shows: ``` 05-28 08:08 INF next renewal in 23 days, 5 hours and 25 minutes 05-28 08:08 INF certificate expire on 07-20 16:34:19 05-28 08:08 INF idlewatcher started container=godoxy-frontend provider=docker 05-28 08:08 INF http_routes: added godoxy 05-28 08:08 INF http_routes: added autentication 05-28 08:08 INF idlewatcher started container=open-webui provider=docker 05-28 08:08 WRN service went down name=http.autentication 05-28 08:08 INF http_routes: added open-webui 05-28 08:08 INF http_routes: added notas 05-28 08:08 INF idlewatcher started container=convertx provider=docker 05-28 08:08 INF http_routes: added convertx 05-28 08:08 INF idlewatcher started container=hoarder provider=docker 05-28 08:08 INF http_routes: added hoarder 05-28 08:08 INF server started addr=:8443 proto=h3 server=proxy 05-28 08:08 INF server started addr=:80 proto=http server=proxy 05-28 08:08 INF server started addr=:8443 proto=https server=proxy 05-28 08:08 FTL failed to initialize authentication error="failed to initialize OIDC provider: Get \"https://autentication.domain.com:8443/.well-known/openid-configuration\": dial tcp myipxxxxx:8443: connect: connection refused" Container stopped ```

adam commented

@gilbrotheraway commented on GitHub (May 28, 2025):

here on> dial tcp myipxxxxx:8443

is this supposed to be my external address?

i enabled debug logs on pocket-id and theres nothing either

Creating group 1000...
Creating user 1000...
2025/05/28 08:27:38 Starting job scheduler
2025/05/28 08:27:38 Server listening on 0.0.0.0:1411
2025/05/28 08:27:38 Updating GeoLite2 City database
2025/05/28 08:27:38 Job "SyncLdap" run successfully
2025/05/28 08:27:39 Job "SendHeartbeat" run successfully
2025/05/28 08:27:40 GeoLite2 City database successfully updated.
2025/05/28 08:27:40 Job "UpdateGeoLiteDB" run successfully

@gilbrotheraway commented on GitHub (May 28, 2025): here on> `dial tcp myipxxxxx:8443` is this supposed to be my external address? i enabled debug logs on pocket-id and theres nothing either ``` Creating group 1000... Creating user 1000... 2025/05/28 08:27:38 Starting job scheduler 2025/05/28 08:27:38 Server listening on 0.0.0.0:1411 2025/05/28 08:27:38 Updating GeoLite2 City database 2025/05/28 08:27:38 Job "SyncLdap" run successfully 2025/05/28 08:27:39 Job "SendHeartbeat" run successfully 2025/05/28 08:27:40 GeoLite2 City database successfully updated. 2025/05/28 08:27:40 Job "UpdateGeoLiteDB" run successfully ```

adam commented

@yusing commented on GitHub (May 28, 2025):

service went down name=http.autentication

GoDoxy was unable to connect to your pocket-id, add proxy.autentication.port: 1411 and see if it's gone

dial tcp myipxxxxx:8443: connect: connection refused

Is the ip GoDoxy's IP? Make sure you don't have network_mode: host removed and have correct DNS config

@yusing commented on GitHub (May 28, 2025): > service went down name=http.autentication GoDoxy was unable to connect to your pocket-id, add `proxy.autentication.port: 1411` and see if it's gone > dial tcp myipxxxxx:8443: connect: connection refused Is the ip GoDoxy's IP? Make sure you don't have `network_mode: host` removed and have correct DNS config

adam commented