Pydio Cells and Let's Encrypt reverse proxy - gRPC sync

Hi,

Thanks for providing so many great Docker images!

I’ve installed Pydio Cells and have it working with the Let’s Encrypt reverse proxy container. I’m using an unaltered version of pydio-cells.subdomain.conf, save for the server_name.

Everything is working great, except that I can’t get CellsSync to work. Reading the docs, the reverse proxy will have to be modified to allow through gRPC traffic on port 33060 and the port has to be selected using environment variable PYDIO_GRPC_EXTERNAL.

I have set up the extra port mapping and environment variable in my docker create command. The rest is equal to the command found here.

The trouble I have is with adding a gRPC section to pydio-cells.subdomain.conf. I’d think it should look something like this:

server {

  listen 33060 ssl http2;
  listen [::]:33060 ssl http2;

  include /config/nginx/ssl.conf;

  keepalive_timeout 600s;

  location / {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_app pydio-cells;
    set $upstream_port 33060;
    set $upstream_proto grpcs;
    grpc_pass $upstream_proto://$upstream_app:$upstream_port;
  }
}

This does however result in the Let’s Encrypt container endlessly spewing this line:

nginx: [emerg] invalid host in upstream "$upstream_proto://$upstream_app:$upstream_port" in /config/nginx/proxy-confs/pydio-cells.subdomain.conf:71

I’ve tried countless variations of this with no luck. I’m no expert on Nginx and hope I’ve just made some silly mistake. Some help would be appreciated :)

Cheers,
Michael

Don’t pass the env var for grpc port, we already hardcode it as 33060 in the start arguments.

You just have to map port 33060 for access through the host. If you use docker network to access via container name as dns hostname, you don’t have to map that port in pydio-cells either.

If I recall correctly, the grpc_pass directive in nginx does not support variables unlike the proxy_pass directive. So you should use grpc_pass grpcs://pydio-cells:33060; instead. Keep in mind that if pydio-cells is not accessible when letsencrypt is starting up, nginx will likely throw an error and refuse to come up. I wasn’t able to figure out a way to mitigate it (that’s why we didn’t add the grpc info into the proxy conf for cells).

Also make sure that port 33060 is mapped in the letsencrypt container as -p 33060:33060.
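
The server block from the question with the literal upstream address suggested in this reply, shown as an added example that is not part of the original posts or of the project's shipped proxy confs. The container name pydio-cells, the port and the include paths are taken from the thread; the comments are added.

```nginx
# gRPC listener for CellsSync, based on the block posted in the question.
server {
  listen 33060 ssl http2;
  listen [::]:33060 ssl http2;

  include /config/nginx/ssl.conf;

  keepalive_timeout 600s;

  location / {
    include /config/nginx/proxy.conf;

    # Literal upstream address instead of the $upstream_* variables.
    # nginx releases before 1.17.8 do not expand variables in grpc_pass,
    # which is consistent with the "invalid host in upstream" error above.
    # A literal hostname is resolved once, when nginx loads the config,
    # so the resolver and set lines are not needed here, and nginx will
    # refuse to start if pydio-cells cannot be resolved at that moment.
    grpc_pass grpcs://pydio-cells:33060;

    # grpcs:// encrypts the hop to the upstream, but nginx does not
    # verify the upstream certificate unless grpc_ssl_verify is enabled
    # (it defaults to off).
  }
}
```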

Hi @aptalca,

Thanks, using grpc_pass grpcs://pydio-cells:33060; seems to have solved the nginx config issues. I’ve also removed the env var for the gRPC port in pydio-cells and the port mapping too.

I instead added the port mapping to the Let’s Encrypt container as you suggested. Finally, I forwarded port 33060 on the router to the same port on the box running this setup.

After all this I still have issues with the CellsSync desktop app not working. When I add my server under Accounts, it performs a bunch of redirects in my web browser, but rather than handing back to CellsSync at the end, the browser gives me the following error:

Safari can’t open the page “https://localhost:3636/servers/callback?code=3sj_iAb8JdEERNpyN8Q0vsNwOHCIFAVKT-S44WDqfSc.3mFjc2DqXeViuBdoGbGds_aoceDxW1R3Giwds4kKsgE&scope=openid%20profile%20email%20pydio%20offline&state=568643e3507e42f6830414c0725a0ae2” because Safari can’t establish a secure connection to the server “localhost”.

I have tried Chrome with the same result.

I’m guessing this means gRPC still isn’t working properly, though I’m not quite sure where to take this next.

Thanks,
Michael

Oh yeah, I had that, too. The address somehow wasn’t correct and I had to edit it. I can’t remember the exact details but maybe I had to change https to http in the address bar and hit enter and it worked (it was a minor change to the address I had to do, can’t remember exactly what it was).

Wow, that was it! I changed the faulty URL to read http://... instead of https://... and that took care of it.

Thanks a lot!

Glad you got it sorted. I only set mine up to test (so I could provide support) but I was quite underwhelmed by the implementation and the app. Ended up not including it in the docs because it doesn’t seem like a production ready feature yet. It may be fully functional, but doesn’t seem polished.

It wasn’t even a signed Windows app.