OpenCloud
Missing or invalid config #2806
-
|
When I visit my opencloud web UI I get an error mentioning: https://cloud.domain.dev/config.json shows: {
"server": "https://cloud.domain.dev:4443/",
"theme": "https://cloud.domain.dev:4443/themes/opencloud/theme.json",
"openIdConnect": {
"metadata_url": "https://cloud.domain.dev:4443/.well-known/openid-configuration",
"authority": "https://cloud.domain.dev:4443",
"client_id": "web",
"response_type": "code",
"scope": "openid profile email"
},
"apps": [
"files",
"search",
"text-editor",
"pdf-viewer",
"external",
"admin-settings",
"epub-reader",
"preview",
"app-store"
],
"options": {
"contextHelpersReadMore": true,
"tokenStorageLocal": true,
"embed": {},
"concurrentRequests": {
"shares": {}
}
}
}In my I expose my public services via a tunnel. In my tunnel dashboard I set http://opencloud:9200 as target for my https://cloud.domain.dev subdomain. I also enabled TLS for this target. This is my compose file: ---
services:
opencloud:
# renovate: depName=opencloudeu/opencloud-rolling
image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-6.2.0}
container_name: opencloud
# changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
# release notes: https://docs.opencloud.eu/opencloud_release_notes.html
user: ${OC_CONTAINER_UID_GID:-1000:1000}
networks:
- proxy_net
entrypoint:
- /bin/sh
# run opencloud init to initialize a configuration file with random secrets
# it will fail on subsequent runs, because the config file already exists
# therefore we ignore the error and then start the opencloud server
command: ["-c", "opencloud init || true; opencloud server"]
environment:
# enable services that are not started automatically
OC_ADD_RUN_SERVICES: ${START_ADDITIONAL_SERVICES}
OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
OC_LOG_LEVEL: ${LOG_LEVEL:-info}
OC_LOG_COLOR: "${LOG_PRETTY:-false}"
OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
# do not use SSL between the reverse proxy and OpenCloud
PROXY_TLS: "false"
# INSECURE: needed if OpenCloud / reverse proxy is using self generated certificates
OC_INSECURE: "${INSECURE:-false}"
# basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
# demo users
IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
# admin password
IDM_ADMIN_PASSWORD: "${INITIAL_ADMIN_PASSWORD}"
# email server (if configured)
NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud Notifications <notifications@cloud.opencloud.test>}"
NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE:-false}"
NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
FRONTEND_CHECK_FOR_UPDATES: "${CHECK_FOR_UPDATES:-true}"
PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
# enable to allow using the banned passwords list
OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
# control the password enforcement and policy for public shares
OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD:-true}"
OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:-false}"
OC_PASSWORD_POLICY_DISABLED: "${OC_PASSWORD_POLICY_DISABLED:-false}"
OC_PASSWORD_POLICY_MIN_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_CHARACTERS:-8}"
OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS:-1}"
OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS:-1}"
OC_PASSWORD_POLICY_MIN_DIGITS: "${OC_PASSWORD_POLICY_MIN_DIGITS:-1}"
OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS:-1}"
# default language for services/WebUI; defaults to English, language code (ISO 639-1, e.g. de, en, fr)
OC_DEFAULT_LANGUAGE: ${DEFAULT_LANGUAGE}
volumes:
- ${OC_CONFIG_DIR}/csp.yaml:/etc/opencloud/csp.yaml
- ${OC_CONFIG_DIR}/banned-password-list.txt:/etc/opencloud/banned-password-list.txt
# external sites needs to have additional routes configured in the proxy
- ${OC_CONFIG_DIR}/proxy.yaml:/etc/opencloud/proxy.yaml
# configure the .env file to use own paths instead of docker internal volumes
- ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
- ${OC_DATA_DIR:-opencloud-data}:/var/lib/opencloud
# - ${OC_APPS_DIR:-./config/opencloud/apps}:/var/lib/opencloud/web/assets/apps
labels:
# traefik
- "traefik.enable=true"
# define middleware here, to make sure its loaded with the first defined container (opencloud)
# if defined in the traefik container with a disabled dashboard it won't be loaded fast enough
- "traefik.http.middlewares.hsts-header.headers.stsSeconds=31536000"
- "traefik.http.middlewares.hsts-header.headers.stsIncludeSubdomains=true"
- "traefik.http.middlewares.hsts-header.headers.stsPreload=true"
- "traefik.http.middlewares.hsts-header.headers.forceSTSHeader=true"
- "traefik.http.routers.opencloud.entrypoints=https"
- "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
- "traefik.http.routers.opencloud.service=opencloud"
- "traefik.http.routers.opencloud.middlewares=hsts-header"
- "traefik.http.services.opencloud.loadbalancer.server.port=9200"
- "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
logging:
driver: ${LOG_DRIVER:-local}
traefik:
image: traefik:v3.6.14
# release notes: https://github.com/traefik/traefik/releases
container_name: traefik
user: ${TRAEFIK_CONTAINER_UID_GID:-0:0}
networks:
proxy_net:
aliases:
- ${OC_DOMAIN:-cloud.opencloud.test}
entrypoint: [ "/bin/sh", "/opt/traefik/bin/docker-entrypoint-override.sh"]
environment:
- "TRAEFIK_SERVICES_TLS_CONFIG=${TRAEFIK_SERVICES_TLS_CONFIG:-tls.certresolver=letsencrypt}"
- "TRAEFIK_ACME_MAIL=${TRAEFIK_ACME_MAIL:-example@example.org}"
- "TRAEFIK_ACME_CASERVER=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
- "TRAEFIK_LOG_LEVEL=${TRAEFIK_LOG_LEVEL:-ERROR}"
- "TRAEFIK_ACCESS_LOG=${TRAEFIK_ACCESS_LOG:-false}"
- "TRAEFIK_PORT_HTTP=${TRAEFIK_PORT_HTTP:-80}"
- "TRAEFIK_PORT_HTTPS=${TRAEFIK_PORT_HTTPS:-443}"
ports:
- "${TRAEFIK_PORT_HTTP:-80}:${TRAEFIK_PORT_HTTP:-80}"
- "${TRAEFIK_PORT_HTTPS:-443}:${TRAEFIK_PORT_HTTPS:-443}"
volumes:
- "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
- "${TRAEFIK_CONFIG_DIR}/docker-entrypoint-override.sh:/opt/traefik/bin/docker-entrypoint-override.sh"
- "${TRAEFIK_CERTS_DIR:-./certs}:/certs"
- "${TRAEFIK_CONFIG_DIR}/dynamic:/etc/traefik/dynamic"
labels:
- "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
# defaults to admin:admin
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}"
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.opencloud.test}`)"
- "traefik.http.routers.traefik.middlewares=traefik-auth"
- "traefik.http.routers.traefik.${TRAEFIK_SERVICES_TLS_CONFIG}"
- "traefik.http.routers.traefik.service=api@internal"
logging:
driver: ${LOG_DRIVER:-local}
radicale:
image: ${RADICALE_DOCKER_IMAGE:-opencloudeu/radicale}:${RADICALE_DOCKER_TAG:-latest}
container_name: radicale
user: ${OC_CONTAINER_UID_GID:-1000:1000}
networks:
- proxy_net
logging:
driver: ${LOG_DRIVER:-local}
volumes:
- ${RADICALE_CONFIG_DIR}/config:/etc/radicale/config
- ${RADICALE_DATA_DIR:-radicale-data}:/var/lib/radicale
networks:
proxy_net:
external: true |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 7 replies
-
|
hmm. Tunnel seems difficult. OpenCloud is assuming that the OC_DOMAIN is publicly available for all clients and also resolves from inside the opencloud container. |
Beta Was this translation helpful? Give feedback.
-
|
I don't understand the tunnel config. If i get it right, you want to have traefik as ingress. That means public access to opencloud is via Client -> Tunnel -> Traefik on port 4444 -> reverse proxy to http://opencloud:9200 |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the reply! This is how I set up my tunnel: 
I didn't want to use the port in the browser. I updated my URL to: -- # OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-}
++ OC_URL: https://${OC_DOMAIN}After this change I can successfully access my web UI via https://cloud.domain.dev. However now I run into: After I try to log in with my admin credentials. My browser console shows {
"message": "Request failed with status code 401",
"name": "AxiosError",
"stack": "<STACK>",
"config": {
"transitional": {
"silentJSONParsing": true,
"forcedJSONParsing": true,
"clarifyTimeoutError": false
},
"adapter": [
"xhr",
"http",
"fetch"
],
"transformRequest": [
null
],
"transformResponse": [
null
],
"timeout": 0,
"xsrfCookieName": "XSRF-TOKEN",
"xsrfHeaderName": "X-XSRF-TOKEN",
"maxContentLength": -1,
"maxBodyLength": -1,
"env": {},
"headers": {
"Accept": "application/json, text/plain, */*",
"Content-Type": "application/json",
"Initiator-ID": "663a3b29-e433-49eb-82c6-8cb74effbf40",
"X-Requested-With": "XMLHttpRequest",
"Accept-Language": "en",
"X-Request-ID": "239a3500-fa15-43b1-9dec-90cbf5088779",
"Authorization": "Bearer <TOKEN>"
},
"baseURL": "https://cloud.domain.dev/",
"cancelToken": {
"promise": {},
"_listeners": []
},
"method": "post",
"url": "/api/v0/settings/roles-list",
"data": "{}",
"allowAbsoluteUrls": true
},
"code": "ERR_BAD_REQUEST",
"status": 401
}And opencloud logs: I did set |
Beta Was this translation helpful? Give feedback.
-
|
I think the problem is that something is trying to access |
Beta Was this translation helpful? Give feedback.
-
|
The opencloud container cannot resolve https://cloud.domain.dev/ inside the container. This is what the log tells us. The error is on the tcp layer. We normally achieve that via the alias config in the traefik container. In your setup you might need to add extra_hosts to the container to point the local .dev domain to the correct ip. |
Beta Was this translation helpful? Give feedback.
-
|
To what would I set the extra host as I cannot specify a port in the mapping? It seems like the alias is doing it's job, but the wrong port is being looked up: |
Beta Was this translation helpful? Give feedback.
-
|
It turns out I can actually |
Beta Was this translation helpful? Give feedback.
-
|
This looks like a public URL / ingress mismatch. Your generated "server": "https://cloud.domain.dev:4443/"That means the browser will try to use I would choose one canonical public URL and make every layer agree with it. If the public browser URL is: then not Also avoid mixing two ingress paths at the same time. Either:
or:
Right now the compose labels are set up for Traefik, but the tunnel description says it targets The other important requirement from @micbar is internal resolution: from inside the OpenCloud container, So I would first fix curl -k https://cloud.domain.dev/config.jsonand from inside the OpenCloud container: getent hosts cloud.domain.devIf this solves it, please mark this comment as the answer so other people can find it faster. |
Beta Was this translation helpful? Give feedback.
-
|
I updated OC_URL to the domain and also
opencloud logs: |
Beta Was this translation helpful? Give feedback.
-
|
I got rid of traefik and it works now. Thanks for that insight! |
Beta Was this translation helpful? Give feedback.
This looks like a public URL / ingress mismatch.
Your generated
config.jsonadvertises this as the server URL:That means the browser will try to use
https://cloud.domain.dev:4443/for OpenCloud/OIDC/theme URLs. If your tunnel exposes the public service ashttps://cloud.domain.devon normal HTTPS port 443, then the config is telling the browser to go to the wrong public URL.I would choose one canonical public URL and make every layer agree with it.
If the public browser URL is:
then
OC_URLshould also be exactly:not
https://cloud.domain.dev:4443.Also avoid mixing two ingress paths at the sam…