Using nginx as a reverse proxy

My version of CodiMD is: master (4c0efe1237bc33b52d06eaf86a28adad9a041ec2)

I’m running it behind nginx as a reverse proxy providing https.

My HedgeDoc config
{
    "test": {
        "db": {
            "dialect": "sqlite",
            "storage": ":memory:"
        },
        "linkifyHeaderStyle": "gfm"
    },
    "development": {
        "loglevel": "debug",
        "hsts": {
            "enable": false
        },
        "db": {
            "dialect": "sqlite",
            "storage": "./db.codimd.sqlite"
        },
        "linkifyHeaderStyle": "gfm"
    },
    "production": {
        "domain": "redacted",
        "host": "localhost",
        "port": 9000,
        "loglevel": "info",
        "hsts": {
            "enable": true,
            "maxAgeSeconds": 31536000,
            "includeSubdomains": true,
            "preload": true
        },
        "csp": {
            "enable": true,
            "directives": {
            },
            "upgradeInsecureRequests": "auto",
            "addDefaults": true,
            "addDisqus": false,
            "addGoogleAnalytics": false
        },
        "protocolUseSSL": true,
        "cookiePolicy": "lax",
        "db": {
            "username": "redacted",
            "password": "redacted",
            "database": "redacted",
            "host": "redacted",
            "port": "5432",
            "dialect": "postgres"
        },
        "imageUploadType": "filesystem",
        "email": true,
        "allowEmailRegister": false,
        "allowAnonymousEdits": true
    }
}
My nginx config
map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}
server {
        server_name redacted;

        location / {
                proxy_pass http://127.0.0.1:9000;
        }

        location /socket.io/ {
                proxy_pass http://127.0.0.1:9000;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        }

    listen [::]:443 ssl http2; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate fullchain.pem; # managed by Certbot
    ssl_certificate_key privkey.pem; # managed by Certbot
    include options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = redacted) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
        listen [::]:80;
        listen 80;
        server_name redacted;
    return 404; # managed by Certbot
}

What I expected to happen:

I get logged in when I enter my credentials.

What actually happened:

I got a 302 from /login redirecting me to the homepage, without any error message.

I already tried:

When I disable https and don’t use the proxy, it works: I get logged in as expected.

1 Like

@hugopeixoto found the solution on the chat, helped by @sheogorath, @davidmehren and @DerMolly.

When configured for https, HedgeDoc expects the user to query /login with it. The proxy was not communicating the scheme to HedgeDoc; adding the following lines to its config fixed that.

proxy_set_header Host $host; 
proxy_set_header X-Real-IP $remote_addr; 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
proxy_set_header X-Forwarded-Proto $scheme;
2 Likes
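
The four headers from the fix above merged into the https server block from the question, as an added example that is not part of the original posts or of the HedgeDoc documentation. The server name and certificate paths are placeholders. nginx inherits proxy_set_header from an outer level only when the current level defines none of its own, so the /socket.io/ block, which already sets Upgrade and Connection, has to repeat the forwarding headers.

```nginx
map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}

server {
        server_name hedgedoc.example.org;   # placeholder for the redacted name

        location / {
                proxy_pass http://127.0.0.1:9000;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                # Appends the client address to any X-Forwarded-For the client sent
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Tells the backend that the client connected over https
                proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /socket.io/ {
                proxy_pass http://127.0.0.1:9000;
                # This block sets headers of its own, so none are inherited
                # from an outer level: the forwarding headers are repeated.
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        }

        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        ssl_certificate /path/to/fullchain.pem;     # placeholder path
        ssl_certificate_key /path/to/privkey.pem;   # placeholder path
}
```

Running `nginx -t` checks the syntax before the configuration is reloaded.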

I have the same problem. Is there any reference or documentation about the nginx configuration? I remember there was an example nginx reverse proxy configuration in the docker container repo in the past, and it has been removed now. It would be better to add it somewhere in the official documentation.

It has been added to the doc as a separate entry: https://github.com/hedgedoc/hedgedoc/blob/master/docs/setup/reverse-proxy.md

2 Likes