Reverse proxy & Docker : localhost:8080 is used instead of right URL

[DB-CL]

Please confirm you have done the following before posting your bug report:

• I have enabled debug mode
• I have read checked the Common Issues page

Describe the bug
I cannot get SnipeIT to work properly in a docker container behind NGINX configured as a reverse proxy for this container.

I can put whatever I want into APP_URL, APP_TRUSTED_PROXIES and clear the cache with
php artisan config:clear && php artisan config:cache

SnipeIT has always the same behavior : the url are wrong (always localhost:8080)

I've read all related issues (most of them are closed by the bot with no updates). One interesting is this one : https://github.com/snipe/snipe-it/issues/6852 but I'm not sure I'm concerned since I think my problem is more a problem of APP_URL instead of APP_TRUSTED_PROXIES

Here is my setup:

My host has a public IP (212.x.x.x) and my container also has an IP (10.254.1.3 )

I'm accessing snipe it like this :
https://mydomain/snipeit which point to my public IP (212.x.x.x)

Docker is configured to map localhost:8080 (host) to localhost:80 (container)

NGINX on the host is configured like this :

location /snipeit/ {
     proxy_pass http://localhost:8080/;
     proxy_http_version 1.1;
     proxy_set_header X-Forwarded-Proto $scheme;
 }

And the SSL is managed by NGINX on the host

In the APP_URL I think I should have
APP_URL=https://mydomain/snipeit
But I also tried the public IP, the container IP, almost every single possibility.

In the APP_TRUSTED_PROXIES I think I should have
APP_TRUSTED_PROXIES=212.x.x.x,10.254.1.3
But like APP_URL, I tried everything I could think of.

The result is snipe it always trying to get the assets from http://localhost:8080/js/... I never had another result than this one, no matter what I put in APP_URL or APP_TRUSTED_PROXIES, and no matter how hard I try to rebuild the container, clear the cache, etc.

To Reproduce
Get the latest doker image and try to make it works behind NGINX as a reverse proxy.

Expected behavior
The SnipeIT setup page should display properly, getting the assets from this URL : https://mydomain/snipeit/js/.... instead of http://localhost:8080/js/...

Server (please complete the following information):

• Snipe-IT Version I think this is 4.7.5
• OS: [e.g. Ubuntu, CentOS] host is debian 9
• Web Server: [e.g. Apache, IIS] host is nginx
• PHP Version : the one in docker

I don't know if I'm missing something or if there is some sort of a bug.

Thanks for your help

[acidicX]

@DB-CL same issue for me, also almost the same setup - but I am running without the subdir, my nginx serves https://snipe.mydomain.tld and forwards to the docker port. Can't get it to work with any of the entries...

[Jekotia]

I cannot provide an exact working config, as I do not use NGINX, but hopefully this can be of use.

My environment uses Caddy with the Docker Proxy plugin, with the following configurations:

Relevant parts of docker-compose.yml

services:
  snipeit:
    environment:
      - "APP_URL=http://assets.example.com"
    networks:
    - "proxy"
    labels:
      caddy.address: assets.example.com
      caddy.tls: "off"
      caddy.proxy._1: "transparent"

networks:
  proxy:
    external:
      name: core_proxy

Note that the explicit lack of port declarations is because in my case the proxy server is also a Docker container, and thus it does not need an exposed port on the proxy destination.

The labels are used to generate the following configuration for Caddy:

assets.example.com {
  proxy / 10.10.8.10 {
    transparent
  }
  tls off
}

Note that the proxied IP address is the internal Docker IP; in your case I believe that it should be localhost and the port number. I hope this helps to shed some light on a functional reverse-proxy configuration between Snipe-IT and a local proxy server.

As a more general troubleshooting step, I would also suggest adjusting your configuration to use the root path (https://mydomain/) instead of the subdirectory (https://mydomain/snipeit). This would allow you to narrow down the scope of the problem.

[straussCS]

For the record - with apache I got it working with:

RequestHeader set X-Forwarded-Proto "https"

ProxyPreserveHost on
ProxyPass / http://localhost:8081/ nocanon
ProxyPassReverse / http://localhost:8081/

[acidicX]

I have it working now, check my post in the other issue: https://github.com/snipe/snipe-it/issues/6852#issuecomment-517305411

One remaining problem is the missing https scheme if you do TLS termination on the reverse proxy though.

[stale[bot]]

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

[stale[bot]]

This issue has been automatically closed because it has not had recent activity. If you believe this is still an issue, please confirm that this issue is still happening in the most recent version of Snipe-IT and reply to this thread to re-open it.

[troyygan]

@acidicX would you be able to share your setup? Thank you!!!

[acidicX]

@troyygan it's linked in the other issue: https://github.com/snipe/snipe-it/issues/6852#issuecomment-517305411 - but that was a few years ago. I'm not with the company that used Snipe anymore, so I'm not sure if that is still relevant or even working today. Sorry ;)

[troyygan]

Appreciate the reply mate @acidicX !!! Manage to make it working but not with reverse proxy, change some configs on its own apache and just terminate the ssl and redirection there. Will update the thread once I make the reverse proxy running :)

[snipe]

I've put @uberbrady on this, but we're not back online until Tuesday, so please give us a few days to address this.

[cljk]

For the record - with apache I got it working with:

RequestHeader set X-Forwarded-Proto "https"

ProxyPreserveHost on
ProxyPass / http://localhost:8081/ nocanon
ProxyPassReverse / http://localhost:8081/

Works for me on apache2