Rewrite or internal redirection cycle (monica:fpm)
o-pteron opened this issue · comments
Hello,
I really appreciate your work and I hope you can help with this issue.
I think "Photos" and "Documents" in the docker monica:fpm are broken.
Photos:
Photos are "empty":
and I get errors like this:
app_1 | 172.24.0.4 - 21/Aug/2021:20:42:33 +0000 "GET /index.php" 200
web_1 | 2021/08/21 20:42:33 [error] 32#32: *91 rewrite or internal redirection cycle while internally redirecting to "/index.php/store/photos/WXG28Cm1XvswjH0IeNgfRdXzE4iUplkXddH5qAM2.jpg", client: 192.168.9.1, server: monica, request: "GET /store/photos/WXG28Cm1XvswjH0IeNgfRdXzE4iUplkXddH5qAM2.jpg HTTP/1.1", host: "m.mydomain.dk"
nginx.conf is not altered:
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Real-IP;
# Connect to app service
upstream php-handler {
server app:9000;
}
server {
listen 80;
server_name monica;
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
root /var/www/html/public;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ ^/(?:robots.txt|security.txt) {
allow all;
log_not_found off;
access_log off;
}
error_page 404 500 502 503 504 /index.php;
location ~ /\.well-known/(?:carddav|caldav) {
return 301 $scheme://$host/dav;
}
location = /.well-known/security.txt {
return 301 $scheme://$host/security.txt;
}
location ~ /\.(?!well-known).* {
deny all;
}
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location ~ \.php$ {
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
fastcgi_pass php-handler;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|json)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# Note it is intended to have those duplicated to the ones above.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to assets
access_log on;
}
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
}
}
docker-compose.yml
version: "3.4"
services:
app:
image: monica:fpm
depends_on:
- db
environment:
- APP_ENV=production
- APP_DEBUG=true
- APP_KEY=38KOVH4VUMpATaIpyuQ1lMJaWY7lw6FM
- HASH_SALT=7VOlCvzfDRvPhDC6NF+5HVA93Lk
- HASH_LENGTH=18
- APP_URL=https://m.mydomain.dk
- APP_FORCE_URL=false
- APP_TRUSTED_PROXIES=*
- DB_HOST=db
- DB_USERNAME=monica
- DB_PASSWORD=secret
volumes:
- ./appdata:/var/www/html/storage
restart: always
web:
build: ./web
ports:
- 8554:80
depends_on:
- app
volumes:
- ./webdata:/var/www/html/storage:ro
restart: always
db:
image: mysql:5.7
environment:
- MYSQL_RANDOM_ROOT_PASSWORD=true
- MYSQL_DATABASE=monica
- MYSQL_USER=monica
- MYSQL_PASSWORD=secret
volumes:
- ./mysqldata:/var/lib/mysql
restart: always
I've tried running the container behind reverse proxy and local, with and without https, with docker volumes and with binds like above. Nothing works with nginx/fpm - however it works fine with apache instead.
I've read that this endless loop can be fixed in nginx.conf, but that the real error resides in the app code(?)
Documents:
Documents works sometimes when uploading, but sometimes it fails saying: "There was an error uploading the document. Please try again below. " I get the same error with apache. Some files just wont upload no matter how many times you try (like "gifs_08 (1).gif") but I cant find a pattern regarding filenames or sizes.
Output from the container logs:
web_1 | 2021/08/21 20:51:56 [warn] 32#32: *178 a client request body is buffered to a temporary file /var/cache/nginx/client_temp/0000000015, client: 192.168.9.1, server: monica, request: "POST /people/h:5mME4pW0e2PNlDn9dv/documents HTTP/1.1", host: "m.mydomain.dk"
app_1 | 172.24.0.4 - 21/Aug/2021:20:51:56 +0000 "POST /index.php" 422
web_1 | 192.168.9.1 - - [21/Aug/2021:20:51:56 +0000] "POST /people/h:5mME4pW0e2PNlDn9dv/documents HTTP/1.1" 422 109 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" "192.168.9.1"
I hope you can help me
Thank you in advance :)
Also, when downloading uploaded documents I get the the rewrite or internal redirection cycle error:
web_1 | 2021/08/22 06:42:58 [error] 32#32: *147 rewrite or internal redirection cycle while internally redirecting to "/index.php/store/documents/OAck3Cbste8qHJvvKsV7fNEJPV5lrn0eQwsASHbr.jpg", client: 192.168.9.1, server: monica, request: "GET /store/documents/OAck3Cbste8qHJvvKsV7fNEJPV5lrn0eQwsASHbr.jpg HTTP/1.1", host: "m.mydomain.dk"