Phoenix seemingly failing to rewrite internal URLs when using Nginx as reverse proxy. (Docker)

Despite EXTERNAL_URL in the .env file being set to https://laboratory.example.tld/firezone/, websocket connections and the like still attempt to connect to https://laboratory.example.tld/live/websocket etc., which results in a 404.
Additionally, certain resources (like fonts) also fail to load, as they’re attempting to access https://laboratory.example.tld/dist/fira-sans-all-etc etc. instead of https://laboratory.example.tld/firezone/dist/fira-sans-all-etc etc.

My nginx config is akin to this:

  location /firezone/ {
    proxy_pass http://firezone:13000/firezone/;
    proxy_redirect     default;
    proxy_http_version 1.1;

    proxy_set_header   Host              $host;
    proxy_set_header   X-Real-IP         $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_max_temp_file_size 0;

    proxy_set_header   Connection        "Upgrade";
    proxy_set_header   Upgrade           $http_upgrade;

    proxy_buffering off;
    proxy_request_buffering off;
  }

My docker-compose is the same as stock, except with the removal of caddy and the addition of an “nginx_proxy” network to allow my nginx docker to connect to the firezone container via http://firezone:13000/.

Any help with this would be greatly appreciated; I’m at my wits’ end.

Hi @mechanopixel – thanks for the detailed info. This may be a bug, but let’s first make sure Phoenix is picking up your external URL correctly. Could you run this on your host and reply with the output here:

# Run this from your Firezone root dir, e.g. $HOME/.firezone
docker-compose exec -it firezone bin/firezone rpc "IO.inspect(Application.fetch_env!(:fz_http, FzHttpWeb.Endpoint))"

Thank you for the reply! Here is the output from the command (with certain sensitive info redacted):

ubuntu@ip-<amazon ec2 internal ip>:~/containers/firezone$ docker-compose up -d
[+] Running 3/3
 ✔ Network firezone_firezone-network  Created    0.1s
 ✔ Container firezone-postgres-1      Started    0.7s
 ✔ Container firezone-firezone-1      Started    1.3s
ubuntu@ip-<amazon ec2 internal ip>:~/containers/firezone$ docker-compose exec -it firezone bin/firezone rpc "IO.inspect(Application.fetch_env!(:fz_http, FzHttpWeb.Endpoint))"
[
  render_errors: [view: FzHttpWeb.ErrorView, accepts: ["html", "json"]],
  pubsub_server: FzHttp.PubSub,
  cache_static_manifest: "priv/static/cache_manifest.json",
  server: true,
  http: [ip: {0, 0, 0, 0}, port: 13000, protocol_options: []],
  url: [
    scheme: "https",
    host: "laboratory.example.tld",
    port: 443,
    path: "/firezone/"
  ],
  secret_key_base: "<redacted>",
  live_view: [signing_salt: "<redacted>"],
  check_origin: ["//127.0.0.1", "//localhost", "//laboratory.example.tld"]
]
ubuntu@ip-<amazon ec2 internal ip>:~/containers/firezone$ 

Judging from the output, it seems like it should be recognizing that it should be serving data with https://laboratory.example.tld/firezone/ being prefixed.

Here is a screenshot of my browser’s console output. Just in case, I’ve tried this in Chromium and in Incognito mode, as well (to rule out addons being the culprit). The only thing being censored is the domain name.
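
Added example (not part of the original thread, and not Firezone or Phoenix code): the same symptom can be confirmed from the proxy side by listing requests in the nginx access log whose path falls outside the path component of EXTERNAL_URL. It assumes nginx's default "combined" log format; the log lines are constructed samples and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Request line and status code as they appear in nginx's "combined" format.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Constructed sample lines (not taken from the thread's server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /firezone/ HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /dist/fira-sans-all-etc HTTP/1.1" '
    '404 153 "https://laboratory.example.tld/firezone/" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /live/websocket?vsn=2.0.0 HTTP/1.1" '
    '404 153 "-" "Mozilla/5.0"',
]


def prefix_of(external_url):
    """Return the path part of EXTERNAL_URL normalised to '/segment/' (or '/')."""
    path = urlsplit(external_url).path.strip("/")
    return f"/{path}/" if path else "/"


def escaped_requests(log_lines, external_url):
    """Map each request path outside the external prefix to the statuses seen."""
    prefix = prefix_of(external_url)
    hits = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we can parse
        path = urlsplit(m["target"]).path  # drop the query string
        if path.startswith(prefix) or path == prefix.rstrip("/"):
            continue  # correctly prefixed, handled by the proxied location
        hits.setdefault(path, set()).add(int(m["status"]))
    return hits


if __name__ == "__main__":
    url = "https://laboratory.example.tld/firezone/"
    for path, statuses in sorted(escaped_requests(SAMPLE_LOG, url).items()):
        print(f"{path} -> {sorted(statuses)} (outside {prefix_of(url)})")
```

Every path it reports is a URL the application emitted without the configured prefix, so the request never reaches the `location /firezone/` block.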