
elabftw behind a firewall/proxy: update - email - timestamp - blockchain #5090

Closed
MisterCodeRalf opened this issue May 10, 2024 · 4 comments

@MisterCodeRalf

MisterCodeRalf commented May 10, 2024

Detailed description of the problem

We are running elabftw now behind a firewall. Access to the outside world is only possible through a proxy server.

Updating the docker images with elabctl was successful by telling docker the proxy configuration via the systemd method (read carefully https://docs.docker.com/config/daemon/systemd/)

However, email, timestamp and blockchain are still not possible, despite giving the proxy server information to the sysadmin panel > server > Address of the proxy

Expected Behavior

access possible

Steps to reproduce the behavior

  1. put elabftw behind a restrictive firewall with access to the outside world through a proxy server
  2. give the right proxy information via the web frontend to sysadmin panel > server > Address of the proxy
  3. try to timestamp an experiment -> no response
  4. try to blockchain -> error message
  5. try to send email -> error message

outside the firewall everything worked great

Do you have any idea what may have caused this?

proxy setting not known to these functions

Do you have an idea how to solve the issue?

give the functions access to proxy information

What is your docker-compose configuration?

version: '3'
services:
  web:
    image: elabftw/elabimg:5.0.4
    restart: always
    container_name: elabftw
    cap_drop:
        - SYS_ADMIN
        - AUDIT_WRITE
        - MKNOD
        - SYS_CHROOT
        - SETFCAP
        - NET_RAW
        - SYS_PTRACE
    environment:
        - DB_HOST=mysql
        - DB_PORT=3306
        - DB_NAME=elabftw
        - DB_USER=elabftw
        - PHP_TIMEZONE=Europe/Paris
        - TZ=Europe/Paris
        - SITE_URL=http://enlab.uni-jena.de
        - SERVER_NAME=enlab.uni-jena.de
        - DISABLE_HTTPS=true
        - ENABLE_LETSENCRYPT=true
    ports:
        - '8080:443'
    volumes:
        - /var/elabftw/web:/elabftw/uploads
        - /etc/letsencrypt:/ssl
    networks:
      - elabftw-net
  mysql:
    image: mysql:8.0
    restart: always
    command: --default-authentication-plugin=mysql_native_password
    container_name: mysql
    cap_drop:
        - AUDIT_WRITE
        - MKNOD
        - SYS_CHROOT
        - SETFCAP
        - NET_RAW
    cap_add:
        - SYS_NICE
    environment:
        - MYSQL_DATABASE=elabftw
        - MYSQL_USER=elabftw
        - TZ=Europe/Paris
    volumes:
        - /var/elabftw/mysql:/var/lib/mysql
    expose:
      - '3306'
    networks:
      - elabftw-net
networks:
  elabftw-net:

Output of uname -a

Linux enlab-app.vmguest.uni-jena.de 5.4.0-181-generic #201-Ubuntu SMP Thu Mar 28 15:39:01 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Output of cat /etc/os-release

root@enlab-app:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Output of docker info

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
  compose: Docker Compose (Docker Inc., v2.24.5)
  scan: Docker Scan (Docker Inc., v0.23.0)

Server:
 Containers: 4
  Running: 2
  Paused: 0
  Stopped: 2
 Images: 19
 Server Version: 25.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
 Kernel Version: 5.4.0-181-generic
 Operating System: Ubuntu 20.04.6 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 1.925GiB
 Name: enlab-app.vmguest.uni-jena.de
 ID: b508cb1c-f0f7-4545-9ef9-0ce61cb9d8c0
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http://internet4nzm.rz.uni-jena.de:3128
 HTTPS Proxy: http://internet4nzm.rz.uni-jena.de:3128
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Relevant php error log entry

2024/05/10 15:19:20 [error] 152#152: *169 FastCGI sent in stderr: "PHP message: [2024-05-10T17:19:20.867091+02:00] elabftw.ERROR:  {"exception":"[object] (Symfony\\Component\\Mailer\\Exception\\TransportException(code: 0): Connection could not be established with host \"mail.smtp2go.com:587\": stream_socket_client(): Unable to connect to mail.smtp2go.com:587 (Connection refused) at /elabftw/vendor/symfony/mailer/Transport/Smtp/Stream/SocketStream.php:154)"} []" while reading response header from upstream, client: 141.35.XX.XX, server: enlab.uni-jena.de, request: "POST /app/controllers/SysconfigAjaxController.php HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm.sock:", host: "enlab.uni-jena.de"

Additional information

Thank you for your great work.

@NicolasCARPi
Contributor

Hello,

I know for a fact that eLabFTW is deployed in very restrictive environments, exactly like the one you describe, and works well.

What is the value of proxy in config table? Does it contain protocol and port? Did you try with IP address of proxy server instead of domain name? Using curl in the container, with configured proxy env, can you reach outside world?

@MisterCodeRalf
Author

Hello,

OK, this sounds very good.
I can perform the tests beginning of next week.
Would it be possible to obtain an example config file from such a restricted environment with all the required proxy entries in the environment section of /etc/elabftw.yml?

What is the point of providing the proxy server information in the admin panel when this is provided in the /etc/elabftw.yml ?

Thank you!

Best regards from Jena

@NicolasCARPi
Contributor

What is the point of providing the proxy server information in the admin panel when this is provided in the /etc/elabftw.yml ?

What do you mean? The YAML file has no options for egress proxy configuration. It's only that setting in the config table that is used by php/curl for performing external requests, basically these two lines:

// add proxy if there is one
'proxy' => $this->configArr['proxy'] ?? '',

I know for rfc3161 timestamps and bloxberg timestamps, it uses this setting, but for smtp you'll need to allow traffic on the smtp port from the vm to your smtp server.

For example, one such system has this value for proxy setting in Sysconfig Panel: http://10.12.1.32:3128.

@NicolasCARPi NicolasCARPi added support and removed bug labels May 10, 2024
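A shell script, added here as an example and not part of eLabFTW, that checks the points raised in the two maintainer replies above: that the Sysconfig proxy value carries a protocol and a port, that HTTPS egress through that proxy works from inside the container (the path PHP/curl uses for RFC 3161 and Bloxberg timestamps), and that the SMTP server answers a direct TCP connection, since SMTP does not go through the proxy. It assumes the container is named elabftw as in the compose file above and that curl exists in the image; the proxy and SMTP values shown are the ones from this thread, and the embedded log line is a constructed copy of the one in the report.

```shell
#!/bin/sh
# Added egress diagnostic for the setup in this thread; not part of eLabFTW.
# Checks:
#   1. the Sysconfig "proxy" value has the shape scheme://host:port
#   2. HTTPS egress through that proxy works from inside the container
#      (the path PHP/curl uses for RFC 3161 and Bloxberg timestamps)
#   3. the SMTP server answers a direct TCP connection (SMTP bypasses the proxy)
# Assumptions: the container is named "elabftw" (from the compose file above)
# and curl is present in the image. Override with CONTAINER=... if needed.

set -u
CONTAINER="${CONTAINER:-elabftw}"

# Constructed copy of the Symfony Mailer error from the report, used as
# sample input for smtp_target_from_log.
SAMPLE_LOG='PHP message: elabftw.ERROR: {"exception":"[object] (Symfony\\Component\\Mailer\\Exception\\TransportException(code: 0): Connection could not be established with host \"mail.smtp2go.com:587\": stream_socket_client(): Unable to connect to mail.smtp2go.com:587 (Connection refused) at /elabftw/vendor/symfony/mailer/Transport/Smtp/Stream/SocketStream.php:154)"} []'

# 1. Accept only scheme://host:port, which is what the maintainer asks for
#    ("Does it contain protocol and port?"). Returns non-zero otherwise.
validate_proxy_url() {
    url="$1"
    case "$url" in
        http://*|https://*|socks5://*|socks5h://*) ;;
        *) return 1 ;;                      # no protocol
    esac
    rest="${url#*://}"
    case "$rest" in
        *:*) ;;
        *) return 1 ;;                      # no port
    esac
    host="${rest%:*}"
    port="${rest##*:}"
    [ -n "$host" ] || return 1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;            # port must be digits only
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Extract "host:port" from a TransportException line on stdin, so the direct
# SMTP probe targets exactly the endpoint PHP failed to reach.
smtp_target_from_log() {
    sed -n 's/.*Unable to connect to \([^ ]*:[0-9]*\) (.*/\1/p' | head -n 1
}

# 2. HTTPS through the proxy, executed inside the container; prints the HTTP
#    status code, or curl's error if the proxy path is blocked.
probe_https_via_proxy() {
    docker exec "$CONTAINER" curl -sS -o /dev/null --max-time 15 \
        -x "$1" -w '%{http_code}\n' "$2"
}

# 3. Direct SMTP reach from the container. Only curl exit codes 7 (could not
#    connect) and 28 (timeout) mean the port is blocked; any other code means
#    the TCP connection succeeded, whatever the server then replied.
probe_smtp_direct() {
    docker exec "$CONTAINER" curl -sS -o /dev/null --max-time 15 "smtp://$1" >/dev/null 2>&1
    rc=$?
    case "$rc" in
        7|28) echo "smtp $1: blocked (curl exit $rc)"; return 1 ;;
        *)    echo "smtp $1: tcp connect ok (curl exit $rc)"; return 0 ;;
    esac
}

# Usage: sh egress-check.sh --run http://10.12.1.32:3128 mail.smtp2go.com:587
if [ "${1:-}" = "--run" ]; then
    proxy="${2:?proxy url}"
    smtp="${3:-$(printf '%s\n' "$SAMPLE_LOG" | smtp_target_from_log)}"
    if validate_proxy_url "$proxy"; then
        echo "proxy value ok: $proxy"
    else
        echo "proxy value must be scheme://host:port, got: $proxy"; exit 2
    fi
    echo "https via proxy -> $(probe_https_via_proxy "$proxy" https://www.example.com)"
    probe_smtp_direct "$smtp"
fi
```

Running the probes from inside the container rather than from the VM matters: the container has its own network namespace and does not inherit the systemd proxy drop-in that made `elabctl` image pulls work, which is why a working `docker pull` says nothing about whether PHP can reach the timestamping services.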
@MisterCodeRalf
Author

Thank you for the clarification. We will test it with the proxy admin.
