Can't open any document -> Not connected

I am trying to install Grist on my server using Docker, an nginx reverse proxy and authentik for authentication. The connection to the site and the different teams is possible and authentication works like a charm, but if I open or create a new document I always get the information that I’m offline or the connection is lost.

My docker-compose.yaml:

version: '3'

services:
  grist:
    image: gristlabs/grist
    restart: always
    env_file:
      - .env
    ports:
      - "9844:8484"
    volumes:
      - ./persist:/persist

My .env file:

TZ="Europe/Berlin"
APP_HOME_URL="https://grist.domain.tdl"
APP_DOC_URL="https://grist.domain.tdl"
#APP_DOC_INTERNAL_URL="http://localhost:8484"
GRIST_PAGE_TITLE_SUFFIX=" - Grist"
GRIST_DEFAULT_EMAIL=mymailaddress@local.host
GRIST_SESSION_SECRET=<SomeSecret>
GRIST_SANDBOX_FLAVOR=gvisor
#GRIST_ORG_IN_PATH=true
#GRIST_DATA_DIR=/persist/docs
#GRIST_SINGLE_ORG=grist
# Authentik
GRIST_SAML_IDP_LOGIN=https://login.domain.tdl/application/saml/grist/sso/binding/redirect/
GRIST_SAML_IDP_LOGOUT=https://login.domain.tdl/if/session-end/grist
GRIST_SAML_SP_HOST=https://grist.domain.tdl
GRIST_SAML_SP_KEY=/persist/Grist_private_key.pem
GRIST_SAML_SP_CERT=/persist/Grist_certificate.pem
GRIST_SAML_IDP_CERTS=/persist/authentik.pem
GRIST_SAML_IDP_UNENCRYPTED=0

My reverseproxy setting:

server {
    listen 0.0.0.0:80 ;
    listen [::0]:80 ;
    server_name grist.domain.tdl;
    location /.well-known/acme-challenge {
        root /var/lib/acme/acme-challenge;
        auth_basic off;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 0.0.0.0:443 http2 ssl ;
    listen [::0]:443 http2 ssl ;
    server_name grist.domain.tdl;
    location /.well-known/acme-challenge {
        root /var/lib/acme/acme-challenge;
        auth_basic off;
    }
    ssl_certificate /var/lib/acme/grist.domain.tdl/fullchain.pem;
    ssl_certificate_key /var/lib/acme/grist.domain.tdl/key.pem;
    ssl_trusted_certificate /var/lib/acme/grist.domain.tdl/chain.pem;
    location / {
        proxy_pass http://localhost:9844;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Forwarded-Host $host;
        proxy_set_header        X-Forwarded-Server $host;
    }
}

I tried setting APP_DOC_URL to the Grist URL, I tried using APP_DOC_INTERNAL_URL=http://localhost:8484, and I tried it without both. I ran the container without the persist volume and without the authentik setup, with only APP_HOME_URL set to the domain I use for Grist. But every time I get the same issue. The only thing I can figure out is that the reverse proxy needs some modifications, but I don’t know which!

Hello @Sebastian_P.

I’m not an expert on this topic, but have you checked this thread: Grist + Authelia: Custom logout path - #3 by Ray? It has some example config files you might find helpful. Maybe you are missing WebSocket support in your nginx configuration file.
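
For reference, this is what WebSocket support looks like when added to the HTTPS server block from the question, in case that is the missing piece as the reply suggests. It is an added example, not part of either post and not taken from the linked thread; `$connection_upgrade` is a variable name defined by the `map` here, and the hostname, port and certificate paths are copied from the question.

```nginx
# Added example. The map must sit in the http {} context, outside any server {}.
# It turns the client's Upgrade header into the Connection header sent upstream.
map $http_upgrade $connection_upgrade {
    default upgrade;   # client sent an Upgrade header: pass "Connection: upgrade"
    ''      close;     # ordinary HTTP request: no upgrade requested
}

server {
    listen 0.0.0.0:443 http2 ssl;
    listen [::0]:443 http2 ssl;
    server_name grist.domain.tdl;

    ssl_certificate /var/lib/acme/grist.domain.tdl/fullchain.pem;
    ssl_certificate_key /var/lib/acme/grist.domain.tdl/key.pem;
    ssl_trusted_certificate /var/lib/acme/grist.domain.tdl/chain.pem;

    location /.well-known/acme-challenge {
        root /var/lib/acme/acme-challenge;
        auth_basic off;
    }

    location / {
        proxy_pass http://localhost:9844;

        # Upgrade and Connection are hop-by-hop headers, so nginx does not
        # forward them to the upstream unless told to. The upgrade handshake
        # also needs HTTP/1.1 on the upstream connection (proxy default is 1.0).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Headers already present in the original configuration.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
    }
}
```

Validate the change with `nginx -t` before reloading. In the browser's network tab, a correctly proxied WebSocket request is answered with status 101 (Switching Protocols).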