Hi everyone,
I’m trying to set up Grist Omnibus behind an Nginx reverse proxy to enable HTTPS. I’ve managed to get my other service (XWiki) working with this setup, but Grist is proving to be a challenge. I seem to be stuck on the final step and would appreciate any guidance.
My Environment:
-
OS: Ubuntu Server
-
Grist: gristlabs/grist-omnibus:latest running via Docker Compose.
-
Nginx: Running in a separate Docker container with network_mode: host.
-
Certificates: Self-signed certs generated with mkcert.
-
Goal: Access Grist at https://grist.internal.lan (hostname is resolved via /etc/hosts on the server).
After some initial errors (“Please define URL” and “HTTPS must be auto, external, or manual”), I’ve settled on the following docker-compose.yml for Grist. This configuration allows the container to start and run successfully.
services:
grist:
image: gristlabs/grist-omnibus:latest
ports:
- "8484:80"
environment:
- URL=https://grist.internal.lan
- HTTPS=external
- TEAM=myteam
volumes:
- ./data:/persist
With Grist running, I can confirm it’s alive on the host machine. A curl to its HTTP port results in the expected redirect, which tells me it’s waiting for a secure proxy:
# On the host server
$ curl -I http://127.0.0.1:8484
HTTP/1.1 308 Permanent Redirect
Location: https://localhost/
The Problem:
When I try to access https://grist.internal.lan through my Nginx proxy, I get a 502 Bad Gateway error.
Here is my nginx.conf file. The block for XWiki on port 8080 works perfectly, but the Grist block does not.
events {}
http {
# Redirect all HTTP to HTTPS
server {
listen 80;
server_name grist.internal.lan xwiki.internal.lan;
return 301 https://$host$request_uri;
}
# Grist Proxy (NOT WORKING)
server {
listen 443 ssl http2;
server_name grist.internal.lan;
ssl_certificate /certs/grist.internal.lan.pem;
ssl_certificate_key /certs/grist.internal.lan-key.pem;
location / {
proxy_pass http://127.0.0.1:8484;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
# XWiki Proxy (WORKING)
server {
listen 443 ssl http2;
server_name xwiki.internal.lan;
# ... (config is similar, proxy_pass to http://127.0.0.1:8080)
}
}
When the 502 error occurs, the Nginx error log shows the following:
[error] 24#24: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.X, server: grist.internal.lan, request: “GET / HTTP/2.0”, upstream: “http://127.0.0.1:8484/”, host: “grist.internal.lan”
This is confusing, because a curl from the host can connect, but Nginx (also on the host network) gets a “Connection refused”.
Am I missing a specific header or configuration that this version of Grist Omnibus requires? Any insight would be greatly appreciated.
Thanks!