[SOLVED] Local use without https

Hi,
I’ve tried to run the docker image, but with HTTPS I get an SSL problem (SSL_ERROR_RX_RECORD_TOO_LONG), and without it, it doesn’t work.
Since I’ll be using it only in our LAN, how can I use it with plain HTTP?
Thanks!

My bad, I left an extra S.
Here is my docker-compose.yaml file that works (but without users):

version: '3'

services:
  grist:
    image: gristlabs/grist
    environment:
      GRIST_SINGLE_ORG: grist  # alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation
      GRIST_DEFAULT_EMAIL: myemail
      APP_HOME_URL: http://nocodb.local:8484
    ports:
      - "8484:8484"
    volumes:
      # You may want to put state somewhere other than /tmp :-)
      - /var/docker/getgrist/data:/persist
1 Like

Great! By the way, you should check out GitHub - gristlabs/grist-omnibus: an opinionated Grist+Dex+Traefik package for first-time self-hosters, which takes care of SSL and users/logins.

1 Like

Hi @dmitry-grist,
thanks for pointing me to grist-omnibus, but that seems like overkill, I just need a simple login for LAN usage; isn’t it available directly in Grist?

That sounds awesome, but I don't understand Chinese. Or is that ancient Sumerian? I don't know, because I didn't understand ANYTHING lol

I just tried installing today a Grist Core on a computer using Docker. Users in our network can access it using an IP.

I am using the same computer to serve XWiki in our network. It was very simple, and I created several users and they can access it.

Grist is so much more complicated.

For some reason, there is a single user “You” and I can't add new users to it.

So I guess Grist Omnibus helps with that, but I really don't understand why I need a Reverse Proxy, Identity Service, Authentication Middleware, etc, etc, whatever those are, if with XWiki I just installed it and did minimal configuration.

Actually with Grist Omnibus, it’s pretty simple. The complicated description is there to explain what this adds to grist-core, and how to use it to connect to auth providers, set up SSL, etc.

Perhaps we should add a section with just the simple instructions…

This should be enough for a local install:

mkdir grist-data
docker run \
  -p 9999:80 \
  -e URL=http://localhost:9999 \
  -e TEAM=cool-beans \
  -e EMAIL=owner@example.com -e PASSWORD=topsecret \
  -e EMAIL2=user2@example.com -e PASSWORD2=user2password \
  -e EMAIL3=user3@example.com -e PASSWORD3=extrasecret \
  -v `pwd`/grist-data:/persist \
  --name grist --rm \
  -it gristlabs/grist-omnibus

Now go to http://localhost:9999, and sign in with the first email and password listed above. You can then add the other users (EMAIL2, etc) via the “Manage Team” dialog with appropriate permissions.

Of course, with no https, and with emails and passwords specified this way, it’s not really secure, and only recommended if the instance is local and only trusted users can access it at all.

For more serious uses, absence of user registration is the main issue, IMO. Handling user registration used to be possible with Dex out of the box, but they removed it. On the other hand, for serious uses, an integration with an existing auth provider is usually preferred anyway, and that’s what Dex is best for.

1 Like

If I am not mistaken, with XWiki and TikiWiki, you can define that users can register but they need superuser (admin) approval.

Or the Admin ALONE creates users and their passwords, which they can change later.

Very good, thanks a lot!
@dmitry-grist Would you be so gentle to provide me a docker-compose.yaml? :kissing_closed_eyes:

Tried Grist Omnibus.

It’s very weird. It’s working on the same server where XWiki and other programs are being served from. So I can access Grist using localhost:8484 or 9999 or 8082 (tried all those.)

But I can't access it from anywhere else by using the server ip and the port.

Again, that happens with Grist alone. If I try the ip and 8080, the port of XWiki, it works.

tried this

docker run \
  -p 8484:80 \
  -e URL=http://localhost:8484 \
  -e TEAM=grupopavicon \
  -e EMAIL=rogerio@yyyyyyy.com.br \
  -e PASSWORD=xxxxxxx \
  -e EMAIL2=informatica@yyyyyy.com.br \
  -e PASSWORD2=xxxxxxxx \
  -v ~/grist:/persist \
  --name grist --rm \
  -it gristlabs/grist-omnibus

results in this
"when I try to use the ip+port, the url changes to another when it doesn't find the address.

maybe the URL can give some clues of what is going wrong?

http://localhost:8484/dex/auth?client_id=YlHiJG1Mm99qKY99s5UK&redirect_uri=http%3A%2F%2F192.168.0.95%3A8484%2F_oauth&response_type=code&scope=openid+profile+email&state=1b437872df492cf469567fa4555513bb%3Aoidc%3Ahttp%3A%2F%2F192.168.0.95%3A8484%2Fauth%2Flogin"

Chat GPT interpreted the above URL for me

  • http://localhost:8484/dex/auth: This is the authentication endpoint for Dex, an identity service that uses OpenID Connect to drive authentication for other apps.
  • client_id=YlHiJG1Mm99qKY99s5UK: This is the unique identifier for the Grist application as registered in Dex.
  • redirect_uri=http%3A%2F%2F192.168.0.95%3A8484%2F_oauth: This is where Dex should send the user after authentication. In your case, it’s set to http://192.168.0.95:8484/_oauth, which is Grist’s OAuth callback.
  • response_type=code: This indicates that Grist wants an authorization code as part of the OpenID Connect flow.
  • scope=openid+profile+email: This indicates what information Grist wants about the user. In this case, Grist is asking for the user’s OpenID, profile information, and email address.
  • state=...: This is a security measure to prevent cross-site request forgery attacks. The Grist server will verify this state value when Dex redirects the user back.

The issue you’re facing seems to be with the URL. The localhost:8484 in the URL is the address that Dex uses for internal communication with Grist, and it’s set by the URL environment variable in the docker run command.

However, if you want to access Grist from a different machine, localhost won’t work because that always points to the machine you’re currently on. Instead, you should set the URL environment variable to http://192.168.0.95:8484.

told me to change the docker run to this

docker run \
  -p 8484:80 \
  -e URL=http://192.168.0.95:8484 \
  -e TEAM=grupopavicon \
  -e EMAIL=rogerio@yyyyyyy.com.br \
  -e PASSWORD=xyxyxyxyxyxy \
  -e EMAIL2=informatica@yyyyyy.com.br \
  -e PASSWORD2=xxxxxxxxxx \
  -v ~/grist:/persist \
  --name grist --rm \
  -it gristlabs/grist-omnibus

but still not working.


when running Grist, here are some messages the log is showing

2023-07-13 13:17:31.869 - debug: Auth[GET]: 192.168.0.95:8484 / customHostSession=, method=GET, host=192.168.0.95:8484, path=/, org=grupopavicon, email=anon@getgrist.com, userId=1, altSessionId=sqaHMDkQtwxzUFFh722bDr
2023-07-13 13:17:31.871 - debug: Authorizer: redirecting to sign up
time="2023-07-13T13:17:31Z" level=warning msg="You are using \"secure\" cookies for a request that was not received via https. You should either redirect to https or pass the \"insecure-cookie\" config option to permit cookies via http." handler=Auth host="192.168.0.95:8484" method=GET proto=http rule=default source_ip=192.168.0.50 uri="/auth/login?next=%2F"

“You are using "secure" cookies for a request that was not received via https. You should either redirect to https or pass the "insecure-cookie" config option to permit cookies via http.”

hmmm… this suggests that Grist is expecting to be accessed via HTTPS, and it’s trying to set secure cookies which are only sent over HTTPS connections. However, the request is coming in over HTTP, and so the secure cookie cannot be set.

This could be part of the problem I am seeing with accessing the service from another machine. If the service is setting secure cookies, but the connection to the client is not secure (because it’s HTTP, not HTTPS), then the client may refuse to accept the cookies, which could cause problems with the session management and result in someone else being unable to login.

This warning is related to the configuration of the Traefik Forward Auth (TFA) service used in the Grist setup.

However, the insecure-cookie option is not directly configurable via the Docker run command in the current Grist setup. It’s a configuration option for the Traefik Forward Auth (TFA) service, which is a part of the Grist docker setup but its options are not exposed directly.

Dmitry, the logs SEEM to indicate my problem is exactly that I can't use it locally without HTTPS, even using Omnibus

Here is the log

Attaching to grist_grist_1
grist_1  | Calling traefik [
grist_1  |   '--providers.file.filename=/settings/traefik.yaml',
grist_1  |   '--entryPoints.web.address=:80',
grist_1  |   '--entrypoints.websecure.address=:443'
grist_1  | ]
grist_1  | LOGOUT_REDIRECT=http://192.168.0.95:8484/signed-out
grist_1  | TEAM=grupopavicon
grist_1  | GRIST_DATA_DIR=/persist/docs
grist_1  | APP_HOST=192.168.0.95
grist_1  | GRIST_ORG_IN_PATH=true
grist_1  | NODE_VERSION=14.21.3
grist_1  | GVISOR_FLAGS=-unprivileged -ignore-cgroups
grist_1  | WHOAMI_PORT=17102
grist_1  | HOSTNAME=bfe07cc4647c
grist_1  | URL=http://192.168.0.95:8484
grist_1  | YARN_VERSION=1.22.19
grist_1  | GRIST_FORCE_LOGIN=true
grist_1  | HOME=/root
grist_1  | APP_HOME_URL=http://192.168.0.95:8484
grist_1  | EXT_PORT=8484
grist_1  | GRIST_HIDE_UI_ELEMENTS=helpCenter,billing,templates,multiSite,multiAccounts
grist_1  | GRIST_SANDBOX_FLAVOR=unsandboxed
grist_1  | GRIST_FORWARD_AUTH_LOGOUT_PATH=_oauth/logout
grist_1  | DEX_PORT=9999
grist_1  | GRIST_SESSION_COOKIE=grist_core
grist_1  | DEFAULT_PROVIDER=oidc
grist_1  | PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
grist_1  | EMAIL=rogerio@pavicon.com.br
grist_1  | GRIST_SINGLE_ORG=grupopavicon
grist_1  | GRIST_DEFAULT_EMAIL=rogerio@pavicon.com.br
grist_1  | PROVIDERS_OIDC_CLIENT_ID=IBASUhMaFWmy6Vq0rJDC
grist_1  | PROVIDERS_OIDC_CLIENT_SECRET=1RzqGTOevXPHqMB4W5T9
grist_1  | SECRET=El0Gaui92zWquIMtvqmF
grist_1  | GRIST_SERVE_SAME_ORIGIN=true
grist_1  | TYPEORM_DATABASE=/persist/home.sqlite3
grist_1  | GRIST_SESSION_SECRET=laLcRCYrJNaYj1jpk9yW
grist_1  | GRIST_HOST=0.0.0.0
grist_1  | PWD=/grist
grist_1  | TFA_PORT=17101
grist_1  | HTTPS=external
grist_1  | PASSWORD=n0g4m3n0l1f3
grist_1  | PROVIDERS_OIDC_ISSUER_URL=http://192.168.0.95:8484/dex
grist_1  | PYTHON_VERSION_ON_CREATION=3
grist_1  | GRIST_FORWARD_AUTH_HEADER=X-Forwarded-User
grist_1  | GRIST_SINGLE_PORT=true
grist_1  | GRIST_INST_DIR=/persist
grist_1  | GRIST_PORT=17100
grist_1  | 2023/07/13 17:15:36 Starting up on port 17102
grist_1  | time="2023-07-13T17:15:36Z" level=info msg="Configuration loaded from flags."
grist_1  | No /custom/dex.yaml
grist_1  | Checking dex... at http://192.168.0.95:8484/dex/.well-known/openid-configuration
grist_1  |   not ready: TypeError [ERR_INVALID_PROTOCOL]: Protocol "http:" not supported. Expected "https:"
grist_1  | time="2023-07-13T17:15:36Z" level=info msg="Dex Version: v2.33.1-dirty, Go Version: go1.18.4, Go OS/ARCH: linux amd64"
grist_1  | time="2023-07-13T17:15:36Z" level=info msg="config using log level: debug"
grist_1  | time="2023-07-13T17:15:36Z" level=info msg="config issuer: http://192.168.0.95:8484/dex"
grist_1  | Checking dex... at http://192.168.0.95:8484/dex/.well-known/openid-configuration
grist_1  |   not ready: TypeError [ERR_INVALID_PROTOCOL]: Protocol "http:" not supported. Expected "https:"
grist_1  | time="2023-07-13T17:15:38Z" level=info msg="config storage: sqlite3"
grist_1  | time="2023-07-13T17:15:38Z" level=info msg="config static client: Grist"
grist_1  | time="2023-07-13T17:15:38Z" level=info msg="config connector: google"
grist_1  | time="2023-07-13T17:15:38Z" level=info msg="config connector: microsoft"
grist_1  | time="2023-07-13T17:15:38Z" level=info msg="config connector: local passwords enabled"
grist_1  | time="2023-07-13T17:15:38Z" level=info msg="config skipping approval screen"
grist_1  | time="2023-07-13T17:15:38Z" level=info msg="config refresh tokens rotation enabled: true"
grist_1  | Checking dex... at http://192.168.0.95:8484/dex/.well-known/openid-configuration
grist_1  |   not ready: TypeError [ERR_INVALID_PROTOCOL]: Protocol "http:" not supported. Expected "https:"
grist_1  | time="2023-07-13T17:15:38Z" level=info msg="keys expired, rotating"
grist_1  | time="2023-07-13T17:15:38Z" level=info msg="keys rotated, next rotation: 2023-07-13 23:15:38.547137619 +0000 UTC"
grist_1  | time="2023-07-13T17:15:38Z" level=info msg="listening (http) on 0.0.0.0:9999"
grist_1  | Checking dex... at http://192.168.0.95:8484/dex/.well-known/openid-configuration
grist_1  |   not ready: TypeError [ERR_INVALID_PROTOCOL]: Protocol "http:" not supported. Expected "https:"

here is ChatGPT’s interpretation of it

Looking at the logs, it seems the application is expecting a secure (HTTPS) connection but it’s receiving an insecure (HTTP) one. This is evident from the error message TypeError [ERR_INVALID_PROTOCOL]: Protocol "http:" not supported. Expected "https:".

This is likely because the URL environment variable in the docker-compose.yml is set to http://192.168.0.95:8484. However, the application is expecting the protocol to be https, not http.

If you are confident that your network is secure, one way to resolve this might be to configure the application to accept HTTP connections. This could involve changing a setting in the application’s configuration or in its Docker container.

This was the docker-compose yaml that I used

version: '3'
services:
  grist:
    image: gristlabs/grist-omnibus
    ports:
      - "8484:80"
    environment:
      EMAIL: "rogerio@pavicon.com.br"
      PASSWORD: "xxxxxxxxxxxxx"
      TEAM: "grupopavicon"
      URL: "http://192.168.0.95:8484"
      HTTPS: "external"
      GRIST_SINGLE_ORG: "grupopavicon"
      GRIST_FORCE_LOGIN: "true"
      GRIST_HIDE_UI_ELEMENTS: "helpCenter,billing,templates,multiSite,multiAccounts"
    volumes:
      - "/mnt/data:/persist"
    restart: unless-stopped

Ah, I think I found the problem. Remove the “HTTPS” environment variable, and add the variable INSECURE_COOKIE: true, which is what traefik needs to work without HTTPS:

  #HTTPS: "external"
  INSECURE_COOKIE: true

If this resolves the issue, I think we could make it automatic by adding this to run.js and rebuilding the docker image:

Change to run.js
diff --git a/run.js b/run.js
index 62b8e99..dbdae97 100755
--- a/run.js
+++ b/run.js
@@ -74,6 +74,9 @@ function startTraefik() {
   if (process.env.HTTPS) {
     flags.push("--entrypoints.websecure.address=:443")
   }
+  if (!process.env.HTTPS) {
+    flags.push("--insecure-cookie")
+  }

   console.log("Calling traefik", flags);
   console.log(child_process.execSync('env', { encoding: 'utf-8' }));
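Review bot: the added `if (!process.env.HTTPS)` block pushes `--insecure-cookie` onto the `flags` array inside `startTraefik()`, the same array that is logged as "Calling traefik", while the warning quoted earlier in the thread that names the insecure-cookie option is emitted with handler=Auth, so check that the flag reaches the forward-auth process rather than traefik; setting it where that service is configured, as the INSECURE_COOKIE variable in the reply above does, would be the safer place. The new condition is the exact negation of the `if (process.env.HTTPS)` directly above it, so an `else` branch would express it more simply. Separately, the unchanged context line `console.log(child_process.execSync('env', ...))` prints the whole environment to the container log, including PASSWORD and the generated secrets, as the log posted earlier shows; consider filtering those out.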
2 Likes
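The three configurations tried in this thread, run through a small preflight check. This is an added example, not part of the original posts or of grist-omnibus; `checkEnv`, `redirectMismatch` and the rules they encode are assumptions drawn only from the symptoms reported above, and the sample URL is shortened from the one posted.

```javascript
// Added example: preflight check for a grist-omnibus style environment.
// The rules encode only what this thread observed; names are hypothetical.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

function checkEnv(env) {
  let url;
  try {
    url = new URL(env.URL || "");
  } catch (e) {
    return ["URL is missing or not a valid absolute URL"];
  }
  const findings = [];
  const plainHttp = url.protocol === "http:";
  if (LOOPBACK.has(url.hostname)) {
    // Seen in the thread: a LAN browser was sent to http://localhost:8484/dex/auth.
    findings.push("URL host is loopback: other machines are redirected to themselves");
  }
  if (plainHttp && env.HTTPS) {
    // Seen in the thread: HTTPS=external with an http URL, dex check never ready.
    findings.push("HTTPS is set but URL is http: readiness check fails (ERR_INVALID_PROTOCOL)");
  }
  if (plainHttp && !LOOPBACK.has(url.hostname) && String(env.INSECURE_COOKIE) !== "true") {
    // Seen in the thread for a LAN address: "secure" cookie warning over http.
    findings.push("http on a LAN address without INSECURE_COOKIE=true: login cookie is rejected");
  }
  return findings;
}

// Compare where a login redirect points with where it promises to return.
function redirectMismatch(authUrl) {
  const auth = new URL(authUrl);
  const redirectUri = auth.searchParams.get("redirect_uri");
  if (!redirectUri) return null;
  const callback = new URL(redirectUri);
  return auth.origin === callback.origin
    ? null
    : { auth: auth.origin, callback: callback.origin };
}

// Constructed sample: the posted redirect with client_id and state removed.
const SAMPLE_AUTH_URL =
  "http://localhost:8484/dex/auth?redirect_uri=http%3A%2F%2F192.168.0.95%3A8484%2F_oauth";

console.log(checkEnv({ URL: "http://localhost:8484" }));
console.log(checkEnv({ URL: "http://192.168.0.95:8484", HTTPS: "external" }));
console.log(checkEnv({ URL: "http://192.168.0.95:8484", INSECURE_COOKIE: "true" }));
console.log(redirectMismatch(SAMPLE_AUTH_URL));
```

An empty findings list for the last configuration only means it avoids the three failures seen here; the session cookie still travels in clear text on the LAN.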

SUCCESS!!! I was trying for over a week to install it! Thanks Dmitry!

1 Like