tubearchivist/archived-browser-extension
1
0
Fork 0
mirror of https://github.com/tubearchivist/browser-extension.git synced 2026-03-23 20:37:07 +00:00
Code Issues 6 Projects Packages Wiki Activity

[GH-ISSUE #47] Cannot connect to server error #30

New issue
Closed
opened 2026-03-23 20:31:51 +00:00 by mirror · 12 comments
mirror commented 2026-03-23 20:31:51 +00:00
Owner
Copy link

Originally created by @tehniemer on GitHub (Oct 11, 2024).
Original GitHub issue: https://github.com/tubearchivist/browser-extension/issues/47

I'm unable to connect this to my server, every attempt ends with a Could not connect to server error. I've verified my URL and API are correct, even generated a new API key, nothing helps.

image

Not sure what my next steps should be.

Originally created by @tehniemer on GitHub (Oct 11, 2024). Original GitHub issue: https://github.com/tubearchivist/browser-extension/issues/47 I'm unable to connect this to my server, every attempt ends with a `Could not connect to server` error. I've verified my URL and API are correct, even generated a new API key, nothing helps. ![image](https://github.com/user-attachments/assets/b627e74d-4dda-4316-af9d-f92808f4dfd6) Not sure what my next steps should be.
mirror 2026-03-23 20:31:51 +00:00
  • closed this issue
  • added the
    question
         label
mirror commented 2026-03-23 20:31:52 +00:00
Author
Owner
Copy link

@Protonova commented on GitHub (Oct 15, 2024):

Just my two cents here... I had a similar problem. Are you running Traefik? Have you tried removing https://? For example on my installation I have tubearchivist.***.***.com:7081 7081 being the port I have the load balancer running on (can be anything on your end).

<!-- gh-comment-id:2415249815 --> @Protonova commented on GitHub (Oct 15, 2024): Just my two cents here... I had a similar problem. Are you running Traefik? Have you tried removing `https://`? For example on my installation I have `tubearchivist.***.***.com:7081` 7081 being the port I have the load balancer running on (can be anything on your end).
mirror commented 2026-03-23 20:31:53 +00:00
Author
Owner
Copy link

@tehniemer commented on GitHub (Oct 15, 2024):

I am running Traefik and tried your suggestion with no change in behavior.

<!-- gh-comment-id:2415256904 --> @tehniemer commented on GitHub (Oct 15, 2024): I am running Traefik and tried your suggestion with no change in behavior.
mirror commented 2026-03-23 20:31:53 +00:00
Author
Owner
Copy link

@Protonova commented on GitHub (Oct 16, 2024):

Then there's something wrong with your traefik config. I'm not sure if this is the right place for this issue to be opened. I'm just randomly contributing since I had the same issue a few hours ago when I put TA behind the load balancer.

If the admins don't mind, sure I'll help troubleshoot the issue. You need to share the labels you're using for traefik in your docker. As well as the configs you have for your traefik instance. Please share them using code blocks and remember to remove sensitive information :)

<!-- gh-comment-id:2415386424 --> @Protonova commented on GitHub (Oct 16, 2024): Then there's something wrong with your traefik config. I'm not sure if this is the right place for this issue to be opened. I'm just randomly contributing since I had the same issue a few hours ago when I put TA behind the load balancer. If the admins don't mind, sure I'll help troubleshoot the issue. You need to share the labels you're using for traefik in your docker. As well as the configs you have for your traefik instance. Please share them using code blocks and remember to remove sensitive information :)
mirror commented 2026-03-23 20:31:54 +00:00
Author
Owner
Copy link

@tehniemer commented on GitHub (Oct 16, 2024):

Thanks, I appreciate it. I've tried with and without Authelia, which has a global bypass rule for '^/api([/?].*)?$'

Here's my relevant compose stack:

version: "3.8"
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    #    dns:
    #      - 1.1.1.1
    #      - 1.0.0.1
    networks:
      - traefik
      - socket_proxy
      - internal
    ports:
      - $TRAEFIKHTTP_PORT:80
      - $TRAEFIKHTTPS_PORT:443
    security_opt:
      - no-new-privileges=true
    logging:
      options:
        max-size: 2m
        max-file: "3"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/traefik2/traefik.yml:/etc/traefik/traefik.yml:ro # config location - touch file before starting container
      - /opt/docker/traefik2/rules:/rules:ro # file provider directory
      - /opt/docker/traefik2/acme/acme.json:/acme.json # cert location - touch file and change permissions to 600 before starting container
      - /opt/docker/traefik2/traefik.log:/traefik.log # for fail2ban - touch file before starting container
      - /opt/docker/traefik2/access.log:/access.log # touch file before starting container
    environment:
      TZ: $TIMEZONE
      #      CF_API_EMAIL: $CLOUDFLARE_EMAIL
      #      CF_API_KEY: $CLOUDFLARE_API_KEY
      CF_DNS_API_TOKEN: $CLOUDFLARE_DNS_API_TOKEN
      DOMAINNAME: $DOMAINNAME
    labels:
      - homepage.group=Containers
      - homepage.name=Traefik
      - homepage.icon=traefik
      - homepage.description=Reverse Proxy
      - homepage.href=https://traefik.$DOMAINNAME
      - traefik.enable=true
      - traefik.http.routers.traefik-rtr.entrypoints=https
      - traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)
      - traefik.http.routers.traefik-rtr.service=api@internal
      - traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file #Authelia Authentication
  tubearchivist:
    image: bbilly1/tubearchivist
    container_name: tubearchivist
    restart: unless-stopped
    networks:
      - traefik
      - internal
    ports:
      - $TUBEARCHIVIST_PORT:8000
    security_opt:
      - no-new-privileges=true
    logging:
      options:
        max-size: 2m
        max-file: "3"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/tubearchivist:/cache
      - $MEDIA_DIR/.temp/TubeArchivist/download:/cache/download
      - $MEDIA_DIR/.temp/TubeArchivist/import:/cache/import
      - $MEDIA_DIR/TubeArchivist:/youtube
    environment:
      TZ: $TIMEZONE
      HOST_UID: $PUID
      HOST_GID: $PGID
      TA_HOST: $HOST $HOST:$TUBEARCHIVIST_PORT https://tubearchivist.$DOMAINNAME
      TA_USERNAME: $TUBEARCHIVIST_USER
      TA_PASSWORD: $TUBEARCHIVIST_PASS
#      TA_ENABLE_AUTH_PROXY: true
#      TA_AUTH_PROXY_USERNAME_HEADER: HTTP_REMOTE_USER
#      TA_AUTH_PROXY_LOGOUT_URL: https://authelia.$DOMAINNAME
      ES_URL: http://tubearchivist-es:9200
      ELASTIC_PASSWORD: $ELASTIC_PASS
      REDIS_HOST: tubearchivist-redis
    healthcheck:
      test:
        - CMD
        - curl
        - -f
        - http://localhost:8000/health
      interval: 2m
      timeout: 10s
      retries: 3
      start_period: 30s
    labels:
      - homepage.group=Containers
      - homepage.name=TubeArchivist
      - homepage.icon=tubearchivist
      - homepage.description=YouTube Downloader
      - homepage.href=https://tubearchivist.$DOMAINNAME
      - homepage.siteMonitor=http://$HOST:$TUBEARCHIVIST_PORT
      - traefik.enable=true
      - traefik.http.routers.tubearchivist-rtr.entrypoints=https
      - traefik.http.routers.tubearchivist-rtr.rule=Host(`tubearchivist.$DOMAINNAME`)
      - traefik.http.routers.tubearchivist-rtr.middlewares=chain-authelia@file #Authelia Authentication
      #- traefik.http.routers.tubearchivist-rtr.middlewares=chain-no-auth@file #No Authentication
      - traefik.http.routers.tubearchivist-rtr.service=tubearchivist-svc
      - traefik.http.services.tubearchivist-svc.loadbalancer.server.port=8000
  tubearchivist-es:
    image: elasticsearch:8.14.3
    container_name: tubearchivist-es
    restart: unless-stopped
    networks:
      - traefik
      - internal
    ulimits:
      memlock:
        soft: -1
        hard: -1
    security_opt:
      - no-new-privileges=true
    logging:
      options:
        max-size: 2m
        max-file: 3
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/tubearchivist-es:/usr/share/elasticsearch/data
    environment:
      - ELASTIC_PASSWORD=$ELASTIC_PASS
      - ES_JAVA_OPTS=-Xms1g -Xmx1g
      - xpack.security.enabled=true
      - discovery.type=single-node
      - path.repo=/usr/share/elasticsearch/data/snapshot
    labels:
      - homepage.group=Containers
      - homepage.name=Tubearchivist Elasticpass
      - homepage.icon=elasticpass
  tubearchivist-redis:
    image: redis/redis-stack-server:latest
    container_name: tubearchivist-redis
    restart: always
    networks:
      - internal
    security_opt:
      - no-new-privileges=true
    logging:
      options:
        max-size: 2m
        max-file: "3"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/tubearchivist-redis:/data
    labels:
      - homepage.group=Containers
      - homepage.name=Tubearchivist Redis
      - homepage.icon=redis
networks:
  traefik:
    external: true
  internal:
    external: true
  socket_proxy:
    external: true

Traefik config:

global:
  checkNewVersion: true
  sendAnonymousUsage: false

api:
  dashboard: true
  insecure: true

log:
  level: 'INFO' # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
  filePath: '/traefik.log'

accessLog:
  filePath: '/access.log'
  bufferingSize: 100 # Configuring a buffer of 100 lines
  filters:
    statusCodes:
      - '204-299'
      - '400-499'
      - '500-599'

ping: {}

entryPoints:
  # Not used in apps, but redirect everything from HTTP to HTTPS
  http:
    address: :80
    forwardedHeaders:
      trustedIPs: &trustedIps
        # Local IP range
        #- 127.0.0.1/32
        #- 10.0.0.0/8
        #- 172.16.0.0/12
        #- 192.168.0.0/16
        #- fc00::/7
        # Start of Clouflare public IP list for HTTP requests, remove this if you don't use it
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/12
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudlare public IP list
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  # HTTPS endpoint, with domain wildcard
  https:
    address: :443
    forwardedHeaders:
      # Reuse list of Cloudflare Trusted IP's above for HTTPS requests
      trustedIPs: *trustedIps
    http:
      tls:
        certresolver: 'dns-cloudflare'
        domains:
          - main: 'mydomain.com'
          - sans:
            - '*.mydomain.com'
#        options: 'tls-opts@file'

providers:
  providersThrottleDuration: 2s
  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    endpoint: 'tcp://socket-proxy:2375' #'unix:///var/run/docker.sock'
    network: 'traefik'
    exposedByDefault: false
    watch: true
  # File provider for connecting things that are outside of docker / defining middleware
  file:
    directory: '/rules'
    watch: true
#  redis:
#    endpoints:
#      - 'redis:6379'
#    db: 2

certificatesResolvers:
  dns-cloudflare:
    acme:
      email: 'jon.doe@gmail.com'
      storage: '/acme.json'
      dnsChallenge:
        provider: 'cloudflare'
        delayBeforeCheck: '5'
        resolvers:
          - '1.1.1.1:53'
          - '1.0.0.1:53'

http:
  middlewares:
    middlewares-rate-limit:
      rateLimit:
        average: 100
        burst: 50

    middlewares-https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

    middlewares-secure-headers:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - 'Host'
          - 'X-Forwarded-Host'
          - 'X-Forwarded-Proto'
          - 'X-Forwarded-For'
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: 'allow-from https:{{env "DOMAINNAME"}}' #CSP takes care of this but may be needed for organizr.
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: 'same-origin'
        permissionsPolicy: 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()'
        customResponseHeaders:
          X-Robots-Tag: 'noindex,nofollow' #'none,noarchive,nosnippet,notranslate,noimageindex'
          server: ''

    middlewares-no-frame-headers:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - 'Host'
          - 'X-Forwarded-Host'
          - 'X-Forwarded-Proto'
          - 'X-Forwarded-For'
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: 'SAMEORIGIN'
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: 'same-origin'
        permissionsPolicy: 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()'
        customResponseHeaders:
          X-Robots-Tag: 'noindex,nofollow'
          server: ''

    middlewares-no-cors-headers:
      headers:
        hostsProxyHeaders:
          - 'Host'
          - 'X-Forwarded-Host'
          - 'X-Forwarded-Proto'
          - 'X-Forwarded-For'
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: 'SAMEORIGIN'
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: 'same-origin'
        permissionsPolicy: 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()'
        customResponseHeaders:
          X-Robots-Tag: 'noindex,nofollow'
          server: ''

    middlewares-authelia:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME"}}"
        trustForwardHeader: true
        authResponseHeaders:
          - 'Remote-User'
          - 'Remote-Groups'
          - 'Remote-Email'
          - 'Remote-Name'
          
    middlewares-authelia-basic:
      forwardAuth:
        address: "https://authelia:9091/api/verify?auth=basic"
        trustForwardHeader: true
        authResponseHeaders:
          - 'Remote-User'
          - 'Remote-Groups'
          - 'Remote-Email'
          - 'Remote-Name'

    # https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
    middlewares-buffering:
      buffering:
        maxRequestBodyBytes: 53687091000
        memRequestBodyBytes: 209715200
        maxResponseBodyBytes: 53687091000
        memResponseBodyBytes: 209715200
        retryExpression: 'IsNetworkError() && Attempts() <= 2'

    middlewares-nextcloud-redirect:
      redirectRegex:
        permanent: true
        regex: "https://(.*)/.well-known/(card|cal)dav"
        replacement: "https://${1}/remote.php/dav/"

http:
  middlewares:
    chain-no-auth:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-https-redirectscheme
          - middlewares-secure-headers

    chain-authelia:
      chain:
        middlewares:
          - middlewares-rate-limit
          - middlewares-https-redirectscheme
          - middlewares-secure-headers
          - middlewares-authelia
<!-- gh-comment-id:2415541105 --> @tehniemer commented on GitHub (Oct 16, 2024): Thanks, I appreciate it. I've tried with and without Authelia, which has a global bypass rule for `'^/api([/?].*)?$'` Here's my relevant compose stack: ``` version: "3.8" services: traefik: image: traefik:latest container_name: traefik restart: always # dns: # - 1.1.1.1 # - 1.0.0.1 networks: - traefik - socket_proxy - internal ports: - $TRAEFIKHTTP_PORT:80 - $TRAEFIKHTTPS_PORT:443 security_opt: - no-new-privileges=true logging: options: max-size: 2m max-file: "3" volumes: - /etc/localtime:/etc/localtime:ro - /opt/docker/traefik2/traefik.yml:/etc/traefik/traefik.yml:ro # config location - touch file before starting container - /opt/docker/traefik2/rules:/rules:ro # file provider directory - /opt/docker/traefik2/acme/acme.json:/acme.json # cert location - touch file and change permissions to 600 before starting container - /opt/docker/traefik2/traefik.log:/traefik.log # for fail2ban - touch file before starting container - /opt/docker/traefik2/access.log:/access.log # touch file before starting container environment: TZ: $TIMEZONE # CF_API_EMAIL: $CLOUDFLARE_EMAIL # CF_API_KEY: $CLOUDFLARE_API_KEY CF_DNS_API_TOKEN: $CLOUDFLARE_DNS_API_TOKEN DOMAINNAME: $DOMAINNAME labels: - homepage.group=Containers - homepage.name=Traefik - homepage.icon=traefik - homepage.description=Reverse Proxy - homepage.href=https://traefik.$DOMAINNAME - traefik.enable=true - traefik.http.routers.traefik-rtr.entrypoints=https - traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`) - traefik.http.routers.traefik-rtr.service=api@internal - traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file #Authelia Authentication tubearchivist: image: bbilly1/tubearchivist container_name: tubearchivist restart: unless-stopped networks: - traefik - internal ports: - $TUBEARCHIVIST_PORT:8000 security_opt: - no-new-privileges=true logging: options: max-size: 2m max-file: "3" volumes: - /etc/localtime:/etc/localtime:ro - /opt/docker/tubearchivist:/cache - $MEDIA_DIR/.temp/TubeArchivist/download:/cache/download - $MEDIA_DIR/.temp/TubeArchivist/import:/cache/import - $MEDIA_DIR/TubeArchivist:/youtube environment: TZ: $TIMEZONE HOST_UID: $PUID HOST_GID: $PGID TA_HOST: $HOST $HOST:$TUBEARCHIVIST_PORT https://tubearchivist.$DOMAINNAME TA_USERNAME: $TUBEARCHIVIST_USER TA_PASSWORD: $TUBEARCHIVIST_PASS # TA_ENABLE_AUTH_PROXY: true # TA_AUTH_PROXY_USERNAME_HEADER: HTTP_REMOTE_USER # TA_AUTH_PROXY_LOGOUT_URL: https://authelia.$DOMAINNAME ES_URL: http://tubearchivist-es:9200 ELASTIC_PASSWORD: $ELASTIC_PASS REDIS_HOST: tubearchivist-redis healthcheck: test: - CMD - curl - -f - http://localhost:8000/health interval: 2m timeout: 10s retries: 3 start_period: 30s labels: - homepage.group=Containers - homepage.name=TubeArchivist - homepage.icon=tubearchivist - homepage.description=YouTube Downloader - homepage.href=https://tubearchivist.$DOMAINNAME - homepage.siteMonitor=http://$HOST:$TUBEARCHIVIST_PORT - traefik.enable=true - traefik.http.routers.tubearchivist-rtr.entrypoints=https - traefik.http.routers.tubearchivist-rtr.rule=Host(`tubearchivist.$DOMAINNAME`) - traefik.http.routers.tubearchivist-rtr.middlewares=chain-authelia@file #Authelia Authentication #- traefik.http.routers.tubearchivist-rtr.middlewares=chain-no-auth@file #No Authentication - traefik.http.routers.tubearchivist-rtr.service=tubearchivist-svc - traefik.http.services.tubearchivist-svc.loadbalancer.server.port=8000 tubearchivist-es: image: elasticsearch:8.14.3 container_name: tubearchivist-es restart: unless-stopped networks: - traefik - internal ulimits: memlock: soft: -1 hard: -1 security_opt: - no-new-privileges=true logging: options: max-size: 2m max-file: 3 volumes: - /etc/localtime:/etc/localtime:ro - /opt/docker/tubearchivist-es:/usr/share/elasticsearch/data environment: - ELASTIC_PASSWORD=$ELASTIC_PASS - ES_JAVA_OPTS=-Xms1g -Xmx1g - xpack.security.enabled=true - discovery.type=single-node - path.repo=/usr/share/elasticsearch/data/snapshot labels: - homepage.group=Containers - homepage.name=Tubearchivist Elasticpass - homepage.icon=elasticpass tubearchivist-redis: image: redis/redis-stack-server:latest container_name: tubearchivist-redis restart: always networks: - internal security_opt: - no-new-privileges=true logging: options: max-size: 2m max-file: "3" volumes: - /etc/localtime:/etc/localtime:ro - /opt/docker/tubearchivist-redis:/data labels: - homepage.group=Containers - homepage.name=Tubearchivist Redis - homepage.icon=redis networks: traefik: external: true internal: external: true socket_proxy: external: true ``` Traefik config: ``` global: checkNewVersion: true sendAnonymousUsage: false api: dashboard: true insecure: true log: level: 'INFO' # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC filePath: '/traefik.log' accessLog: filePath: '/access.log' bufferingSize: 100 # Configuring a buffer of 100 lines filters: statusCodes: - '204-299' - '400-499' - '500-599' ping: {} entryPoints: # Not used in apps, but redirect everything from HTTP to HTTPS http: address: :80 forwardedHeaders: trustedIPs: &trustedIps # Local IP range #- 127.0.0.1/32 #- 10.0.0.0/8 #- 172.16.0.0/12 #- 192.168.0.0/16 #- fc00::/7 # Start of Clouflare public IP list for HTTP requests, remove this if you don't use it - 173.245.48.0/20 - 103.21.244.0/22 - 103.22.200.0/22 - 103.31.4.0/22 - 141.101.64.0/18 - 108.162.192.0/18 - 190.93.240.0/20 - 188.114.96.0/20 - 197.234.240.0/22 - 198.41.128.0/17 - 162.158.0.0/15 - 104.16.0.0/12 - 172.64.0.0/13 - 131.0.72.0/22 - 2400:cb00::/32 - 2606:4700::/32 - 2803:f800::/32 - 2405:b500::/32 - 2405:8100::/32 - 2a06:98c0::/29 - 2c0f:f248::/32 # End of Cloudlare public IP list http: redirections: entryPoint: to: https scheme: https # HTTPS endpoint, with domain wildcard https: address: :443 forwardedHeaders: # Reuse list of Cloudflare Trusted IP's above for HTTPS requests trustedIPs: *trustedIps http: tls: certresolver: 'dns-cloudflare' domains: - main: 'mydomain.com' - sans: - '*.mydomain.com' # options: 'tls-opts@file' providers: providersThrottleDuration: 2s # Docker provider for connecting all apps that are inside of the docker network docker: endpoint: 'tcp://socket-proxy:2375' #'unix:///var/run/docker.sock' network: 'traefik' exposedByDefault: false watch: true # File provider for connecting things that are outside of docker / defining middleware file: directory: '/rules' watch: true # redis: # endpoints: # - 'redis:6379' # db: 2 certificatesResolvers: dns-cloudflare: acme: email: 'jon.doe@gmail.com' storage: '/acme.json' dnsChallenge: provider: 'cloudflare' delayBeforeCheck: '5' resolvers: - '1.1.1.1:53' - '1.0.0.1:53' ``` ``` http: middlewares: middlewares-rate-limit: rateLimit: average: 100 burst: 50 middlewares-https-redirectscheme: redirectScheme: scheme: https permanent: true middlewares-secure-headers: headers: accessControlAllowMethods: - GET - OPTIONS - PUT accessControlMaxAge: 100 hostsProxyHeaders: - 'Host' - 'X-Forwarded-Host' - 'X-Forwarded-Proto' - 'X-Forwarded-For' stsSeconds: 63072000 stsIncludeSubdomains: true stsPreload: true forceSTSHeader: true customFrameOptionsValue: 'allow-from https:{{env "DOMAINNAME"}}' #CSP takes care of this but may be needed for organizr. contentTypeNosniff: true browserXssFilter: true referrerPolicy: 'same-origin' permissionsPolicy: 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()' customResponseHeaders: X-Robots-Tag: 'noindex,nofollow' #'none,noarchive,nosnippet,notranslate,noimageindex' server: '' middlewares-no-frame-headers: headers: accessControlAllowMethods: - GET - OPTIONS - PUT accessControlMaxAge: 100 hostsProxyHeaders: - 'Host' - 'X-Forwarded-Host' - 'X-Forwarded-Proto' - 'X-Forwarded-For' stsSeconds: 63072000 stsIncludeSubdomains: true stsPreload: true forceSTSHeader: true customFrameOptionsValue: 'SAMEORIGIN' contentTypeNosniff: true browserXssFilter: true referrerPolicy: 'same-origin' permissionsPolicy: 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()' customResponseHeaders: X-Robots-Tag: 'noindex,nofollow' server: '' middlewares-no-cors-headers: headers: hostsProxyHeaders: - 'Host' - 'X-Forwarded-Host' - 'X-Forwarded-Proto' - 'X-Forwarded-For' stsSeconds: 63072000 stsIncludeSubdomains: true stsPreload: true forceSTSHeader: true customFrameOptionsValue: 'SAMEORIGIN' contentTypeNosniff: true browserXssFilter: true referrerPolicy: 'same-origin' permissionsPolicy: 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()' customResponseHeaders: X-Robots-Tag: 'noindex,nofollow' server: '' middlewares-authelia: forwardAuth: address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME"}}" trustForwardHeader: true authResponseHeaders: - 'Remote-User' - 'Remote-Groups' - 'Remote-Email' - 'Remote-Name' middlewares-authelia-basic: forwardAuth: address: "https://authelia:9091/api/verify?auth=basic" trustForwardHeader: true authResponseHeaders: - 'Remote-User' - 'Remote-Groups' - 'Remote-Email' - 'Remote-Name' # https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik middlewares-buffering: buffering: maxRequestBodyBytes: 53687091000 memRequestBodyBytes: 209715200 maxResponseBodyBytes: 53687091000 memResponseBodyBytes: 209715200 retryExpression: 'IsNetworkError() && Attempts() <= 2' middlewares-nextcloud-redirect: redirectRegex: permanent: true regex: "https://(.*)/.well-known/(card|cal)dav" replacement: "https://${1}/remote.php/dav/" ``` ``` http: middlewares: chain-no-auth: chain: middlewares: - middlewares-rate-limit - middlewares-https-redirectscheme - middlewares-secure-headers chain-authelia: chain: middlewares: - middlewares-rate-limit - middlewares-https-redirectscheme - middlewares-secure-headers - middlewares-authelia ```
mirror commented 2026-03-23 20:31:54 +00:00
Author
Owner
Copy link

@Protonova commented on GitHub (Oct 16, 2024):

Nothing crazy pops out, I'll take a better look after dinner. However, I noticed that you have:

trustedIPs: &trustedIps
        # Local IP range
        #- 127.0.0.1/32
        #- 10.0.0.0/8
        #- 172.16.0.0/12

I am assuming that this is a local wildcard domain you're using? If so I suggest allowing local network access. If not, confirm that you can ping/nslookup/dig the TA server. Also ensure the path it takes is the correct network hops you expect.

As far as your labels go:

      - traefik.enable=true
      - traefik.http.routers.tubearchivist-rtr.entrypoints=https
      - traefik.http.routers.tubearchivist-rtr.rule=Host(`tubearchivist.$DOMAINNAME`)
      - traefik.http.routers.tubearchivist-rtr.middlewares=chain-authelia@file #Authelia Authentication
      - traefik.http.routers.tubearchivist-rtr.service=tubearchivist-svc
      - traefik.http.services.tubearchivist-svc.loadbalancer.server.port=8000

I would also add (just to ensure the headers are passed through the balancer:

      - traefik.http.services.tubearchivist-svc.loadbalancer.passhostheader=true
<!-- gh-comment-id:2415573458 --> @Protonova commented on GitHub (Oct 16, 2024): Nothing crazy pops out, I'll take a better look after dinner. However, I noticed that you have: ``` trustedIPs: &trustedIps # Local IP range #- 127.0.0.1/32 #- 10.0.0.0/8 #- 172.16.0.0/12 ``` I am assuming that this is a local wildcard domain you're using? If so I suggest allowing local network access. If not, confirm that you can ping/nslookup/dig the TA server. Also ensure the path it takes is the correct network hops you expect. As far as your labels go: ``` - traefik.enable=true - traefik.http.routers.tubearchivist-rtr.entrypoints=https - traefik.http.routers.tubearchivist-rtr.rule=Host(`tubearchivist.$DOMAINNAME`) - traefik.http.routers.tubearchivist-rtr.middlewares=chain-authelia@file #Authelia Authentication - traefik.http.routers.tubearchivist-rtr.service=tubearchivist-svc - traefik.http.services.tubearchivist-svc.loadbalancer.server.port=8000 ``` I would also add (just to ensure the headers are passed through the balancer: ``` - traefik.http.services.tubearchivist-svc.loadbalancer.passhostheader=true ```
mirror commented 2026-03-23 20:31:54 +00:00
Author
Owner
Copy link

@tehniemer commented on GitHub (Oct 16, 2024):

I'm not using Traefik for serving anything locally, it all goes through Cloudflare. Adding the load balancer label didn't change the behavior, and according to the Traefik docs, host headers are passed by default. I bypassed Traefik locally and the companion does connect, so you're right something is up with my reverse proxy.

I've been scouring logs and can't seem to find anywhere that indicates the companion is getting through to Traefik, I'm now wondering if it's getting stopped by Cloudflare.

<!-- gh-comment-id:2416580224 --> @tehniemer commented on GitHub (Oct 16, 2024): I'm not using Traefik for serving anything locally, it all goes through Cloudflare. Adding the load balancer label didn't change the behavior, and according to the Traefik docs, host headers are passed by default. I bypassed Traefik locally and the companion does connect, so you're right something is up with my reverse proxy. I've been scouring logs and can't seem to find anywhere that indicates the companion is getting through to Traefik, I'm now wondering if it's getting stopped by Cloudflare.
mirror commented 2026-03-23 20:31:55 +00:00
Author
Owner
Copy link

@Protonova commented on GitHub (Oct 18, 2024):

Sorry it's been a crazy busy week for me. Have you had any luck in finding the issue? As I suspected it wasn't related to the TA companion. I would say just start troubleshooting 1 by 1.

  • I would start off with bypassing authelia (domain to bypass).
  • Comment out 1 middleware at a time.
  • Move on to looking into if CF is blocking something (maybe start with this 1st? Maybe check if WAF is getting in the way first lol).
<!-- gh-comment-id:2423050692 --> @Protonova commented on GitHub (Oct 18, 2024): Sorry it's been a crazy busy week for me. Have you had any luck in finding the issue? As I suspected it wasn't related to the TA companion. I would say just start troubleshooting 1 by 1. - I would start off with bypassing authelia (domain to bypass). - Comment out 1 middleware at a time. - Move on to looking into if CF is blocking something (maybe start with this 1st? Maybe check if WAF is getting in the way first lol).
mirror commented 2026-03-23 20:31:55 +00:00
Author
Owner
Copy link

@MightyDjinn commented on GitHub (Oct 24, 2024):

This is due to the proxy intercepting the request to the api (Which uses its own api keys). Add a configuration like this:

  rules:
  - domain: 'app.example.com'
    policy: 'bypass'
    resources:
    - '^/api([/?].*)?$'
<!-- gh-comment-id:2436177862 --> @MightyDjinn commented on GitHub (Oct 24, 2024): This is due to the proxy intercepting the request to the api (Which uses its own api keys). Add a configuration like this: ```access_control: rules: - domain: 'app.example.com' policy: 'bypass' resources: - '^/api([/?].*)?$'
mirror commented 2026-03-23 20:31:56 +00:00
Author
Owner
Copy link

@tehniemer commented on GitHub (Oct 24, 2024):

I have that rule in my Authelia config, which is working for other services that use an API for access, furthermore the behavior here is the same whether Authelia is in the middle or not. I'm unable to see this subdomain pop up in any cloudflare or traefik logs, so I'm a bit stuck at the moment.

<!-- gh-comment-id:2436214426 --> @tehniemer commented on GitHub (Oct 24, 2024): I have that rule in my Authelia config, which is working for other services that use an API for access, furthermore the behavior here is the same whether Authelia is in the middle or not. I'm unable to see this subdomain pop up in any cloudflare or traefik logs, so I'm a bit stuck at the moment.
mirror commented 2026-03-23 20:31:56 +00:00
Author
Owner
Copy link

@bbilly1 commented on GitHub (Nov 8, 2024):

Do we have any logs? Do you see the requests coming in to TA when opening the extension popup? But that sounds mostly like a reverse proxy issue.

<!-- gh-comment-id:2463930937 --> @bbilly1 commented on GitHub (Nov 8, 2024): Do we have any logs? Do you see the requests coming in to TA when opening the extension popup? But that sounds mostly like a reverse proxy issue.
mirror commented 2026-03-23 20:31:56 +00:00
Author
Owner
Copy link

@tehniemer commented on GitHub (Nov 17, 2024):

I think you're probably right, if I use the host IP and port in the extension it works, I'll close this issue.

<!-- gh-comment-id:2481277597 --> @tehniemer commented on GitHub (Nov 17, 2024): I think you're probably right, if I use the host IP and port in the extension it works, I'll close this issue.
mirror commented 2026-03-23 20:31:56 +00:00
Author
Owner
Copy link

@welshtralian commented on GitHub (Nov 18, 2024):

Authelia can be a royal pain in the arse sometimes. I inspected the extension and was getting CORS errors (same with another extension, say 2FAuth). Like you have /api globally bypassed on the Authelia config but it wasn't having it.

What you have to do is create an auth bypass with Traefik. Shouldn't be much of a security risk because one still has to provide an API key for this extension to work.
This is with Traefik 2, 3 should be similar replace your Routers with:

      ## HTTP Routers Auth Bypass
      - "traefik.http.routers.tubearchivist-rtr-bypass.entrypoints=https"
      - "traefik.http.routers.tubearchivist-rtr-bypass.tls=true"
      - "traefik.http.routers.tubearchivist-rtr-bypass.priority=100"
      - "traefik.http.routers.tubearchivist-rtr-bypass.rule=Host(`tubearchivist.$DOMAINNAME_CLOUD_SERVER3`) && PathPrefix(`/api`)"
      ## HTTP Routers
      - "traefik.http.routers.tubearchivist-rtr.entrypoints=https"
      - "traefik.http.routers.tubearchivist-rtr.tls=true"
      - "traefik.http.routers.tubearchivist-rtr.priority=99"
      - "traefik.http.routers.tubearchivist-rtr.rule=Host(`tubearchivist.$DOMAINNAME_CLOUD_SERVER3`)"

Edit: You may also need to add a line to add the bypass router to the service like this:
- 'traefik.http.routers.tubearchivist-rtr-bypass.service=tubearchivist-svc'

<!-- gh-comment-id:2483417681 --> @welshtralian commented on GitHub (Nov 18, 2024): Authelia can be a royal pain in the arse sometimes. I inspected the extension and was getting CORS errors (same with another extension, say 2FAuth). Like you have /api globally bypassed on the Authelia config but it wasn't having it. What you have to do is create an auth bypass with Traefik. Shouldn't be much of a security risk because one still has to provide an API key for this extension to work. This is with Traefik 2, 3 should be similar replace your Routers with: ``` ## HTTP Routers Auth Bypass - "traefik.http.routers.tubearchivist-rtr-bypass.entrypoints=https" - "traefik.http.routers.tubearchivist-rtr-bypass.tls=true" - "traefik.http.routers.tubearchivist-rtr-bypass.priority=100" - "traefik.http.routers.tubearchivist-rtr-bypass.rule=Host(`tubearchivist.$DOMAINNAME_CLOUD_SERVER3`) && PathPrefix(`/api`)" ## HTTP Routers - "traefik.http.routers.tubearchivist-rtr.entrypoints=https" - "traefik.http.routers.tubearchivist-rtr.tls=true" - "traefik.http.routers.tubearchivist-rtr.priority=99" - "traefik.http.routers.tubearchivist-rtr.rule=Host(`tubearchivist.$DOMAINNAME_CLOUD_SERVER3`)" ``` Edit: You may also need to add a line to add the bypass router to the service like this: ` - 'traefik.http.routers.tubearchivist-rtr-bypass.service=tubearchivist-svc'`
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
release-TA-v0.5.0
v0.4.2
v0.4.1
v0.4.0
v0.3.2
v0.3.1
v0.3.0
v0.2.2
v0.2.1
v0.2.0
v0.1.4
v0.1.3
v0.1.2
v0.1.1
v0.1.0
v0.0.3
v0.0.2
v0.0.1-1
v0.0.1
Labels
Clear labels   
bug

   
bug

   
duplicate

   
enhancement

   
help wanted

   
invalid

   
not an issue

   
not an issue

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
wontfix
No labels
bug
bug
duplicate
enhancement
help wanted
invalid
not an issue
not an issue
pull-request
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
tubearchivist/archived-browser-extension#30
No description provided.