Pushing password on website still '"Pushing" #1193
Comments
Hello @grulicht, thanks for contributing to the Password Pusher community! We will respond as soon as possible. |
Hi, I have the same problem! Inspecting the requests from Chrome, even though the PWP__OVERRIDE_BASE_URL variable is properly set (https://...), the system is returning a URL via http:, which is being blocked by the browser: Mixed Content: The page at 'https://desa*****.****.com/' was loaded over HTTPS, but requested an insecure resource 'https://desa*****.****.com/es/p/hgkoics401s/preview'. This request has been blocked; the content must be served over HTTPS. If you change the blocked URL to https, in another browser tab it displays correctly and the link provided there is correct. Is there any way to solve this? |
Hello, I have exactly the same problem with an Ubuntu + Docker + Apache (as reverse proxy). |
@selkopb I do not know a solution and I am still looking for one. :) |
Hi all – apologies for the late reply. I'm traveling for the next couple weeks, but I'll take a closer look once I get back. Summer vacations... |
Having the same issue, retried many times. Did not dig into it deeper but seems logical with it returning HTTP. Also having an issue with file uploads, think that's the same issue or related. When I upload for example 3 files, it does the first or maybe 2. And then gets stuck so to say. Tried in many browsers, and also incognito. Same issue. Just wanted to start using Password Pusher. Hope that this will be fixed asap, so we can start using it. |
Hi @kayvanaarssen are you also running nginx in front of your Password Pusher instance? |
Yes, with the Nginx Proxy Manager that comes with the predefined Docker Configs. |
I'm not sure what the issue is yet but there are a few issues (e.g. #794) that are all running with nginx in the front end. I suspect there is a configuration issue that is causing all of these issues. Needs investigation though. Can you reproduce the issue when accessing the backend app directly? |
I'm on holiday now, and deleted the server that it was running on so cannot test it now🙈 |
For sure it works without nginx as pwpush.com doesn't use nginx and the local test suite either. I've tested with nginx in the past but not recently. No rush - enjoy your vacation. I'll loop back to this hopefully soon. |
@pglombardo Just tested without https/nginx just ip:5100 same issue... This is the same with either S3 storage or local (via mount volume)
Log with Debug on
|
Thanks @kayvanaarssen. Really odd. pwpush.com works, my local container tests work, the built in test suite that mocks a browser works... If I can eventually reproduce this, I'm sure it'll be easy to fix. A few questions:
Much appreciated |
See here also Browser console. This is with local storage.
Logs from latest version
Log with debug on
Some more logs
|
Yes - any S3 compatible bucket.
At least for the local storage, there was a permissions issue. When uploading the file, it couldn't be written. The specific error is with a |
Does not matter really.
It works for mysql it created the folders in there without an issue. Any idea what could cause this? |
Ok I think I have a few ideas: I was able to reproduce this with local storage. I ran So whenever you see the red upload bar and a greyed out "Pushing..." button, it means that it couldn't write the file (for whatever reason). I think what we're missing is a CORS configuration for the S3 buckets. For reference, this is the related documentation for the upload library. Could you try and add this CORS configuration to your S3 buckets?
|
Strange right that this happens even in the local storage option while Password Pusher (docker) creates the folders itself... As for S3 all sources are allowed. I can also access it via Transmit on mac or cyberduck. They use Ceph for S3 storage and make it public. |
Yeah this is an odd issue that is hard to nail down. I get the sense it's a mix of issues so my best idea is to fix each smaller issue as I find them. Just to confirm, did you try the CORS configuration? I don't doubt it works with the other tools. I think CORS is specifically when an upload is started from your browser by being referred from a third party URL. |
Where do we need to add that exactly. |
In the S3 provider dashboard. If that's not possible, let me see if I can figure out another option. |
Right, it's not possible there. And like I wrote, other things work without an issue. Also for example Nextcloud, to point out another more usual product. The service is from: dadup.eu |
I also created credentials for you; Server URL: nl.dadup.eu |
Okay,,, just tested.
That's the folder on the host, that I mapped to the Volume.
PWP__FILES_STORAGE="amazon"
PWP__FILES__S3__ENDPOINT="nl.dadup.eu"
PWP__FILES__S3__ACCESS_KEY_ID=""
PWP__FILES__S3__SECRET_ACCESS_KEY=""
PWP__FILES__S3__REGION='us-east-1'
PWP__FILES__S3__BUCKET="pwpush-files-1"
Then the push works but saved the file locally. Whut! No files in S3 |
Yes, I do a restart of the Docker after I change anything. |
I thought about removing the direct upload feature although it would be non-trivial. Direct uploads really help when people are uploading multi gigabyte files. Without it, it would be equivalent of the application undergoing a denial of service - 1 dedicated process to handle a 5 minute upload. 5-10 people do that and the application would be unresponsive. Hopefully you can set that in your bucket. I've updated the Configuration document to explain this requirement. I'm AFK for the next couple hours but will be back later. Thanks for all the help @kayvanaarssen! |
I'll also test it with some other S3 Storage and let you know. |
@jnbalbona - did you ever fix your issue? I'm having the same problem using local storage. We just attempted to update from 1.14 which was working fine but now see the same http/https mismatch when attempting to push. I tried setting |
Related update for "Stuck on 'Pushing...'" in #794:
|
Hi. |
I answer myself:
Thank you very much anyway. |
Hello,
I also remove the SSL-related options in my docker-compose file:
Thank you very much for the help anyway ! |
For reference there is an example Password Pusher with nginx setup here. |
After more investigation we determined that our configuration of an |
The other option is This setting assures that generated secret URLs are generated with that base URL. This doesn't apply to the HTTP back and forth between the application and the proxy. |
Thanks for the response. We had already experimented with setting that override base url setting but the issue was the communication between the backend and proxy. The generate secret would fail because it was attempting to request http resources from an https page. I think we could have made it work with the |
Thanks for the nice words @WarpRat. There was talk about deprecating https://guides.rubyonrails.org/configuring.html#config-force-ssl |
I believe this issue should be resolved for most. If so I'd like to close this issue. But to summarise:
Thanks everyone for your patience, help and input. Waiting for feedback, but I'll aim to close this issue soon if I don't hear anything. |
@pglombardo I'll try to set up a clone of our existing one and test like I did before and let you know. @pglombardo With the dadup service it's still not working... But that could be because of the CORS settings on their side. Going to test backblaze now. For some reason with backblaze even after setting the CORS rules I still cannot push.
|
@kayvanaarssen let's break that testing out to a separate issue specifically for CORS. Could you file a new issue with your findings? Even a copy/paste would be appreciated. |
thanks a lot! same thing helped me, with Ubuntu + Docker + Apache Reverse Proxy configuration via
before this, I thought I needed to edit the
|
In case someone uses F5 BIG-IP in front. Create a custom HTTP profile to insert X-Forwarded-Proto:https header (as per K43444200) and attach it to the VS. Thanks! |
Thank you @nov1c3 for the help! I believe this issue should be fully resolved now. Is anyone here still experiencing this issue? |
@pglombardo thanks, unless I Any other troubleshooting I can be doing? |
The pwpush container is a non-root container - that might have something to do with it. Inside the container, the application runs with That would probably be the best place to start. It most likely has to do with something between the container identity and the external identity on the volume. Hope this helps. |
Thanks for your reply. I will try. |
Hi all - do any issues remain here? I'll close out this issue eventually unless I hear otherwise. To summarize a few key points: Stuck "Pushing" button can happen if a proxy doesn't send the X-Forwarded-* headers or if using file uploads, CORS isn't properly set up. There is some great investigation above. Checking browser console for errors is key. In older versions of Password Pusher, the rate limiter was too aggressive and would block file uploads in the back and forth requests to upload a file. This has since been fixed. If anyone is still having any issues, please feel free to open a new issue and we can tackle remaining individual issues separately. Thanks all for the help & input! |
One off topic update here but for any users that use F5 BIG-IP, CloudFlare or any external proxy: A security research team reported a vulnerability related to proxies here. In v1.49.0 only local network proxies are trusted by default. For that release and going forward, when using a proxy that is not on the local network, you will likely have to specifically authorize the external IP to act as a proxy. Documentation here. If you have any questions, let me know. |
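An added illustration of the two points summarised above (a proxy has to send X-Forwarded-Proto, and only trusted proxies are believed), not Password Pusher's or Rails' own code: a sketch of how a backend behind a TLS-terminating proxy can pick the scheme for the URLs it generates. The function names, the list of local ranges, and the sample host, path and addresses are assumptions constructed for the example.

```ruby
require "ipaddr"

# Constructed stand-in for "local network proxies": loopback and private ranges.
LOCAL_PROXY_RANGES = %w[
  127.0.0.0/8 ::1/128 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7
].map { |cidr| IPAddr.new(cidr) }

# True when the directly connected peer is a local proxy or was explicitly authorized.
def trusted_proxy?(peer_ip, extra_trusted = [])
  ip = IPAddr.new(peer_ip)
  ranges = LOCAL_PROXY_RANGES + extra_trusted.map { |cidr| IPAddr.new(cidr) }
  ranges.any? { |range| range.include?(ip) }
rescue IPAddr::Error
  false # an unparsable address is never trusted
end

# Scheme to use in generated URLs. The forwarded header is honoured only when
# it comes from a trusted proxy; otherwise the scheme seen on the socket wins.
def effective_scheme(peer_ip:, headers:, socket_scheme: "http", extra_trusted: [])
  return socket_scheme unless trusted_proxy?(peer_ip, extra_trusted)

  proto = headers["X-Forwarded-Proto"].to_s.split(",").first.to_s.strip.downcase
  %w[http https].include?(proto) ? proto : socket_scheme
end

def preview_url(host:, path:, **request)
  "#{effective_scheme(**request)}://#{host}#{path}"
end

# Constructed requests: the browser speaks HTTPS to the proxy, the proxy
# speaks plain HTTP to the application container.
target = { host: "pwpush.example.test", path: "/p/example/preview" }
https  = { "X-Forwarded-Proto" => "https" }

# Local proxy without the header: an http:// URL on an HTTPS page (mixed content).
puts preview_url(**target, peer_ip: "172.18.0.2", headers: {})
# Local proxy that sends the header.
puts preview_url(**target, peer_ip: "172.18.0.2", headers: https)
# External proxy: header ignored until its address is explicitly authorized.
puts preview_url(**target, peer_ip: "203.0.113.10", headers: https)
puts preview_url(**target, peer_ip: "203.0.113.10", headers: https,
                 extra_trusted: ["203.0.113.10/32"])
```

The first and third calls produce an `http://` URL, which is the form the browser blocks on a page loaded over HTTPS.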
Hi, regarding this issue using nginx reverse proxy: We are unable to set: proxy_set_header X-Forwarded-Port $server_port; We set:
Via docker compose. Unfortunately still no luck: Mixed Content: The page at 'https:// **************.de/' was loaded over HTTPS, but requested an insecure resource 'http:// .de/p/1eq/preview'. This request has been blocked; the content must be served over HTTPS. Any ideas? |
Hi @DediCATeD88 - I moved your comment into a new issue. I'll respond there so we don't clutter up this issue which I believe is now resolved. |
As a final summary and resolution for this issue: See this comment. I'll close this issue out but if anyone has further problems, please file a new issue and we'll pick up from there. Thanks all for the input/help in investigating! |
Hello,
I have a problem:
Pushing password on website still '"Pushing", but in log of docker container I see path for create password for example "emf3kuvvyebu" and when I use my domain and path password i push everybody, but not automatically like in your pwpush web after "Push it" password on website. I do not know where is a problem.
Thanks for tips.