XMLHttpRequest error on preview of uploaded Documents files

Hey all, on the web client I’m getting this error in every place where an uploaded/attached document should be showing a preview. The documents do appear to be successfully uploaded and stored as I can download them later. But the previews don’t work.

This is running v5 (latest) on Docker. I have an SSL-secured server proxying back unencrypted for now.

Any insight on what I’ve done wrong?

On the same documents using the beta iOS app, the error is different but the result is the same; I can see attached documents and attach more photos, but instead of the presumable preview I’m supposed to see I just get an empty white box with this text in it:

Bad state: Insecure HTTP is not allowed by platform: http://in…co/api/v1/documents/l4xbq2dprO/download: http://in…co/api/v… (the error is cut off at this point)

EDIT: fixed badly redacted domain which created confusion

Hi,

Thanks for reporting this, I assume it’s related to the proxy.

@david, @ben any thoughts?

This is probably the internal resolution of the files from within the application. ie, your docker container isn’t resolving the URL back to itself.

the quickest way i could think to test if it was dns was to open a shell on the invoiceninja app container and try to ping my URL, to test resolution. it worked.


i’m going to fix my redacted URL which does actually exist in the original error messages, sorry.

now, do note that i have external resolution working but i also have a static dns entry set for my invoiceninja url (in…co) in my router so it performs local resolution to my proxy’s local IP address.

oh, maybe i misinterpreted. invoiceninja has three containers right? app, server, and db. i have the in…co domain resolving to the server not the app. i think that’s how it must work, correct? how can i configure the app to resolve itself instead of the server?

hey team, i have been thrashing around a bit and i’m pretty sure i’ve got ssl enabled between my proxy and invoiceninja now…but i’m still having the same problems.

to enable ssl between my proxy (linuxserver.io’s swag container which uses nginx reverse proxy and letsencrypt ssl) i believe this is a comprehensive list of all the changes:

  1. added fastcgi_param HTTPS 1; and ssl on; (plus pointing to dummy certs) to config/nginx/in-vhost.conf like so:

    server {
        listen 80 default_server;
        listen 443 default_server;
        listen 49142 default_server;
        listen 44143 default_server;
        server_name _;

        root /var/www/app/public/;
        index index.php;
    #not a default option, see github issue invoiceninja/dockerfiles 319
        client_max_body_size 2048M;

    #not default, from https://reinout.vanrees.org/weblog/2017/05/02/https-behind-proxy.html
        ssl on;
        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt  { access_log off; log_not_found off; }

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass invoiceninja-app:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #not default, found in https://github.com/invoiceninja/dockerfiles/issues/14#issuecomment-241860289
            fastcgi_param HTTPS 1;
            fastcgi_intercept_errors off;
            fastcgi_buffer_size 16k;
            fastcgi_buffers 4 16k;
        }
    }

  2. changed my nginx proxy conf to point to the https port passed through to my container

proxy conf:

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name in....co;

        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
        ssl_session_tickets off;

        # intermediate configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;


        ### Linuxserver.io Defaults

        # Certificates
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        # verify chain of trust of OCSP response using Root CA and Intermediate certs
        ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;

        # Diffie-Hellman Parameters
        ssl_dhparam /config/nginx/dhparams.pem;

        # Enable TLS 1.3 early data
        ssl_early_data on;


        client_max_body_size 0;

        location / {

            include /config/nginx/proxy.conf;
            include /config/nginx/resolver.conf;
            set $upstream_app invoiceninja-server;
    #        set $upstream_port 49142;
    #        set $upstream_proto http;
            set $upstream_port 44143;
            set $upstream_proto https;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }
    }

docker-compose.yml entry showing port passthroughs to server

    invoiceninja-server:
        image: nginx
        container_name: invoiceninja-server
        env_file: ./invoiceninja/invoiceninja.env
        restart: unless-stopped
        volumes:
            # Vhost configuration
            - ./invoiceninja/config/nginx/in-vhost.conf:/etc/nginx/conf.d/in-vhost.conf:ro
            - ./invoiceninja/docker/app/public:/var/www/app/public:ro
        depends_on:
            - invoiceninja-app
        ports: 
            - 49142:80
            - 44143:443

specified asset_url in env file and set require https per env example doc

    APP_URL=https://in....co/
    #not default, comes from https://github.com/invoiceninja/invoiceninja/issues/3278
    ASSET_URL=https://in....co/
    APP_KEY=base64:<redacted>
    APP_DEBUG=false
    MULTI_DB_ENABLED=false
    DB_HOST1=mariadb
    DB_PORT1=3306
    DB_USERNAME1=<redacted>
    DB_PASSWORD1=<redacted>
    DB_DATABASE1=<redacted>
    TRUSTED_PROXIES='192.168.xx.xx/32'
    API_SECRET=<redacted>
    REQUIRE_HTTPS=true

    MAIL_DRIVER=smtp
    MAIL_PORT=587
    MAIL_ENCRYPTION=tls
    MAIL_HOST=<redacted>
    MAIL_USERNAME=<redacted>
    MAIL_FROM_ADDRESS=<redacted>
    MAIL_FROM_NAME=<redacted>
    MAIL_PASSWORD=<redacted>

    #this is a system variable please do not remove
    IS_DOCKER=true

    PHANTOMJS_PDF_GENERATION=false

    ##V4 env vars
    #DB_STRICT=false
    #DB_HOST=db
    #DB_DATABASE=ninja
    #DB_USERNAME=ninja
    #DB_PASSWORD=ninja
    #APP_CIPHER=AES-256-CBC

but even still, i’m getting an error in the same place:

same error from iOS app on WAN link so my local DNS server isn’t involved:

i’m pretty new to re-encrypting connections like this so i might be way off base.

are you guys unable to replicate this? do you see any obvious flaws in my configuration?

um, lol. even as i read this i can tell the error has changed, no longer a “Bad state: Insecure HTTP is not allowed by platform” but now a 500 error. sorry, so not the same error but the same basic behaviour. does 500 point in a useful direction?

There may be more details about the error in storage/logs/

thanks!

last night i updated to the latest in v5 in case it made a difference; no change to this particular setup.

here’s the errors associated with trying to view…is it still attempting on http?:

    [2021-06-03 20:36:55] production.ERROR: file_get_contents(https://in.mounga.eco//storage/TRcuPeuktAyz84z2HhYCmDJwIcY0yfV8g4STx60QbCy51AfCneTCKdmxa4uo1tTz/documents/rjIYcN0tnGFV372UTQB1pHZklMw2bdDcVAHXYTr7.png): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found
     {"userId":4,"exception":"[object] (ErrorException(code: 0): file_get_contents(https://in.mounga.eco//storage/TRcuPeuktAyz84z2HhYCmDJwIcY0yfV8g4STx60QbCy51AfCneTCKdmxa4uo1tTz/documents/rjIYcN0tnGFV372UTQB1pHZklMw2bdDcVAHXYTr7.png): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found
     at /var/www/app/app/Http/Controllers/DocumentController.php:118)
    [stacktrace]
    #0 [internal function]: Illuminate\\Foundation\\Bootstrap\\HandleExceptions->handleError()
    #1 /var/www/app/app/Http/Controllers/DocumentController.php(118): file_get_contents()
    #2 /var/www/app/vendor/symfony/http-foundation/StreamedResponse.php(109): App\\Http\\Controllers\\DocumentController->App\\Http\\Controllers\\{closure}()
    #3 /var/www/app/vendor/symfony/http-foundation/Response.php(394): Symfony\\Component\\HttpFoundation\\StreamedResponse->sendContent()
    #4 /var/www/app/public/index.php(61): Symfony\\Component\\HttpFoundation\\Response->send()
    #5 {main}


@david any ideas to debug this?

Hey team, just following up here - does this preview feature work on your docker installs? keen to know if it’s simply something i’ve messed up or a bug.

also happy to help in whatever way i can to diagnose it.

Most likely this is an issue with DNS resolution from inside the container.
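
An added example, not code from the thread or from the Invoice Ninja project: a triage script for `storage/logs` entries of the shape posted above. It extracts the URL the app tried to fetch with `file_get_contents`, then reports the host to test resolution for from inside the app container, whether the fetch went over plain HTTP, the upstream status, and whether the path contains a doubled slash (what joining a base URL ending in `/` to a path starting with `/` produces). The sample lines use a placeholder host and path, and the function names are this example's own.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample in the shape of the storage/logs entry above
# (placeholder host and path, not values from the thread).
SAMPLE_LOG = (
    "[2021-06-03 20:36:55] production.ERROR: "
    "file_get_contents(https://invoices.example.test//storage/abc123/documents/doc1.png): "
    "failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found\n"
    "[2021-06-03 20:37:10] production.ERROR: "
    "file_get_contents(http://invoices.example.test/storage/abc123/documents/doc2.png): "
    "failed to open stream: HTTP request failed! HTTP/1.1 500 Internal Server Error\n"
)

# Match only the leading log message, not the copy repeated in the JSON context.
FETCH_RE = re.compile(
    r"production\.ERROR: file_get_contents\((?P<url>https?://[^)\s]+)\)"
    r".*?HTTP/\d\.\d (?P<status>\d{3})"
)

def triage(log_text):
    """Return one finding per failed server-side fetch in the log text."""
    findings = []
    for m in FETCH_RE.finditer(log_text):
        parts = urlsplit(m.group("url"))
        findings.append({
            "host": parts.hostname,               # name the container must resolve
            "scheme": parts.scheme,
            "status": int(m.group("status")),     # status returned to the app
            "plaintext": parts.scheme == "http",  # fetch not protected by TLS
            "double_slash": "//" in parts.path,   # base URL and path both had "/"
        })
    return findings

def resolves(host):
    """Addresses the current environment resolves host to ([] if none).
    Run inside the app container to compare with what the proxy serves."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443)})
    except socket.gaierror:
        return []

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f, resolves(f["host"]))
```
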