this post was submitted on 28 Apr 2024

Edit: The solution is in Nginx. I disabled these: Cache Assets, Block Common Exploits, Websockets Support.

I can log in using the local IP 192.168.1.2:9101, but when I route that with Nginx, it won't.

I have the GUI listen address as : 0.0.0.0:9101

I've been googling for hours but I can't find anything. In the browser console it says:

Failed to load resource: the server responded with a status of 403 ()
syncthing.my.domain.com/:1  Refused to execute script from 'https://syncthing.my.domain.com/meta.js' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.
[–] [email protected] 3 points 7 months ago (1 children)

I'm a bit confused about those ports (9000 and 9101) because afaik Syncthing only listens on 8384 (GUI) and 22000 (transfers).

I'm using it with NPM as well and I haven't needed to do anything special to access the GUI through NPM beyond pointing NPM at the syncthing address and port (which, again, I used 8384).

Please note that 22000 is unrelated to the GUI, that needs to be handled as a stream. It's not HTTP so you won't be able to do domain routing with it. You can add it as a stream host in NPM but it will use the IP/name of the machine/container that NPM runs on.

I currently expose 22000 to Tailscale through the tailnet IP/name. But you only need to define that in the other syncthing clients anyway, shouldn't impact using the GUI.

[–] [email protected] 1 points 7 months ago (1 children)

Sorry it's just 9101, I updated it.

In the GUI you can change the port of the GUI and that's what I did, so right now I can actually access it using 192.168.1.2:9101 and it works. Do you have NPM configured in any way other than pointing? Have you made any changes in Syncthing itself to give it a domain name or an address?

[–] [email protected] 1 points 7 months ago (1 children)

No relevant changes in Syncthing. The GUI is on 0.0.0.0:8384, transfer is on tcp4://0.0.0.0:22000.

NPM is a simple forward to IP:8384. I have unchecked cache, block exploits and websockets in NPM.

[–] [email protected] 1 points 7 months ago

The forwarding is actually taking place; the problem is that when I enter credentials and try to log in, it doesn't.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

| Fewer Letters | More Letters |
|---|---|
| HTTP | Hypertext Transfer Protocol, the Web |
| IP | Internet Protocol |
| nginx | Popular HTTP server |

3 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.

[Thread #721 for this sub, first seen 29th Apr 2024, 04:15]

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago) (1 children)

My npm has web sockets enabled and blocking common exploits.

Just checked syncthing and it's set to 0.0.0.0:8384 internally but that shouldn't matter if you changed the port.

When Syncthing is set to listen on 0.0.0.0, it means it's listening on all available network interfaces on the device. This allows it to accept connections from any IP address on the network, rather than just the local interface. Essentially, it makes Syncthing accessible from any device within the network.

Just make sure you open those firewall ports on the server syncthing is running on.

Btw the syncthing protocol utilizes port 22000 tcp and udp. Udp utilizing a type of quic if you let it.

So it's a good idea to allow udp and tcp on 22000 if you have a firewall configured on the syncthing server.

Edit

Wording for firewall ports and the purpose of 0.0.0.0

[–] [email protected] 1 points 7 months ago

I have it set to 0.0.0.0, and I can access it from another PC using the ip:port address. But when I try to access it using the domain name, it shows the login page but I can't log in; it just refreshes the page and I can see the error above in the logs.

[–] [email protected] 0 points 7 months ago (1 children)

Can you post the syncthing logs, as well as the nginx logs?

I assume you've seen this: https://stackoverflow.com/questions/48626459/refused-to-execute-script-because-strict-mime-type-checking-is-enabled

Can you post your nginx config? Is it just this one with different variables? https://docs.syncthing.net/users/reverseproxy.html

[–] [email protected] 0 points 7 months ago (1 children)

I'm using the Web GUI Nginx Proxy Manager https://nginxproxymanager.com/

I tried to add what's in the docs.syncthing using the GUI but it failed. I wasn't sure if I should modify something inside the nginx docker container or not.

[–] [email protected] 1 points 7 months ago (1 children)

I'd definitely take a look at the syncthing logs...

[–] [email protected] 1 points 7 months ago (1 children)

The log doesn't mention anything regarding a login attempt

[–] [email protected] 1 points 7 months ago (1 children)

403 Forbidden doesn't necessarily mean a bad login attempt. Are you sure that's the error? My troubleshooting steps would be to access directly (no nginx), and look at the logs for a successful login. Then, try to log in with nginx, and look at those logs (both access.log and error.log on nginx, and any/all logs from syncthing). Find out where the two cases diverge and go from there.

Does syncthing have a domain name specified? If it doesn't know its domain name it may work from IP directly but not via reverse proxy. Just a hunch.

[–] [email protected] 1 points 7 months ago (1 children)

In Syncthing logs the difference between success and fail

Success

2024-04-29 00:46:58 http: POST "/rest/noauth/auth/password": status 204, 0 bytes in 62.48 ms
2024-04-29 00:46:58 http: GET "/rest/events?since=174": status 200, 240 bytes in 54538.81 ms
2024-04-29 00:46:58 http: GET "/": status 304, 0 bytes in 0.00 ms
2024-04-29 00:46:58 http: GET "/vendor/bootstrap/css/bootstrap.css": status 304, 0 bytes in 1.24 ms
2024-04-29 00:46:58 http: GET "/vendor/daterangepicker/daterangepicker.css": status 304, 0 bytes in 0.00 ms
2024-04-29 00:46:58 http: GET "/vendor/fork-awesome/css/fork-awesome.css": status 304, 0 bytes in 0.00 ms
2024-04-29 00:46:58 http: GET "/assets/font/raleway.css": status 304, 0 bytes in 0.00 ms

Fail

2024-04-29 00:44:09 http: POST "/rest/noauth/auth/password": status 403, 10 bytes in 237.16 ms
2024-04-29 00:44:09 http: GET "/modal.html": status 304, 0 bytes in 0.00 ms
2024-04-29 00:44:09 http: GET "/syncthing/core/editShareTemplate.html": status 304, 0 bytes in 0.07 ms
2024-04-29 00:44:10 http: POST "/rest/noauth/auth/password": status 204, 0 bytes in 85.43 ms
2024-04-29 00:44:11 http: GET "/": status 304, 0 bytes in 0.00 ms
2024-04-29 00:44:11 http: GET "/rest/svc/lang": status 200, 22 bytes in 0.00 ms

"Does syncthing have a domain name specified?" I can't find an option to do so.
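The direct-versus-proxied comparison suggested earlier in the thread, applied to the Syncthing log format shown above, as an added example that is not part of any poster's comment. The function names are made up for this example, and the sample lines are copied from the "Success" and "Fail" excerpts:

```python
import re
from collections import defaultdict

# Line format as it appears in the Syncthing log excerpts quoted in this thread.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) http: (?P<method>[A-Z]+) '
    r'"(?P<path>[^"]*)": status (?P<status>\d{3}), \d+ bytes in [\d.]+ ms$'
)

# Sample input: lines copied from the "Success" and "Fail" excerpts above.
DIRECT = '''
2024-04-29 00:46:58 http: POST "/rest/noauth/auth/password": status 204, 0 bytes in 62.48 ms
2024-04-29 00:46:58 http: GET "/rest/events?since=174": status 200, 240 bytes in 54538.81 ms
2024-04-29 00:46:58 http: GET "/": status 304, 0 bytes in 0.00 ms
'''
PROXIED = '''
2024-04-29 00:44:09 http: POST "/rest/noauth/auth/password": status 403, 10 bytes in 237.16 ms
2024-04-29 00:44:09 http: GET "/modal.html": status 304, 0 bytes in 0.00 ms
2024-04-29 00:44:10 http: POST "/rest/noauth/auth/password": status 204, 0 bytes in 85.43 ms
2024-04-29 00:44:11 http: GET "/": status 304, 0 bytes in 0.00 ms
'''

def parse(log_text):
    """Return (timestamp, method, path, status) tuples; non-matching lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            path = m["path"].split("?", 1)[0]  # drop query string so polls group together
            records.append((m["ts"], m["method"], path, int(m["status"])))
    return records

def statuses_by_endpoint(records):
    """Map (method, path) -> set of status codes seen for it."""
    seen = defaultdict(set)
    for _ts, method, path, status in records:
        seen[(method, path)].add(status)
    return seen

def divergences(direct_log, proxied_log):
    """Endpoints present in both captures whose status codes differ."""
    d = statuses_by_endpoint(parse(direct_log))
    p = statuses_by_endpoint(parse(proxied_log))
    return {k: (sorted(d[k]), sorted(p[k])) for k in d.keys() & p.keys() if d[k] != p[k]}

if __name__ == "__main__":
    for (method, path), (direct, proxied) in divergences(DIRECT, PROXIED).items():
        print(f"{method} {path}: direct={direct} proxied={proxied}")
```
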

[–] [email protected] 1 points 7 months ago (1 children)

This suggests nginx options to use re: hostname. Unsure of your nginx config...

https://forum.syncthing.net/t/web-gui-over-nginx-proxy-only/13767

[–] [email protected] 2 points 7 months ago

I managed to get it to work finally. I disabled these: Cache Assets, Block Common Exploits, Websockets Support.