Spioune
Spioune•3d ago

http actions via traefik

No it does not. Does it need to? Traefik just act as a reverse proxy, for example requests to https://convexpublic.mydomain.com/.well-known/openid-configuration are proxied to http://localhost:3211/.well-known/openid-configuration
25 Replies
lee
lee•3d ago
(let's start a thread) does curling http://localhost:3211/.well-known/openid-configuration work?
Spioune
SpiouneOP•3d ago
nope same error What should I use for CONVEX_CLOUD_ORIGIN and CONVEX_SITE_ORIGIN if I am behind a reverse proxy ? localhost or the https url ?
lee
lee•3d ago
the error is still invalid URL, scheme is not http ? i would expect all of this to work, so i'm mostly suggesting ideas until our networking expert wakes up 🙂
Spioune
SpiouneOP•3d ago
ok let me double check and recap my errors
lee
lee•3d ago
CONVEX_CLOUD_ORIGIN and CONVEX_SITE_ORIGIN should be set to the urls that can be accessed from the public internet, so that would be the https url
Spioune
SpiouneOP•3d ago
ok about appending /http to the url, when I access http://localhost:3211/.well-known/openid-configuration I don't need to append anything ? So the reverse proxy shouldn't have to append anything right ?
lee
lee•3d ago
the idea is that http://localhost:3211/* is equivalent to http://localhost:3210/http/*
Spioune
SpiouneOP•3d ago
ohhh
lee
lee•3d ago
you might want to try redirecting to the latter, although i'm not sure why it would be different
Spioune
SpiouneOP•3d ago
Ok i will try so, in my docker-compose I have CONVEX_CLOUD_ORIGIN=https://convexbackend.mydomain.com CONVEX_SITE_ORIGIN=https://convexpublic.mydomain.com and when I go to https://convexpublic.mydomain.com/.well-known/openid-configuration I get: ERROR common::errors: Caught error (RUST_BACKTRACE=1 RUST_LOG=info,common::errors=debug for full trace): client error (Connect): invalid URL, scheme is not http same with curl http://localhost:3211/.well-known/openid-configuration from inside the docker container where the convex backend is running oh, accessing https://convexbackend.mydomain.dev/http/.well-known/openid-configuration works! So, I solve my problem by setting in docker-compose.yml: CONVEX_CLOUD_ORIGIN=https://convexbackend.mydomain.dev CONVEX_SITE_ORIGIN=https://convexbackend.mydomain.dev/http and in auth.config.ts (to avoid auth provider no found error): 
export default {
  providers: [
    {
      domain: "https://convexbackend.mydomain.dev/http",
      applicationID: "convex",
    },
  ],
};
export default {
  providers: [
    {
      domain: "https://convexbackend.mydomain.dev/http",
      applicationID: "convex",
    },
  ],
};
this is a bit hacky, hopefully the team can find a solution
lee
lee•2d ago
i think i see the problem. we should be able to fix it. thanks for reporting!
Spioune
SpiouneOP•2d ago
Nice Thanks for your help !
lee
lee•2d ago
in case it helps understanding, the issue i see is that http://localhost:3211/* isn't proxying to http://localhost:3210/http/*, it's proxying to $CONVEX_CLOUD_ORIGIN/http/* , and it's using a library that doesn't support https, only http. So the fix is to make it work like i originally thought it worked 😄
Spioune
SpiouneOP•2d ago
What if I set CONVEX_CLOUD_ORIGIN and CONVEX_SITE_ORIGIN to be localhost? Are they used for anything else? This means the request goes out of the local network to the public internet and back in ? Despite the fact that this is all on the same server I manage to setup traefik proxy to prefix with /http which is much cleaner. One thing I don't understand though, where does CONVEX_SITE_URL comes from inside auth.config.ts? 
export default {
  providers: [
    {
      domain: process.env.CONVEX_SITE_URL,
      applicationID: "convex",
    },
  ],
};
export default {
  providers: [
    {
      domain: process.env.CONVEX_SITE_URL,
      applicationID: "convex",
    },
  ],
};
It is equal to https://convexbackend.mydomain.dev. Shouldn't it be convexpublic.mydomain.dev (the http actions url) ?
lee
lee•2d ago
process.env.CONVEX_SITE_URL should be equal to CONVEX_SITE_ORIGIN -- if it's not, that would be unusual
Spioune
SpiouneOP•2d ago
it is not it is equal to CONVEX_CLOUD_ORIGIN but on Convex Cloud it is equal to the .convex.site url
lee
lee•2d ago
CONVEX_CLOUD_ORIGIN and CONVEX_SITE_ORIGIN are used for the process.env variables and also for file storage urls. maybe some other things i'm not remembering
Spioune
SpiouneOP•2d ago
and also for the JWT issuer so it should definetely not be the localhost so I set them back to https url nevermind, CONVEX_SITE_URL in the auth.config.ts has nothing to do with the server config. It comes from the CONVEX_SELF_HOSTED_URL in .env.local in the convex application but still, it is equals to the cloud url (since CONVEX_SELF_HOSTED_URL should point to the cloud url) instead of the site url which is wrong
lee
lee•2d ago
that's also very strange. i don't see anything in the code that would cause process.env.CONVEX_SITE_URL to come from anywhere other than CONVEX_SITE_ORIGIN
Spioune
SpiouneOP•2d ago
hmm i deleted auth.config.ts and create it and now its back to https://convexpublic.mydomain.dev So now everything is working correctly (without using convex port 3211) so the only "bug" is convex backend proxy to 3211
lee
lee•2d ago
that's great to hear! i don't know why the auth config wouldn't get synced, but that sounds like a more isolated issue (cc @ballingt 🙂 i have a PR up to fix the proxy port 3211. hopefully it'll get released in the next few days
Spioune
SpiouneOP•2d ago
amazing time to sleep thanks again for your help
ballingt
ballingt•2d ago
@Spioune It's possible auth.config.ts is not resynced if the file hasn't changed? curious about reproing this
lee
lee•2d ago
oh yeah maybe the file didn't change but the backend restarted & changed process.env.CONVEX_SITE_URL. i think in that case we don't resync
Spioune
SpiouneOP•2d ago
Yes. I changed CONVEX_SITE_ORIGIN and restarted the backend, the authentication page still shows the old CONVEX_SITE_ORIGIN value. I had to run npx convex dev and edit auth.config.ts from process.env.CONVEX_SITE_URL to 'https://example.com' to process.env.CONVEX_SITE_URL again to get the new value

Did you find this page helpful?