Direct Install Errors

When things don't work as they should.
jwilczek
Posts: 3
Joined: Tue Jan 07, 2020 11:00 pm

Direct Install Errors

Post by jwilczek »

I followed the direct install instructions exactly and am seeing some strange issues. Mayan seems to be mostly working OK (the site loads but I haven't done much more additional testing), but I'm seeing errors in the supervisor log that I'm not sure how to rectify.

For starters, it seems the celery workers are failing.

Code:

mayan-celery-beat                STARTING
mayan-gunicorn                   RUNNING   pid 16225, uptime 0:10:35
mayan-worker-fast                FATAL     Exited too quickly (process log may have details)
mayan-worker-medium              FATAL     Exited too quickly (process log may have details)
mayan-worker-slow                FATAL     Exited too quickly (process log may have details)
user@edms:~$

I've found other posts on this forum related to these errors that mention a change with MAYAN_ALLOWED_HOSTS and a change that was made with the config. However, my environment variable matches the correct format, I believe.

Code:

MAYAN_ALLOWED_HOSTS="['*']",

Also, could someone point me to a guide on using mayan behind nginx or apache? I've done this successfully with numerous projects in the past, but am thus far unable to get mayan working behind either.

Thank you!

rssfed23
Moderator
Posts: 185
Joined: Mon Oct 14, 2019 1:18 pm
Location: United Kingdom

Re: Direct Install Errors

Post by rssfed23 »

Thanks for trying out Mayan.

Changes to allowed hosts and other variables were only when people were upgrading from 3.2.x to 3.3.x. If this is a clean install it doesn't apply to you.

We really need the logs of those workers.
Inside /var/log/supervisor there should be files like "mayan-worker-slow-xxxxx". We need the logs from those files to see what error Celery is having (or output from docker logs <containername>)

I have a strong feeling we're either going to see "unable to connect to amqp" errors or unable to connect to the database errors in the worker logs.
Can you paste your supervisor config for me please? (/etc/supervisor/conf.d/mayan.conf). I assume you've installed into /opt/mayan-edms/ if you're doing a direct install?
What operating system are you running on? Is this a direct install or docker install?

Sorry about the questions but answering all the above should give me everything I need to get it sorted in one go :)

That allowed hosts entry looks normal to me.

In terms of behind nginx, what error are you getting? - Ultimately though your mayan install isn't currently working because the task queues aren't starting. Without those workers running document uploads won't work (and 90% of the rest of Mayan functionality won't work even though the web UI looks like it does work).
Side note: we have the traefik tutorial at viewtopic.php?f=15&t=1563 so I know reverse proxying works.
Please don't PM for general support; start a new thread with your issue instead.

jwilczek
Posts: 3
Joined: Tue Jan 07, 2020 11:00 pm

Re: Direct Install Errors

Post by jwilczek »

After digging through the supervisor logs, I was able to uncover the issue. I had installed the wrong versions of psycopg2 and redis. Another guide had listed older versions.

I'm running Mayan on Ubuntu 18.04 LTS.

My general steps to get it running behind nginx were to change the gunicorn command in the supervisor config to use a socket and then I set up nginx to work with that socket. However, that did not work.

Is there a sample nginx/supervisor config available?

Thanks!

rssfed23
Moderator
Posts: 185
Joined: Mon Oct 14, 2019 1:18 pm
Location: United Kingdom

Re: Direct Install Errors

Post by rssfed23 »

Glad you got it resolved :)
When in doubt our docs at http://docs.mayan-edms.com/ will always be up to date - we don’t release an update until the docs are done then push all at the same time. If the supervisor config was copied from another site I’d recommend regenerating that using the platformtemplate command if you didn’t do that step already yourself.

There’s not an up-to-date Nginx guide, no. There may be some examples from other forum members in the deployments forum (or give the forum a quick search). I’ve never done it with a socket before but my test environment just uses a nginx bound to 127.0.0.1 only (and the same for allowed_hosts to lock off gunicorn) and it works well. Doing it that way there’s nothing special/different from Mayan and any other web app being reverse proxied; no special configuration is required.

When it comes to additional services/integrations or more complex deployments - especially in an enterprise - this is where we recommend users consider a Mayan support subscription or consulting engagement, as that’s when we’d work with them on additional supported integrations such as a full nginx reverse proxy setup.

If you do successfully set it up you’re welcome to share it and I’ll happily move it to the guides section of the forum for others to benefit.
Please don't PM for general support; start a new thread with your issue instead.

jwilczek
Posts: 3
Joined: Tue Jan 07, 2020 11:00 pm

Re: Direct Install Errors

Post by jwilczek »

Can you elaborate on your setup? I'm confused about nginx bound to localhost. In my mind, the point of something like nginx is that you listen on port 80 and redirect to gunicorn 8000.

rssfed23
Moderator
Posts: 185
Joined: Mon Oct 14, 2019 1:18 pm
Location: United Kingdom

Re: Direct Install Errors

Post by rssfed23 »

This is why one shouldn't reply to forum posts at 3am from bed on an iPhone! - I phrased that part of my answer very badly.
I meant to convey: have Mayan/gunicorn listening on 127.0.0.1 only (through the allowed_hosts setting). Nginx would be open to the world but sending all internal traffic over localhost to Mayan.

Here's my config for it (although do NOT copy it directly as it's a really locked down nginx only designed to accept connections from cloudflare. The https block is what you're most likely interested in and the redirect http block)

Code:

root@mayan:/etc/nginx# cat nginx.conf
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;

user www-data;
pid /run/nginx.pid;
worker_processes 8;
worker_rlimit_nofile 65535;

events {
        multi_accept on;
        worker_connections 65535;
}

http {
        charset utf-8;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        server_tokens off;
        log_not_found off;
        types_hash_max_size 2048;
        client_max_body_size 16M;

        # MIME
        include mime.types;
        default_type application/octet-stream;

        # logging
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log warn;

        # SSL
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;

        # Mozilla Modern configuration
        ssl_protocols TLSv1.3;

        # OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 1.1.1.1 1.0.0.1 valid=60s;
        resolver_timeout 2s;

        # load configs
        include /etc/nginx/conf.d/*.conf;

        # mayan.decanha-knight.net
        server {
                listen 443 ssl http2;
                listen [::]:443 ssl http2;

                server_name mayan.decanha-knight.net;
                root /var/www/html;
                # SSL
                ssl_certificate /etc/nginx/cloudflare-certs/certificate.pem;
                ssl_certificate_key /etc/nginx/cloudflare-certs/key.pem;
                ssl_trusted_certificate /etc/nginx/cloudflare-certs/chain.pem;
                ssl_client_certificate /etc/nginx/cloudflare-certs/client-cert.crt;
                ssl_verify_client on;
                # security headers
                add_header X-Frame-Options "SAMEORIGIN" always;
                add_header X-XSS-Protection "1; mode=block" always;
                add_header X-Content-Type-Options "nosniff" always;
                add_header Referrer-Policy "no-referrer-when-downgrade" always;
                add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;
                add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
                # . files
                location ~ /\.(?!well-known) {
                        deny all;
                }

                # reverse proxy
                location / {
                        proxy_pass http://127.0.0.1:8000;
                        proxy_http_version      1.1;
                        proxy_cache_bypass      $http_upgrade;

                        proxy_set_header Upgrade                        $http_upgrade;
                        proxy_set_header Connection             "upgrade";
                        proxy_set_header Host                           $host;
                        proxy_set_header X-Real-IP                      $remote_addr;
                        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto      $scheme;
                        proxy_set_header X-Forwarded-Host       $host;
                        proxy_set_header X-Forwarded-Port       $server_port;
                        proxy_redirect off;
                }

                # favicon.ico
                location = /favicon.ico {
                        log_not_found off;
                        access_log off;
                }

                # robots.txt
                location = /robots.txt {
                        log_not_found off;
                        access_log off;
                }

                # gzip
                gzip on;
                gzip_vary on;
                gzip_proxied any;
                gzip_comp_level 6;
                gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

                # brotli
                brotli on;
                brotli_comp_level 6;
                brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
        }

        # HTTP redirect
        server {
                listen 80;
                listen [::]:80;

                server_name mayan.decanha-knight.net;

                # ACME-challenge
                location ^~ /.well-known/acme-challenge/ {
                        root /var/www/_letsencrypt;
                }

                location / {
                        return 301 https://mayan.decanha-knight.net$request_uri;
                }
        }
}
Please don't PM for general support; start a new thread with your issue instead.
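
Added example, not part of any post in this thread: Django's ALLOWED_HOSTS only validates the Host header of incoming requests, while the interface gunicorn listens on is set by gunicorn's --bind option, so a loopback-only backend behind nginx needs both checked. The supervisor section, the mayan.wsgi module name and the function names are constructed for illustration; only /opt/mayan-edms/, port 8000 and the MAYAN_ALLOWED_HOSTS format come from the thread.

```python
import ast
import ipaddress
import re
import shlex

# Constructed sample (not from the thread): a supervisor program section for gunicorn.
SAMPLE_SUPERVISOR = """
[program:mayan-gunicorn]
environment = MAYAN_ALLOWED_HOSTS="['*']",
command = /opt/mayan-edms/bin/gunicorn mayan.wsgi --workers 3 --bind 0.0.0.0:8000
"""

def gunicorn_binds(conf_text):
    """Return every address gunicorn is told to listen on."""
    binds = []
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() != "command" or "gunicorn" not in value:
            continue
        args = shlex.split(value)
        found = [args[i + 1] for i, a in enumerate(args[:-1]) if a in ("-b", "--bind")]
        found += [a.split("=", 1)[1] for a in args if a.startswith("--bind=")]
        binds.extend(found or ["127.0.0.1:8000"])  # gunicorn's default when no bind is given
    return binds

def is_local(bind):
    """True for a unix socket or a loopback address (only local processes can connect)."""
    if bind.startswith("unix:"):
        return True
    host = bind.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty or unresolved host name: treat as exposed

def allowed_hosts(conf_text):
    """Parse the MAYAN_ALLOWED_HOSTS="[...]" value in the format quoted in the thread."""
    match = re.search(r'MAYAN_ALLOWED_HOSTS\s*=\s*"(\[.*?\])"', conf_text)
    return ast.literal_eval(match.group(1)) if match else []

def audit(conf_text):
    """List findings; empty means a loopback-only bind and no wildcard ALLOWED_HOSTS."""
    findings = [f"exposed bind: {b}" for b in gunicorn_binds(conf_text) if not is_local(b)]
    if "*" in allowed_hosts(conf_text):
        findings.append("ALLOWED_HOSTS wildcard: any Host header is accepted")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SUPERVISOR))
```

With the bind changed to 127.0.0.1:8000 and ALLOWED_HOSTS set to the proxied server name, audit() returns an empty list, which matches the proxy_pass http://127.0.0.1:8000 target in the nginx config above.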

rssfed23
Moderator
Posts: 185
Joined: Mon Oct 14, 2019 1:18 pm
Location: United Kingdom

Re: Direct Install Errors

Post by rssfed23 »

Side note: I remember now why we avoid nginx: it causes issues with Django.

See viewtopic.php?f=9&t=290 & https://gitlab.com/mayan-edms/mayan-edms/issues/500 where this is being tracked.
If you're getting a 403 when you try to upload a document with nginx as the backend then this is why. It's got the workarounds for both port and socket based backend connections.

For port based proxying you need to add:

Code:

proxy_set_header X-Alt-Referer https://$host$http_x_alt_referer;

to your nginx conf.
Please don't PM for general support; start a new thread with your issue instead.
