ERPNext breaks behind Reverse Proxy

Hello, I managed to do a fresh install of ERPNext v13 in a Linux VirtualBox VM using these instructions. But my access to the webpage from the internet constantly breaks.

I have correctly set up my DNS for the subdomain erpnext.mydomain.com to point to my router.

My router has port forwarding enabled for incoming port 443, to a Synology NAS running inside my lan with a Reverse Proxy listening on port 443.

I have the Synology NAS with a Reverse Proxy set up to redirect internet traffic from https://erpnext.mydomain.com:443 to http://192.168.1.99:80

I installed the SSL Certificate for *.mydomain.com on the Synology NAS, and configured it for the erpnext.mydomain.com subdomain.

I am using this setup since I am running several other web server apps using this same setup. However with this one, it keeps breaking all the time. When I go to https://erpnext.mydomain.com:443 I can log in and use the site for a while, until it breaks and I get a Synology page saying “Sorry, the page you are looking for is not found.” with a Synology logo. See attached screenshot.

If I refresh the browser, I get the same page for a while. But if I point my browser (inside my lan) to the machine’s ip address http://192.168.1.99:80, I am able to see and navigate the site without any problem.

After maybe 10-15 minutes or so, the https://erpnext.mydomain.com:443 page starts working again.

This makes me think the problem is with the Synology NAS Reverse Proxy which for some reason stops communicating with the erpnext box. See attached screenshot.

Maybe there’s a custom header that I have to configure on the reverse proxy to avoid breaking the connection?

Or maybe I have to change something in the erpnext nginx configuration?

Any help trying to figure this out is greatly appreciated. Thanks.

Here is my frappe-bench.conf file on /etc/nginx/conf.d/frappe-bench.conf:

upstream frappe-bench-frappe {
	server 127.0.0.1:8000 fail_timeout=0;
}

upstream frappe-bench-socketio-server {
	server 127.0.0.1:9000 fail_timeout=0;
}

# setup maps

# server blocks

server {
	# Plain HTTP only: TLS is terminated on the Synology proxy, which
	# forwards to this listener as http://192.168.1.99:80.
	listen 80;

	# This is the only server block, so it is also the default server and
	# receives requests whatever Host the proxy forwards
	# (erpnext.mydomain.com from the internet, 192.168.1.99 from the LAN).
	server_name
		site1.local
		;

	root /home/erpnext/frappe-bench/sites;

	proxy_buffer_size 128k;
	proxy_buffers 4 256k;
	proxy_busy_buffers_size 256k;

	# Browsers only honour Strict-Transport-Security received over HTTPS,
	# so it only takes effect because the proxy relays it on port 443.
	add_header X-Frame-Options "SAMEORIGIN";
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";

	location /assets {
		try_files $uri =404;
	}

	# Private files: reachable only through an X-Accel-Redirect issued by
	# the application, never by a direct request.
	location ~ ^/protected/(.*) {
		internal;
		try_files /site1.local/$1 =404;
	}

	location /socket.io {
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_set_header X-Frappe-Site-Name site1.local;
		proxy_set_header Origin $scheme://$http_host;
		proxy_set_header Host $host;

		proxy_pass http://frappe-bench-socketio-server;
	}

	location / {
		# These 301s build their Location header from $scheme, which is
		# "http" on this listener, so a client that arrived through
		# https://erpnext.mydomain.com is sent to an http:// URL unless the
		# proxy rewrites the redirect.
		rewrite ^(.+)/$ $1 permanent;
		rewrite ^(.+)/index\.html$ $1 permanent;
		rewrite ^(.+)\.html$ $1 permanent;

		# Uploaded HTML/SVG/XML is forced to download instead of rendering
		# on the site's origin (stored-XSS mitigation). The dot is escaped
		# and the pattern end-anchored so only these extensions match.
		# Note: an add_header in this block replaces the inherited security
		# headers above; they are not sent for these responses unless
		# repeated here.
		location ~ ^/files/.*\.(htm|html|svg|xml)$ {
			add_header Content-disposition "attachment";
			try_files /site1.local/public/$uri @webserver;
		}

		try_files /site1.local/public/$uri @webserver;
	}

	location @webserver {
		# $remote_addr is the peer that connected to THIS nginx. For traffic
		# from the internet that is the Synology proxy, not the browser, and
		# any X-Forwarded-For the proxy added is overwritten here, so the
		# application (and anything that reads nginx's access log, such as
		# fail2ban) sees the proxy's LAN address for every external user.
		proxy_set_header X-Forwarded-For $remote_addr;
		# Likewise "http", even though the user connected over HTTPS.
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Frappe-Site-Name site1.local;
		proxy_set_header Host $host;
		proxy_set_header X-Use-X-Accel-Redirect True;
		proxy_read_timeout 120;
		proxy_redirect off;

		proxy_pass  http://frappe-bench-frappe;
	}

	# error pages
	error_page 502 /502.html;
	location /502.html {
		root /home/erpnext/.bench/bench/config/templates;
		internal;
	}

	# optimizations
	sendfile on;
	keepalive_timeout 15;
	client_max_body_size 50m;
	client_body_buffer_size 16K;
	client_header_buffer_size 1k;

	# enable gzip compression
	# based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
	gzip on;
	gzip_http_version 1.1;
	gzip_comp_level 5;
	gzip_min_length 256;
	gzip_proxied any;
	gzip_vary on;
	gzip_types
		application/atom+xml
		application/javascript
		application/json
		application/rss+xml
		application/vnd.ms-fontobject
		application/x-font-ttf
		application/font-woff
		application/x-web-app-manifest+json
		application/xhtml+xml
		application/xml
		font/opentype
		image/svg+xml
		image/x-icon
		text/css
		text/plain
		text/x-component
		;
		# text/html is always compressed by HttpGzipModule
}

@DonDowner, this issue is caused by fail2ban. You will need to configure fail2ban so that it understands you are behind a proxy.

Disabling fail2ban is also an option, but it will make your instance vulnerable to brute-force attacks!
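An added example, not code from this thread, from Frappe/bench, from fail2ban or from Synology, that simulates the jail the reply describes over a few constructed nginx access log lines. It assumes a bench-style jail that reads the access log with `$remote_addr` as the first field and `$http_x_forwarded_for` as the last, counts 4xx responses as failures, and uses maxretry=5, findtime=600 and bantime=600; the proxy address 192.168.1.5 and both client addresses are made up. It shows why the stock filter bans the proxy itself (locking every external user out for roughly bantime, which fits the 10-15 minute outages above) and why merely switching the filter to the forwarded address is not enough on its own.

```python
"""Simulate a fail2ban nginx jail on a host that sits behind a reverse proxy.

Added example for this thread; not code from Frappe, bench, fail2ban or
Synology. Assumptions (the thread states none of these):
  * the jail parses nginx's access log, whose first field is $remote_addr
    and whose last field is "$http_x_forwarded_for";
  * the failregex counts 4xx responses as failures;
  * maxretry=5, findtime=600 s, bantime=600 s;
  * 192.168.1.5 is the Synology proxy's LAN address; clients are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PROXY_IP = "192.168.1.5"
MAXRETRY = 5
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=600)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed log lines. Every request reaches the ERPNext box from the proxy,
# so $remote_addr is always PROXY_IP; the browser's address survives only in
# the trailing X-Forwarded-For field. 203.0.113.7 is guessing passwords,
# 198.51.100.23 is a legitimate user who requests one missing file.
ACCESS_LOG = """\
192.168.1.5 - - [10/Jun/2021:14:00:01 +0000] "POST /api/method/login HTTP/1.1" 401 52 "-" "curl/7.68.0" "203.0.113.7"
192.168.1.5 - - [10/Jun/2021:14:00:02 +0000] "POST /api/method/login HTTP/1.1" 401 52 "-" "curl/7.68.0" "203.0.113.7"
192.168.1.5 - - [10/Jun/2021:14:00:03 +0000] "GET /app/home HTTP/1.1" 200 8831 "-" "Mozilla/5.0" "198.51.100.23"
192.168.1.5 - - [10/Jun/2021:14:00:03 +0000] "POST /api/method/login HTTP/1.1" 401 52 "-" "curl/7.68.0" "203.0.113.7"
192.168.1.5 - - [10/Jun/2021:14:00:04 +0000] "POST /api/method/login HTTP/1.1" 401 52 "-" "curl/7.68.0" "203.0.113.7"
192.168.1.5 - - [10/Jun/2021:14:00:05 +0000] "GET /files/missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0" "198.51.100.23"
192.168.1.5 - - [10/Jun/2021:14:00:06 +0000] "POST /api/method/login HTTP/1.1" 401 52 "-" "curl/7.68.0" "203.0.113.7"
192.168.1.5 - - [10/Jun/2021:14:00:09 +0000] "GET /app/home HTTP/1.1" 200 8831 "-" "Mozilla/5.0" "198.51.100.23"
"""

LINE_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


def parse(line):
    """Split one access log line; None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "remote": m["remote"],
        # Take the right-most X-Forwarded-For entry: that is the one the
        # trusted proxy appended. Anything further left was supplied by the
        # client and can be forged.
        "xff": m["xff"].split(",")[-1].strip(),
        "status": int(m["status"]),
        "time": datetime.strptime(m["time"], TIME_FMT),
    }


def simulate(log, host_field):
    """Run the jail over `log`, attributing each failure to `host_field`:
    'remote' is what a stock filter does, 'xff' what a proxy-aware one does.
    Returns {banned_address: time_of_ban}."""
    failures = defaultdict(list)
    bans = {}
    for line in log.splitlines():
        ev = parse(line)
        if ev is None or not 400 <= ev["status"] < 500:
            continue
        host = ev[host_field]
        if host in bans:
            continue
        # fail2ban's sliding window: only failures inside findtime count
        recent = [t for t in failures[host] if ev["time"] - t <= FINDTIME]
        recent.append(ev["time"])
        failures[host] = recent
        if len(recent) >= MAXRETRY:
            bans[host] = ev["time"]
    return bans


def ban_active(bans, address, now):
    """Whether a ban on `address` is in force at `now`. Which address gets
    compared depends on where the ban is enforced: an iptables rule on the
    ERPNext box sees the packet source (always the proxy); nginx with
    real_ip, or the proxy itself, sees the restored client address."""
    return address in bans and now - bans[address] < BANTIME


def outcome(log):
    """Contrast the two attributions at a moment just after the log ends."""
    now = datetime.strptime("10/Jun/2021:14:00:10 +0000", TIME_FMT)
    stock = simulate(log, "remote")
    aware = simulate(log, "xff")
    return {
        # stock jail: the proxy is banned, the Synology can no longer reach
        # nginx, and every user gets its error page until bantime expires
        "stock_bans": sorted(stock),
        "stock_locks_out_everyone": ban_active(stock, PROXY_IP, now),
        "stock_ban_lifts_at": (stock[PROXY_IP] + BANTIME).strftime("%H:%M:%S")
        if PROXY_IP in stock else None,
        # proxy-aware filter: the guesser is identified ...
        "aware_bans": sorted(aware),
        # ... but a host firewall rule never matches: packets still arrive
        # from the proxy, so the guesser is not actually stopped
        "aware_iptables_stops_guesser": ban_active(aware, PROXY_IP, now),
        # enforcing on the restored client address stops the guesser and
        # leaves the legitimate user alone
        "aware_nginx_stops_guesser": ban_active(aware, "203.0.113.7", now),
        "aware_nginx_blocks_user": ban_active(aware, "198.51.100.23", now),
    }


if __name__ == "__main__":
    for key, value in outcome(ACCESS_LOG).items():
        print(f"{key}: {value}")
```

The config counterpart (assumed here, not taken from the thread): on the ERPNext box, `set_real_ip_from 192.168.1.5;` and `real_ip_header X-Forwarded-For;` (ngx_http_realip_module) make `$remote_addr` the browser's address for connections from the proxy, so the stock fail2ban filter attributes failures correctly and the application stops being handed the proxy's address by `proxy_set_header X-Forwarded-For $remote_addr`; `ignoreip = 192.168.1.5` in the jail then guards against the proxy ever being banned. Trust only the proxy's own address in `set_real_ip_from`, never a wide range, or any client can forge its source by sending its own X-Forwarded-For. This assumes the Synology reverse proxy adds X-Forwarded-For; confirm it in the access log before relying on it. Finally, with the client address restored, the ban action still has to run where that address is visible, in nginx (a deny list keyed on the restored address) or on the proxy, because an iptables rule on the ERPNext box only ever sees packets from 192.168.1.5.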