@MRamadan I actually didn’t mean to quote you at all! Sorry for the confusion. You may re-read my comment in a new context now!
1 Like
Thanks all for the feedback and understanding. Just to be clear, we know that for some people it may add extra level of complexity (mostly the learning curve) to do the deployment on subdomains, but we strongly believe that the benefits outweighs the investment. Since we want to move faster and faster with the development, we won’t have time to keep testing this subfolder deployment, as it ads an extra level of complexity to our code base and CI environment. Besides, we have many new features on the pipeline, on how to interconnect server using a federation protocol, and this will strongly rely on having fixed API paths and deeper control of the TCP layer.
We know that this may be a costly transition for some and we want to give the community as much time as we can to do the move. We won’t be removing the subfolder code intentionally in the short term, but we won’t be giving support for such deployments and will be relying on the community for testing and fixing bugs.
Let’s work together to get the smooth SSO authentication mechanism among all of these subsystems working flawlessly.
1 Like
toddy
May 28, 2020, 12:28am
23
So far I have found rocket chat 3.2.2 works perfectly in a sub-folder using nginx as a reverse proxy. I could not get version 3.0.4 to work. Perhaps a bug was fixed in Meteor moving from 1.9 to 1.9.2.
1 Like
I consider this to be a regression. We have a single certificate bound to a specific hostname, were several services are hosted under a resp. subfolder. Rocketchat works like a charm (using 3.4.2 for the moment).
Can adding additonal tests that consider rocketchat being hosted in a subfolder be so difficult to realize? For my part I would have to switch to a wildcard domain certificate to allow for xx.mydomain.com to be handled by the webserver.
What kind of problems do you want to eliminate by eliminating subfolder support? Maybe these problems point to problems that identify more deep underlying problems.
4 Likes
Couple reasons why serving under a path is useful
It is much easier to set up apps under subfolders, less work when supported
I can use a single SSL cert for the whole domain
It is easy to hide services behind the main domain, paths are hard to explore
3 Likes
Yes we understand why it is easier for many.
It seems that we are going to probably continue support for this for the foreseeable future.
There are some outstanding bugs that will need to be resolved - that won’t happen until 3.16 at the earliest, but work is underway.
3 Likes
Hi. I found this after replying to a related thread:
It seems I’m having the same issue and I’m not sure how to resolve it.
I’m using rocketchat 3.16.3 on a URL suffix:
https://mydomain.com/chat I have set my ROOT_URL to https://mydomain.com/chat
Everything works fine except for /api/ecdh_proxy/initEncryptedSession
Here is a short excerpt from the console:
Navigated to https://mydomain.com/chat/_oauth/keycloak?state=eyJsb2dpblN0eWxlIjoicmVkaXJlY3QiLCJjcmVkZW50aWFsVG9rZW4iOiJXN3dkN3l1OFF6M01QS0I4a2dhOVhubmlFYmFlWWFuZGVRTDFFMXRuQU1RIiwiaXNDb3J…
Just to let you know that there is an existing issue on version 3.16.3
var syncUrl = "/_timesync";
if (__meteor_runtime_config__.ROOT_URL_PATH_PREFIX) {
syncUrl = __meteor_runtime_config__.ROOT_URL_PATH_PREFIX + syncUrl;
}
But replacing /_timesync with api/ecdh_proxy/initEncryptedSession
1 Like
Thanks Stefan.
We are aware of a number of issues that are being worked on right now.
eg
opened 03:35PM - 22 Jul 21 UTC
closed 06:11PM - 19 Aug 21 UTC
### Description:
Running RC 3.15.4 or 3.16.3 on a subpath like https://exampl… e.org/rocketchat iframe API "go" commands via postMessage fail:
```
frame.contentWindow.postMessage({externalCommand: "go", path: "/admin"}, "*")
```
adds sub-path twice, same for path ```"/account"```
Browser shows the RC 404 page and using the JS console you get the iframe url with the doubled sub-path
```
document.location.href
"https://pole.egroupware.org/rocketchat/rocketchat/admin"
```
### Steps to reproduce:
1.
2.
3.
### Expected behavior:
Admin page will be opened for an admin.
### Actual behavior:
RC 404 page is displayed.
### Server Setup Information:
- Version of Rocket.Chat Server: 3.15.4 and 3.16.3 tested
- Operating System: Linux
- Deployment Method: official docker container
- Number of Running Instances: 1
- DB Replicaset Oplog: yes
- NodeJS Version: v12.22.1
- MongoDB Version: 4.2.13 / wiredTiger (oplog Enabled)
### Client Setup Information
- Desktop App or Browser Version: recent Chrome Browser, probably with every browser
- Operating System: Windows, Mac or Linux
### Additional context
### Relevant logs:
via browser JS console you get for the RC iframe:
```
document.location.href
"https://pole.egroupware.org/rocketchat/rocketchat/admin"
```
Nothing in the Docker logs.
opened 10:47AM - 20 Jul 21 UTC
closed 11:31AM - 09 Aug 21 UTC
### Description:
RC creates wrong download links for uploaded files for some … domains:
https://tutorial.egroupware.net/rocketchat/ --> https://tutorial.egroupware.n/rocketchat/file-upload/...
https://bb-trunk.egroupware.de/rocketchat/ --> https://bb-trunk.egroupware.d/rocketchat/file-upload/...
while others are ok using the same configuration:
https://pole.egroupware.org/rocketchat/ --> https://pole.egroupware.org/rocketchat/file-upload/...
Other then the wrong download URL Rocket.Chat is working fine, same is always true for the links in the list of uploaded files.
Alle three domains have apart from the domain-name and URL identical configuration and are running on the same infrastructure using the same MongoDB cluster.
### Steps to reproduce:
1. You need to have an affected domain, otherwise it works fine :(
2. Upload an image eg. into #general
3. If your domain is affected you see the Retry circle, otherwise the image is displayed
### Expected behavior:
Uploaded image should always use the correct / not garbled URL, independent of the domain-name (correctly configured in RC of course).
### Actual behavior:
For some domain-names the download URL is garbled, some chars cut of the end of the domain name.
Not working domain tutorial.egroupware.net:
Working domain pole.egroupware.org:
### Server Setup Information:
- Version of Rocket.Chat Server: tested with current maintained versions: 3.16.3, 3.15.4 (screenshots) and 3.14.6
- Operating System: Linux
- Deployment Method: official docker container on Kubernetes, also got a report from a user with docker-compose
- Number of Running Instances: 1 per domain
- DB Replicaset Oplog: yes
- NodeJS Version: 12.22.1
- MongoDB Version: 4.2.13 / wiredTiger (oplog Enabled)
### Client Setup Information
- Desktop App or Browser Version: Lastest Chrome 91.0.4472.164
- Operating System: Mac, Windows and Linux tested
### Additional context
I can supply login credentials for one of the affected public accessible domains, as it's kinda hard to debug otherwise.
### Relevant logs:
- Wrong/garbled domain names make is obviously not into the webserver log
- Docker logs of the container show now errors when it happens
- Browser reports: Failed to load resource: net::ERR_NAME_NOT_RESOLVED https://tutorial.egroupware.n/rocketchat/file-upload/45K3ehP42YdKZSeJe/share%20link.jpg
opened 10:54AM - 20 May 19 UTC
closed 07:45PM - 22 Nov 21 UTC
type: improvement
feat: oauth / sso
stat: triaged
### Description:
We use current 1.0.3 container with our custom oauth configu… ration.
Beside interactive logins via browser, desktop- or mobile-client, we also generate access tokens to talk to RC api.
That api login seems to sometimes remove the user roles, if role-sync is enabled in the custom oath config. Without "user" role, you can eg. not see any channels.
Role sync works fine for interactive none-api access. So doing an interactive logout and re-login fixes the issue.
It could be linked to the issue I talked about with @geekgonecrazy that api-oauth login runs from a different code-path and eg. does not set the avatar either.
Ralf
### Steps to reproduce:
1.
2.
3.
### Expected behavior:
API access with oauth should ideally behave like interactive access, or at least not remove things like roles or avatar.
### Actual behavior:
### Server Setup Information:
- Version of Rocket.Chat Server: 1.0.3
- Operating System: rocketchat/rocket.chat container
- Deployment Method: Kubernetes
- Number of Running Instances: 1
- DB Replicaset Oplog: yes
- NodeJS Version: v8.11.4 (as of your 1.0.3 container)
- MongoDB Version: 4.0.8
### Additional context
### Relevant logs:
There is also this which seems similar to yours.
opened 11:07PM - 13 May 21 UTC
### Description:
I running Rocket Chat with a prefix path like `https://local… host:4000/test` and get the error that makes an endless request and freeze my browser.
I had dig into the problem and I found that if I define prefix path, a request to `/api/ecdh_proxy/initEncrptedSession` on frontend will get `404 Not Found` (prefix path not apply to it) that makes an endless request to `/api/v1/method.callAnon/getSetupWizardParameters`
### Steps to reproduce:
1. Get docker-compose file from https://github.com/RocketChat/Rocket.Chat/blob/develop/docker-compose.yml
2. Change ROOT_URL to `http://localhost:3000/test`
3. Run and open rocketchat URL
### Expected behavior:
- Normal setup wizard page (a request to `/api/v1/method.callAnon/getSetupWizardParameters` successfully)
- Add prefix to `/api/ecdh_proxy/initEncrptedSession` to prevent the endless request
### Actual behavior:
### Server Setup Information:
- Version of Rocket.Chat Server: 3.14.0
- Deployment Method: Docker Image
- MongoDB Version: 4.2.14
### Client Setup Information
- Browser: Google Chrome Version 90.0.4430.212 (Official Build) (64-bit)
- Operating System: Windows 10 64-bit
I suspect that might be cleared by fixes to the others.
Linked comment here:
[rc_root_url_error]
I have an environment variable ROOT_URL configured as http://localhost:3000/rocketchat
It seems the RC client isn’t realizing that those api calls should be mad…
1 Like
Great to hear that it’s getting attention.
2 Likes
@john.crisp I’ve discovered another bug relating to the subdirectory as discussed in this post.
opened 03:53PM - 04 Aug 21 UTC
### Description:
When configuring RocketChat to use keycloak using custom OAu… th configuration and rocketChat is configured to run on a sub path (example http://testserver/chat) instead of on the root path, login fails because of an error raised by keycloak.
The error log from RocketChat is as follows:
```
Exception while invoking method login Error: Failed to complete OAuth handshake with keycloak at http://testserver/iam/auth/realms/Affectli/protocol/openid-connect/token. failed [400] {"error":"invalid_grant","error_description":"Incorrect redirect_uri"}
at CustomOAuth.getAccessToken (app/custom-oauth/server/custom_oauth_server.js:148:18)
at Object.handleOauthRequest (app/custom-oauth/server/custom_oauth_server.js:205:26)
at OAuth._requestHandlers.<computed> (packages/oauth2/oauth2_server.js:10:33)
at middleware (packages/oauth/oauth_server.js:170:5)
at /app/bundle/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/fiber_pool.js:43:40
=> awaited here:
at Promise.await (/app/bundle/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/promise_server.js:60:12)
at Server.apply (packages/ddp-server/livedata_server.js:1638:22)
at Server.call (packages/ddp-server/livedata_server.js:1607:17)
at Object.post (app/api/server/v1/misc.js:263:26)
at app/api/server/api.js:394:82
at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39)
at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32)
at packages/nimble_restivus/lib/route.coffee:59:33
at packages/simple_json-routes.js:98:9
```
The reason that keycloak returns `Incorrect redirect_uri` is because the redirect URI sent in the `../token` request does not match the redirect URI sent in the previous `.../auth` request.
I captured the requests in my reverse proxy log. and they look as follows:
For .../auth : `redirect_uri=http%3A%2F%2Ftestserver%2Fchat%2F_oauth%2Fkeycloak`
For .../token : `redirect_uri=http%3A%2F%2Ftestserver%2F_oauth%2Fkeycloak`
The difference is that .../auth includes the **/chat** sub-path and .../token **does not**.
The following are my configuration settings:
```
- ROOT_URL=http://testserver/chat
- OVERWRITE_SETTING_Site_Url=http://testserver
- Accounts_OAuth_Custom_keycloak=true
#clientId
- Accounts_OAuth_Custom_keycloak_id=testserver
#clientSecret
- Accounts_OAuth_Custom_keycloak_secret=
- Accounts_OAuth_Custom_keycloak_url=http://testserver/iam/auth
- Accounts_OAuth_Custom_keycloak_token_path=/realms/Affectli/protocol/openid-connect/token
- Accounts_OAuth_Custom_keycloak_identity_path=/realms/Affectli/protocol/openid-connect/userinfo
- Accounts_OAuth_Custom_keycloak_authorize_path=/realms/Affectli/protocol/openid-connect/auth
- Accounts_OAuth_Custom_keycloak_scope=openid
- Accounts_OAuth_Custom_keycloak_access_token_param=access_token
- Accounts_OAuth_Custom_keycloak_button_label_text=redacted
- Accounts_OAuth_Custom_keycloak_button_label_color=#FFFFFF
- Accounts_OAuth_Custom_keycloak_login_style=redirect
- Accounts_OAuth_Custom_keycloak_button_color=#13679A
- Accounts_OAuth_Custom_keycloak_token_sent_via=payload
- Accounts_OAuth_Custom_keycloak_identity_token_sent_via=header
- Accounts_OAuth_Custom_keycloak_key_field=username
- Accounts_OAuth_Custom_keycloak_username_field=preferred_username
- Accounts_OAuth_Custom_keycloak_name_field=name
- Accounts_OAuth_Custom_keycloak_email_field=email
- Accounts_OAuth_Custom_keycloak_roles_claim=
- Accounts_OAuth_Custom_keycloak_groups_claim=
- Accounts_OAuth_Custom_keycloak_groups_channel_map=
- Accounts_OAuth_Custom_keycloak_channels_admin=rocket.cat
- Accounts_OAuth_Custom_keycloak_merge_users=true
- Accounts_OAuth_Custom_keycloak_map_channels=
- Accounts_OAuth_Custom_keycloak_merge_roles=false
- Accounts_OAuth_Custom_keycloak_show_button=true
- Accounts_OAuth_Custom_keycloak_avatar_field=
```
### Steps to reproduce:
1. Configure the server to run on a sub-path
2. Configure a custom oAuth for keycloak
3. Try to log in using SSO
### Expected behavior:
Login is successful
### Actual behavior:
On the browser side, the page just refreshes and the user is back at the login page.
On the server, an error log is produced as described above.
### Server Setup Information:
- Version of Rocket.Chat Server: rocketchat/rocket.chat:3.16.3
- Operating System: Docker
- Deployment Method: docker
- Number of Running Instances: 1
- DB Replicaset Oplog: 1
- NodeJS Version: Unknown
- MongoDB Version: 4.0
### Client Setup Information
- Desktop App or Browser Version: Chromium
- Operating System: Linux Mint
### Relevant logs:
See description.
2 Likes
Our subfolder installation is broken since 6.2.0 (or 6.2.2) with nginx using reverse proxy (produce many unwanted redirects for every click but “works”).
Our ticket about this issue was closed with “not official subfolder supported”.
opened 07:44AM - 22 May 23 UTC
closed 08:53AM - 22 May 23 UTC
wontfix
### Description:
We have a docker-compose installation behind nginx with a fo… lder. Our ROOT_URL looks like: `https://domain.tld/rocketchat/`
Since 6.2.0 all links to chats/channels are broken, because the folder is not included anymore.
### Expected behavior:
Link to chat: https://domain.tld/rocketchat/direct/5e5CAP6pCH7p4eYYZhBQECNRkSXxfxMQFa
Link to channel: https://hq.domainprofi.com/rocketchat/channel/IT-chat
### Actual behavior:
A link to a chat: https://domain.tld/direct/5e5CAP6pCH7p4eYYZhBQECNRkSXxfxMQFa
Link to channel: https://hq.domainprofi.com/channel/IT-chat
### Server Setup Information:
- Version of Rocket.Chat Server: 6.2.2
- Operating System: Debian
- Deployment Method: docker
- Number of Running Instances: 1
- DB Replicaset Oplog:
- NodeJS Version:
- MongoDB Version: 5.0
### Client Setup Information
- Desktop App or Browser Version: latest chrome
- Operating System: Ubuntu
So this is the end of proper subfolder installation or has anyone a working example with the current version?
Also is there perhaps a change in the general “official unsupported” decision?
1 Like
Just upgraded to 6.3.5 from 5.x and am sad to see that admin links no longer work because they are not taking into account the base URL (/chat).
Just to elaborate, this is really awful. You’re just about pushing us to switch to an alternative chat provider!
Now that we must host RC on a different domain (read: subdomain) from where our application is hosted, local storage cannot be shared between the subdomains. This means that our SSO will no longer work without introducing some hacky iframe or redirect solution. This is because Meteor keeps its token / user id in local storage rather than a cookie (which would be supported between a domain and its subdomains).
This decision seems extremely short-sighted. It’s really not hard to prepend a base URL to URLs used within an app. Frameworks like React even do it for you. This is standard stuff.
1 Like
Here another user (with a team) that runs RC on a subfolder and would very much like to keep it that way. Moving everything (running a lot more services on subfolders here) to subdomains is not an option.
We are using RocketChat with Docker and /rocketchat fqdn extension. It’s a nightmare, that the support for this type of installation has ended. If that’s not going to change, we need to move to a different solution, because the current situation causes permanent manual adjustments in our setup, when doing updates.
