ether
Admin login fails without error" admin-auth/ 404 (Not Found)" since v2.0
Describe the bug After getting v2 to work, I just can't figure out how to log in to the admin settings page, Upon entering what's set in the settings.ini, the page tells me the login failed. Only in the browser developer console I see the error "admin-auth/ 404 (Not Found)" (and in etherpad.access.log I see >>"POST /admin-auth/ HTTP/2.0" 404 94<<). Even with v2.0.3 this isn't fixed. Running bin/run.sh does show that /admin is created though.
Server (please complete the following information):
- Etherpad version: v2.0.3
- OS: Debian 12.5
- Node.js version (
node --version): v22.1.0 - npm version (
npm --version): 10.7.0 - Is the server free of plugins: yes
You normally navigate to /admin/ and then you should see the new admin console. If it says something like 404. You first need to build the admin panel by going to admin folder and doing pnpm build and copying the dist folder to template/admin
I just had pnpm build inside admin. I guess with template/admin you mean src/templates/admin as there is no template directory in etherpads root directory. But which dist folder is supposed to be copied there? The only folders called dist are in /node_modules/.pnpm/. And there are 151 folders with that name.
There was also nothing for me at /admin, /src/templates/admin was missing. Just a
"Sorry, something bad happened"
Running "pnpm build" in the /admin subdirectory of the EP install made those files. But now got an empty page.
The problem is with paths in admin's index.html I changed
<script type="module" crossorigin src="/admin/assets/index-6MWu4lkJ.js"></script>
<link rel="stylesheet" crossorigin href="/admin/assets/index-E-lmtrZj.css">
to
<script type="module" crossorigin src="assets/index-6MWu4lkJ.js"></script>
<link rel="stylesheet" crossorigin href="assets/index-E-lmtrZj.css">
This made it work at http://localhost:9001/admin, but not https://localhost/pad/admin (how I usually access EP, via a proxypass), as there's more absolute paths in the .js files.
There was also nothing for me at /admin, /src/templates/admin was missing. Just a
"Sorry, something bad happened"
Running "pnpm build" in the /admin subdirectory of the EP install made those files. But now got an empty page.
The problem is with paths in admin's index.html I changed
<script type="module" crossorigin src="/admin/assets/index-6MWu4lkJ.js"></script> <link rel="stylesheet" crossorigin href="/admin/assets/index-E-lmtrZj.css">to
<script type="module" crossorigin src="assets/index-6MWu4lkJ.js"></script> <link rel="stylesheet" crossorigin href="assets/index-E-lmtrZj.css">This made it work at http://localhost:9001/admin, but not https://localhost/pad/admin (how I usually access EP, via a proxypass), as there's more absolute paths in the .js files.
This is also fixed and I also updated the wiki for it.
I just had pnpm build inside admin. I guess with template/admin you mean src/templates/admin as there is no template directory in etherpads root directory. But which dist folder is supposed to be copied there? The only folders called dist are in /node_modules/.pnpm/. And there are 151 folders with that name.
I added a new command in the admin directory. If you run pnpm run build-copy . It should also copy the assets in the correct directory.
I added a new command in the admin directory. If you run pnpm run build-copy . It should also copy the assets in the correct directory.
I guess that will be available in 2.0.4? Let's hope I can use that version then. Right now I had to go back to 2.0.1 as using the APIKEY in 2.0.3 is broken.
Sure I'll create a release soon so that Etherpad can be used with the APIKEY again.
This issue seems to still be present. I just updated to v2.1 and still get the error message that admin-auth/ can't be found with a 404 error. Same after running pnpm build in admin.
Also, APIKEY still won't work, even after adding Environment=APIKEY=/path/to/APIKEY.txt to the systemd service file.
@Artim96 , this should solve it? https://github.com/ether/etherpad-lite/issues/6374
In short, setting
"authenticationMethod": "${AUTHENTICATION_METHOD:apikey}",
(I'm only commenting on the apikey, I don't use /admin and hadn't looked at that).
@Artim96 , this should solve it? #6374 In short, setting
"authenticationMethod": "${AUTHENTICATION_METHOD:apikey}",(I'm only commenting on the apikey, I don't use /admin and hadn't looked at that).
That's the question if it would actually do what I intend it to do. Right now with v2.0.1 and lower, anybody can create pads. That's to be kept that way. But so that other programs can read and write to pads without limitations, it was deemed the easiest way to just use the APIKEY. So the question is, setting the Authentication Method to apikey, will it only restore that ability or will it have any side effects?
EDIT: works as expected, as far as I can tell.
@SamTV12345 It would be great if you could re-open this issue as it clearly isn't solved yet.
I may have a lead to what's going on. Firefox' dev console tells me Firefox can’t establish a connection to the server at wss://pad.fsmuw.rwth-aachen.de/socket.io/?EIO=4&transport=websocket. index-laED_ieF.js:40:70206 and setting ninx' error log into debug verbosity does show lines like these: 2024/06/19 12:36:35 [info] 1567775#1567775: *28 client closed connection while waiting for request, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:80. While I can't be 100 % certain these are related, I'm at least 95 % sure. Setting etherpad logging verbosity to debugging sadly doesn't really reveal anything. For this it only shows "POST /admin-auth/ HTTP/2.0" 404 94.
Also, since the way admin login is being handled, it's not impossible that something in the nginx config used may be interfering that previously wasn't:
server {
server_name pad.domain.tld;
root /opt/etherpad/etherpad-lite;
access_log /var/log/etherpad/etherpad.access.log;
error_log /var/log/etherpad/eplite.error.log;
# Allow normal files to pass through
location ~ ^/(locales/|locales.json|admin/|static/|pluginfw/|javascripts/|ep/|minified/|api/|ro/|error/|jserror/|favicon.ico|robots.txt) {
proxy_buffering off;
proxy_pass http://127.0.0.1:9001;
proxy_redirect off;
proxy_set_header Host $host;
}
location ^~ /socket {
rewrite ^/socket/(.*) /$1 break; #used to send request to base url
proxy_pass http://127.0.0.1:9001;
proxy_redirect off;
proxy_pass_request_headers on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
# Match the home page
location ~ ^/$ {
proxy_buffering off;
proxy_pass http://127.0.0.1:9001;
}
# Handle pad URLs here
location / {
proxy_buffering off;
rewrite ^/p/(.*) /p/$1 break;
rewrite /(.*) /p/$1;
proxy_pass http://127.0.0.1:9001/;
proxy_redirect off;
proxy_pass_header Server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
proxy_http_version 1.1; # recommended with keepalive connections
# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
#Favicon
location = /favicon.ico {
alias /etc/nginx/favicon.ico;
}
#robots.txt
location = /robots.txt {
return 200 "User-agent: *\nDisallow: /\n";
}
#Disable execution of scripts other than PHP from your document root
location ~* .(pl|cgi|py|sh|lua|asp)$ {
return 444;
}
location ~* ^.+\.(json~)$ {
deny all;
access_log off;
log_not_found off;
}
# Header
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.domain.tld; connect-src 'self' *.domain.tld; img-src 'self' data: *.domain.tld; style-src 'self' 'unsafe-inline' *.domain.tld; object-src 'self' *.domain.tld; frame-src 'self' *.domain.tld; font-src 'self' data: *.domain.tld; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always;
listen 443 ssl;
#listen 443 quic reuseport;
ssl_certificate /etc/ssl/certs/pad.domain.tld.fullchain.pem;
ssl_certificate_key /etc/ssl/private/pad.domain.tld.private.pem;
}
server {
server_name pad.domain.tld;
return 301 https://pad.domain.tld$request_uri;
listen 80;
}
I may have a lead to what's going on. Firefox' dev console tells me
Firefox can’t establish a connection to the server at wss://pad.fsmuw.rwth-aachen.de/socket.io/?EIO=4&transport=websocket. index-laED_ieF.js:40:70206and setting ninx' error log into debug verbosity does show lines like these:2024/06/19 12:36:35 [info] 1567775#1567775: *28 client closed connection while waiting for request, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:80. While I can't be 100 % certain these are related, I'm at least 95 % sure. Setting etherpad logging verbosity to debugging sadly doesn't really reveal anything. For this it only shows"POST /admin-auth/ HTTP/2.0" 404 94.Also, since the way admin login is being handled, it's not impossible that something in the nginx config used may be interfering that previously wasn't:
server { server_name pad.domain.tld; root /opt/etherpad/etherpad-lite; access_log /var/log/etherpad/etherpad.access.log; error_log /var/log/etherpad/eplite.error.log; # Allow normal files to pass through location ~ ^/(locales/|locales.json|admin/|static/|pluginfw/|javascripts/|ep/|minified/|api/|ro/|error/|jserror/|favicon.ico|robots.txt) { proxy_buffering off; proxy_pass http://127.0.0.1:9001; proxy_redirect off; proxy_set_header Host $host; } location ^~ /socket { rewrite ^/socket/(.*) /$1 break; #used to send request to base url proxy_pass http://127.0.0.1:9001; proxy_redirect off; proxy_pass_request_headers on; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; } # Match the home page location ~ ^/$ { proxy_buffering off; proxy_pass http://127.0.0.1:9001; } # Handle pad URLs here location / { proxy_buffering off; rewrite ^/p/(.*) /p/$1 break; rewrite /(.*) /p/$1; proxy_pass http://127.0.0.1:9001/; proxy_redirect off; proxy_pass_header Server; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used proxy_http_version 1.1; # recommended with keepalive connections # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } #Favicon location = /favicon.ico { alias /etc/nginx/favicon.ico; } #robots.txt location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; } #Disable execution of scripts other than PHP from your document root location ~* .(pl|cgi|py|sh|lua|asp)$ { return 444; } location ~* ^.+\.(json~)$ { deny all; access_log off; log_not_found off; } # Header add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.domain.tld; connect-src 'self' *.domain.tld; img-src 'self' data: *.domain.tld; style-src 'self' 'unsafe-inline' *.domain.tld; object-src 'self' *.domain.tld; frame-src 'self' *.domain.tld; font-src 'self' data: *.domain.tld; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always; listen 443 ssl; #listen 443 quic reuseport; ssl_certificate /etc/ssl/certs/pad.domain.tld.fullchain.pem; ssl_certificate_key /etc/ssl/private/pad.domain.tld.private.pem; } server { server_name pad.domain.tld; return 301 https://pad.domain.tld$request_uri; listen 80; }
Can you try this? There seems to be errors in your config. If I want to access the manifest.json file I'm getting redirected to a pad
server {
listen 80;
listen [::]:80;
location /pad {
rewrite /pad/(.*) /$1 break;
rewrite ^/pad$ /pad/ permanent;
proxy_redirect / /pad/;
proxy_pass http://127.0.0.1:9001;
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
proxy_set_header Host $host;
proxy_pass_header Server;
# Note you might want to pass more headers etc too. See above configs.
}
location /pad/socket.io {
rewrite /pad/socket.io/(.*) /socket.io/$1 break;
proxy_redirect / /pad/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:9001;
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
proxy_set_header Host $host;
proxy_pass_header Server;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Note you might want to pass more headers etc too. See above configs.
}
location /pad/admin {
rewrite /pad/admin/(.*) /admin/$1 break;
proxy_redirect / /pad/;
proxy_set_header X-Proxy-Path /pad;
proxy_pass http://127.0.0.1:9001;
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
proxy_set_header Host $host;
proxy_pass_header Server;
# Note you might want to pass more headers etc too. See above configs.
}
location /pad/admin-auth {
rewrite /pad/admin-auth/(.*) /admin-auth/$1 break;
proxy_redirect / /pad/;
proxy_set_header X-Proxy-Path /pad;
proxy_pass http://127.0.0.1:9001;
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
proxy_set_header Host $host;
proxy_pass_header Server;
# Note you might want to pass more headers etc too. See above configs.
}
location /pad/static {
rewrite /pad/static/(.*) /static/$1 break;
proxy_pass http://127.0.0.1:9001;
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
proxy_set_header Host $host;
proxy_pass_header Server;
# Note you might want to pass more headers etc too. See above configs.
}
}
Thanks. Unfortunately that doesn't seem to help. First off, I have no clue how my config worked in the first place. The root directory /opt/etherpad/etherpad-lite doesn't exist for a while now, I had moved everything up a level and it's all under /opt/etherpad now. Just fixing that doesn't change anything, probably to no much surprise.
Now, your config with the wrong root directory gives the obvious error *1 "/opt/etherpad/etherpad-lite/index.html" is not found (2: No such file or directory). Changing it to /opt/etherpad though results in *1 directory index of "/opt/etherpad/" is forbidden. Removing the entry entirely only changes it to *1 directory index of "/etc/nginx/html/" is forbidden. Even adding back the various headers from the old config doesn't help. Until now, I had /opt/etherpad and all files inside be owned by etherpad. Is that now outdated?
I just found a very simple fix which must have been just too obvious. I let pnpm run from bash with sudo -u etherpad NODE_ENV=production APIKEY=/opt/etherpad/APIKEY.txt pnpm run prod --loglevel debug. There I noticed the lines
[2024-07-09T12:53:17.861] [DEBUG] http - 200, GET /admin/login
[2024-07-09T12:53:18.114] [DEBUG] http - 200, GET /admin/assets/index-B3wQbGLu.js
[2024-07-09T12:53:18.115] [DEBUG] http - 200, GET /admin/assets/index-CUUN4gNN.css
[2024-07-09T12:53:18.116] [DEBUG] http - 200, GET /admin/Karla-Regular.ttf
[2024-07-09T12:53:18.480] [DEBUG] http - 200, GET /admin/Karla-Regular.ttf
[2024-07-09T12:53:33.306] [DEBUG] http - 404, POST /p/admin-auth/
which gave me the idea to change one of the first lines of my nginx config to also let admin-auth/ pass through:
location ~ ^/(locales/|locales.json|admin/|admin-auth/|static/|pluginfw/|javascripts/|ep/|minified/|api/|ro/|error/|jserror/|favicon.ico|robots.txt) {
Now I can access the admin page.