Want to use Mattermost via PLESK


#1

I tried and tried variously and Mattermost is installed and can execute it. I use PLESK to manage servers. This time I ignored PLESK and installed Mattermost, Mattermost worked fine. But I want to go through Plesk as much as possible. Because it is the existence of Let’s Encrypt. Plesk encompasses Let’s Encrypt.


I look at multiple conf files on a server using this Plesk, for example, I listen to 443 ports two or three times. So I think that trying to specify backend with nginx’s proxy_pass will cause a redirect error repeatedly.

PLESK Knowledge Database has the following guide.

location ~ ^/(?!.well-known).*$ {
	proxy_pass https://127.0.0.1:8065;
	port_in_redirect off;
}
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;

If I set this, it will result in NGINX’s “502 Bad Gateway” error. Even if I see the error log of NGINX. Pointed out that the version(5.1.12) of Passenger is old.

and

[error] 4389#0: *2 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: CLIENT-IP, server: SERVER-DOMAIN, request: "GET / HTTP/2.0", upstream: "https://SERVER-IP/index.html", host: "MATTERMOST-URL"

“proxy_pass https://127.0.0.1:8065;” Just specifying this will stop my site. I can not even see index.html (ignoring the 8065 port).

This is a unique way to deal with Plesk, but who knows?

NEXT.
I do not install Mattermost in /opt, and installing in the domain may cause Mattermost to work. However, in this case, it is judged as an invalid certificate and it is an error. I thought I could give Mattermost the authority of the certificate by putting Mattermost in the domain, but it seems not to be the case. However with this method 502 Bad Gateway error does not occur. SSL error or invalid error.

I have doubts about config.json. “ConnectionSecurity” “TLSCertFile” “TLSKeyFile” in ServiceSettings section. Let’s Encrypt is enabled on PLESK, so SSL is working. Add Mattermost to it. I do not seem to work unless I type some characters on those items. If I leave “ConnectionSecurity” blank, an error will remain in Mattermost’s log.

{"level":"error","ts":1533229598.2654252,"caller":"jobs/jobs_watcher.go:70","msg":"Error occurred getting all pending statuses: SqlJobStore.GetAllByStatus: We couldn't get the jobs, Status=pending, invalid connection"}
{"level":"info","ts":1533230153.655869,"caller":"runtime/asm_amd64.s:2361","msg":"http: TLS handshake error from CLIENT-IP:20575: EOF","source":"httpserver"}
{"level":"error","ts":1533233769.2149591,"caller":"jobs/jobs_watcher.go:70","msg":"Error occurred getting all pending statuses: SqlJobStore.GetAllByStatus: We couldn't get the jobs, Status=pending, invalid connection"}
{"level":"error","ts":1533243896.2961688,"caller":"jobs/jobs_watcher.go:70","msg":"Error occurred getting all pending statuses: SqlJobStore.GetAllByStatus: We couldn't get the jobs, Status=pending, invalid connection"}
{"level":"error","ts":1533251112.7517698,"caller":"jobs/jobs_watcher.go:70","msg":"Error occurred getting all pending statuses: SqlJobStore.GetAllByStatus: We couldn't get the jobs, Status=pending, invalid connection"}

What I would like to do is to stop the function of activating SSL on Mattermost’s side. Is this possible?


#2

Hi @Babbles! I checked with a colleague on this and they said that TLS is not needed if you’re using proxy. I’ll ask our devs to look at the error messages you’re seeing.


#3

I’ll ask our devs to look at the error messages you’re seeing.

When will you reply from developers? I am looking forward to your response from the developer.

I would like to know more about the item “SecurityConnection”. Even if I use a proxy, is it necessary to enter “TLS” in this item? When I see the behavior of Mattermost, I seem to not use HTTPS completely unless I enter TLS. If I do not enter “TLS”, Mattermost seems to consciously redirect to “http”. However, when I enter TLS, I must specify the location of the file.
Currently I forcibly designate Plesk’s certificate from the outside of Plesk. In this way, I am anxious because I do not know when the relationship of certificate binding will be broken. I would solve another Let’s Encrypt installation separately. But I think it is in vain from the viewpoint of server capacity.


CentOS 7.5.1 / nginx 1.13.8 / Mattermost 5.1.0 / Plesk 17.8.11


#4

I am trial and error while my acquaintance is scarce. That is what I noticed.

When I access http://example.com, repeat redirect error or 502 Bad Gateway error. However, I find that I can connect if I intentionally specify URL such as http://example.com/login, http://example.com/admin_console. I have not entered the port number. At this time, the content of /etc/nginx/nginx.conf is only the upstream item and the proxy_cache_path item and basic setting item. I put index.html right under the domain for testing, but it seems I can not access index.html. When I access test.html(file name other than index.html) instead of index.html, I seem to be redirecting to Mattermost as “login?redirect_to=%2Ftest.html”.
*When I do not use Plesk, I can use Mattermost on http://example.com.
*I will not display login or admin_console by typing http://example.com. If via Plesk, it is stopped at “https://example.com/”.

At this time, I did not enter the setting of nginx in the Plesk knowledge database shown at the beginning of this topic. I have not changed the behavior of Mattermost even if I enter it or do not enter it. What I currently set in Plesk is the contents of nginx.conf which is introduced in the official guide. In this state, the certificate by Let’s encrypt is valid.

Of course, the problem of config.json’s SecurityConnections setting is not solved. I need to enter TLS and certification paths in them. And if I do not have root privilege yet, I can not work Mattermost. *I think that this is to acquire a certificate from outside of Plesk.

I can not connect to Mattermost only by domain, but I can connect by inputting login and admin_console. Is there a workaround?


#5

I can not connect to Mattermost only by domain, but I can connect by inputting login and admin_console. Is there a workaround?

I solved this. However, it does not know what effect it will have on long-term use.

location ~ /api/v[0-9]+/(users/)?websocket$ {
....
	proxy_pass https://backend;
}

location ~ ^/(?!.well-known).*$ {
...
	proxy_pass https://backend$request_uri;
}

or

location / {
...
	proxy_pass https://backend$request_uri;
}

Non websocket “proxy_pass” required “$request_uri”. It is not necessary when Plesk is not used.

The remaining issue is the continuous use of Plesk’s Let’s Encrypt. Currently I give Mattermost root privileges to use certificates. I want to avoid this as much as possible.


#6

I tried too much and I do not know the root cause. As a result I succeeded in the setting I was trying in the early days. And I can use it even if I am not currently root.

Point for Plesk use:

  • Installation location can be ‘/opt’.
  • Users and groups are also mattermost.
  • Unlike the official guide, only proxy_pass needs “$request_uri”. websocket does not need ‘$request_uri’. And not “https”, “http” is correct. This is also websocket.
  • All “SecurityConnections” and “TLSCertFile” and “TLSKeyFile” items of ServerSettings in config.json are blank.
  • The database hostname designation in SqlSettings of config.json specifies the IP address of the server, not “localhost or 127.0.0.1”. Of course grant authority with MariaDB.
  • Prepare a config file for Mattermost in /etc/nginx/conf.d/. And write upstream and proxy_cache_path settings.
  • Change the mattermost user’s home directory to ‘/opt/mattermost’. Is not this a problem?

I have a basic operation in these.
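An added example, not part of any post in this thread and not code from Mattermost or Plesk: a small Python check for the mismatch described in posts #1 and #6, comparing the scheme of each nginx proxy_pass with ServiceSettings.ConnectionSecurity in config.json. The nginx snippet and config below are constructed samples, and the `check` function and its finding codes are hypothetical names.

```python
import json
import re

# Constructed sample inputs, not copied from the poster's server.
SAMPLE_NGINX = """
upstream backend { server 127.0.0.1:8065; }
location ~ /api/v[0-9]+/(users/)?websocket$ {
    proxy_pass http://backend;
}
location / {
    proxy_pass https://backend$request_uri;
}
"""
SAMPLE_CONFIG = json.dumps({"ServiceSettings": {
    "ListenAddress": ":8065", "ConnectionSecurity": "",
    "TLSCertFile": "", "TLSKeyFile": ""}})

# Active (uncommented) proxy_pass directives at the start of a line.
PROXY_PASS = re.compile(r"^[ \t]*proxy_pass[ \t]+(https?)://([^\s;]+)[ \t]*;", re.M)

def check(nginx_conf, config_json):
    """Return (line, code, message) for each proxy/backend TLS mismatch."""
    svc = json.loads(config_json).get("ServiceSettings", {})
    tls_backend = str(svc.get("ConnectionSecurity") or "").upper() == "TLS"
    expected = "https" if tls_backend else "http"
    findings = []
    for m in PROXY_PASS.finditer(nginx_conf):
        scheme, target = m.groups()
        line = nginx_conf.count("\n", 0, m.start(1)) + 1
        if scheme == expected:
            continue
        if scheme == "https":
            findings.append((line, "tls-to-plaintext",
                f"https://{target}: Mattermost listens without TLS, nginx "
                "fails SSL_do_handshake() and returns 502"))
        else:
            findings.append((line, "plaintext-to-tls",
                f"http://{target}: Mattermost expects TLS on this listener"))
    has_cert = svc.get("TLSCertFile") and svc.get("TLSKeyFile")
    if tls_backend and not (has_cert or svc.get("UseLetsEncrypt")):
        findings.append((0, "tls-without-cert",
            "ConnectionSecurity is TLS but no TLSCertFile/TLSKeyFile is set"))
    return findings

if __name__ == "__main__":
    for line, code, message in check(SAMPLE_NGINX, SAMPLE_CONFIG):
        print(f"line {line}: [{code}] {message}")
```

With nginx terminating TLS, the clean state is an empty result: every proxy_pass uses http:// and ConnectionSecurity is blank, so Mattermost never needs to read the Plesk-managed certificate or key.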


#7

Problem found.
I can not invite users. It seems that there is an error in the invitation link. I get a 404 error when I access the invitation URL.

https://MY-MATTERMOST-URL/signup_user_complete/?id=tkyhzc775byfidak3zgj7o1ptr

“/” Is inserted between “_complete” and “?id=”. I will proceed to sign up if I remove “/”.
Is the existence of “/” correct?

Is this a problem with the nginx config file? I can not solve this problem by removing ‘$request_uri’ of proxy_pass.

Are the following errors negligible?

{"level":"info","ts":1533777669.0099797,"caller":"mux/mux.go:162","msg":"Invalid session","error":"GetSession: Invalid session token=g8dd9zyc8br7xkgsccrncyd4ih, err=<no value>, "}

{"level":"error","ts":1533790947.8532639,"caller":"web/handlers.go:142","msg":"Login failed because email address has not been verified","path":"/api/v4/users/login","request_id":"tgmc1y9gd7ggffccfeaz8eaz3w","ip_addr":"CLIENT-IP-ADDRESS","user_id":"","method":"POST","err_where":"Login","http_code":401,"err_details":"user_id=4sctn67dwj847mkn1w7qn6ze8e"}

This error seems to occur when removing the “/” from the invitation link and transitioning to the sign up screen. After that account creation itself is possible. However, it is necessary to enable “open server”. I can not create an account with invitation.
The above error occurs when logging in, reloading the login page. I see that error 9 times when I access the login page once.


#8

Hi @Babbles - Apologies for late reply!

The url formatting looks correct. Is Enable Account Creation setting turned on?

Would you have the complete url so that I can test it out?


#9

I am off the team, account is on.

Currently Mattermost returns to non-Plesk. After all, invitation link works well with non-Plesk.

I’m sorry, I’m not building a public site. So I can not let you know my site here.