How to access Vikunja docker-compose container from my home network

heeep · 7 November 2021 12:50

Hello,

I am wondering if someone can tell me how to access Vikunja in the web browser from a PC on my home network? At the moment I can only access it from the local host where the container has been deployed.

I followed these instructions exactly : Docker Walkthrough | Vikunja
and it works perfectly on the local host. I am not extremely experienced with Linux, and totally new to docker-compose, so if someone could explain in simple terms how to set up networking to be able to access Vikunja from other PCs on my network, that would be hugely appreciated.

Thank you

kolaente · 7 November 2021 13:29

Did you try to point the other device in your home network to the ip of the host you have VIkunja running on? If you’re running the config from the example you linked that should work.

On linux, you can get the ip of your host pc by running ip a in a terminal, then look for an ip address starting with 192.168.xx.

heeep · 7 November 2021 13:37

Thanks for the reply, I’m not sure if this helps but, from my home network devices I can ping/ssh the device on which Vikunja is running. But I cannot ping the docker container. I can only ping the docker container locally from the device on which Vikunja is running. Does this mean I need a route on my home network devices to point to the Vikunja container? (I use mac for my home network devices, and Vikunja is running on an Ubuntu device)

heeep · 7 November 2021 14:03

Also, the nginix config the line:
proxy_pass http://frontend:80;

should frontend be edited to be the IP address of frontend, or should be left as is? For what it is worth, I did try to edit it, but it made no difference.

kolaente · 7 November 2021 14:18

That’s expected. Did you expose the port of the proxy container?

Can you share your Vikunja docker-compose file?

It should be fine to use the public IP of the ubuntu box, but that will only work if you exposed the ports.

kolaente · 7 November 2021 14:21

That should be frontend. Since both the proxy container and the frontend container are in the same docker network, they can talk to each other via their hostname.

heeep · 7 November 2021 14:33

Ahhh, my fundamental understanding of docker has been flawed. Thank you in pointing me in the right direction. All I needed to do was to use the ubuntu address and NOT the container address! Everything works beautifully on my home network now. Regarding the docker-compose file, I am using exact copy taken from https://vikunja.io/docs/docker-walkthrough/

To access Vikunja from the internet
I now set up port forwarding on my router on port 80 to point to my Ubuntu server, and I can access it form the web perfectly well. I am however worried about security implications of this. Would you advise against this kind of set up?

kolaente · 7 November 2021 15:46

Container addresses are only valid on the host network stack, as you’ve already figured out.

It should be fine to use it like this. You might want to make it reachable from the outside (in your router) under a different port than 80, something really high to avoid automated scanners to detect your Vikunja installation. While Vikunja itself isn’t vulnerable to security issues (as far as I can tell right now) this might increase the load on your server for no good reason.

Vikunja-wise, you probably want to disable the registration if you don’t intend to use it with other people.

heeep · 7 November 2021 17:53

Ok that makes sense. Thanks! Can you please explain how to disable user registration?

I read Config options | Vikunja and following the instruction I used the provided default config.yml. I created a directory /etc/vikunja and this is where I placed the config.yml . inside the config I changed the variable enableregistration: so that it states false

at this point i restarted the container with the following commands so that the changes in the config take effect (is this required?)
sudo docker-compose down
sudo docker-compose up

but still when I go to Vikunja login screen there is a Registration box which successfully allows me to register.

What am I doing wrong?
I read your response to a similar question here, but it isn’t very clear to me Disable Registration and User management is what you are saying is that I have to mount the /etc/vikunja/config.yml ? How can I do that?

I also tried adding VIKUNJA_SERVICE_ENABLEREGISTRATION: false
to the docker-compose.yml but then when i tried running sudo docker-compose down
I received the error:
ERROR: The Compose file ‘./docker-compose.yml’ is invalid because:
services.api.environment.VIKUNJA_SERVICE_ENABLEREGISTRATION contains false, which is an invalid type, it should be a string, number, or a null

Thank you for all your help, and also for wiring such an incredible piece of software!

EDIT: could you also advise on creating a self signed certificate so that the connection is https instead of http ? I looked through all the docs but can’t see anything pointing to this. Thanks!

kolaente · 7 November 2021 20:21

You should use environment variables, just as you tried in your second attempt. Try putting in a '0' instead of false and it should work.

Vikunja running in the container does not have access to your host file system so if you add a config.yml file on your host, the container has no way of knowing this until you tell it to. That’s what mounts are for. The docker docs on volumes (that’s the docker term for mounts) provides a bit more information if you’re curious about it.

For configuration, environment variables is generally preferred over config files mounted in the container because that keeps everything in one place.

For that you’ll need a proxy that sits between Vikunja’s proxy container and the outside world. There’s a few options available, you can do it with a self signed certificate and Vikunja’s proxy container you already have, or use something like traefik to handle all of this. There’s examples for traefik in the docs, for self signed just search for something like “nginx with self signed TLS”. If you go down that road, I’d advise you to read up a bit on how reverse proxies work.

heeep · 8 November 2021 18:50

Thanks for the comments above. I got the registration disabled now. One final outstanding issue is that of https. I really need to get this to work before allowing Vakunja it to be accessible from the web.

The traefik instructions are sadly over my head by some distance… but i am trying to set up self signed certificate inside the vikunja proxy (nginx) docker container. I created the certificate using this line

openssl req -x509 -nodes -days 365 -subj “/C=CA/ST=QC/O=Company, Inc./CN=mydomain.com” -addext “subjectAltName=DNS:mydomain.com” -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt;

I followed parts of this guide to help me. This guide is about setting up container from scratch, but obviously I am working in the existing container.

I tried the different lines in the nginx config file from the guide, but non of them get me to be able to access Vikunja from https://

So I really have no idea what to put in the nginx.conf file. As it stands, it is very basic:

server {
listen 80;

location / {
    proxy_pass http://frontend:80;
}

location ~* ^/(api|dav|\.well-known)/ {
    proxy_pass http://api:3456;
    client_max_body_size 20M;
}

}

heeep · 8 November 2021 19:37

I’ve been reading about mounting different files and so now I tried to create certificate on my host system and mount them. This is successful, but when I do docker-compose up I get the following error
proxy_1
I nginx: [emerg] cannot load certiftcate “/etc/ngtnx/my-stte.con.crt”: PEM_read_bto_X509_AUX() fatled (SSL: error: 0909006C:PEN routtnes:get_name:no start ltne:Expecting: TRUSTED CERTIFICATE)

I do understand this is perhaps a bit much to help on a forum board, but if you could point me in the right direction, that would be awesome, i feel like I’m so damn close!

(I get the above by trying to follow parts of this guide: Using Self-Signed SSL Certificates with Docker and Nginx )

kolaente · 9 November 2021 18:03

The Vikunja Frontend docker container actually already contains a self-signed certificate. You should be able to use parts of that as a blueprint.

Something like this should work for the proxy container (untested):

Dockerfile:

FROM nginx

RUN apt-get update && apt-get install -y apt-utils openssl && \
  mkdir -p /etc/nginx/ssl && \
  openssl genrsa -out /etc/nginx/ssl/dummy.key 2048 && \
  openssl req -new -key /etc/nginx/ssl/dummy.key -out /etc/nginx/ssl/dummy.csr -subj "/C=DE/L=Berlin/O=Vikunja/CN=Vikunja Snakeoil" && \
  openssl x509 -req -days 3650 -in /etc/nginx/ssl/dummy.csr -signkey /etc/nginx/ssl/dummy.key -out /etc/nginx/ssl/dummy.crt

COPY nginx.conf /etc/nginx/nginx.conf

nginx.conf (you will need to put that in the same directory as the Dockerfile):

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    server {
        listen 80;
        listen 443 default_server ssl http2;

        server_name  _;

        expires $expires;

        ssl_certificate       /etc/nginx/ssl/dummy.crt;
        ssl_certificate_key   /etc/nginx/ssl/dummy.key;

        location / {
            proxy_pass http://frontend:80;
        }

        location ~* ^/(api|dav|\.well-known)/ {
            proxy_pass http://api:3456;
            client_max_body_size 20M;
        }
    }
}

Save both files next to your docker-compose.yml file as Dockerfile and nginx.conf and change the proxy service in to this:

  proxy:
    build: .
    ports:
      - 443:443
    depends_on:
      - api
      - frontend
    restart: unless-stopped

In theory, you could also just mount the nginx.conf from above to /etc/nginx/nginx.conf and mount the ssl certificates generated in the previous step.

heeep · 9 November 2021 23:39

Thanks for all that, it looked very promising the first time I run docker-compose up. The Dockerfile has been executed. Unfortunately https still did not work, I tried again and now I keep getting this error and the proxy container keeps restarting

proxy_1 | 2021/11/09 23:31:26 [emerg] 1#1: unknown “expires” variable
proxy_1 | nginx: [emerg] unknown “expires” variable

Each time I run docker-compose up I do not see the certificates being generated (only saw it the first time), does this mean that the first time it run, they got saved (committed) inside the docker container?

kolaente · 10 November 2021 18:24

I guess I should’ve tested the config before posting

Try this nginx.conf:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

    server {
        listen 80;
        listen 443 default_server ssl http2;

        server_name  _;

        ssl_certificate       /etc/nginx/ssl/dummy.crt;
        ssl_certificate_key   /etc/nginx/ssl/dummy.key;

        location / {
            proxy_pass http://frontend:80;
        }

        location ~* ^/(api|dav|\.well-known)/ {
            proxy_pass http://api:3456;
            client_max_body_size 20M;
        }
    }
}

You’ll need to run docker-compose build and then docker-compose up again to make sure the changes are picked up.

The steps to generate it are set in the Dockerfile. That means they will only be executed when the image is built.

heeep · 10 November 2021 19:23

Thank you for the correction, but it looks like something is still not right, now I keep getting the following

proxy_1 | 2021/11/10 19:22:37 [emerg] 1#1: unknown directive “ser” in /etc/nginx/nginx.conf:1
proxy_1 | nginx: [emerg] unknown directive “ser” in /etc/nginx/nginx.conf:1

ops… looks like when I revert the nginx.conf and docker-compose.xml to the original version, I still get the error next time I will be taking a Timeshift snapshot before anything

kolaente · 10 November 2021 19:49

What does your nginx.conf look like? The error message sounds like there’s a u missing in the very first line - that should be user.

Did you rebuild the container?

heeep · 10 November 2021 21:04

I must of skipped the letter in the user field as you said! All works fine over https now!

Thank you for all your help!

Two hopefully final questions

What is the update procedure for when there is a new version of Vikunja
I am doing daily Timeshift snapshots at the moment, but if I wanted to back up the db manually, how can I do that?

Thank you
heeep

kolaente · 10 November 2021 21:23

Glad to hear it works now!

Pretty much pulling the containers and restarting them, if you’re using the :latest tag on them (that will always contain the latest stable version.

The full commands are

docker-compose pull
docker-compose down
docker-compose up -d

There’s a bit of instructions in the docs (actually, I just noticed the docs are slightly outdated on that page, will work fine for the db though).

In your case on docker that would be something like this (assuming you did not change the default username and db name from the tutorial):

docker-compose exec db mysqldump -u vikunja -p vikunja > backup.sql

It will ask you for the db password from the you set in the compose file as MYSQL_PASSWORD.

heeep · 10 November 2021 22:04

nice one, the mysql dump works great.

I wanted to test out
docker-compose pull
docker-compose down
docker-compose up -d

and it appears to of broken something. I have done the commands above, but now I get Network Error on the Vikunja login page when trying to log in?

I also tried
docker-compose pull
docker-compose down
docker-compose build
docker-compose up -d

but that did not help either

edit:
I figured it would be good opportunity to test the Timeshift restore. It restored successfully, and I can see that the files were reverted to previous versions, but sadly the issue persists

edit2:
It is all working, I am not sure what was wrong, but I have re-run the commands a couple of times ( down / build / up) and everything is working again. I also cleared cache in Firefox in case that was causing an issue, I thought to do this as initially it worked in Safari while I was still receiving Network Error in Firefox.