Drone

Unable to login to Drone (Docker with LetsEncrypt Nginx proxy)

Hi, I have installed Drone in Docker and connected it with Gitea.

$ curl https://drone.halfakop.ru/login
<a href="https://git.halfakop.ru/login/oauth/authorize?client_id=aa50fd5d-9449-4223-ada3-e3347076703d&amp;redirect_uri=https%3A%2F%2Fdrone.halfakop.ru%2Flogin&amp;response_type=code&amp;state=56ec3f2525632186">See Other</a>.

$ curl https://drone.halfakop.ru/login\?code\=t2O1jE_y1mMba3XFUZMqCCTzQvwD4woo6MqeJc1eEaw%3D\&state\=30b95ff183c471d4
<a href="/login/error?message=http: named cookie not present">See Other</a>.

$ curl 'https://drone.halfakop.ru/login?code=t2O1jE_y1mMba3XFUZMqCCTzQvwD4woo6MqeJc1eEaw%3D&state=30b95ff183c471d4' -H 'authority: drone.halfakop.ru' -H 'cache-control: max-age=0' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36 OPR/66.0.3515.44' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H 'sec-fetch-site: cross-site' -H 'sec-fetch-mode: navigate' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8' -H 'cookie: _oauth_state_=30b95ff183c471d4' --compressed
<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.17.8</center>
</body>
</html>

I use the LetsEncrypt proxy from https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion

It seems that the proxy is unable to pass the latest request:

Feb 07 09:50:20 dev-ams3-01 docker-compose[10809]: nginx          | 2020/02/07 09:50:20 [error] 100#100: *938 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 185.62.193.101, server: drone.halfakop.ru, request: "GET /login?code=iJad8v8hQiBpMenwVGXtUQwdAA1Id7TtGGN6OLOD3o0%3D&state=4d65822107fcfd52 HTTP/2.0", upstream: "http://172.18.0.7:80/login?code=iJad8v8hQiBpMenwVGXtUQwdAA1Id7TtGGN6OLOD3o0%3D&state=4d65822107fcfd52", host: "drone.halfakop.ru", referrer: "https://drone.halfakop.ru/"
Feb 07 09:50:20 dev-ams3-01 docker-compose[10809]: nginx          | drone.halfakop.ru 185.62.193.101 - - [07/Feb/2020:09:50:20 +0000] "GET /login?code=iJad8v8hQiBpMenwVGXtUQwdAA1Id7TtGGN6OLOD3o0%3D&state=4d65822107fcfd52 HTTP/2.0" 504 569 "https://drone.halfakop.ru/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"

The docker-compose file:

services:
  drone-server:
    image: drone/drone:latest
    restart: always
    hostname: drone
    domainname: halfakop.ru
    volumes:
      - drone:/data/
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - DRONE_GIT_ALWAYS_AUTH=true
      - DRONE_AGENTS_ENABLED=true
      - DRONE_GITEA_SERVER=https://git.halfakop.ru
      - DRONE_GITEA_CLIENT_ID=<id-here>
      - DRONE_GITEA_CLIENT_SECRET=<secret-here>
      - DRONE_RPC_SECRET=<rpc-here>
      - DRONE_SERVER_HOST=drone.halfakop.ru
      - DRONE_SERVER_PROTO=https
      - DRONE_DEBUG=true
      - DRONE_LOGS_DEBUG=true
      - DRONE_LOGS_TEXT=true
      - DRONE_LOGS_PRETTY=true
      - VIRTUAL_PORT=80
      - VIRTUAL_HOST=drone.halfakop.ru
      - LETSENCRYPT_HOST=drone.halfakop.ru
      - LETSENCRYPT_EMAIL=<email-here>
    networks:
      - devtools
    expose:
      - 80
    logging:
      options:
        max-size: 10m

It seems that Drone uses the envvar DRONE_GITEA_SERVER in two places: for the redirect URL and the internal connection.

Recreating devtools_drone-server_1 ... done
Recreating devtools_drone-runner_1 ... done
Attaching to devtools_drone-server_1, devtools_drone-runner_1
drone-server_1  | {"level":"info","msg":"main: internal scheduler enabled","time":"2020-02-11T07:55:15Z"}
drone-server_1  | {"acme":false,"host":"drone.halfakop.ru","level":"info","msg":"starting the http server","port":":80","proto":"https","time":"2020-02-11T07:55:15Z","url":"https://drone.halfakop.ru"}
drone-server_1  | {"interval":"30m0s","level":"info","msg":"starting the cron scheduler","time":"2020-02-11T07:55:15Z"}
drone-runner_1  | time="2020-02-11T07:55:16Z" level=info msg="starting the server" addr=":3000"
drone-runner_1  | time="2020-02-11T07:55:16Z" level=info msg="successfully pinged the remote server"
drone-runner_1  | time="2020-02-11T07:55:16Z" level=info msg="polling the remote server" arch=amd64 capacity=2 endpoint="http://drone-server" kind=pipeline os=linux type=docker
drone-server_1  | {"level":"error","msg":"oauth: cannot exchange code: DRZK_hETqn-oZPm36rEb_Ald7g0OlBopXc1FqLtpyoA=: Post https://git.halfakop.ru/login/oauth/access_token: dial tcp 64.225.75.235:443: connect: connection timed out","time":"2020-02-11T07:57:43Z"}

But what should I do if I use no SSL inside the containers?
P.S. Why are there no messages in debug mode? I have set DRONE_DEBUG=true

The following lines enable debug mode for the server:

environment:
  - DRONE_LOGS_DEBUG=true
  - DRONE_RPC_DEBUG=true

So the logs become:

Recreating devtools_drone-server_1 ... done
Recreating devtools_drone-runner_1 ... done
Attaching to devtools_drone-server_1, devtools_drone-runner_1
drone-server_1  | {"level":"info","msg":"main: internal scheduler enabled","time":"2020-02-11T08:16:45Z"}
drone-server_1  | {"build.limit":0,"expires":"0001-01-01T00:00:00Z","kind":"trial","level":"debug","msg":"main: license loaded","repo.limit":0,"time":"2020-02-11T08:16:45Z","user.limit":0}
drone-server_1  | {"acme":false,"host":"drone.halfakop.ru","level":"info","msg":"starting the http server","port":":80","proto":"https","time":"2020-02-11T08:16:45Z","url":"https://drone.halfakop.ru"}
drone-server_1  | {"interval":"30m0s","level":"info","msg":"starting the cron scheduler","time":"2020-02-11T08:16:45Z"}
drone-runner_1  | time="2020-02-11T08:16:46Z" level=info msg="starting the server" addr=":3000"
drone-runner_1  | time="2020-02-11T08:16:46Z" level=info msg="successfully pinged the remote server"
drone-runner_1  | time="2020-02-11T08:16:46Z" level=info msg="polling the remote server" arch=amd64 capacity=2 endpoint="http://drone-server" kind=pipeline os=linux type=docker
drone-server_1  | {"arch":"amd64","kernel":"","kind":"pipeline","level":"debug","msg":"manager: context canceled","os":"linux","time":"2020-02-11T08:17:16Z","type":"docker","variant":""}
drone-server_1  | {"fields.time":"2020-02-11T08:17:19Z","latency":540166,"level":"debug","method":"GET","msg":"","remote":"172.18.0.8:41672","request":"/","request-id":"1XeaVoXVV7SQTm8sXIMXGVDDdjV","time":"2020-02-11T08:17:19Z"}
drone-server_1  | {"fields.time":"2020-02-11T08:17:19Z","latency":5701956,"level":"debug","method":"GET","msg":"","remote":"172.18.0.8:41674","request":"/css/app.835f40e0.css","request-id":"1XeaVhhQpQWG5cHLZgsuNRDIpL3","time":"2020-02-11T08:17:19Z"}
drone-server_1  | {"fields.time":"2020-02-11T08:17:19Z","latency":44007407,"level":"debug","method":"GET","msg":"","remote":"172.18.0.8:41678","request":"/js/chunk-vendors.f5840117.js","request-id":"1XeaVifukAR30Q2MZtSyshCWFYc","time":"2020-02-11T08:17:19Z"}
drone-server_1  | {"fields.time":"2020-02-11T08:17:19Z","latency":44429973,"level":"debug","method":"GET","msg":"","remote":"172.18.0.8:41676","request":"/js/app.2c99ed98.js","request-id":"1XeaVmGsAbaMYh1FzhDFIMHlKF2","time":"2020-02-11T08:17:19Z"}
drone-server_1  | {"level":"debug","msg":"api: authentication required","request-id":"1XeaVtJiStgl3y8vvC9pG2TGzoJ","time":"2020-02-11T08:17:20Z"}
drone-server_1  | {"level":"debug","msg":"api: guest access","request-id":"1XeaVtJiStgl3y8vvC9pG2TGzoJ","time":"2020-02-11T08:17:20Z"}
drone-server_1  | {"fields.time":"2020-02-11T08:17:20Z","latency":3396885,"level":"debug","method":"GET","msg":"","remote":"172.18.0.8:41680","request":"/api/user","request-id":"1XeaVtJiStgl3y8vvC9pG2TGzoJ","time":"2020-02-11T08:17:20Z"}
drone-server_1  | {"level":"debug","msg":"events: stream opened","request-id":"1XeaVv69NMju2SAU3cz8A8yCRkL","time":"2020-02-11T08:17:20Z"}
drone-server_1  | {"fields.time":"2020-02-11T08:17:20Z","latency":72243,"level":"debug","method":"GET","msg":"","remote":"172.18.0.8:41682","request":"/login","request-id":"1XeaVpdwr3cSjiIKNYWfGzt0McY","time":"2020-02-11T08:17:20Z"}
drone-server_1  | {"arch":"amd64","kernel":"","kind":"pipeline","level":"debug","msg":"manager: request queue item","os":"linux","time":"2020-02-11T08:17:26Z","type":"docker","variant":""}
drone-server_1  | {"level":"debug","msg":"events: stream cancelled","request-id":"1XeaVv69NMju2SAU3cz8A8yCRkL","time":"2020-02-11T08:18:20Z"}
drone-server_1  | {"level":"debug","msg":"events: stream closed","request-id":"1XeaVv69NMju2SAU3cz8A8yCRkL","time":"2020-02-11T08:18:20Z"}
drone-server_1  | {"level":"debug","msg":"api: guest access","request-id":"1XeaVv69NMju2SAU3cz8A8yCRkL","time":"2020-02-11T08:18:20Z"}
drone-server_1  | {"fields.time":"2020-02-11T08:18:20Z","latency":60322177808,"level":"debug","method":"GET","msg":"","remote":"172.18.0.8:41684","request":"/api/stream","request-id":"1XeaVv69NMju2SAU3cz8A8yCRkL","time":"2020-02-11T08:18:20Z"}
drone-server_1  | {"fields.time":"2020-02-11T08:18:20Z","latency":22725,"level":"debug","method":"GET","msg":"","remote":"172.18.0.8:41696","request":"/favicon.ico","request-id":"1XeadTqPkA3VPiuYzQABSupoKnO","time":"2020-02-11T08:18:20Z"}

The solution is in the external network settings!
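
A triage helper for the log output shown in this thread, as an added example that is not part of the original posts: it picks the failed OAuth code exchange out of Drone server log lines, reports which address the container tried to dial, and masks authorization codes before logs are shared. The sample lines, host name, IP address and function names are constructed for illustration.

```python
import json
import re

# Constructed sample in the shape of the thread's docker-compose output
# (placeholder code value and documentation IP address, not the thread's).
SAMPLE = '''\
drone-server_1  | {"level":"info","msg":"main: internal scheduler enabled","time":"2020-02-11T07:55:15Z"}
drone-runner_1  | time="2020-02-11T07:55:16Z" level=info msg="successfully pinged the remote server"
drone-server_1  | {"level":"error","msg":"oauth: cannot exchange code: EXAMPLE-CODE=: Post https://git.example.test/login/oauth/access_token: dial tcp 203.0.113.10:443: connect: connection timed out","time":"2020-02-11T07:57:43Z"}
'''

# Message shape taken from the error line quoted in the thread.
EXCHANGE = re.compile(
    r"oauth: cannot exchange code: (?P<code>\S+): Post (?P<url>\S+): "
    r"dial tcp (?P<addr>\S+): (?P<reason>.+)$"
)

def find_exchange_failures(text):
    """Return one dict per failed OAuth code exchange in Drone server logs."""
    failures = []
    for line in text.splitlines():
        service, sep, payload = line.partition("|")
        if not sep or not service.strip().startswith("drone-server"):
            continue
        try:
            record = json.loads(payload)
        except ValueError:
            continue  # not a JSON log line
        if not isinstance(record, dict):
            continue
        match = EXCHANGE.search(record.get("msg", ""))
        if match:
            failures.append({
                "time": record.get("time"),
                "token_url": match["url"],
                "dialed": match["addr"],
                "reason": match["reason"],
                # A connect-level timeout means the container never reached
                # the address it resolved for the Gitea host.
                "egress_blocked": "timed out" in match["reason"],
            })
    return failures

def redact_codes(text):
    """Mask OAuth authorization codes in log text before it is shared."""
    text = re.sub(r"(cannot exchange code: )\S+(?=: )", r"\1[REDACTED]", text)
    return re.sub(r'([?&]code=)[^&\s"]+', r"\1[REDACTED]", text)
```
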