Can't login with GH auth, serving over HTTPS does not load some JS/CSS files without workaround

[andothomas]

Was able to set up, run self-hosted, and view the login with GitHub page it over HTTP, but when attempting to set up HTTPS to allow GitHub authentication to work, I ran into two issues. I'm presented with a blank page and either a JS or CSS file (or both) appears to have not loaded, though loading a file by navigating to it in a web browser directly works fine. On Chrome I get a console error of ERR_HTTP2_FRAME_SIZE_ERROR and Firefox a NS_ERROR_NET_PARTIAL_TRANSFER. Implementing a workaround reveals the second issue of going back to the login page after the authentication flow completes (also observed before setting up HTTPS). Here is the current setup:

docker-compose.yml:

version: "3"

services:
  gateway:
    image: codecov/self-hosted-gateway:latest-stable #note: this is for setup purposes only, be sure to pin to the latest release from our changelog: https://docs.codecov.io/changelog
    volumes:
      - ./config:/config:z
      - ./file.pem:/config/file.pem:z
      - ${CODECOV_SSL_CERT-./cert/codecov.crt}:/etc/codecov/ssl/certs/cert.crt:ro,z # uncomment if using ssl
    ports:
      - "${CODECOV_PORT-8080}:8080"
      - "${CODECOV_SSL_PORT-8443}:8443" # uncomment if using ssl
    environment:
      - CODECOV_GATEWAY_MINIO_ENABLED=true
      - CODECOV_GATEWAY_SSL_ENABLED=true # uncomment if using ssl
    networks:
      - codecov
    depends_on:
      - api
      - frontend

  frontend:
    image: codecov/self-hosted-frontend:latest-stable #note: this is for setup purposes only, be sure to pin to the latest release from our changelog: https://docs.codecov.io/changelog
    environment:
      - CODECOV_BASE_HOST=my-domain.com:8443
      - CODECOV_API_HOST=my-domain.com:8443
      - CODECOV_IA_HOST=my-domain.com:8443
      - CODECOV_SCHEME=https
    volumes:
      - ./config:/config:z
      - ./file.pem:/config/file.pem:z
    ports:
      - "8080"
    networks:
      - codecov

  api:
    image: codecov/self-hosted-api:latest-stable #note: this is for setup purposes only, be sure to pin to the latest release from our changelog: https://docs.codecov.io/changelog
    volumes:
      - ./config:/config:z
    networks:
      - codecov
    depends_on:
      - minio
      - timescale
      - postgres
      - redis

  worker:
    image: codecov/self-hosted-worker:latest-stable #note: this is for setup purposes only, be sure to pin to the latest release from our changelog: https://docs.codecov.io/changelog
    environment:
      - RUN_ENV=ENTERPRISE
    volumes:
      - ./config:/config:z
      - ./file.pem:/config/file.pem:z
      - archive-volume:/archive
    networks:
      - codecov
    depends_on:
      - minio
      - redis
      - postgres
      - timescale

  redis:
    image: redis:6-alpine
    volumes:
      - redis-volume:/data
    networks:
      - codecov

  postgres:
    image: postgres:14-alpine
    environment:
      - POSTGRES_PASSWORD=testpassword
      - POSTGRES_USER=postgres
      - POSTGRES_DB=postgres
    volumes:
      - postgres-volume:/var/lib/postgresql/data
    ports:
      - "9432:5432"
    networks:
      - codecov

  timescale:
    image: timescale/timescaledb-ha:pg14-latest
    environment:
      - POSTGRES_PASSWORD=testpassword
      - POSTGRES_USER=postgres
      - POSTGRES_DB=postgres
    volumes:
      - timescale-volume:/var/lib/postgresql/data
    ports:
      - "8432:5432"
    networks:
      - codecov

  minio:
    image: minio/minio:RELEASE.2020-04-15T00-39-01Z
    command: server /export
    ports:
      - "${CODECOV_MINIO_PORT-9000}:9000"
    environment:
      - MINIO_ACCESS_KEY=codecov-default-key
      - MINIO_SECRET_KEY=codecov-default-secret
    volumes:
      - archive-volume:/export
    networks:
      - codecov

volumes:
  postgres-volume:
  timescale-volume:
  redis-volume:
  archive-volume:

networks:
  codecov:
    driver: bridge

Also tried 8443 under ports for the frontend.

codecov.yml:

setup:
  # Replace with the http location of your Codecov
  # https://docs.codecov.io/docs/configuration#section-codecov-url
  codecov_url: https://my-domain.com:8443
  #codecov_api_url: <codecov-url> # this defaults to <codecov-url> and is designed to work out of the box like this
  #api_allowed_hosts: [] # this defaults to <codecov-url> and is designed to work out of the box like this
  # Replace with your Codecov Enterprise License key. This is required for the containers to function.
  # https://docs.codecov.io/docs/configuration#section-enterprise-license
  enterprise_license: "<license-key>"
  # https://docs.codecov.com/docs/configuration#instance-wide-admins
  admins:
    - service: github
      username: "<your-user>"
  # Replace with a random string
  # https://docs.codecov.io/docs/configuration#section-cookie-secret
  http:
    cookie_secret: "1234abcxyz"
  timeseries:
    enabled: true
github:
  integration:
    id: <id>
    pem: /config/file.pem
  client_id: "<client-id>"
  client_secret: "<client-secret>"
  global_upload_token: "<upload-token>"
services:
  redis_url: "redis://redis:6379"
  database_url: "postgres://postgres:testpassword@postgres:5432/postgres"
  timeseries_database_url: "postgres://postgres:testpassword@timescale:5432/postgres"
  minio:
    host: minio
    port: 9000
# If using external storage. Comment above and uncomment below
#    host: s3.amazonaws.com or storage.googleapis.com if using GCS
#    bucket: <bucket-name>
#    region: <bucket-region>
#    verify_ssl: true
#    port: 443
#    access_key_id: <aws-iam-access-key> # or <gcs-hmac-key> if using GCS
#    secret_access_key: <aws-iam-secret> # or <gcs-hmac-secret> if using GCS
#    iam_auth: <boolean, default false> # set to true in AWS to attempt to authenticate via Instance role

Came across this answer on Stack Overflow that seems to describe a similar issue. Disabling gzip in the nginx config of the frontend container while it is running seems to fix this issue, but I have to do this manually every time I run the self-hosted docker compose file:

• podman exec -it -u 0 <frontend-container> sh
• Edit /etc/nginx/nginx.conf
• Change gzip on to gzip off
• nginx -s reload

Though even after this workaround, I'm still having issues with GitHub authentication bringing me back to the Login via GitHub page after the authentication flow should be complete. Requests on this page to /internal/user return a 401 saying "Authentication credentials were not provided", and the GraphQL GitHub user object request to /graphql/gh returns {"data": {"me": null}}. Not sure if I have something configured improperly, but when I observed this same behavior over HTTP I thought the issue was the combination of no SSL and using a custom domain...now I'm not so sure. Any insight would be greatly appreciated!

[andothomas]

Was able to fix the authentication issues, didn't realize I had the GitHub pem file double mounted...removing mentions of ./file.pem:/config/file.pem:z seemed to do the trick. Along with removing empty pem files that popped up (perhaps related to double mounting).

It would likely benefit future users if these instructions were altered to say something like "the default configuration mounts the config directory (code here), so if the pem file is placed in the config directory, it does not need to be explicitly mounted".

However, I am still having to disable gzip. It appears that it's only an issue when using podman since I didn't have any such issues with docker compose.