Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Self-host docker #265

Open
bokachodalawdsa opened this issue Sep 24, 2024 · 12 comments
Open

Self-host docker #265

bokachodalawdsa opened this issue Sep 24, 2024 · 12 comments
Assignees

Comments

@bokachodalawdsa
Copy link

Getting errors after errors. Why is there no docker support?

@fomalhautb
Copy link
Contributor

The self-host doc is quite new and it reflects our own self-host process. We do understand that a docker compose file is easier for most people, we are going to create one soon

@jshimko
Copy link

jshimko commented Sep 24, 2024

I currently have a fork with working Docker builds and a single-command docker-compose based build/startup process. I've been using it for several weeks at this point to iron out issues and simplify the setup. I also built a Helm chart for Kubernetes deployments that I'm already using with our deployed services.

I'll be opening a PR here for the Docker stuff tomorrow and will write up docs for the Helm/Kubernetes deploys as soon as I'm done putting a few production quality example configs together (to make it easier for those that are less familiar with Kubernetes). Assuming my Docker PR gets merged, the Docker Compose build/deployment process will be as simple as...

docker compose build
docker compose up -d

Kubernetes will definitely be a bit more involved than that, but I think everyone probably already knows that about Kubernetes. ;)

@fomalhautb
Copy link
Contributor

I currently have a fork with working Docker builds and a single-command docker-compose based build/startup process. I've been using it for several weeks at this point to iron out issues and simplify the setup. I also built a Helm chart for Kubernetes deployments that I'm already using with our deployed services.

I'll be opening a PR here for the Docker stuff tomorrow and will write up docs for the Helm/Kubernetes deploys as soon as I'm done putting a few production quality example configs together (to make it easier for those that are less familiar with Kubernetes). Assuming my Docker PR gets merged, the Docker Compose build/deployment process will be as simple as...

docker compose build
docker compose up -d

Kubernetes will definitely be a bit more involved than that, but I think everyone probably already knows that about Kubernetes. ;)

That is awesome! I just got started with it but since you already have something working, I will just wait for your PR then!

@fomalhautb fomalhautb changed the title Not able to self host Self-host docker Sep 25, 2024
@csyedbilal
Copy link

root@stack-auth:~/stack/apps/dashboard# pnpm run dev

@stackframe/stack-dashboard@2.6.0 dev /root/stack/apps/dashboard
next dev --port 8101

▲ Next.js 14.2.3

✓ Starting...
automatically enabled Fast Refresh for 1 custom loader
✓ Ready in 1398ms
○ Compiling /src/middleware ...
✓ Compiled /src/middleware in 665ms (331 modules)
○ Compiling / ...
✓ Compiled / in 7.7s (4063 modules)
GET / 200 in 8174ms
✓ Compiled /projects in 461ms (2294 modules)
✓ Compiled in 798ms (1788 modules)
GET /favicon.ico 200 in 1736ms
GET /projects 200 in 965ms
⚠ Fast Refresh had to perform a full reload. Read more: https://nextjs.org/docs/messages/fast-refresh-reload
Error: aborted
at abortIncoming (node:_http_server:797:17)
at socketOnClose (node:_http_server:791:3)
at Socket.emit (node:events:531:35)
at Socket.emit (node:domain:488:12)
at TCP. (node:net:339:12)
at TCP.callbackTrampoline (node:internal/async_hooks:130:17) {
code: 'ECONNRESET'
}
⨯ uncaughtException: Error: aborted
at abortIncoming (node:_http_server:797:17)
at socketOnClose (node:_http_server:791:3)
at Socket.emit (node:events:531:35)
at Socket.emit (node:domain:488:12)
at TCP. (node:net:339:12)
at TCP.callbackTrampoline (node:internal/async_hooks:130:17) {
code: 'ECONNRESET'
}
⨯ uncaughtException: Error: aborted
at abortIncoming (node:_http_server:797:17)
at socketOnClose (node:_http_server:791:3)
at Socket.emit (node:events:531:35)
at Socket.emit (node:domain:488:12)
at TCP. (node:net:339:12)
at TCP.callbackTrampoline (node:internal/async_hooks:130:17) {
code: 'ECONNRESET'
}
✓ Compiled /handler/[...stack] in 466ms (4103 modules)
GET /handler/sign-in?after_auth_return_to=%2Fprojects 200 in 1125ms
⚠ Fast Refresh had to perform a full reload. Read more: https://nextjs.org/docs/messages/fast-refresh-reload

api:
[dev] [API REQ] [f7qa1wbn6zrngdnd] GET http://localhost:8102/api/v1/users/me
[dev] [ ERR] [f7qa1wbn6zrngdnd] GET http://localhost:8102/api/v1/users/me: You have specified 'me' as a userId, but did not provide authentication for a user.
[dev] GET /api/v1/users/me 200 in 15ms
Screenshot_143

@jshimko
Copy link

jshimko commented Sep 30, 2024

@csyedbilal You need to run that command from the root of the repo, not the dashboard directory. Follow the docs closely. Every command is always from the root directory.

@csyedbilal
Copy link

@jshimko please check dash: http://5.9.178.126:8101/
Api : http://5.9.178.126:8102/

it is just loading up again again.
i did manually i tried same issue

and follow this but same
#280

@jshimko
Copy link

jshimko commented Oct 1, 2024

@jshimko please check dash: http://5.9.178.126:8101/

Api : http://5.9.178.126:8102/

@csyedbilal Your URL'S need to start with https when using production builds. You can't use unencrypted connections to send auth cookies. You will need to use actual domain names instead of IP's and then set up SSL certs for them.

I do think the dashboard should probably have better error handling for that situation though. It's definitely not obvious what the issue is when you have an infinite loop of refreshes that keeps clearing the browser console before you can read anything.

@jshimko
Copy link

jshimko commented Oct 1, 2024

@csyedbilal a temporary workaround for the https thing when using the Docker builds from my PR is you can set NEXT_PUBLIC_INSECURE_COOKIE=true on the dashboard container. That should allow you to use the dashboard without SSL certs. That is VERY unsafe for production though, so definitely do not use that for anything other than testing.

@csyedbilal
Copy link

@jshimko
I’ve been following the PR for Docker builds, and I’m experiencing issues with cookies when running the setup.

git clone --single-branch -b docker-builds https://github.com/jshimko/stack.git stack-docker
cd stack-docker
pnpm docker:up

I’ve set up an NGINX proxy with SSL on the following domains:

https://api.huctech.me/
https://apps.huctech.me/projects
same issue infinite loop of redirects in the browser.

image

Steps Taken
I tried setting NEXT_PUBLIC_INSECURE_COOKIE=true in the environment variables to bypass the issue temporarily. However, this did not resolve the problem.

I followed the instructions regarding rebuilds, i.e., if code is changed, I explicitly ran:
pnpm docker:build
pnpm docker:up

Request
Could you please advise on any further steps or potential fixes? I’m not sure if I’m missing something, but the cookie issue is preventing progress despite the NEXT_PUBLIC_INSECURE_COOKIE variable being set.

Thanks in advance for your help!

@jshimko
Copy link

jshimko commented Oct 1, 2024

@csyedbilal I assume it's a configuration issue because I have those same Docker builds deployed with no issues. Make sure you have set all of your environment variables for URL's, API keys, etc. Just leaving everything like it is on my branch is NOT adequate or secure. You need to configure things for your own deployments. You also don't do that by setting new values in the Dockerfile and building again (which it appears you did above). You set them at runtime using whatever tool is running your containers. If that's Docker Compose, you either set values in the compose config file or the .env.docker file it currently loads.

I feel like I should also mention that if you're not comfortable with configuring and debugging Docker builds in production, you may want to consider Stack's hosted service. Especially because this is user authentication and security is very important in this context. Just something to consider.

For example, since I can see that you have just used the default docker-compose config that is intended for local development and testing Docker builds, I now have enough information to access your database (and I just did). I can also be reasonably sure you used default secret values as well, so that also means I have full access to your Stack API (also just confirmed by listing API keys in your database).

image

So yeah, I would definitely make sure you know what you're doing before self hosting something like a user auth service. Step 1 - don't expose the Postgres container port publicly EVER. Step 2 - don't use usernames, passwords, secrets, etc. from a public open source repo. Always configure everything yourself or else anyone with access to the repo will know your secrets.

@jshimko
Copy link

jshimko commented Oct 2, 2024

@csyedbilal I just pushed a commit to remove the exposed database ports so that nobody else misses that if they try to use this docker-compose config in production. But my original comments still stand. This docker-compose config is just meant to be a working reference for spinning everything up in Docker containers. It's not a production config. You should only be using that as a starting point for your own deployment config. You will always need to set your own environment variables and ensure your server doesn't expose anything that it shouldn't. For example, you probably shouldn't have anything other than nginx and port 443 exposed on that server (meaning this shouldn't be possible: http://api.huctech.me:8102).

One more item... the Svix JWT secret in svix-server (SVIX_JWT_SECRET) which is used to generate STACK_SVIX_API_KEY will need to be replaced and a new API key generated or anyone will be able to trigger webhooks on your Svix deployment using the secret from this repo. See the svix-server README for how to generate your own JWT token to be used in STACK_SVIX_API_KEY.

Anyway, I just wanted to make sure to point out a few of the ways that self-hosting can come with a lot of security responsibilities so that you and others interested in self-hosting understand some of the ways your security can be easily compromised if you're not familiar with all of the configuration. Be careful out there! :)

@csyedbilal
Copy link

csyedbilal commented Oct 2, 2024

@jshimko it is worked thanks!

but i did git pull to move production.

stack-backend | All migrations have been successfully applied.
stack-backend | Running seed script...
stack-backend | Seeding database...
stack-backend | PrismaClientValidationError:
stack-backend | Invalid prisma.project.create() invocation:
stack-backend |
stack-backend | {
stack-backend | data: {
stack-backend | id: "internal",
stack-backend | displayName: "Stack Dashboard",
stack-backend | description: "Stack's admin dashboard",
stack-backend | isProductionMode: false,
stack-backend | apiKeySets: {
stack-backend | create: [
stack-backend | {
stack-backend | description: "Internal API key set",
stack-backend | publishableClientKey: "this-publishable-client-key- is-for-local-development-only",
stack-backend | secretServerKey: "this-secret-server-key-is-for-loc al-development-only",
stack-backend | superSecretAdminKey: "this-super-secret-admin-key-i s-for-local-development-only",
stack-backend | expiresAt: new Date("2099-12-31T23:59:59.000Z")
stack-backend | }
stack-backend | ]
stack-backend | },
stack-backend | config: {
stack-backend | create: {
stack-backend | allowLocalhost: true,
stack-backend | signUpEnabled: true,
stack-backend | emailServiceConfig: {
stack-backend | create: {
stack-backend | proxiedEmailServiceConfig: {
stack-backend | create: {}
stack-backend | }
stack-backend | }
stack-backend | },
stack-backend | createTeamOnSignUp: false,
stack-backend | clientTeamCreationEnabled: false,
stack-backend | authMethodConfigs: {
stack-backend | create: [
stack-backend | {
stack-backend | otpConfig: {
stack-backend | create: {
stack-backend | contactChannelType: "EMAIL"
stack-backend | }
stack-backend | }
stack-backend | },
stack-backend | {
stack-backend | passwordConfig: {
stack-backend | create: {
stack-backend | identifierType: "EMAIL"
stack-backend | }
stack-backend | }
stack-backend | }
stack-backend | ]
stack-backend | }
stack-backend | }
stack-backend | }
stack-backend | }
stack-backend | }
stack-backend |
stack-backend | Unknown argument identifierType. Available options are mark ed with ?.
stack-backend | at Dn (/app/apps/backend/seed-self-host.js:4468:13)
stack-backend | at Mn.handleRequestError (/app/apps/backend/seed-self-hos t.js:4991:11)
stack-backend | at Mn.handleAndLogRequestError (/app/apps/backend/seed-se lf-host.js:4982:16)
stack-backend | at Mn.request (/app/apps/backend/seed-self-host.js:4973:1 6)
stack-backend | at async l (/app/apps/backend/seed-self-host.js:5366:21)
stack-backend | at async /app/apps/backend/seed-self-host.js:6053:28
stack-backend | at async Proxy._transactionWithCallback (/app/apps/backen d/seed-self-host.js:5341:17)
stack-backend | at async seed (/app/apps/backend/seed-self-host.js:6052:3 ) {
stack-backend | clientVersion: '5.20.0'
stack-backend | }
stack-backend exited with code 1

thanks again for security recommendations!

@N2D4 N2D4 self-assigned this Oct 21, 2024
@fomalhautb fomalhautb assigned fomalhautb and unassigned N2D4 Nov 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants