DNS errors and Could not check for JavaScript support in docker instance

Hey together!
I recently took over the administration of an old NC 18 installation, which I migrated to a new server and into a docker setup. After that I upgraded every major to the current stable. At first glance everything works as expected, but I have two strange things happening:

1: The admin overview states

Could not check for JavaScript support. Please check manually if your webserver serves `.mjs` files using the JavaScript MIME type.

I have read a lot of proposed fixes to this problem, but a lot do not apply here (since I don’t use nginx).

When I try to curl the esm-test from my app container, the following happens:

curl -I https://cloud.mydomain.de/apps/settings/js/esm-test.mjs
curl: (28) Failed to connect to cloud.mydomain.de port 443 after 129894 ms: Couldn't connect to server

Which I don’t really understand. Curling any other online resource seems to work fine from here.

Opening it from my browser results in

/**
 * This is a dummy file for testing webserver support of JavaScript modules.
 */

export default 'Hello'

If I install dnsutils into the app container and call

nslookup cloud.mydomain.de

it resolves the public IPv4 and IPv6 without any problems.

2: I get sporadic DNS errors in the log; it seems like this happens when specific cron tasks are run.

One example:

{"reqId":"GjoN5HOEfJOzkwpTtxh3","level":3,"time":"2024-04-18T10:35:03+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"dns_get_record(): A temporary server error occurred. at /var/www/html/lib/private/Http/Client/DnsPinMiddleware.php#111","userAgent":"--","version":"28.0.4.1","data":{"app":"PHP"},"id":"6620faba80aa6"}

I also looked around for what that could be, but did not really find any solution worth trying.

Maybe these two problems are linked together?

My setup looks like this:

docker-compose of my traefik reverse proxy:

services:
    socket-proxy-traefik:
      image: lscr.io/linuxserver/socket-proxy:latest
      container_name: socket-proxy-traefik
      environment:
      - ALLOW_START=0 
      - ALLOW_STOP=0 
      - ALLOW_RESTARTS=0 
      - AUTH=0 
      - BUILD=0 
      - COMMIT=0 
      - CONFIGS=0 
      - CONTAINERS=1 
      - DISABLE_IPV6=0 
      - DISTRIBUTION=0 
      - EVENTS=1 
      - EXEC=0 
      - IMAGES=0 
      - INFO=0 
      - NETWORKS=0 
      - NODES=0 
      - PING=0 
      - POST=0 
      - PLUGINS=0 
      - SECRETS=0 
      - SERVICES=0 
      - SESSION=0 
      - SWARM=0 
      - SYSTEM=0 
      - TASKS=0 
      - VERSION=1 
      - VOLUMES=0 
      volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      restart: unless-stopped
      read_only: true
      tmpfs:
      - /run
      networks:
      - sp-traefik

    traefik:
        image: traefik:latest
        restart: unless-stopped
        user: 4200:4200
        volumes:
        - /mnt/data/container_data/baseservices/traefik/acme:/acme:z
        ports:
        - 80:80/tcp
        - 443:443/tcp
        command:
        - --providers.docker=true
        - --providers.docker.endpoint=tcp://socket-proxy-traefik:2375
        - --entryPoints.web.address=:80
        - --entryPoints.web.http.redirections.entryPoint.to=websecure
        - --entryPoints.web.http.redirections.entryPoint.scheme=https
        - --entryPoints.websecure.address=:443
        - --providers.docker.exposedByDefault=false
        - --certificatesresolvers.le.acme.email=ssladmin@mydomain.de
        - --certificatesresolvers.le.acme.storage=/acme/acme.json
        - --certificatesresolvers.le.acme.tlschallenge=true
        container_name: traefik
        networks:
        - gateway
        - sp-traefik


networks:
  gateway:
    name: gateway
    external: true
  sp-traefik:
    name: sp-traefik
    external: true

The docker-compose of the cloud instance looks like this:


services:
  db:
    image: mariadb:latest
    restart: always
    volumes:
      - /mnt/data/container_data/cloud/database:/var/lib/mysql
    env_file:
      - .env
    networks:
     - cloud

  app:
    image: nextcloud:stable
    restart: always
    expose:
      - "80"
    volumes:
      - /mnt/data/container_data/cloud/www:/var/www/html
      - /mnt/data/container_data/cloud/data:/Data/Cloud
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    depends_on:
      - db
      - redis
    labels:
     - "traefik.enable=true"
     - "traefik.docker.network=gateway"
     - "traefik.http.routers.cl01.rule=Host(`cloud.mydomain.de`)"
     - "traefik.http.routers.cl01.entrypoints=websecure"
     - "traefik.http.routers.cl01.tls.certresolver=le"
     - "traefik.http.services.cl01.loadbalancer.server.port=80"
     - "traefik.http.routers.cl01.middlewares=nextcloud_redirectregex,nextcloud_headers"
     - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.permanent=true"
     - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.regex=https://(.*)/.well-known/(?:card|cal)dav"
     - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav"
     - "traefik.http.middlewares.nextcloud_headers.headers.customFrameOptionsValue=SAMEORIGIN"
     - "traefik.http.middlewares.nextcloud_headers.headers.framedeny=true"
     - "traefik.http.middlewares.nextcloud_headers.headers.sslredirect=true"
     - "traefik.http.middlewares.nextcloud_headers.headers.STSIncludeSubdomains=true"
     - "traefik.http.middlewares.nextcloud_headers.headers.STSPreload=true"
     - "traefik.http.middlewares.nextcloud_headers.headers.STSSeconds=315360000"
     - "traefik.http.middlewares.nextcloud_headers.headers.forceSTSHeader=true"
     - "traefik.http.middlewares.nextcloud_headers.headers.sslProxyHeaders.X-Forwarded-Proto=https"

    networks:
     - gateway
     - cloud

  cron:
    image: nextcloud:stable
    restart: always
    volumes:
      - /mnt/data/container_data/cloud/www:/var/www/html
      - /mnt/data/container_data/cloud/data:/Data/Cloud
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    depends_on:
      - db
      - redis
    entrypoint: /cron.sh
    networks:
     - cloud

  redis:
    image: redis:alpine
    restart: always
    env_file:
      - .env
    depends_on:
      - db
    networks:
     - cloud

networks:
  gateway:
    name: gateway
    external: true
  cloud:
    internal: true

The .env file for the instance looks like:

MYSQL_PASSWORD=REMOVEDUNSAFEINFORMATION
MYSQL_USER=nextcloud
MYSQL_DATABASE=nextcloud
MYSQL_HOST=db

MARIADB_RANDOM_ROOT_PASSWORD=true

NEXTCLOUD_ADMIN_USER=admin
NEXTCLOUD_ADMIN_PASSWORD=REMOVEDUNSAFEINFORMATION
NEXTCLOUD_TRUSTED_DOMAINS=cloud.mydomain.de


REDIS_HOST=redis

The config.php of the instance looks like:

<?php
$CONFIG = array (
  'instanceid' => 'REMOVEDUNSAFEINFORMATION',
  'passwordsalt' => 'REMOVEDUNSAFEINFORMATION',
  'secret' => 'REMOVEDUNSAFEINFORMATION',
  'trusted_domains' => 
  array (
    0 => 'cloud.mydomain.de',
    1 => 'REMOVEDIPV4PUBLICIP',
    2 => 'REMOVEDIPV6PUBLICIP',
  ),
  'datadirectory' => '/Data/Cloud/',
  'dbtype' => 'mysql',
  'version' => '28.0.4.1',
  'overwriteprotocol' => 'https',
  'overwritehost' => 'cloud.mydomain.de',
  'overwrite.cli.url' => 'https://cloud.mydomain.de',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'REMOVEDUNSAFEINFORMATION',
  'installed' => true,
  'maintenance' => false,
  'loglevel' => 2,
  'trusted_proxies' => 
  array (
    0 => '172.0.0.0/8',
  ),
  'mysql.utf8mb4' => true,
  'maintenance_window_start' => 1,
  'filelocking.enabled' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'redis',
    'port' => 6379,
    'timeout' => 0.0,
  ),
  'default_phone_region' => 'DE',
);

Does someone notice anything wrong with my configuration here?
I’m thankful for any hints :slight_smile:

Alex

Hi @Apfelwurm, welcome back to the forum :handshake:

Docker doesn’t play well with IPv6 by default… this should not be a problem, but more and more clients prefer IPv6 and this could result in strange issues. Maybe you start with IPv4-only and enable IPv6 once you know the system runs bullet-proof.

Look at these topics - there are some hints regarding IPv6

Regarding the mjs issue - I cannot remember anybody reporting this issue with traefik. I know it doesn’t really help to say “it works on my machine”, but in my installation I don’t see the issue…

Windows 10 PowerShell “curl”:

I don’t see any issue on your configs at first glance… consider providing more configs and logs

1 Like

Keep in mind this isn’t the warning that your .mjs handling is broken. It’s the error that the check itself can’t run due to something in your environment. Generally it’s an internal DNS matter or firewalling issue. In this case, I suspect that your cloud.mydomain.de HTTPS (which presumably terminates on your traefik RP container) isn’t accessible from your Nextcloud app container.

Check:

  • You don’t have different internal and external DNS for “cloud.mydomain.de”.
  • That you can reach the external IP of your traefik container (the one that cloud.mydomain.de presumably resolves to) from your Nextcloud app container

Hey, thank you both for your replies!

First, to clarify: I don’t have IPv6 enabled in the docker daemon, but the port binding of traefik to the outside also binds to IPv6.

I have managed to find and fix the first issue. It was because I did not notice that UFW was enabled on the machine and there were no allow rules for 80 and 443. This does not cause any problems when accessing the services from the outside (since docker controls the underlying iptables stuff by itself), but seemingly it does with connections to those ports from the internal docker networks as source.
Once the 80 and 443 allow rule was added, I was able to curl the domain (and the js test endpoint) and the error message went away.

Also, since I changed that, the frequency of the second error has really gone down: before that I got the error 10-25 times in one hour, now I had 8 occurrences in 5 hours.

I will keep an eye on the DNS error, since there are a few reported cases of it, and as long as we do not encounter any problem with the instance, everything is okay for now.

Alex

1 Like
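
The triage walked through in this thread, as a script. This is an added example, not code from any of the posters or from Nextcloud: it maps the curl exit code and the returned Content-Type to the failing layer, so that a silent firewall drop (exit 28, as in the first post) is told apart from a DNS failure or a real MIME problem. The function names, the result labels and the set of accepted MIME types are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Run inside the app container:
#   sh mjs-triage.sh https://cloud.mydomain.de/apps/settings/js/esm-test.mjs
# Without an argument it classifies a few constructed sample results.

# classify_probe <curl exit code> <Content-Type header value>
classify_probe() {
  rc="$1"
  ctype=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$rc" in
    6)     echo "dns-failure" ;;      # name did not resolve
    7)     echo "connect-failed" ;;   # refused or no route to the port
    28)    echo "connect-timeout" ;;  # timed out; typically a firewall DROP
    35|60) echo "tls-failure" ;;      # handshake or certificate problem
    0)
      # Assumed accepted values: text/javascript or application/javascript
      case "$ctype" in
        text/javascript*|application/javascript*) echo "ok" ;;
        *) echo "wrong-mime" ;;
      esac ;;
    *)     echo "other-curl-error" ;;
  esac
}

# probe_mjs <url>: fetch the test file and classify the outcome.
probe_mjs() {
  probe_rc=0
  probe_ctype=$(curl -sS -o /dev/null --connect-timeout 10 \
    -w '%{content_type}' "$1" 2>/dev/null) || probe_rc=$?
  classify_probe "$probe_rc" "$probe_ctype"
}

if [ -n "${1:-}" ]; then
  probe_mjs "$1"
else
  # Constructed samples in the form "exit code|Content-Type"
  for s in '28|' '6|' '0|text/javascript; charset=utf-8' '0|text/plain'; do
    printf '%-36s -> %s\n' "$s" "$(classify_probe "${s%%|*}" "${s#*|}")"
  done
fi
```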