the happy eyeballs implementation in node is buggy. ipv4 and ipv6 connections
are made in parallel and whichever responds first is chosen. when there is no
ipv6 (immediately errors with ENETUNREACH/EHOSTUNREACH) and when ipv4 is > 250ms,
the code erroneously times out.
see also https://github.com/nodejs/node/issues/54359
reproduction for those servers:
const options = {
hostname: 'www.cloudron.io', port: 80, path: '/', method: 'HEAD',
// family: 4, // uncomment to make it work
};
const req = require('http').request(options, (res) => {
console.log('statusCode:', res.statusCode);
res.on('data', () => {}); // drain
});
req.on('socket', (socket) => console.log('Socket assigned to request', socket););
req.on('error', (e) => console.error(e));
req.end();
this is required for mastodon atleast. if the oidc avatar url, returns
an svg, it crashes!
the profile pic png was created using inkspace:
inkscape -w 96 -h 96 avatar-default-symbolic.svg -o avatar-default-symbolic.png
the exception is when sudo calls backupupload.js which already has timestamped
output because it uses node
an alternative idea is to maybe not use this flag at all and always parse the output.
this is a bit complicated since we have to look for a timestamp in a stream.
it seems unbound-anchor is not a dep of unbound in ubuntu 24. some
installations are thus missing this package.
in any case, ignore unbound-anchor exit status
Issue 1: DO droplet when given the name my.blah.com , will put an entry
in /etc/hosts with `127.0.1.1 my.blah.com` . When app containers use
system DNS, they get this IP address which does not work inside a container.
An idea is to remove this entry when running cloudron-setup, but maybe this
causes trouble later.
Issue 2: Some networks seem to lack loopback networking. With OIDC changes,
we want the apps to access my.blah.com even if hairpin nat is not working.
Solution: make my.blah.com to resolve to the docker bridge IP (172.18.0.1)
where nginx also listens to. This means that such requests never go outside the server
Caveats:
* This breaks AdGuard which now starts resolving it to 172.18.0.1 for
the entire network! So, we skip ExtraHosts configuration for adguard
* Maybe ExtraHosts should be scoped to OIDC apps only. But the thought here is
that it will help apps like say n8n which are querying dasahboard.
