Fetch failed, but I do not know where

[wsw70]

Fresh installation of ciso-assistant, on a docker reverse proxied by Caddy (the Caddy in the compose file is removed). I get an error 500 when going to the root of the site, the frontend logs show a fetch error.

I do not understand which call (actually - towards which endpoint) fails. The log is

TypeError: fetch failed
    at node:internal/deps/undici/undici:13484:13
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async ensureCsrfToken (file:///app/build/server/chunks/hooks.server-DcGiXu3q.js:29:22)
    at async Object.handle (file:///app/build/server/chunks/hooks.server-DcGiXu3q.js:71:3)
    at async respond (file:///app/build/server/index.js:3489:22)
    at async Array.ssr (file:///app/build/handler.js:1284:3) {
  [cause]: AggregateError [ECONNREFUSED]: 
      at internalConnectMultiple (node:net:1139:18)
      at afterConnectMultiple (node:net:1712:7) {
    code: 'ECONNREFUSED',
    [errors]: [ [Error], [Error] ]
  }
}

The docker compose file is

volumes:
  grc-db:

networks:
  default:
    external: true
    name: caddy

services:
  grc-backend:
    container_name: grc-backend
    image: ghcr.io/intuitem/ciso-assistant-community/backend:latest
    restart: always
    environment:
      - ALLOWED_HOSTS=grc-frontend,grc-backend,grc.security.example.com,caddy
      - CISO_ASSISTANT_URL=https://grc.security.example.com
      - DJANGO_DEBUG=True
      - AUTH_TOKEN_TTL=7200
    volumes:
      - grc-db:/code/db

  grc-frontend:
    container_name: grc-frontend
    environment:
      - PUBLIC_backend_API_URL=http://grc-backend:8000/api
      - PUBLIC_backend_API_EXPOSED_URL=https://grc.security.example.com/api
      - PROTOCOL_HEADER=x-forwarded-proto
      - HOST_HEADER=x-forwarded-host
    image: ghcr.io/intuitem/ciso-assistant-community/frontend:latest
    depends_on:
      - grc-backend
    labels:
      caddy: grc.security.example.com
      caddy.tls: /config/certs/security.example.com.crt /config/certs/security.example.com.key
      caddy.@grc_frontend_root.path: /*
      caddy.@grc_backend_api.path: /api/*
      caddy.0_reverse_proxy: "@grc_backend_api grc-backend:8000"
      caddy.1_reverse_proxy: "@grc_frontend_root grc-frontend:3000"

My wild guess is that the problem is somewhere in ALLOWED_HOSTS. I checked the connectivity on the backend to itself:

f22fc25ab64:/code# wget http://grc-backend:8000/api -O -
Connecting to grc-backend:8000 (169.254.1.15:8000)
wget: server returned error: HTTP/1.1 401 Unauthorized

9f22fc25ab64:/code# wget http://grc.security.example.com:8000/api -O -
Connecting to grc.security.example.com:8000 (10.28.67.20:8000)
wget: can't connect to remote host (10.28.67.20): Connection refused

The second connection is refused, which looks like the error in the log ECONNREFUSED. The traffic this way goes backend → reverse proxy → backend. I whitelisted grc-frontend,grc-backend,grc.security.example.com,caddy (EDIT and more, see below) in ALLOWED_HOSTS but it may not be enough.

Is there a way to retrieve the reason of the rejection, on the backend? It could give a clue of why it was rejected (hostname, impossibility to get the PTR of the incoming IP, ...)

EDIT I am out of options. I added to ALLOWED_HOSTS the frontend, backend, proxy, their internal names, their PTR names and their IPs, I do not know what to look for next

---

Merci pour ce soft qui semble vraiment super! 🇫🇷

[brunodebastiani]

I'm exactly in the same case as you !
Did you find a fix ?