Repeatedly logged out, unable to set database location

[ktkovachev]

Describe the bug/problem

I am writing this because I experienced a fairly difficult bug to fix concerning the early setup / login system, namely, when I set up access to my hosted calibre-web via an nginx reverse proxy and with Certbot HTTPS, the login system broke in the following way: although I was able to momentarily log in, when it prompted me to give the database file, clicking on the "Save" button did nothing but apparently reach out to the simulatedbchange endpoint, but failed to update the location. Further, clicking on absolutely any link on the page resulted in my being immediately logged out and asked to log in again. It was impossible to set the database path in this interface, and therefore to progress to using the site properly.

However, I was able to fix the issue by accessing the site through its IP and port number (i.e. without going through the SSL-enabled proxy), which somehow produced very different effects. I'm not sure why this is, so it could be a problem on my end, but I figure this may be a common use case, so I am documenting this here in case it can be traced to any particular bug.

To Reproduce

Steps to reproduce the behavior:

1. mkdir /opt/calibre-web
2. cd /opt/calibre-web
3. python3 -m venv calibre-web-env
4. . calibre-web-env/bin/activate
5. pip install calibreweb
6. cps &
7. vim /etc/nginx/sites-available/calibre-web
8. I entered the following:

server {
    server_name library.kovachev.xyz ;
    client_max_body_size 640M;

    location / {
        proxy_pass http://127.0.0.1:8083;
    }

}

9. certbot --nginx
10. Select library site to be SSL enabled
11. Corresponding changes reflected in the nginx config file
12. Access calibre-web via the above URL
13. Log in using default credentials
14. Attempt to change database path to /opt/calibre-library; fail.
    Logfile

[2024-11-28 03:43:58,664]  WARN {cps.config_sql:364} Log path /root/.calibre-web/calibre-web.log not valid, falling back to default
[2024-11-28 03:43:58,687]  WARN {cps.config_sql:364} Log path  not valid, falling back to default
[2024-11-28 03:43:58,696]  WARN {cps.config_sql:400} invalidating configuration
[2024-11-28 03:43:58,696]  WARN {cps.config_sql:364} Log path  not valid, falling back to default
[2024-11-28 03:43:58,719]  INFO {cps:169} *** "greenlet" version does not meet the requirements. Should: <3.1.0, Found: 3.1.1, please consider installing required version ***
[2024-11-28 03:43:58,719]  INFO {cps:178} Starting Calibre Web...
[2024-11-28 03:43:58,738]  WARN {py.warnings:110} /opt/calibre-web/calibre-web-env/lib/python3.12/site-packages/flask_limiter/extension.py:333: UserWarning: Using the in-memory storage for tracking rate limits as no storage was explicitly specified. This is not recommended for production use. See: https://flask-limiter.readthedocs.io#configuring-a-storage-backend for documentation about configuring the storage backend.
  warnings.warn(

[2024-11-28 03:43:59,118]  INFO {apscheduler.scheduler:181} Scheduler started
[2024-11-28 03:43:59,120]  INFO {apscheduler.scheduler:895} Added job "delete temp" to job store "default"
[2024-11-28 03:43:59,120]  INFO {apscheduler.scheduler:895} Added job "end scheduled task" to job store "default"
[2024-11-28 03:43:59,121]  INFO {apscheduler.scheduler:895} Added job "immediately delete temp" to job store "default"
[2024-11-28 03:43:59,123]  INFO {apscheduler.executors.default:123} Running job "immediately delete temp (trigger: date[2024-11-28 03:43:59 UTC], next run at: 2024-11-28 03:43:59 UTC)" (scheduled at 2024-11-28 03:43:59.121192+00:00)
[2024-11-28 03:43:59,128]  INFO {apscheduler.executors.default:144} Job "immediately delete temp (trigger: date[2024-11-28 03:43:59 UTC], next run at: 2024-11-28 03:43:59 UTC)" executed successfully
[2024-11-28 03:43:59,129]  INFO {apscheduler.scheduler:641} Removed job 897e2ad0e689474084f087929d7e54ff
[2024-11-28 03:44:00,785]  INFO {cps.server:268} Starting Tornado server on :8083
[2024-11-28 03:44:31,707]  INFO {cps.server:319} webserver stop (restart=False)
[2024-11-28 03:44:31,710]  INFO {apscheduler.scheduler:212} Scheduler has been shut down
[2024-11-28 03:44:31,712]  INFO {cps.server:298} Performing shutdown of Calibre-Web
[2024-11-28 03:44:39,713]  WARN {cps.config_sql:364} Log path  not valid, falling back to default
[2024-11-28 03:44:39,715]  WARN {cps.config_sql:400} invalidating configuration
[2024-11-28 03:44:39,715]  WARN {cps.config_sql:364} Log path  not valid, falling back to default
[2024-11-28 03:44:39,747]  INFO {cps:169} *** "greenlet" version does not meet the requirements. Should: <3.1.0, Found: 3.1.1, please consider installing required version ***
[2024-11-28 03:44:39,748]  INFO {cps:178} Starting Calibre Web...
[2024-11-28 03:44:39,763]  WARN {py.warnings:110} /opt/calibre-web/calibre-web-env/lib/python3.12/site-packages/flask_limiter/extension.py:333: UserWarning: Using the in-memory storage for tracking rate limits as no storage was explicitly specified. This is not recommended for production use. See: https://flask-limiter.readthedocs.io#configuring-a-storage-backend for documentation about configuring the storage backend.
  warnings.warn(

[2024-11-28 03:44:40,135]  INFO {apscheduler.scheduler:181} Scheduler started
[2024-11-28 03:44:40,136]  INFO {apscheduler.scheduler:895} Added job "delete temp" to job store "default"
[2024-11-28 03:44:40,137]  INFO {apscheduler.scheduler:895} Added job "end scheduled task" to job store "default"
[2024-11-28 03:44:40,138]  INFO {apscheduler.scheduler:895} Added job "immediately delete temp" to job store "default"
[2024-11-28 03:44:40,139]  INFO {apscheduler.executors.default:123} Running job "immediately delete temp (trigger: date[2024-11-28 03:44:40 UTC], next run at: 2024-11-28 03:44:40 UTC)" (scheduled at 2024-11-28 03:44:40.137815+00:00)
[2024-11-28 03:44:40,142]  INFO {apscheduler.scheduler:641} Removed job e25ed8de052b4850acb3d1e4fc65b573
[2024-11-28 03:44:40,144]  INFO {apscheduler.executors.default:144} Job "immediately delete temp (trigger: date[2024-11-28 03:44:40 UTC], next run at: 2024-11-28 03:44:40 UTC)" executed successfully
[2024-11-28 03:44:41,779]  INFO {cps.server:268} Starting Tornado server on :8083
[2024-11-28 03:54:01,431]  INFO {cps.server:319} webserver stop (restart=False)
[2024-11-28 03:54:01,434]  INFO {apscheduler.scheduler:212} Scheduler has been shut down
[2024-11-28 03:54:01,436]  INFO {cps.server:298} Performing shutdown of Calibre-Web
[2024-11-28 03:54:05,880]  WARN {cps.config_sql:364} Log path  not valid, falling back to default
[2024-11-28 03:54:05,882]  WARN {cps.config_sql:400} invalidating configuration
[2024-11-28 03:54:05,882]  WARN {cps.config_sql:364} Log path  not valid, falling back to default
[2024-11-28 03:54:05,919]  INFO {cps:169} *** "greenlet" version does not meet the requirements. Should: <3.1.0, Found: 3.1.1, please consider installing required version ***
[2024-11-28 03:54:05,919]  INFO {cps:178} Starting Calibre Web...
[2024-11-28 03:54:05,931]  WARN {py.warnings:110} /opt/calibre-web/calibre-web-env/lib/python3.12/site-packages/flask_limiter/extension.py:333: UserWarning: Using the in-memory storage for tracking rate limits as no storage was explicitly specified. This is not recommended for production use. See: https://flask-limiter.readthedocs.io#configuring-a-storage-backend for documentation about configuring the storage backend.
  warnings.warn(

[2024-11-28 03:54:06,196]  INFO {apscheduler.scheduler:181} Scheduler started
[2024-11-28 03:54:06,198]  INFO {apscheduler.scheduler:895} Added job "delete temp" to job store "default"
[2024-11-28 03:54:06,198]  INFO {apscheduler.scheduler:895} Added job "end scheduled task" to job store "default"
[2024-11-28 03:54:06,199]  INFO {apscheduler.scheduler:895} Added job "immediately delete temp" to job store "default"
[2024-11-28 03:54:06,200]  INFO {apscheduler.executors.default:123} Running job "immediately delete temp (trigger: date[2024-11-28 03:54:06 UTC], next run at: 2024-11-28 03:54:06 UTC)" (scheduled at 2024-11-28 03:54:06.199103+00:00)
[2024-11-28 03:54:06,200]  INFO {apscheduler.scheduler:641} Removed job 6f00090c8d7e492d8338491dd579699c
[2024-11-28 03:54:06,205]  INFO {apscheduler.executors.default:144} Job "immediately delete temp (trigger: date[2024-11-28 03:54:06 UTC], next run at: 2024-11-28 03:54:06 UTC)" executed successfully
[2024-11-28 03:54:06,796]  INFO {cps.server:268} Starting Tornado server on :8083
[2024-11-28 03:59:22,850]  INFO {cps.server:319} webserver stop (restart=False)
[2024-11-28 03:59:22,853]  INFO {apscheduler.scheduler:212} Scheduler has been shut down
[2024-11-28 03:59:22,856]  INFO {cps.server:298} Performing shutdown of Calibre-Web
[2024-11-28 03:59:33,593]  WARN {cps.config_sql:364} Log path  not valid, falling back to default
[2024-11-28 03:59:33,595]  WARN {cps.config_sql:400} invalidating configuration
[2024-11-28 03:59:33,595]  WARN {cps.config_sql:364} Log path  not valid, falling back to default
[2024-11-28 03:59:33,629]  INFO {cps:169} *** "greenlet" version does not meet the requirements. Should: <3.1.0, Found: 3.1.1, please consider installing required version ***
[2024-11-28 03:59:33,629]  INFO {cps:178} Starting Calibre Web...
[2024-11-28 03:59:33,643]  WARN {py.warnings:110} /opt/calibre-web/calibre-web-env/lib/python3.12/site-packages/flask_limiter/extension.py:333: UserWarning: Using the in-memory storage for tracking rate limits as no storage was explicitly specified. This is not recommended for production use. See: https://flask-limiter.readthedocs.io#configuring-a-storage-backend for documentation about configuring the storage backend.
  warnings.warn(

[2024-11-28 03:59:33,912]  INFO {apscheduler.scheduler:181} Scheduler started
[2024-11-28 03:59:33,914]  INFO {apscheduler.scheduler:895} Added job "delete temp" to job store "default"
[2024-11-28 03:59:33,914]  INFO {apscheduler.scheduler:895} Added job "end scheduled task" to job store "default"
[2024-11-28 03:59:33,915]  INFO {apscheduler.scheduler:895} Added job "immediately delete temp" to job store "default"
[2024-11-28 03:59:33,916]  INFO {apscheduler.executors.default:123} Running job "immediately delete temp (trigger: date[2024-11-28 03:59:33 UTC], next run at: 2024-11-28 03:59:33 UTC)" (scheduled at 2024-11-28 03:59:33.915235+00:00)
[2024-11-28 03:59:33,916]  INFO {apscheduler.scheduler:641} Removed job 0280f80fdef44b938fe1ca93bda05c92
[2024-11-28 03:59:33,925]  INFO {apscheduler.executors.default:144} Job "immediately delete temp (trigger: date[2024-11-28 03:59:33 UTC], next run at: 2024-11-28 03:59:33 UTC)" executed successfully
[2024-11-28 03:59:34,693]  INFO {cps.server:268} Starting Tornado server on :8083
[2024-11-28 04:00:00,003]  INFO {apscheduler.executors.default:123} Running job "delete temp (trigger: cron[hour='4'], next run at: 2024-11-29 04:00:00 UTC)" (scheduled at 2024-11-28 04:00:00+00:00)
[2024-11-28 04:00:00,007]  INFO {apscheduler.executors.default:144} Job "delete temp (trigger: cron[hour='4'], next run at: 2024-11-29 04:00:00 UTC)" executed successfully
[2024-11-28 04:06:19,565]  WARN {cps.config_sql:364} Log path  not valid, falling back to default
[2024-11-28 04:06:19,572]  WARN {cps.config_sql:364} Log path  not valid, falling back to default
[2024-11-28 04:10:00,003]  INFO {apscheduler.executors.default:123} Running job "end scheduled task (trigger: cron[hour='4', minute='10'], next run at: 2024-11-29 04:10:00 UTC)" (scheduled at 2024-11-28 04:10:00+00:00)
[2024-11-28 04:10:00,003]  INFO {apscheduler.executors.default:144} Job "end scheduled task (trigger: cron[hour='4', minute='10'], next run at: 2024-11-29 04:10:00 UTC)" executed successfully

Expected behavior

It should be possible to update the database path through the web GUI even through the SSL proxy. Also, the site should not require me to re-log-in every time a hyperlink is followed.

Screenshots

If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

• OS: Ubuntu 22.04 LTS
• Python version: 3.12.3
• Calibre-Web version: 0.6.24
• Docker container: None
• Special Hardware: None
• Browser: Mozilla Firefox 132.0.1

Additional context
Nothing beyond what has already been mentioned, but the reverse proxy part is what appears to be the problem.
Full config of the nginx proxy is:

server {
    server_name library.kovachev.xyz ;
    client_max_body_size 640M;

    location / {
        proxy_pass http://127.0.0.1:8083;
    }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/library.kovachev.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/library.kovachev.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = library.kovachev.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name library.kovachev.xyz ;
    listen 80;
    return 404; # managed by Certbot


}

[OzzieIsaacs]

… but the reverse proxy part is what appears to be the problem.

correct

[OzzieIsaacs]

Have a look here: https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#nginx

[ktkovachev]

I see, thanks for the explanation. I didn't realize there was a special setup to do with this. When I did it about half a year ago it seemed to work even without this type of configuration, but evidently it's not quite the same now? Or perhaps I misremember and I was connecting directly last time too. Maybe something about this could be put in the README?

[OzzieIsaacs]

Proxy config is unchanged for years

[OzzieIsaacs]

There is a general link to the wiki, I think this is sufficient