Tiny Tiny RSS on Synology NAS Login Issue

I’m using docker compose setup, with modifications (modified .yml files, third party plugins/themes, etc.) - if so, describe your modifications in your post.


I’m trying to get a Docker install working on a Synology NAS and while I think the issue is not with the docker/latest, I was hoping someone had a tip as to what I can look for. I’ve tried 3-4 times, with two slightly different approaches (same issue with both).

I’ve tried a NAS GUI Docker install of PGSQL12-Alpine, then cthulhoo/ttrss-fpm-pgsql-static and cthulhoo/ttrss-web-nginx and at a glance it seemed to work with minor tweaks to ENV (basically setting db/user/pass/port, paths, keeping default GUI/UID as there was some back and forth in that regard in forum thread about what is correct or required).

I’ve also tried a docker-compose with the YML below that is based on findings and notes from another thread on this forum (see below code). I am now trying to get an original install guide docker install to work, but having an issue with permissions that crashes the install.

While I can log on to TT if I set my SELF_URL_PATH to my local network NAS IP HTTP, I cannot log in if I set it to my external DDNS with HTTP. I get the TT login page up, but attempting to log in as admin just results in the TT login page refreshing without any errors.

I’ve yet to get HTTPS to work at all, still learning about docker and NGINX as to figure out what I need to do in my case to get that working, though I don’t see the link to my issue. Beyond the docker install, I’ve done a port forward of 8200 to the NAS IP:8200 on my router.

The closest to an error I have managed to nail down is this from the WEB Container (almost missed it, but the 302 seems suspect here, just not sure about the cause yet and why it all works if I use HTTP with my local NAS IP):
"POST /tt-rss/public.php?return=http%3A%2F%2Fxxx.synology.me%3A8200%2Ftt-rss%2F HTTP/1.1" 302 5 "http://xxx.synology.me:8200/tt-rss/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"

UPDATE: While I thought the above 302 is normal, well at least when using local IP the message looks just the same, so my bad thinking that was related I guess

I guess this is most likely unrelated to the docker as it clearly works for everyone generally, so maybe it’s something else wrong with my NAS install generally. Maybe I need to take this over to the Synology forum or just retry/learn until I find the cause.

YML for docker-compose:

version: '3'
services:
  db:
    image: postgres:12-alpine
    container_name: ttrss_db
    restart: unless-stopped
    environment:
      - POSTGRES_USER=ttrss
      - POSTGRES_PASSWORD=ttrss
      - POSTGRES_DB=ttrss
    ports:
      - 5434:5432
    volumes:
      - /volume1/docker/ttrss/db:/var/lib/postgresql/data
    labels:
      - wud.watch=false      
  app:
    image: cthulhoo/ttrss-fpm-pgsql-static:latest
    container_name: ttrss_app
    restart: unless-stopped
    environment:
      - OWNER_UID=1024
      - OWNER_GID=101
      - TTRSS_DB_PASS=ttrss
      - TTRSS_DB_USER=ttrss
      - TTRSS_DB_NAME=ttrss
      - TTRSS_SELF_URL_PATH=http://xxx.synology.me:8200/tt-rss
      - TTRSS_FEED_FETCH_NO_CACHE_TIMEOUT=120
      - ADMIN_USER_PASS=password    
    volumes:
      - /volume1/docker/ttrss/app:/var/www/html
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    depends_on:
      - db
  updater:
    image: cthulhoo/ttrss-fpm-pgsql-static:latest
    container_name: ttrss_updater
    restart: unless-stopped
    environment:
      - OWNER_UID=1024
      - OWNER_GID=101
      - TTRSS_DB_PASS=ttrss
      - TTRSS_DB_USER=ttrss
      - TTRSS_DB_NAME=ttrss
      - TTRSS_SELF_URL_PATH=http://xxx.synology.me:8200/tt-rss
      - TTRSS_FEED_FETCH_NO_CACHE_TIMEOUT=120
    volumes:
      - /volume1/docker/ttrss/app:/var/www/html
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    depends_on:
      - app
    command: /opt/tt-rss/updater.sh
  web-nginx:
    image: cthulhoo/ttrss-web-nginx:latest
    container_name: ttrss_web
    restart: on-failure
    ports:
      - 8200:80
    volumes:
      - /volume1/docker/ttrss/app:/var/www/html:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    depends_on:
      - app
volumes:
  db:
  app:
  certs:
  backups:

Just in case it helps anyone spot my issue:

APP Log:

db:5432 - accepting connections
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
updating all local plugins...
NOTICE:  extension "pg_trgm" already exists, skipping
[16:42:58/44] Lock: update.lock
[16:42:58/44] Database schema is already at latest version.
[16:42:58/46] Lock: update.lock
[16:42:58/46] Changing password of user admin...
[16:42:59/46] Success.
[16-Aug-2022 16:42:59] NOTICE: fpm is running, pid 1
[16-Aug-2022 16:42:59] NOTICE: ready to handle connections

WEB Log for when clicking to login:


172.18.0.1 - - [16/Aug/2022:16:59:01 +0000] "GET /tt-rss/index.php HTTP/1.1" 200 958 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.18.0.1 - - [16/Aug/2022:16:59:01 +0000] "GET /tt-rss/themes/light.css HTTP/1.1" 200 51587 "http://192.168.1.20:8200/tt-rss/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.18.0.1 - - [16/Aug/2022:16:59:01 +0000] "GET /tt-rss/lib/flat-ttrss/flat_combined.css HTTP/1.1" 200 130554 "http://192.168.1.20:8200/tt-rss/themes/light.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.18.0.1 - - [16/Aug/2022:16:59:07 +0000] "GET /tt-rss/images/favicon.png HTTP/1.1" 200 2774 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.18.0.1 - - [16/Aug/2022:16:59:10 +0000] "GET /tt-rss/ HTTP/1.1" 200 5208 "http://xxx.synology.me:8200/tt-rss/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.18.0.1 - - [16/Aug/2022:16:59:10 +0000] "GET /tt-rss/themes/night.css?1660669151017 HTTP/1.1" 200 58859 "http://xxx.synology.me:8200/tt-rss/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.18.0.1 - - [16/Aug/2022:16:59:11 +0000] "POST /tt-rss/public.php HTTP/1.1" 200 50 "http://xxx.synology.me:8200/tt-rss/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.18.0.1 - - [16/Aug/2022:16:59:13 +0000] "POST /tt-rss/public.php?return=http%3A%2F%2Fxxx.synology.me%3A8200%2Ftt-rss%2F HTTP/1.1" 302 5 "http://xxx.synology.me:8200/tt-rss/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.18.0.1 - - [16/Aug/2022:16:59:13 +0000] "GET /tt-rss/ HTTP/1.1" 200 5208 "http://xxx.synology.me:8200/tt-rss/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
172.18.0.1 - - [16/Aug/2022:16:59:13 +0000] "GET /tt-rss/themes/night.css?1660669153770 HTTP/1.1" 200 58859 "http://xxx.synology.me:8200/tt-rss/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
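
The login loop described in the post is visible in the WEB log itself: the login POST is answered with a 302, and the following GET of the `return` path comes back at the same 5208 bytes as before the POST. The following is an added example, not part of the original post or of tt-rss, that flags that pattern in an nginx access log; treating an unchanged body size as "the login form was served again" is a heuristic assumed here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# nginx "combined" format: ip - user [time] "METHOD target PROTO" status bytes ...
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                  r'(?P<status>\d{3}) (?P<size>\d+|-)')

def find_login_bounces(lines):
    """Return (timestamp, path, size) for each login POST whose redirect target
    came back with the same body size as before the POST (assumed: login form)."""
    last_get = {}   # (client, path) -> size of the latest 200 GET
    pending = {}    # client -> (return path, size seen before the login POST)
    bounces = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an access-log line
        ip, method, status = m["ip"], m["method"], int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        url = urlsplit(m["target"])
        if method == "POST" and status == 302 and url.path.endswith("/public.php"):
            # The logged login POST carries its destination in the "return" parameter.
            ret = urlsplit(parse_qs(url.query).get("return", [""])[0]).path
            if (ip, ret) in last_get:
                pending[ip] = (ret, last_get[(ip, ret)])
        elif method == "GET" and status == 200:
            want = pending.get(ip)
            if want and want[0] == url.path:
                del pending[ip]
                if want[1] == size:
                    bounces.append((m["ts"], url.path, size))
            last_get[(ip, url.path)] = size
    return bounces

# Constructed sample: the first client is abridged from the post's WEB log; the
# second client (10.0.0.7, 48211-byte page) is invented to show a working login.
RET = "return=http%3A%2F%2Fxxx.synology.me%3A8200%2Ftt-rss%2F"
SAMPLE = [
    '172.18.0.1 - - [16/Aug/2022:16:59:10 +0000] "GET /tt-rss/ HTTP/1.1" 200 5208 "-" "UA"',
    f'172.18.0.1 - - [16/Aug/2022:16:59:13 +0000] "POST /tt-rss/public.php?{RET} HTTP/1.1" 302 5 "-" "UA"',
    '172.18.0.1 - - [16/Aug/2022:16:59:13 +0000] "GET /tt-rss/ HTTP/1.1" 200 5208 "-" "UA"',
    '10.0.0.7 - - [16/Aug/2022:17:05:00 +0000] "GET /tt-rss/ HTTP/1.1" 200 5208 "-" "UA"',
    f'10.0.0.7 - - [16/Aug/2022:17:05:04 +0000] "POST /tt-rss/public.php?{RET} HTTP/1.1" 302 5 "-" "UA"',
    '10.0.0.7 - - [16/Aug/2022:17:05:04 +0000] "GET /tt-rss/ HTTP/1.1" 200 48211 "-" "UA"',
]

if __name__ == "__main__":
    for ts, path, size in find_login_bounces(SAMPLE):
        print(f"{ts}: login POST bounced back to {path} ({size} bytes)")
```

In the log as posted every request arrives from 172.18.0.1, the Docker bridge address, so on that setup the per-client grouping merges all browsers into one.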

generally i’m assuming that people have a VDS (with a public IP) running tt-rss (and possibly other containers), with a single frontend nginx that does SSL termination. it’s not a requirement but it’s a common enough baseline setup for small-scale deployments, which is easy to understand and implement, and doesn’t involve many unknowns - there’s no custom ports, shitty consumer routers doing god knows what with transit traffic, DNS split-horizon issues, NAS idiosyncrasies, etc.

your setup falls really far away from what i’ve described above, and i don’t think i’ll be able to help you any. fwiw i’m not seeing anything immediately wrong with your compose file, as to everything else - i just dunno.

Thanks for the answer, yeah, hmm maybe it’s related somehow to SSL and when I get that sorted the login will work (just a bit strange the login works via local IP). Hmmm, the only other real difference I guess is the fact that traffic goes via the router/firewall, so maybe my issue is related to ports and or something like that (outside the scope of TT and docker in this case).

btw have you tried accessing your setup from the outside of your LAN i.e. using your phone on 4g or something?

also you can open F12 browser console while login form is reloading and check if there’s anything there. it could be something CSRF-related.

Good shout, not that I know the solution yet, but external login (properly externally, as in phone) worked… so that’s interesting.

F12 at least the Network and Console don’t pop anything at me I’d react on so far:

[DOM] Found 2 elements with non-unique id #: (More info: https://goo.gl/9p2vKq) <input dojotype=​"dijit.form.CheckBox" name=​"safe_mode" id>​ <input dojotype=​"dijit.form.CheckBox" name=​"remember_me" id>​
xxx.synology.me/:1
[DOM] Input elements should have autocomplete attributes (suggested: "current-password"): (More info: https://goo.gl/9p2vKq) <input type=​"password" name=​"password" required=​"1" dojotype=​"dijit.form.TextBox" class=​"input input-text" value>​
night mode changed to true (utility.js?1660539746:8)

Update! Oh, installed Firefox on my PC and it also works when using that browser to login, so it’s now Chrome causing this out of the blue. WTF Confused.

Update Actually it also works in Chrome Incognito mode, so I thought it maybe could be an extension… but disabled all I have now and “no go”.

Update Okay plugged in an extra laptop to the network and Chrome works to login with. Well well, so something with the one PC, thanks again for the tip as at least I got something to work towards now and debug. What a weird issue.

Something something something cache cookies…

Yeah, well I tried clearing cookies, resetting data and disabling my ESET firewall/protection early on to no avail. I also tried a different Chrome profile just in case … but no. That said, just tried Chrome’s Guest mode, which I guess is more normal (just not using my profile), and that works as well, ugh, so could mean it’s something profile wise - though never had such an issue.

Maybe it is because of HSTS.