Joplin-server "Not allowed: GET api/sessions"

Hi,
I'm new to joplin and would like to migrate to Joplin from OneNote.
Thank you for all the good work done.
I've installed joplin-server as a docker container and use the app on MacOS.
When configuring the app, in preferences/synchronisation I get:
request to http://myserver.local:22300/api/sessions failed, reason: connect EBADF 192.168.0.10:22300 (Code EBADF).
Browsing to the URL I get:
error "Not allowed: GET api/sessions"
I have tried with different image versions (stable, latest) with the same result.
Thank you for your help.

I tried from iOS and have the same result.
I tried with the admin account or a user account, but still don't understand why just browsing to:
http://myserver.local:22300/api/sessions even without authentication fails.
Does the server require to run in https ?
In my case it's http://__:22300

Here is my docker-compose file:

version: '3'

services:
    db:
        image: postgres:13.1
        volumes:
            - ./data/postgres:/var/lib/postgresql/data
        ports:
            - "5432:5432"
        restart: unless-stopped
        environment:
            - POSTGRES_PASSWORD=dKRgwCrkmPU
            - POSTGRES_USER=joplin
            - POSTGRES_DB=joplindb
    app:
        image: joplin/server:latest
        depends_on:
            - db
        ports:
            - "22300:22300"
        restart: unless-stopped
        environment:
            - APP_PORT=22300
            - APP_BASE_URL=http://myserver.local:22300
            - DB_CLIENT=pg
            - POSTGRES_PASSWORD=dKRgwCrkmPU
            - POSTGRES_DATABASE=joplindb
            - POSTGRES_USER=joplin
            - POSTGRES_PORT=5432
            - POSTGRES_HOST=db

Because of this error http://myserver.local:22300/api/sessions failed, reason: connect EBADF 192.168.0.10:22300 (Code EBADF) I assume, your server is on the IP 192.168.0.10, right?

So as you type in your browser 192.168.0.10:22300/api/sessions you get error "Not allowed: GET api/sessions"?
And when you type in 192.168.0.10:22300/api/ping, do you get an ok and Joplin Server is running?

If so, the configuration should be alright. I would check the authentication credentials again. I don't know, what else could be the problem, as I tried to reproduce your setup and it worked out for me.

No, the Server does not need to run on https, however it is strongly recommended, if you don't use it in you local network only.

Hi, thank you for testing.
Actually browsing to:
http://myserver.local:22300/api/ping shows correctly:
{"status":"ok","message":"Joplin Server is running"}
while http://myserver.local:22300/api/sessions still shows:
{"error":"Not allowed: GET api/sessions"}

OK I tried with the windows app and the sync check worked.
I guess browsing to /api/sessions can only return ok when authenticating before (which is done within the app).

So Windows app ok.
Back to IOS: double checked credentials/URL:
Error: Please check that URL, username, password, etc. are correct and that the sync target is accessible. The reported error was: network request failed
Have to check on MacOS as well as it didn't work so far either.

Do Apple devices require SSL (any port) or SSL/443 when using joplin-server ?

PS: all this test is done locally on a private lan.

Yes, as you mentioned, http://myserver.local:22300/api/sessions won't give anything else than an error.

But beeing how it is (the server is perfectly accessible through a webbrowser and even Win10), I guess the problem is at IOS and MacOS...as you said...

I can't imagine a ssl-connection is required, however I'm not able to test it, since I don't own such a device.

So someone else has to help, sorry.

Edit: Just to make sure, the IOS/MacOS Devices have access to the server, did you try the webbrowser-thing also on them?

Yes the have access to the joplin server web portal.
I double checked settings on the app side, same as for windows.

Trying to test with a reverse proxy + SSL
I had issues with the apple contact app if the cardav server wasn't running behind a reverse proxy + SSL.
Just tried, no better luck.

Has anyone tried joplin-server with iOS / MacOS apps successfully ?

Yes I use Joplin Server daily on Debian + iOS and MacOS clients

Great news :wink:
A few questions about your deployment in order to compare with mine:

  • is your server public ?
  • what port does it use (22300, 80, 443) ?
  • do you use SSL ?
  • do you use a reverse proxy ?

Here are the 2 tries I made on macOs http:22300 and https:443:


And on IOS

And on Windows same settings but it works

I run latest versions of IOS/MacOS

Yes

Public ports : 443 only
Internal port : 22300

Yes

Yes

I suggest you try to replace "server.local" by the IP address (10.11.12.13) both in your docker compose file, and in your Joplin Client Sync settings. I already noticed that Joplin Server is very sensitive to this info (it should be exactly the same in both places), and I wonder if it's may be your problem.

Good luck,

Bruno

Hi Bruno,
Thank you for your advice.
So trying with the IP in the joplin app and in the APP_BASE_URL variable made it work on IOS devices as well as windows.
Here is the docker-compose file:

version: '3'

services:
    db:
        image: postgres:13.1
        volumes:
            - /DockerData/volumes/joplin/data/postgres:/var/lib/postgresql/data
        ports:
            - "5432:5432"
        restart: unless-stopped
        environment:
            - POSTGRES_PASSWORD=dKRgwCrkmPU
            - POSTGRES_USER=joplin
            - POSTGRES_DB=joplindb
    app:
        image: joplin/server:latest
        depends_on:
            - db
        ports:
            - "22300:22300"
        restart: unless-stopped
        environment:
            - APP_PORT=22300
            - APP_BASE_URL=http://192.168.0.10:22300
            - DB_CLIENT=pg
            - POSTGRES_PASSWORD=dKRgwCrkmPU
            - POSTGRES_DATABASE=joplindb
            - POSTGRES_USER=joplin
            - POSTGRES_PORT=5432
            - POSTGRES_HOST=db

Usually I never experience issues with windows clients (eg. cardav).
But still not working on macOS.

I tried behind a reverse proxy without luck.

Do you use a docker to run joplin-server ?
Just wondering how you can make it work as you use a public instance.
You probably use a certificate and then use the FQDN.
So you cannot use the IP in the docker-compose niether on the joplin-app, right ?

Here is my docker-compose with FQDN/SSL/selfsigned cert

version: '3'

services:
    reverse-proxy:
        image: nginx
        container_name: joplin-reverse-proxy
        restart: always
        volumes:
        - ./reverse-proxy/nginxSSL.conf:/etc/nginx/nginx.conf
        - ./reverse-proxy/selfsigned.crt:/etc/nginx/selfsigned.crt
        - ./reverse-proxy/selfsigned.key:/etc/nginx/selfsigned.key
        ports:
        - "443:443"
    db:
        image: postgres:13.1
        volumes:
            - ./data/postgres:/var/lib/postgresql/data
        ports:
            - "5432:5432"
        restart: unless-stopped
        environment:
            - POSTGRES_PASSWORD=dKRgwCrkmPU
            - POSTGRES_USER=joplin
            - POSTGRES_DB=joplindb
    app:
        image: joplin/server:latest
        depends_on:
            - db
        expose:
            - "22300"
        restart: unless-stopped
        environment:
            - APP_PORT=22300
            - APP_BASE_URL=https://myserver.local:443
            - DB_CLIENT=pg
            - POSTGRES_PASSWORD=dKRgwCrkmPU
            - POSTGRES_DATABASE=joplindb
            - POSTGRES_USER=joplin
            - POSTGRES_PORT=5432
            - POSTGRES_HOST=db


and the nginx conf file

events {

}

http {

  server {
    listen 443;
    ssl on;
    server_name myserver.local;
    ssl_certificate     /etc/nginx/selfsigned.crt;
    ssl_certificate_key /etc/nginx/selfsigned.key;

    add_header Strict-Transport-Security max-age=500; 

    location / {
      proxy_pass http://app:22300;
      proxy_redirect     off;
      proxy_set_header   Host $host;
      proxy_set_header   X-Real-IP $remote_addr;
      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header   X-Forwarded-Host $server_name;
      proxy_set_header   X-Forwarded-Proto https;   
    }
  }
}

Can you see anything wrong ? how is it compared to your configuration ?

what is this error (Code EBADF) , which occurs only with the macos version ?
-> bad file descriptor usually found when using node
...?

Hi,
Yes I use docker + SSL (lets encrypt and certbot) + FQDN.
Regarding your settings, I'm not an expert but 2 things seem strange to my eyes :
1/ I think you could remove ":443" here :

APP_BASE_URL=https://myserver.local:443

2/ I wonder if NGINX knows how to translate "app" and I wonder if you shouldn't put the container IP here instead of "app" :

proxy_pass http://app:22300;

I never met the error code you encounter.


You will find here below my config : (I don't use docker compose but it seems consistent) :

  • 1/ env file
APP_BASE_URL=https://www.myserver.org
APP_PORT=22300
DB_CLIENT=pg
POSTGRES_PASSWORD=xxXXXxxxXXX
POSTGRES_DATABASE=joplin
POSTGRES_USER=joplin
POSTGRES_PORT=5432
POSTGRES_HOST=pg
  • 2/ docker commands
sudo docker run -d --restart=always --name pg --env-file .env -p 5432:5432 -v /xxx/joplin.pgdb:/var/lib/postgresql/data postgres:latest
sudo docker run -d --restart=always --name joplinserver --env-file .env --link pg:pg -p 22300:22300 joplin/server:latest
  • 3/ nginx conf
server {
    if ($host = www.myserver.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


 listen 80;
 listen [::]:80;
 server_name www.myserver.org;
 # enforce https
 return 301 https://$server_name:443$request_uri;


}

server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
 server_name www.myserver.org;

 proxy_read_timeout 720s;
 proxy_connect_timeout 720s;
 proxy_send_timeout 720s; 

 ssl_session_cache shared:SSL:1m;
 ssl_session_timeout 1440m;
 ssl_buffer_size 8k;
 ssl_protocols  TLSv1.2 TLSv1.3;
 ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kE$
 ssl_prefer_server_ciphers on;
 ssl_stapling on;
 ssl_stapling_verify on;

location / {
    proxy_redirect off;
    proxy_pass http://127.0.0.1:22300;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        client_max_body_size 500M;
}


    ssl_certificate /etc/letsencrypt/live/www.myserver.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.myserver.org/privkey.pem; # managed by Certbot
}

Bruno
PS : I sometimes use a variant for NGINX with "NGINX PROXY MANAGER" docker image by JLESAGE, it's a great image : it works easily with joplin and it deals with letsencrypt public cert. You just have to add a proxy with location "http://JOPLIN.CONTAINER.IP.ADDRESS:22300".

Hi Bruno,
thank you very much for assisting with all these details.
1/ I remove the unnecessary :443
2/ didn't work with 127.0.0.1, may need the true ip

so far just tried with nginx with self signed based on your settings. no luck so far.
I keep trying and let you know about any progress.

instead of "app" you could use the container IP :

sudo docker container inspect -f '{{ .NetworkSettings.IPAddress }}' app

Hi, sorry for the late answer. I've been too busy last week.
I finally updated my macos to the latest version 12.3.1(73), I was probably on the previous.
I reused the first docker-compose (no nginx) and used the ip in APP_BASE_URL and connected the app to the ip.
This works fine with nginx without ssl as well.
SSL won't work with self signed nor with private CA.

Using the FQDN works on windows clients, cannot understand why it doesn't on macos clients.
May create an issue for this.

1 Like

Actually that worked because I made a mistake and used the iOS app on macOS m1.
The iOS app works fine though the macOS (m1) still sends :

Error. Please check that URL, username, password, etc. are correct and that the sync target is accessible. The reported error was:

request to http://XXX.XXX.XXX.XXX:22300/api/sessions failed, reason: connect EBADF 10.5.23.85:22300 (Code EBADF)

Found the issue was caused by the Lulu firewall..
Closed

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.