FIEF (latest 0.28.5) SSL/TLS with real domain problem to get the admin page running

[ClaudioBsh]

Setup for test

Just use FIEF-Server and Worker together with REDIS and PostgreSQL within a docker-compose.yml as shown in the FIEF-Docs!
Use a real domain, like in my example "mydomain.com" (replace it with yours)!
For https (SSL/TLS) i use Letsencrypt instead of self sign keys. You can use letsencrypt staging server for test, the behaviour is the same as you will use self signed certificates.
My DNS provider i use is Cloudflare, if you use another one, you have to setup similiar there.

.env
ROOT_DOMAIN=mydomain.com:
FIEF_DOMAIN=fiefdemo.mydomain.com
FIEF_SERVER_URL=http://mydomain.com
All Cookie Variables are False!
FORWARD_ALLOWED_IPS=*
FIEF_API_KEY="ABCD"
FIEF_MAIN_ADMIN_API_KEY="ABCD"

Cloudflare-DNS: noproxied
Cloudflare-SSL/TLS: "Full" only
Letsencrypt: Use of the Staging-Server

docker-compose.yml:
...
fief-server:
image: ghcr.io/fief-dev/fief:0.28.5
depends_on:
- redis
- postgres
- certbot
container_name: fiefserver
command: fief run-server
ports:
- ${PORT}:${PORT}
env_file:
- .env
volumes:
- "./data/letsencrypt/live/mydomain.com/fullchain.pem:/etc/ssl/certs/server.crt:ro"
- "./data/letsencrypt/live/mydomain.com/privkey.pem:/etc/ssl/private/server.key:ro"
...

Doing all following URL-Calls in a Private-Browser-Window!

Call# Status URL-Calls:
01 ok? https://fiefdemo.mydomain.com/ FIEFSERVER-Log: no message
02 ok? http://fiefdemo.mydomain.com/ FIEFSERVER-Log: no message

03 ok? https://fiefdemo.mydomain.com/login FIEFSERVER-Log: no message
04 ok? http://fiefdemo.mydomain.com/login FIEFSERVER-Log: no message

05 ok? https://fiefdemo.mydomain.com/admin FIEFSERVER-Log: no message
06 ok? http://fiefdemo.mydomain.com/admin FIEFSERVER-Log: no message

07 ok? https://fiefdemo.mydomain.com:8000 FIEFSERVER-Log: 2x: Invalid HTTP request received.

08 OK! http://fiefdemo.mydomain.com:8000/ Auto redirect to: http://fiefdemo.mydomain.com:8000/login
FIEFSERVER-Log:
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56787 - "GET / HTTP/1.1" 307 - {}
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56787 - "GET /login HTTP/1.1" 200 - {}
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56787 - "GET /static/auth.css HTTP/1.1" 200 - {}
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56787 - "GET /static/favicon.svg HTTP/1.1" 200 - {}
Typing in my login credentials (admin):
- Login successfull, auto redirect to: http://fiefdemo.mydomain.com:8000/
- See and could manage Email and Passwort!
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56795 - "POST /login HTTP/1.1" 302 - {}
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56795 - "GET /verify-request HTTP/1.1" 302 - {}
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56795 - "GET / HTTP/1.1" 200 - {}

09 ok? https://fiefdemo.mydomain.com:8000/login 4x: Invalid HTTP request received.
10 OK! http://fiefdemo.mydomain.com:8000/login Login-Seite wird angezeigt:
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56806 - "GET /login HTTP/1.1" 200 - {}
Typing in my login credentials (admin):
- Login successfull, auto redirect to: http://fiefdemo.mydomain.com:8000/
- See and could manage Email and Passwort!
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56812 - "POST /login HTTP/1.1" 302 - {}
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56812 - "GET /verify-request HTTP/1.1" 302 - {}
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56812 - "GET / HTTP/1.1" 200 - {}

11 ok? https://fiefdemo.mydomain.com:8000/admin 4x: Invalid HTTP request received.
12 NOK!! http://fiefdemo.mydomain.com:8000/admin Auto redirect (Browser tells page is not reachable) to:
http://fiefdemo.mydomain.com/authorize?response_type=code&client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=http%3A%2F%2Ffiefdemo.mydomain.com%3A8000%2Fadmin%2Fauth%2Fcallback&scope=openid&screen=login
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56825 - "GET /admin HTTP/1.1" 308 - {}
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56825 - "GET /admin/ HTTP/1.1" 307 - {}
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 127.0.0.1:47458 - "GET /.well-known/openid-configuration HTTP/1.1" 200 - {}
INFO | httpx._client:_send_single_request:1758 - HTTP Request: GET http://localhost:8000/.well-known/openid-configuration "HTTP/1.1 200 OK" - {}
INFO | uvicorn.protocols.http.httptools_impl:send:489 - 77.200.35.45:56825 - "GET /admin/auth/login HTTP/1.1" 302 - {}

Conclusion:
Calls 01 til 07, 09 and 11 i am not sure if this is the expected behaviour?
Calls 08 and 10 are fine:-)
Call 12 Not OK, i am wondering why, what is/could the problem here?

[frankie567]

Hi Claudio!

That's lot of stuff 😅 If I understand you correctly, you're not able to reach your instance through HTTPS/SSL, right?

Here are the things that looks weird to me and you should investigate:

1. Make sure the PORT env variable is 443. From what I see, it seems that you're still on 8000 (that's why it works on https://fiefdemo.mydomain.com:8000/admin but not https://fiefdemo.mydomain.com/admin)
2. I see that you are mounting Let's Encrypt certificates on the Fief container. That's good but you may need to set Uvicorn's environment variables so that it picks them up. https://www.uvicorn.org/settings/#https It should be something like:

UVICORN_SSL_KEYFILE=/etc/ssl/private/server.key
UVICORN_SSL_CERTFILE=/etc/ssl/certs/server.crt

(maybe it's not needed, and maybe it's able to pick them automatically since it's in the default OS location, but worth to check)

That said, I would recommend to setup a reverse proxy like Traefik to take care of SSL. I'll try to make the documentation more helpful around this.

3. You should always see a log message when accessing a route. If there is no log, then the server is not reached.

[ClaudioBsh]

The problem is, that with PORT 443 it is not working:-(

Instead Port 8000, i can also use e.g. Port 80 (http), this will also work, but https with Port 443 is not working, and i am wondering why:-(

I know that best practice is to use a proxy like Traefik, but i like to find out the use of FIEF with and without having proxy:-)

So this scenario here is without using a proxy.

If you want to reproduce it, see below the whole configuration - with Port = 80 http://fiefdemo.mydomain.com/admin all is working fine, with Port 443 not - error message: "Invalid HTTP request received." and admin page is not reachable.

---

All following files must be in the same folder!"
Create the following subfolders from here:
data/letsencrypt
data/lib/letsencrypt
data/log/letsencrypt

And sure, search and replace mydomain.com with your real domain, search for email and change it to your email adress and search and change all xxx with your secret id's etc.

Special: Check redis image - i use rasperry (arm64), if you use amd64, you have to change it before running (image: redis:alpine)!

---

.env:

SECRET=xxx
FIEF_CLIENT_ID=xxx
FIEF_CLIENT_SECRET=xxx
ENCRYPTION_KEY=xxx
PORT=80
ROOT_DOMAIN=mydomain.com
FIEF_DOMAIN=fiefdemo.mydomain.com
FIEF_MAIN_USER_EMAIL=[email protected]
FIEF_MAIN_USER_PASSWORD=xxx

DATABASE_TYPE=POSTGRESQL
DATABASE_HOST=postgres
DATABASE_PORT=5432
DATABASE_USERNAME=fief
DATABASE_PASSWORD=xxx
DATABASE_NAME=fief

REDIS_URL=redis://redis:6379

CSRF_COOKIE_SECURE=False
SESSION_DATA_COOKIE_SECURE=False
USER_LOCALE_COOKIE_SECURE=False
LOGIN_SESSION_COOKIE_SECURE=False
SESSION_COOKIE_SECURE=False
LOGIN_HINT_COOKIE_SECURE=False
REGISTRATION_SESSION_COOKIE_SECURE=False
FIEF_ADMIN_SESSION_COOKIE_SECURE=False

FIEF_SERVER_URL=http://mydomain.com
TELEMETRY_ENABLED=False
FORWARD_ALLOWED_IPS=*

UVICORN_SSL_KEYFILE=/etc/ssl/private/server.key
UVICORN_SSL_CERTFILE=/etc/ssl/certs/server.crt

---

Dockerfile:
FROM certbot/certbot

RUN pip install certbot-dns-cloudflare

ENTRYPOINT ["certbot"]
CMD ["renew", "--dns-cloudflare", "--dns-cloudflare-credentials", "/etc/letsencrypt/cloudflare.ini"]

---

cloudflare.ini (set on Cloudflare SSL/TLS to "Full" not "Full (strict)" when using letsencrypt staging and in this demo staging is used):
dns_cloudflare_api_token=xxx

---

docker-compose.yml:

version: "3"

services:
fief-server:
image: ghcr.io/fief-dev/fief:0.28.5
depends_on:
- redis
- postgres
- certbot
container_name: fiefserver
command: fief run-server
ports:
- 80:80
env_file:
- .env
volumes:
- "./data/letsencrypt/live/mydomain.com/fullchain.pem:/etc/ssl/certs/server.crt:ro"
- "./data/letsencrypt/live/mydomain.com/privkey.pem:/etc/ssl/private/server.key:ro"
networks:
- fiefnetworkdc

fief-worker:
image: ghcr.io/fief-dev/fief:0.28.5
depends_on:
- fief-server
container_name: fiefworker
command: fief run-worker -p 1 -t 1
env_file:
- .env
volumes:
- "./data/letsencrypt/live/mydomain.com/fullchain.pem:/etc/ssl/certs/server.crt:ro"
- "./data/letsencrypt/live/mydomain.com/privkey.pem:/etc/ssl/private/server.key:ro"
networks:
- fiefnetworkdc

postgres:
image: postgres:alpine
container_name: fiefpostgres
environment:
- PGUSER=${DATABASE_USERNAME}
- POSTGRES_PASSWORD=${DATABASE_PASSWORD}
- POSTGRES_USER=${DATABASE_USERNAME}
- POSTGRES_DB=${DATABASE_NAME}
volumes:
- postgres-data:/var/lib/postgresql/data
networks:
- fiefnetworkdc

redis:
image: arm64v8/redis:latest
container_name: fiefredis
command: redis-server --save 60 1 --loglevel warning
volumes:
- redis-data:/data
networks:
- fiefnetworkdc

dozzle:
image: amir20/dozzle:latest
container_name: fiefdozzle
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
ports:
- 8080:8080

certbot:
build:
context: ./
dockerfile: Dockerfile
image: certbot
container_name: fiefcertbot
volumes:
- "./cloudflare.ini:/etc/letsencrypt/cloudflare.ini:ro"
- "./data/letsencrypt:/etc/letsencrypt"
- "./data/lib/letsencrypt:/var/lib/letsencrypt"
- "./data/log/letsencrypt:/var/log/letsencrypt"
environment:
- DOMAINS=mydomain.com,fiefdemo.mydomain.com
- EMAIL=[email protected]
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot certonly --staging --email $${EMAIL} --agree-tos --non-interactive --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini --dns-cloudflare-propagation-seconds 60 -d $${DOMAINS}; sleep 12h & wait $${!}; done;'"

volumes:
redis-data:
postgres-data:

networks:
fiefnetworkdc:
name: fiefnetwork

---

run.sh:

docker-compose -p "myfief" --env-file "./.env" up --build -d certbot
sleep 80
docker-compose -p "myfief" --env-file "./.env" up --build -d postgres
sleep 8
docker-compose -p "myfief" --env-file "./.env" up --build -d redis
docker-compose -p "myfief" --env-file "./.env" up --build -d fief-server
sleep 25
docker-compose -p "myfief" --env-file "./.env" up --build -d fief-worker
docker-compose -p "myfief" --env-file "./.env" up --build -d dozzle

---

stop_and_clean.sh:

docker-compose -p "myfief" stop
docker rm fiefserver
docker rm fiefworker
docker rm fiefpostgres
docker rm fiefredis
docker rm fiefdozzle
docker rm fiefcertbot
docker network rm fiefnetwork
docker volume rm myfief_postgres-data
docker volume rm myfief_redis-data
docker volume rm fief_postgres-data
docker volume rm fief_redis-data
find ./data -type f ! -name '.gitkeep' -exec sudo rm {} +
sudo rm -rf ./data/letsencrypt/archive ./data/letsencrypt/accounts ./data/letsencrypt/live ./data/letsencrypt/renewal*
docker rmi $(docker images -f "dangling=true" -q)

---

Hint: on Port 8080 you can use "dozzle for watching all logs from all containers running.

---

[ClaudioBsh]

Test the following scenarios using projectfiles as described before but change ".env" and "docker-compose.yml" as follows:

---

Scenario:
PORT=80
(docker-compose.yml / ports: 80:80)
COOKIE=False

Call in Browser:
http://fiefdemo.mydomain.com/admin

Result - OK - is as expected:
Fief-Admin-Page is shown after redirect to Login page

---

Scenario:
PORT=443
(docker-compose.yml / ports: 443:443)

The following tried with True and False, in both cases it makes no difference in the result:
COOKIE

The following tried with True and False, in both cases it makes no difference in the result:
CLIENT_REDIRECT_URI_SSL_REQUIRED

Call in Browser:
https://fiefdemo.mydomain.com/admin

Expected:
Fief-Admin-Page is shown after redirect to Login page

Result - NOK:
Fief-Admin-Page not shown 
Log: Invalid HTTP request received.

[ClaudioBsh]

[frankie567]

Ok, so I digged this up and it looks like I was wrong: we actually can't configure SSL certificates through environment variables like I suggested in my previous comment.

This is because Fief's CLI wraps Uvicorn programmatically and don't explicitly support those options. I'll see how this can be improved on our side.

Meanwhile, you can make it work by overriding the command of the fief-server container like this:

command: uvicorn fief.app:app --port 443 --host 0.0.0.0 --ssl-keyfile /etc/ssl/private/server.key --ssl-certfile /etc/ssl/certs/server.crt

Just note that migration and admin user won't be automatically created in this configuration. You'll have to manually call fief migrate and fief create_admin.

[frankie567]

Follow in #349

[ClaudioBsh]

Hopefully your new solution will fix issue - when trying the other scenario with using reverse proxy (Traefik) - too.

Because, with Traefik and using a real Domain and letsencrypt dnschallenge (not using certbot anymore) i get csfr error. Disabling csfr check results in no redirect to the Admin page.

If you want i will put the Traefik example code here.

[frankie567]

I've updated the Docker Compose example with Traefik: https://docs.fief.dev/self-hosting/deployment/docker-compose/

[ClaudioBsh]

Just taken the example docker-compose.yml and .env from "https://docs.fief.dev/self-hosting/deployment/docker-compose/" and replaced with my own real domain and own secrets.

Calling:
https://fiefdemo.mydomain.com/admin

Result:
Redirection to: http://fiefdemo.mydomain.com/admin/auth/login
Browser shows "url is not reachable".

Fief-Server log is showing:
...http code 308...
...http code 307...

That's all - so it is still not working with using the example from the docs page.

[ClaudioBsh]

As i told in my message before just taking the code from your documentation including the .env values does not work out of the box, but I found out a workaround to get it running with minimal changes - but i think this is not good for a production setup, or?

My workaround - add the following entries to the docker-compose.yml:

Service traefik:
Not ORG - command:
- "--entrypoints.web.address=:80"
Not ORG - ports:
- 80:80

Service fief-server:
Not ORG - labels:
- "traefik.http.routers.fief-server-nsec.rule=Host(``fiefdemo.mydomain.com``)"
- "traefik.http.routers.fief-server-nsec.entrypoints=web"

With this addionally settings you will redirect successfull to the admin-login page!

But after giving the credentials you will fail into a 'csrf' error!

So you need another workaround to avoid this 'csrf' error:
Not ORG - .env
SRF_COOKIE_SECURE=False
SESSION_DATA_COOKIE_SECURE=False
USER_LOCALE_COOKIE_SECURE=False
LOGIN_SESSION_COOKIE_SECURE=False
SESSION_COOKIE_SECURE=False
LOGIN_HINT_COOKIE_SECURE=False
REGISTRATION_SESSION_COOKIE_SECURE=False
FIEF_ADMIN_SESSION_COOKIE_SECURE=False

And when calling "https://fiefdemo.mydomain.com/admin" it could be, that you have to use a private windows browser page!

[frankie567]

Just taken the example docker-compose.yml and .env from "https://docs.fief.dev/self-hosting/deployment/docker-compose/" and replaced with my own real domain and own secrets.

Calling: https://fiefdemo.mydomain.com/admin

Result: Redirection to: http://fiefdemo.mydomain.com/admin/auth/login Browser shows "url is not reachable".

Fief-Server log is showing: ...http code 308... ...http code 307...

That's all - so it is still not working with using the example from the docs page.

Probably the SSL certificate was not correctly issued by Let's Encrypt. The example shows the TLS challenge, but it requires your server to be reachable on the internet. You should have a look at Traefik logs to see what's going on.

Otherwise, for testing, you can uncomment the following lines:

      # Uncomment the lines below to debug and try with a self-signed certificate
      # - "--log.level=DEBUG"
      # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"

This will use a test server to issue self-signed certificate from Let's Encrypt. I've tested this setup successfully on my end.

[ClaudioBsh]

I am sorry, i did forget to wrote i did use the staging server already.
My domain is reachable from the internet.
I will add DEBUG and will see if i will find out more, then i come back later today/tommorrow.

[ClaudioBsh]

Sorry for late answer, but i was ill:-(

I did a retest and enabled DEBUG on Traefik - below all relevant info's:

".env":
SECRET=xxxxxxx
FIEF_CLIENT_ID=xxxxxxx
FIEF_CLIENT_SECRET=xxxxxxx
ENCRYPTION_KEY=xxxxxxx
PORT=8000
FIEF_DOMAIN=fiefdemo.mydomain.com
FIEF_MAIN_USER_EMAIL=[email protected]
FIEF_MAIN_USER_PASSWORD=xxxxxxx

DATABASE_TYPE=POSTGRESQL
DATABASE_HOST=postgres
DATABASE_PORT=5432
DATABASE_USERNAME=fief
DATABASE_PASSWORD=xxxxxxx
DATABASE_NAME=fief

REDIS_URL=redis://redis:6379
FORWARD_ALLOWED_IPS=*
TELEMETRY_ENABLED=False

"docker-compose.yml":
services:

traefik:
image: traefik:v2.11
container_name: fieftraefik
command:
- "--api.dashboard=true"
- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.letsencrypt.acme.email=[email protected]"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
ports:
- 8080:8080
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/letsencrypt:/letsencrypt

fief-server:
image: ghcr.io/fief-dev/fief:0.28.5
command: fief run-server
container_name: fiefserver
env_file:
- .env
labels:
- "traefik.enable=true"
- "traefik.http.routers.fief-server.rule=Host(fiefdemo.mydomain.com)"
- "traefik.http.routers.fief-server.entrypoints=websecure"
- "traefik.http.routers.fief-server.tls.certresolver=letsencrypt"
....

"./data/letsencrypt/acme.json":
{
"letsencrypt": {
"Account": {
"Email": "[email protected]",
"Registration": {
"body": {
"status": "valid",
"contact": [
"mailto:[email protected]"
]
},
"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/1234567890"
},
"PrivateKey": "MIIJJxxxxxxxxx",
"KeyType": "4096"
},
"Certificates": [
{
"domain": {
"main": "fiefdemo.mydomain.com"
},
"certificate": "LS0tLSxxxxxxxxxxxxxxxx",
"key": "LS0tLSxxxxxxxxxxxx",
"Store": "default"
}
]
}
}

TRAEFIK Log:
time="2024-04-01T09:28:24Z" level=debug msg="http: TLS handshake error from 74.215.44.42:63917: remote error: tls: unknown certificate"
time="2024-04-01T09:28:24Z" level=debug msg="http: TLS handshake error from 74.215.44.42:63921: remote error: tls: unknown certificate"
time="2024-04-01T09:28:32Z" level=debug msg="Serving default certificate for request: "74.215.44.42""
time="2024-04-01T09:28:32Z" level=debug msg="http: TLS handshake error from 128.199.182.77:51304: read tcp 172.20.0.2:443->128.199.182.77:51304: read: connection reset by peer"
time="2024-04-01T09:28:33Z" level=debug msg="Serving default certificate for request: "74.215.44.42""
time="2024-04-01T09:28:33Z" level=debug msg="http: TLS handshake error from 128.199.182.77:56788: read tcp 172.20.0.2:443->128.199.182.77:56788: read: connection reset by peer"
time="2024-04-01T09:28:33Z" level=debug msg="Serving default certificate for request: "74.215.44.42""
time="2024-04-01T09:28:33Z" level=debug msg="http: TLS handshake error from 128.199.182.77:56792: tls: no cipher suite supported by both client and server"
time="2024-04-01T09:28:34Z" level=debug msg="http: TLS handshake error from 128.199.182.77:56794: tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])"
time="2024-04-01T09:28:34Z" level=debug msg="http: TLS handshake error from 128.199.182.77:56808: tls: client requested unsupported application protocols ([hq h2c spdy/3 spdy/2 spdy/1 http/1.0 http/0.9])"
time="2024-04-01T09:28:35Z" level=debug msg="http: TLS handshake error from 128.199.182.77:56816: tls: client offered only unsupported versions: [302 301]"
time="2024-04-01T09:28:35Z" level=debug msg="Serving default certificate for request: "74.215.44.42""
time="2024-04-01T09:28:35Z" level=debug msg="http: TLS handshake error from 128.199.182.77:56822: read tcp 172.20.0.2:443->128.199.182.77:56822: read: connection reset by peer"
time="2024-04-01T09:28:36Z" level=debug msg="Serving default certificate for request: "74.215.44.42""
time="2024-04-01T09:28:36Z" level=debug msg="http: TLS handshake error from 128.199.182.77:56836: read tcp 172.20.0.2:443->128.199.182.77:56836: read: connection reset by peer"
time="2024-04-01T09:28:36Z" level=debug msg="Serving default certificate for request: "74.215.44.42""
time="2024-04-01T09:28:36Z" level=debug msg="http: TLS handshake error from 128.199.182.77:56838: read tcp 172.20.0.2:443->128.199.182.77:56838: read: connection reset by peer"
time="2024-04-01T09:28:37Z" level=debug msg="Serving default certificate for request: "74.215.44.42""
time="2024-04-01T09:28:37Z" level=debug msg="http: TLS handshake error from 128.199.182.77:56848: read tcp 172.20.0.2:443->128.199.182.77:56848: read: connection reset by peer"

FIEF Log:
2024-04-01 09:28:32.038 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:37906 - "GET / HTTP/1.1" 307 - {}
2024-04-01 09:28:37.973 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET / HTTP/1.1" 307 - {}
2024-04-01 09:28:38.763 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /server HTTP/1.1" 307 - {}
2024-04-01 09:28:39.536 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /.vscode/sftp.json HTTP/1.1" 404 - {}
2024-04-01 09:28:40.293 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /about HTTP/1.1" 307 - {}
2024-04-01 09:28:41.052 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /debug/default/view?panel=config HTTP/1.1" 404 - {}
2024-04-01 09:28:41.806 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /v2/_catalog HTTP/1.1" 404 - {}
2024-04-01 09:28:42.557 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 404 - {}
2024-04-01 09:28:43.296 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /server-status HTTP/1.1" 307 - {}
2024-04-01 09:28:44.060 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /login.action HTTP/1.1" 307 - {}
2024-04-01 09:28:44.811 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /all_dbs HTTP/1.1" 307 - {}
2024-04-01 09:28:45.558 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /.DS_Store HTTP/1.1" 307 - {}
2024-04-01 09:28:46.301 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /.env HTTP/1.1" 307 - {}
2024-04-01 09:28:47.045 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /.git/config HTTP/1.1" 404 - {}
2024-04-01 09:28:47.820 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /s/7343e23343e2530323e29373//%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 404 - {}
2024-04-01 09:28:48.580 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "HEAD / HTTP/1.1" 405 - {}
2024-04-01 09:28:48.605 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /config.json HTTP/1.1" 307 - {}
2024-04-01 09:28:49.393 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /telescope/requests HTTP/1.1" 404 - {}
2024-04-01 09:28:50.179 | INFO | uvicorn.protocols.http.httptools_impl:send:489 - 172.20.0.2:50242 - "GET /?rest_route=/wp/v2/users/ HTTP/1.1" 307 - {}

My Domain / IP is a real domain and is reachable from anywhere, ports 80, 8080, 443 are open.
Sure for security reasons i did change the IP and instead my real domain name i used mydomain.com as example:-)
So i wonder, why it is working for you but not for me:-(