API & Websocket Error. Origin header not allowed from 'https://erp.my-domain.com:8443

I am trying to get Metasfresh running with SSL on a dedicated Debian 10 server with the help of docker-compose. I have tried several settings, first behind a traefik 2.4 reverse proxy as well as without it.
I can’t seem to get the WebUI connect to the API or WebSocket. For the API I get a 403 Error code and the console says:

WARN 20 — [nio-8080-exec-9] o.s.w.s.s.t.h.DefaultSockJsService : Origin header value ‘https://erp.my-domain.com:8443’ not allowed.

I generated the key and cert file with LetsEncrypt and put them in the webui/source/certs folder.
I am using the v2 compose file provided with SSL port mapping to 8443.

db:
  build: db
  restart: always
  volumes:
    - ./volumes/db/data:/var/lib/postgresql/data
    - ./volumes/db/log:/var/log/postgresql
    - /etc/localtime:/etc/localtime:ro
    - /etc/timezone:/etc/timezone:ro
  environment:
    - METASFRESH_USERNAME=metasfresh
    - METASFRESH_PASSWORD=metasfresh
    - METASFRESH_DBNAME=metasfresh
    - DB_SYSPASS=System
    - POSTGRES_PASSWORD=ip2LmNzXX8p8iXg9lZTWEJ9524kQDbXFudB7LR03T-xK9fLweX3TLMkA2AYcEiaS
app:
  build: app
  hostname: app
  links:
    - db:db
    - rabbitmq:rabbitmq
    - search:search
  expose:
    - "8282"
    - "61616"
    - "8788"
  restart: always
  volumes:
    - ./volumes/app/log:/opt/metasfresh/log:rw
    - ./volumes/app/heapdump:/opt/metasfresh/heapdump:rw
    - /etc/localtime:/etc/localtime:ro
  - /etc/timezone:/etc/timezone:ro
environment:
  - METASFRESH_HOME=/opt/metasfresh
webapi:
  build: webapi
  links:
    - app:app
    - db:db
    - rabbitmq:rabbitmq
    - search:search
  expose:
    - "8789"
  restart: always
  volumes:
    - ./volumes/webapi/log:/opt/metasfresh-webui-api/log:rw
    - ./volumes/webapi/heapdump:/opt/metasfresh-webui-api/heapdump:rw
    - /etc/localtime:/etc/localtime:ro
    - /etc/timezone:/etc/timezone:ro
webui:
  build: webui
  links:
    - webapi:webapi
  ports:
    - "8443:443"
  restart: always
  volumes:
    - /etc/localtime:/etc/localtime:ro
    - /etc/timezone:/etc/timezone:ro
  environment:
    - WEBAPI_URL=https://erp.iem-experten.de:8443
rabbitmq:
  build: rabbitmq
  expose:
    - "5672"
  restart: always
  volumes:
    - ./volumes/rabbitmq/log:/var/log/rabbitmq/log
    - /etc/localtime:/etc/localtime:ro
    - /etc/timezone:/etc/timezone:ro
  environment:
    RABBITMQ_DEFAULT_USER: "metasfresh"
    RABBITMQ_DEFAULT_PASS: "metasfresh"
    RABBITMQ_DEFAULT_VHOST: "/"
search:
  build: search
  ulimits:
    memlock:
      soft: -1
      hard: -1
    nofile:
      soft: 65536
      hard: 65536
  cap_add:
    - IPC_LOCK
  volumes:
    - ./volumes/search/data:/usr/share/elasticsearch/data
    - /etc/localtime:/etc/localtime:ro
    - /etc/timezone:/etc/timezone:ro
  environment:
    - "ES_JAVA_OPTS=-Xms128M -Xmx256m"
  restart: always

And adjusted config.js as follows:

const config = {
    API_URL: 'https://erp.iem-experten.de:8443/rest/api',
    WS_URL: 'https://erp.iem-experten.de:8443/stomp'
}

Interestingly when asigning networks and putting labels for traefik v2.4 I can only route to 443 or 80. While routing to port 80 still lets me login, but is still not able to connect to the api and websocket, port 443 gives me a 400 Error code, for connecting to a SSL enabled server with plain http.

 webui:
   build: webui
   links:
     - webapi:webapi
   ports:
     - "8443:443"
   restart: always
   volumes:
     - /etc/localtime:/etc/localtime:ro
     - /etc/timezone:/etc/timezone:ro
   environment:
     - WEBAPI_URL=https://erp.${DOMAIN}/
   labels:
     - "traefik.enable=true"
     - "traefik.http.routers.erp.entrypoints=websecure"
     - "traefik.http.routers.erp.rule=Host(`erp.${DOMAIN}`)"
     - "traefik.http.routers.erp.tls=true"
     - "traefik.docker.network=web"
     - "traefik.http.routers.erp.service=erp"
     - "traefik.http.services.erp.loadbalancer.server.port=8443"
   networks:
     erp-network:
     web:

Bad Gateway Error

webui:
   build: webui
   links:
     - webapi:webapi
   restart: always
   volumes:
     - /etc/localtime:/etc/localtime:ro
     - /etc/timezone:/etc/timezone:ro
   environment:
     - WEBAPI_URL=https://erp.${DOMAIN}/
   labels:
     - "traefik.enable=true"
     - "traefik.http.routers.erp.entrypoints=websecure"
     - "traefik.http.routers.erp.rule=Host(`erp.${DOMAIN}`)"
     - "traefik.http.routers.erp.tls=true"
     - "traefik.docker.network=web"
     - "traefik.http.routers.erp.service=erp"
     - "traefik.http.services.erp.loadbalancer.server.port=443"
   networks:
     erp-network:
     web:

400 Error, Talking plain http to SSL enabled server.

webui:
   build: webui
   links:
     - webapi:webapi
   restart: always
   volumes:
     - /etc/localtime:/etc/localtime:ro
     - /etc/timezone:/etc/timezone:ro
   environment:
     - WEBAPI_URL=https://erp.${DOMAIN}/
   labels:
     - "traefik.enable=true"
     - "traefik.http.routers.erp.entrypoints=websecure"
     - "traefik.http.routers.erp.rule=Host(`erp.${DOMAIN}`)"
     - "traefik.http.routers.erp.tls=true"
     - "traefik.docker.network=web"
     - "traefik.http.routers.erp.service=erp"
     - "traefik.http.services.erp.loadbalancer.server.port=80"
   networks:
     erp-network:
     web:

→ Can’t connect to websocket or API.

WARN 20 — [nio-8080-exec-9] o.s.w.s.s.t.h.DefaultSockJsService : Origin header value ‘https://erp.my-domain.com’ not allowed.

Hints, tips, tricks and solutions are highly appreciated :slight_smile:

The issue was solved by setting needed CORS headers. Now it is all running smoothly with SSL behind Traefik 2.4.
It is actually a database-setting.

You can set it using:

docker exec -u postgres metasfresh_docker_db_1 psql -d metasfresh -c "UPDATE AD_SysConfig SET Value='http://my_metasfreshinstance.com' WHERE Name='webui.frontend.url';" 

( please replace the docker-compose project-name and the URL accordingly )