docs: improve reverse proxy HTTPS detection and Swarm troubleshooting

- Add detailed HTTPS detection troubleshooting to REVERSE_PROXY.md
- Explain X-Forwarded-Proto header requirement for nginx/Caddy/Apache
- Add Docker Swarm troubleshooting section to UNIFIED_AGENT.md
- Document how to force Docker runtime if auto-detection fails

Based on customer feedback.
rcourtman
2026-01-07 18:23:48 +00:00
parent e4c17777d0
commit 8c4bef27f0
2 changed files with 63 additions and 1 deletions

@@ -51,8 +51,37 @@ ProxyPassReverse / http://localhost:7655/
## ⚠️ Common Issues
### "HTTPS: HTTP only" in Security Posture
If your reverse proxy terminates SSL but Pulse shows "HTTPS: HTTP only" in Settings → Security:
**Cause**: Pulse detects HTTPS in two ways:
1. Direct TLS connection (`req.TLS != nil`)
2. The `X-Forwarded-Proto: https` header
If your proxy terminates SSL but doesn't forward this header, Pulse sees plain HTTP.
**Fix**: Add the `X-Forwarded-Proto` header in your proxy config:
```nginx
# Nginx
proxy_set_header X-Forwarded-Proto $scheme;
```
```caddy
# Caddy (automatic, but explicit override if needed)
header_up X-Forwarded-Proto {scheme}
```
```apache
# Apache
RequestHeader set X-Forwarded-Proto "https"
```
### Other Issues
- **"Connection Lost"**: WebSocket upgrade failed. Check `Upgrade` and `Connection` headers.
- **502 Bad Gateway**: Pulse is not running on port 7655.
- **CORS Errors**: Do not add CORS headers in the proxy; Pulse handles them. Set **Settings → System → Network → Allowed Origins** or use `ALLOWED_ORIGINS` if needed.
- **OIDC redirects or HTTPS detection issues**: Ensure `X-Forwarded-Proto` is set to `https`.
- **OIDC redirects fail**: Ensure `X-Forwarded-Proto` is set (see above).
- **Wrong client IPs**: Set `PULSE_TRUSTED_PROXY_CIDRS` to your proxy IP/CIDR so `X-Forwarded-For` is trusted.
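Review bot: The new Cause/Fix text says Pulse treats `X-Forwarded-Proto: https` as proof of HTTPS, but it never says from which peers that header is honoured; the last bullet ties `PULSE_TRUSTED_PROXY_CIDRS` only to `X-Forwarded-For`. Please state whether the same trusted-proxy list applies to `X-Forwarded-Proto`, and tell readers that the proxy must overwrite any client-supplied value, since otherwise the Security Posture result reflects whatever the request claims. Separately, the Apache line hardcodes `"https"` while the nginx line uses `$scheme`; add a note that the Apache directive belongs only in the TLS virtual host, or it will also label plain-HTTP requests as HTTPS.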

@@ -287,3 +287,36 @@ systemctl status pulse-agent
# macOS
launchctl list | grep pulse
```
### Docker Swarm Not Detected
If your Docker Swarm cluster isn't being detected:
1. **Check runtime detection**: Pulse disables Swarm for Podman. Look for "Podman runtime detected" in logs:
```bash
journalctl -u pulse-agent | grep -i podman
```
2. **Force Docker runtime**: If auto-detection is incorrect:
```bash
--docker-runtime docker
# Or set environment variable
PULSE_DOCKER_RUNTIME=docker
```
3. **Check Docker info**: Verify Swarm is active on the host:
```bash
docker info | grep -i swarm
# Should show "Swarm: active"
```
4. **Check socket permissions**: The agent needs access to the Docker socket:
```bash
ls -la /var/run/docker.sock
```
5. **Enable debug logging**: For more detail:
```bash
LOG_LEVEL=debug journalctl -u pulse-agent -f
```
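Review bot: In step 5, `LOG_LEVEL=debug journalctl -u pulse-agent -f` sets the variable only for the `journalctl` process, so the agent keeps its current log level and the reader sees no extra detail. Document setting `LOG_LEVEL=debug` in the agent's own service environment and restarting it, then following the journal as a separate command. In step 2, `--docker-runtime docker` and `PULSE_DOCKER_RUNTIME=docker` are shown inside a bash block without the command or service file they belong to; say where each is set. Step 4 would also benefit from one sentence on what the expected owner and group of `/var/run/docker.sock` are for the user the agent runs as, since the `ls -la` output alone does not tell the reader whether access is correct.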