2020-12-30 05:39

Custom server CLEARTEXT issue

Issue details

Setting up a custom wallabag server does not work.



Actual behaviour

  • when setting up the app, I specify the domain of my custom wallabag server with https
  • the error message is "Connection test failed - Unknown error: CLEARTEXT communication to ${domain} not permitted by network security policy"

Expected behaviour

  • setting up a custom server should work

Steps to reproduce the issue

  1. have android 9 pie
  2. try to set up a custom wallabag server
  3. instant error

Environment details

  • wallabag app version: 108
  • wallabag app installation source (e.g. Gplay, F-Droid, manual): gplay
  • Android OS version: v9 patch level dec 5
  • Android ROM (e.g. stock, LineageOS, SlimRom,…): stock
  • Android hardware: xiaomi mi a2
  • wallabag server version: 2.3.5
  • Do you have Two-Factor-Authentication enabled?: no

Originally the wallabag server did not have ssl configured. I edited the domain name in parameters.yml to include https as a scheme. The certificate is self-signed, the self-signed CA is installed on the phone and visiting the web page in chrome works fine without any certificate issues.


wallabag server

no connection is established

Web server

no connection is established


  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答


  • weixin_39811166 weixin_39811166 4月前

    I'm experiencing the same behaviour

    点赞 评论 复制链接分享
  • weixin_39811166 weixin_39811166 4月前

    FYI https://github.com/wallabag/wallabag/issues/2273#issuecomment-456159516

    点赞 评论 复制链接分享
  • weixin_39929683 weixin_39929683 4月前

    indeed, thank you

    点赞 评论 复制链接分享
  • weixin_39708708 weixin_39708708 4月前

    that isn't a very good solution. I can't write a docker compose file that does this fix. why is the wallabag server downgrading to http when redirecting from / to /login? Android 9 does not like that, apparently

    点赞 评论 复制链接分享
  • weixin_39708708 weixin_39708708 4月前

    FYI the fix referenced in https://github.com/wallabag/wallabag/issues/2273#issuecomment-456159516 is deprecated by https://github.com/wallabag/wallabag/commit/80336f77fd6ef72dafe20b35b74d74d06592c06f

    点赞 评论 复制链接分享
  • weixin_39603469 weixin_39603469 4月前

    I wouldn't say that this is issue is solved - I also have xiaomi a2 and dockerized wallabag 2.3.5 behind traefik, and I have same issues as OP. In my case api calls works good from browser(f.e. /api/version.xt works) and certificates/redirect/rewrites aren't bad(full HTTPS, FF doesn't comply because of mixed content). Webapp also works well. What might be wrong?

    点赞 评论 复制链接分享
  • weixin_39544333 weixin_39544333 4月前

    There is an open PR in #762 which addresses the issue. Maybe that also fixes your issue? Can you test that?

    点赞 评论 复制链接分享
  • weixin_39708708 weixin_39708708 4月前

    I managed to work around it in traefik. Try the following rules on your wallabag frontend:

    as Docker Container labels

          - "traefik.frontend.redirect.regex=^http://wallabag.yourdomain.com/(.*)"
          - "traefik.frontend.redirect.replacement=https://wallabag.yourdomain.com/$$1"
          - traefik.frontend.whiteList.useXForwardedFor=true
          - traefik.frontend.headers.SSLProxyHeaders=X-Forwarded-Proto:https
          - traefik.frontend.redirect.permanent="true" #edited to fix accidental ommision

    as toml rules:

      entryPoints = ["http", "https"]
      backend = "wallabag-backend"
        rule = "Host:wallabag.yourdomain.com"
        permanent=true  #edited to fix accidental ommision
        X-Forwarded-Proto = "https"

    This worked for me without having to change anything about Wallabag or the app at all.

    edit: fixed mistake in replacement regex in the toml version

    点赞 评论 复制链接分享
  • weixin_39603469 weixin_39603469 4月前

    thanks for your idea(sorry for so long time - I have no idea why I missed your post) - I tested it on my environment, however it doesn't work - still having cleartext issue while using production version. I got a full redirect to https somewhere deep in traefik, so it isn't that thing.

    点赞 评论 复制链接分享
  • weixin_39708708 weixin_39708708 4月前

    I just compared my config to what I previously posted and realized I forgot something critical. The redirect has to be permanent. See my edits above and try that

    点赞 评论 复制链接分享
  • weixin_39708708 weixin_39708708 4月前

    cuz I keep getting my threads mixed up, here's another place I'm discussing this issue where I posted my wallabag service's section in my docker-compose file: https://github.com/wallabag/docker/issues/77#issuecomment-467981907

    点赞 评论 复制链接分享
  • weixin_39811166 weixin_39811166 4月前

    Thank you for linking the issue!

    点赞 评论 复制链接分享