mirror of
https://github.com/actualbudget/actual.git
synced 2026-07-12 05:00:59 -05:00
[GH-ISSUE #2793] [Bug]: Service Worker preventing correct execution of bootstrap when using NGINX reverse proxy #70855
Closed
opened 2026-05-16 09:17:53 -05:00 by GiteaMirror
·
21 comments
No Branch/Tag Specified
master
claude/react-compiler-monorepo-jbhsb1
claude/chatgpt-desktop-agent-hooks-ib8wn5
claude/vrt-skill-actual-82z29h
tabedzki/feat/replacing-month-picker-with-day-picker
enforce-append-only-migrations-ci
delay-initial-sync-until-loaded
jfdoming/mobile-app-build
claude/error-codes-worker-boundary-26i5uu
jfdoming/api-tokens-part-1
jfdoming/api-tokens-part-2
jfdoming/api-tokens-part-3
jfdoming/mobile-app-updates
ai/simplify-categories-get-api
api-browser-custom-data-dir
claude/budget-version-migration-compat-151jlr
claude/worker-error-serialization-9iqtl7
claude/react-table-library-research-afx83z
claude/issue-8401-regression-test-9nw9l3
jfdoming/mobile-app-foundation-part-1
jfdoming/mobile-app-scaffold
release
ai-fix-cleanup-def-8290
claude/relaxed-shannon-jusywa
claude/fervent-keller-s6f2fq
claude/determined-feynman-st1y9z
claude/wizardly-einstein-vi2wce
claude/sweet-albattani-7nseio
feat/bank-sync-per-budget-file
claude/affectionate-cannon-y0kc82
claude/dependabot-findings-m9pgmb
claude/mac-app-ios-publish-zjs1lz
claude/vigilant-tesla-aiiyos
depot-migrate-secrets-1781296330308
claude/quirky-cerf-v5qck7
claude/animation-removal-alternative-2etfh1
claude/netlify-preview-comments-consolidate-9XPYa
osc/7391-error-boundaries-reports
claude/pensive-dijkstra-7DYui
claude/server-app-version-mismatch-HTCGv
claude/pr-8027-review-feedback-mELuO
claude/zealous-wozniak-e5pO0
claude/intelligent-heisenberg-BSHJq
claude/translation-download-refactor-jFRsO
claude/mobile-performance-ideas-G9PAO
claude/github-issue-7988-5A5ly
blacksmith-migration-ff70d2d
claude/great-mayer-KRvOk
claude/react-native-ios-compilation-fcJh5
claude/serene-goldberg-58xv0
claude/kind-euler-LVG3K
release-automation/edge-nightly
7710-bundle-migrations
claude/fix-docker-build-error-WMfed
claude/llm-compatible-release-notes-t20Nr
7710-tests-tdd
cursor/transaction-table-rewrite-f077
claude/plan-ci-secure-context-OtEe1
claude/fix-issue-7667-DPXi3
cursor/resolve-pr-7449-ee11
claude/fix-typescript-build-error-JPtZ5
copilot/add-repository-configs-to-packages
worktree-compressed-drifting-ritchie
claude/api-consumer-verification-kfz1K
pr-7454
claude/fix-issue-7410-LLLQ4
revert-7281-generate-icons
react-query-useSchedules
copilot/sub-pr-6140
package-upgrades
v26.7.0
v26.6.0
v26.5.2
v26.5.1
v26.5.0
v26.4.0
v26.3.0
v26.2.1
v26.2.0
v26.1.0
v25.12.0
v25.11.0
v25.10.0
v25.9.0
v25.8.0
v25.7.1
v25.7.0
v25.6.1
v25.6.0
v25.5.0
v25.4.0
v25.3.1
v25.3.0
v25.2.1
v25.2.0
v25.1.0
v24.12.0
v24.11.0
v24.10.1
v24.10.0
v24.9.0
v24.8.0
v24.7.0
v24.6.0
v24.5.0
v24.4.0
v24.3.0
v24.2.0
v24.1.0
v23.12.0
v23.11.0
v23.10.0
v23.9.0
v23.8.1
v23.8.0
v23.7.2
v23.7.1
v23.7.0
v23.6.0
v23.5.0
v23.4.2
v23.4.1
v23.4.0
v23.3.2
v23.3.0
v23.2.9
v23.2.5
v23.1.12
v22.12.9
Labels
Clear labels
AI generated
API
bank sync
budgeting
bug
can’t replicate
dependencies
docker
documentation
electron
experimental feature
feature
feedback
goal templates
good first issue
help wanted
importers
maintenance
needs info
needs testing
needs triage
needs votes
openid
payees
pull-request
regression
reports
responsive
rules
schedules
server
✨ merged
split transactions
tech debt
tech-support
theme
transaction import
transaction reconciliation
transactions
translations
upstream
user interface
✅ approved
wontfix
Mirrored from GitHub Pull Request
No Label
bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/actual#70855
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @andreygal on GitHub (May 23, 2024).
Original GitHub issue: https://github.com/actualbudget/actual/issues/2793
Verified issue does not already exist?
What happened?
Thank you for developing this fantastic project! However, I've encountered a problem with the service worker when passing the connection through an nginx reverse proxy. When the server is accessed directly, everything functions without issues. However, when the connection is proxied, the resources load, but the loading script fails to start. If the sw.js is unregistered, the page then loads correctly.


Where are you hosting Actual?
Docker
What browsers are you seeing the problem on?
Chrome, Microsoft Edge, Desktop App (Electron), Other
Operating System
Windows 10
@VoltaicGRiD commented on GitHub (May 24, 2024):
I was just having a similar issue setting up my reverse proxy for a VPN tunnel for my own setup, can you share a redacted copy of your NGINX configuration file for this site (and the regular
nginx.conffile that you have if you have modified it from the default). I'm curious enough to work on finding a solution for this as a new contributor (if at all possible).@andreygal commented on GitHub (May 25, 2024):
nginx.conf***
user nginxuser;
worker_processes 1;
error_log /var/log/nginx/error.log;
error_log /var/log/nginx/error.log notice;
error_log /var/log/nginx/error.log info;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
server_tokens off;
add_header X-Frame-Options "SAMEORIGIN";
}
ssl_settings.conf*******
server {
listen [::]:443 ssl;
listen 443 ssl;
http2 on;
server_name actual.myserver.com;
}
Mutual TLS redirect for Actual
server {
listen [::]:port ssl;
listen port ssl;
http2 on;
server_name mtls.myserver.com;
}
@safehome-jdev commented on GitHub (Jun 9, 2024):
Is there a particular requirement for predetermining the default
Content-Typeheader? It could be this is inferring a differentContent-Typeand causing your headaches@safehome-jdev commented on GitHub (Jun 9, 2024):
Here's more specifically about the
default_typemodule.@andreygal commented on GitHub (Jun 9, 2024):
Thank you so much for taking a look. Will try to implement and see if it helps.
On June 8, 2024 9:15:30 PM EDT, safehome-jdev @.***> wrote:
@Towerism commented on GitHub (Jun 23, 2024):
I have a similar problem. My problem is that I am reverse proxying and using authentik as SSO. When authentik login session expires, actual breaks, I suppose because the service worker bypasses the reverse proxy.
I got around this, by updating my reverse proxy with a directive that responds to the path /registerSW.js with a 404. This prevents the service worker from ever starting.
Obviously this is not ideal, as now actual will not work without an internet connection. But at least without the service worker, the application will redirect me to my SSO instead of breaking.
@safehome-jdev commented on GitHub (Jun 23, 2024):
@Towerism Are you able to post your NGINX config for this? As well as any browser errors/failure responses from your browser's console and network tools for when a login expires?
A quick search shows that workers do not retry upon failure, which checks out so far.
@Towerism commented on GitHub (Jun 23, 2024):
Sure I’d be happy to. ’m using caddy which has a lot going on in it due to
other stuff that I’m hosting. I’ll take some time to put together a more
minimal docker compose and caddy file and share it here.
On Sun, Jun 23, 2024 at 01:32 safehome-jdev @.***>
wrote:
@Towerism commented on GitHub (Jun 23, 2024):
@safehome-jdev, when my auth endpoint is queried via fetch, it is giving cors errors. So it seems that the error is something I should be able to work out on the authentik configuration side.
@safehome-jdev commented on GitHub (Jun 23, 2024):
Ah, you'll need to add something like the following to allow auth requests from your domain name to Authentik's auth servers:
Change the asterisk in
Access-Control-Allow-Originto yourreferrerheader from your request headers in your browser's network tools. That should get you what you need 👍🏼@Towerism commented on GitHub (Jun 23, 2024):
@safehome-jdev I could try that, but I believe what's going on is that the fetch to /authorize results in a redirect, so the preflight request has ERR_INVALID_REDIRECT. So authentik is expecting the application to navigate to the authorize url rather than make an XHR request. I think?
@Towerism commented on GitHub (Jun 23, 2024):
@safehome-jdev i was able to get caddy to handle cors properly. However, this didn't fix the issue that with authentik configured in caddy using forward_auth, actual tries to use an XHR request instead of navigating.
Error from service worker in the console:
@Towerism commented on GitHub (Jun 23, 2024):
@safehome-jdev I just realized what's happening. i have caddy configured to redirect to authentik. the service worker is serving the page, completely bypassing caddy. in this case, the service worker tries to authenticate with actual-server but is redirected to authentik instead since the cookie expired. I think I just have to disable the service worker in my case in order to have authentik work correctly.
@mdelpire commented on GitHub (Jul 12, 2024):
@Towerism were you able to solve the issue you have with authentik? I have the same issue. Using actual budget with Nginx Proxy Mnager and Authentik. If yes, could you explain how?
Thanks a lot
@Towerism commented on GitHub (Jul 12, 2024):
@mdelpire i did not solve this directly. I’m using a workaround currently where I intercept the request to load the service worker and return a 404 not found.
@mdbell commented on GitHub (Aug 13, 2024):
While not directly related to this issue, I was also able to get the "Sign Out" button to actually sign me out of Authentik by replacing
registerSW.jswith:And then using it with the following location directive in nginx:
I imagine there's a better way to do this by building actual myself, but this is a quick fix for me.
@TimQuelch commented on GitHub (Aug 18, 2024):
I've opened https://github.com/actualbudget/actual/pull/3286 with a workaround for this.
@alexyao2015 commented on GitHub (Oct 12, 2024):
@TimQuelch
Just updated to 24.10.1 which includes #3286 and still seem to experiencing the same issue. Did some quick digging and it seems like this kcab.worker.js script is attempting to pull from /sync but it isn't reloading. Manually calling the reload code from that PR from the console does work, meaning that there are probably some other places that need to be hooked with the force reload code.
@TimQuelch commented on GitHub (Oct 27, 2024):
I can't seem to reproduce this. Mine is now refreshing correctly when sync is redirected. Are you sure your client has updated and is using the new version? Try clearing caches and refreshing.
@alexyao2015 commented on GitHub (Oct 28, 2024):
Pretty sure it was. I've since disabled the sw again using nginx rules, but I had checked the mangled sources in Firefox and could see it was the updated version.
@matt-fidd commented on GitHub (Jun 5, 2025):
I believe this should now be fixed, please reopen if you're still having trouble