0
Under review

https to http redirect issue while behind a reverse proxy. (ver 2.0.2)

Ray Rawls 1 year ago • updated by David Bakker 6 days ago 10

So testing out the new version! looks slick, thanks for all the work on the new version!


So I run my ubooquity site behind a proxy because reasons, only 80 and 443 work for me.  Anyway when I load the page via (https:/mysite.com/) and login From the landing page i can click on Latest comics with no issue the page loads all is great. When I click on my comic root (Comic) it redirects me to a (http://mysite.com/comics/1/) dropping the https:// (i can manually put in https://mysite.com) and all works as expected.  For some reason it just drops the https:// opening that link.

Hi,

I would expert proxy settings more than ubooquity here.

I run 2.0.x since weeks behind apache as proxy (WAN access via https, proxy on LAN via http) and everything runs well.


Which proxy do you use ? Was it working before with v1.x?

I'm using an apache proxy with these settings below, edits for privacy sake. As for 1.0 I wasn't running a proxy, this is a new setup at the moment. I could try the 1.0 though. 


<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin Email@somewhere.com
                ServerName comicsdb.places.com
                DocumentRoot /var/www/html
                #LogLevel info ssl:warn

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on

                #   A self-signed (snakeoil) certificate can be created by installing
                #   the ssl-cert package. See
                #   /usr/share/doc/apache2/README.Debian.gz for more info.
                #   If both key and certificate are stored in the same file, only the
                #   SSLCertificateFile directive is needed.
                SSLCertificateFile      /etc/letsencrypt/live/places.com/cert.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/places.com/privkey.pem

                #   Server Certificate Chain:
                #   Point SSLCertificateChainFile at a file containing the
                #   concatenation of PEM encoded CA certificates which form the
                #   certificate chain for the server certificate. Alternatively
                #   the referenced file can be the same as SSLCertificateFile
                #   when the CA certificates are directly appended to the server
                #   certificate for convinience.
                SSLCertificateChainFile /etc/letsencrypt/live/bastmail.net/chain.pem

                #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                ProxyPreserveHost On
                ProxyPass / http://127.0.0.1:2202/
                ProxyPassReverse / http://127.0.0.1:2202/

        </VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet


Other than the redirect to http on selecting my root folder everything works as expected. 

Thanks Matthieu

Compared to mine, I miss a "SSLProxyEngine on" in yours. Could you try?

Which would fit with your symptom, isn't-it? :-)


If that does not help, try also to add a reverse proxy prefix:

- in ubooquity admin panel > advanced (mine is "comics")

- in your proxy settings, to reach something like:

ProxyPass /comics http://192.168.0.1:2202/comics

ProxyPassReverse /comics http://192.168.0.1:2202/comics

(I remember some tricky nasty stuff about ending "/" added or missing...)

So I added the "SSLProxyEngine on" with no impact either good or negative.  Then I tried with proxy settings for a prefix and that broke things.


I then unchecked the box for single root folder, which is comics for me.  So I login and I see Comics with the balloon icon.  Then I click comics (my single root folder) again and now the https is staying persistent for me.  So interesting so in my file structure I have a single root folder called comics then I have DC, Marvel etc under that, for some reason when the option for "Bypass single root folder" is enabled it breaks https: from staying persistent when comics is clicked on and redirected to http:  


Hope I explained that well! :) 

Ray, I would take the assumption that you restarted/reloaded apache after changing the proxy settings. But could you please confirm? :-)


If yes, then I would handover to Tom, as it would more look like an ubooquity issue.

However note that on my side I have the "bypass single root folder" setting active in ubooquity and working like a charm.


Now that it works, can you re-active this ubooquity settings, check the results & advise?

+1

Oh I've patched and rebooted since then.  When I inspect the element via dev tools I do see that its trying to go to <a href="/comics/" id="comics">Comics</a>. (Or https://mysite.com/comics).


But when clicking on the link its redirected without a HTTPS to http://mysite.com/comics/1/ after I click on it.  Might not like the fact that my comics root is comics, but that is just a guess...


Thanks for trying to help :)

+1
Under review

The "bypass single root folder" feature works by sending a HTTP 302 (temporary redirection) that sends your browser directly to your single folder.

Hence the translation from /comics/ to /comics/1/.


I don't understand why the protocol changes due to this redirection (when tested on my side, I kept the HTTPS).

For now, I think the problem is linked to your proxy settings somehow. But let me know if you have any additional info/ideas, we'll keep digging.


(NB: naming your root folder "comics" is not a problem, Ubooquity uses ids for folder (in your case: "1")).

Thanks for the info Tom, I'll keep digging on my side as well. I'll let you know if I can find anything in regards to how a 302 is being handled and if I need a configuration change on the conf file.  


I have the same issue, since ubooquity is running unsecure http behind my reverse proxy the redirect to http makes sense for the apps point of view. Is there a way so it does not redirect to http but force https? conf parameter maybe or something? thank you in advance.

+1

Talk about bringing an old post to life! I had the same issue and fixed it with this in nginx:

proxy_redirect http:/my.site.com/ https://my.site.com/;


Once i did that the 302s worked with https links. My config looks like this


location / {
proxy_pass http://127.0.0.1:2202/;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto "https";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http://my.site.com/ https://my.site.com/;

}