Crivaledaz / Mattermost-LDAP

This module provides an external LDAP authentication in Mattermost for the Team Edition (free).
MIT License

Bare metal, Ubuntu, Nginx, Postgres: Blank page when clicking GitLab button from login page #113

Closed GloriamSemper closed 8 months ago

GloriamSemper commented 8 months ago

I've spent way too many hours on this, so either it's a bug or I am missing something obvious. After clicking on the GitLab button (the button points to "https://mattermost.HIDDEN.com/oauth/gitlab/login") on the login page, it quickly redirects and ends up at "https://mattermost.HIDDEN.com/oauth/access_token" with a completely blank HTML page. I've checked all relevant logs and can't find any errors or even warnings. Mattermost server seems to be working fine and it can be used like normal.

What's going on? HELLLLP :D

OS: Ubuntu Server 22.04.3
Mattermost Version: 9.4.2
  Database Schema Version: 117
  Build Number: 7586560796
  Database: postgres

Mattermost config.json:

    "GitLabSettings": {
        "Enable": true,
        "Secret": "HIDDEN",
        "Id": "HIDDEN",
        "Scope": "",
        "AuthEndpoint": "https://mattermost.HIDDEN.com/oauth/authorize.php",
        "TokenEndpoint": "https://mattermost.HIDDEN.com/oauth/token.php",
        "UserAPIEndpoint": "https://mattermost.HIDDEN.com/oauth/resource.php",
        "DiscoveryEndpoint": "",
        "ButtonText": "Use HIDDEN Account",
        "ButtonColor": "#4A90E2"
    }

Nginx config:

upstream backend {
   server 10.0.1.143:8065;
   keepalive 32;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;

server {
  listen 80 default_server;
  server_name   mattermost.HIDDEN.com;
  return 301 https://$server_name$request_uri;
}

server {
   listen 443 ssl http2;
   server_name    mattermost.HIDDEN.com;
   root /var/www/html;
   index index.php index.html index.htm;

   http2_push_preload on; # Enable HTTP/2 Server Push

   ssl_certificate /etc/letsencrypt/live/mattermost.HIDDEN.com/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/mattermost.HIDDEN.com/privkey.pem;
   ssl_session_timeout 1d;

   # Enable TLS versions (TLSv1.3 is required for the upcoming HTTP/3 over QUIC).
   ssl_protocols TLSv1.2 TLSv1.3;

   # Enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to
   # prevent replay attacks.
   #
   # @see: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
   ssl_early_data on;

   ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:SSL:50m;
   # HSTS (ngx_http_headers_module is required) (15768000 seconds = six months)
   add_header Strict-Transport-Security max-age=15768000;
   # OCSP Stapling ---
   # fetch OCSP records from URL in ssl_certificate and cache them
   ssl_stapling on;
   ssl_stapling_verify on;

   add_header X-Early-Data $tls1_3_early_data;

   location ~ /api/v[0-9]+/(users/)?websocket$ {
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       client_max_body_size 50M;
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-Frame-Options SAMEORIGIN;
       proxy_buffers 256 16k;
       proxy_buffer_size 16k;
       client_body_timeout 60;
       send_timeout 300;
       lingering_timeout 5;
       proxy_connect_timeout 90;
       proxy_send_timeout 300;
       proxy_read_timeout 90s;
       proxy_http_version 1.1;
       proxy_pass http://backend;
   }

   location / {
       client_max_body_size 50M;
       proxy_set_header Connection "";
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-Frame-Options SAMEORIGIN;
       proxy_buffers 256 16k;
       proxy_buffer_size 16k;
       proxy_read_timeout 600s;
       proxy_cache mattermost_cache;
       proxy_cache_revalidate on;
       proxy_cache_min_uses 2;
       proxy_cache_use_stale timeout;
       proxy_cache_lock on;
       proxy_http_version 1.1;
       proxy_pass http://backend;
   }

    location /oauth/gitlab/ {
      client_max_body_size 50M;
      proxy_set_header Connection "";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Frame-Options SAMEORIGIN;
      proxy_buffers 256 16k;
      proxy_buffer_size 16k;
      proxy_read_timeout 600s;
      proxy_cache mattermost_cache;
      proxy_cache_revalidate on;
      proxy_cache_min_uses 2;
      proxy_cache_use_stale timeout;
      proxy_cache_lock on;
      proxy_pass http://backend;
    }

    location /oauth/access_token {
      try_files $uri  /oauth/index.php;
    }

    location /oauth/authorize {
      try_files $uri /oauth/authorize.php$is_args$args;
    }

    location ~ /oauth/.*\.php$ {
      try_files $uri =404;
      fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      #include snippets/fastcgi-php.conf;
      include fastcgi_params;
    }

    location /oauth/ {
      try_files $uri $uri/ =404;
    }
}

# This block is useful for debugging TLS v1.3. Please feel free to remove this
# and use the `$ssl_early_data` variable exposed by NGINX directly should you
# wish to do so.
map $ssl_early_data $tls1_3_early_data {
  "~." $ssl_early_data;
  default "";
}

PHP Server Info:

System | Linux mattermost 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64
-- | --
Build Date | Aug 18 2023 11:41:11
Build System | Linux
Server API | FPM/FastCGI
Virtual Directory Support | disabled
Configuration File (php.ini) Path | /etc/php/8.1/fpm
Loaded Configuration File | /etc/php/8.1/fpm/php.ini
Scan this dir for additional .ini files | /etc/php/8.1/fpm/conf.d
Additional .ini files parsed | /etc/php/8.1/fpm/conf.d/10-opcache.ini, /etc/php/8.1/fpm/conf.d/10-pdo.ini, /etc/php/8.1/fpm/conf.d/20-calendar.ini, /etc/php/8.1/fpm/conf.d/20-ctype.ini, /etc/php/8.1/fpm/conf.d/20-exif.ini, /etc/php/8.1/fpm/conf.d/20-ffi.ini, /etc/php/8.1/fpm/conf.d/20-fileinfo.ini, /etc/php/8.1/fpm/conf.d/20-ftp.ini, /etc/php/8.1/fpm/conf.d/20-gettext.ini, /etc/php/8.1/fpm/conf.d/20-iconv.ini, /etc/php/8.1/fpm/conf.d/20-ldap.ini, /etc/php/8.1/fpm/conf.d/20-pdo_pgsql.ini, /etc/php/8.1/fpm/conf.d/20-pgsql.ini, /etc/php/8.1/fpm/conf.d/20-phar.ini, /etc/php/8.1/fpm/conf.d/20-posix.ini, /etc/php/8.1/fpm/conf.d/20-readline.ini, /etc/php/8.1/fpm/conf.d/20-shmop.ini, /etc/php/8.1/fpm/conf.d/20-sockets.ini, /etc/php/8.1/fpm/conf.d/20-sysvmsg.ini, /etc/php/8.1/fpm/conf.d/20-sysvsem.ini, /etc/php/8.1/fpm/conf.d/20-sysvshm.ini, /etc/php/8.1/fpm/conf.d/20-tokenizer.ini
PHP API | 20210902
PHP Extension | 20210902
Zend Extension | 420210902
Zend Extension Build | API420210902,NTS
PHP Extension Build | API20210902,NTS
Debug Build | no
Thread Safety | disabled
Zend Signal Handling | enabled
Zend Memory Manager | enabled
Zend Multibyte Support | disabled
IPv6 Support | enabled
DTrace Support | available, disabled
Registered PHP Streams | https, ftps, compress.zlib, php, file, glob, data, http, ftp, phar
Registered Stream Socket Transports | tcp, udp, unix, udg, ssl, tls, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3
Registered Stream Filters | zlib.*, string.rot13, string.toupper, string.tolower, convert.*, consumed, dechunk, convert.iconv.*

GloriamSemper commented 8 months ago

Fixed it. It was an issue with the PHP settings in nginx. Changed Nginx config to this:

    location ~ /oauth/.*\.php$ {
        # 404
        try_files $fastcgi_script_name =404;

        # default fastcgi_params
        include fastcgi_params;

        # fastcgi settings
        fastcgi_pass            unix:/run/php/php-fpm.sock;
        fastcgi_index           index.php;
        fastcgi_buffers         8 16k;
        fastcgi_buffer_size     32k;
        fastcgi_hide_header             X-Powered-By;
        fastcgi_hide_header             X-CF-Powered-By;
    }

Reloaded Nginx and it works great. Hope this helps others. Thanks for your work on this project. LDAP was the ONLY thing we wanted from enterprise and did NOT want to pay that price for LDAP auth.
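The thread fixes the blank page by rewriting the `location ~ /oauth/.*\.php$` block but does not say which of the changed settings (socket path, `try_files` variable, include order, the new `fastcgi_hide_header` lines) actually mattered. As an added example, not code from the Mattermost-LDAP project or from the issue author, here is a small Python linter for the settings a reviewer checks in any block that hands requests to PHP-FPM: that `fastcgi_params` (or `fastcgi.conf`) is included, that `SCRIPT_FILENAME` is set somewhere, that a `try_files ... =404` guard is present, that `fastcgi_index` exists, and that `X-Powered-By` is hidden. The "before" and "after" blocks below are copied from the two posts above; the "broken" block is constructed. The note about Ubuntu's packaged `fastcgi_params` setting `SCRIPT_FILENAME` from `$request_filename` (stock nginx.org's does not) is the one distribution-specific assumption in the checker.

```python
"""Lint the PHP-FPM (fastcgi_pass) blocks of an nginx config fragment.

Added example, not code from the Mattermost-LDAP project or the issue author.
Sample inputs: the before/after location blocks from the thread, plus one
constructed broken block.
"""
import re

# One token per match: comment, quoted string, structural char ({ } ;) or bare word.
_TOKEN = re.compile(r'\s*(#[^\n]*|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[{};]|[^\s{};"\'#]+)')
FASTCGI_INCLUDES = ('fastcgi_params', 'fastcgi.conf', 'fastcgi-php.conf')


def tokenize(text):
    """Yield nginx tokens; comments are dropped and surrounding quotes removed."""
    pos = 0
    while True:
        m = _TOKEN.match(text, pos)
        if not m:  # end of input (or an unterminated quote, where we stop)
            return
        pos = m.end()
        tok = m.group(1)
        if tok.startswith('#'):
            continue
        if tok[0] in '"\'' and len(tok) >= 2 and tok[-1] == tok[0]:
            tok = tok[1:-1]
        yield tok


def parse(text):
    """Return nested directives (name, args, children); children is None for a
    simple directive and a list for a block such as server or location."""
    root = block = []
    stack, args = [], []
    for tok in tokenize(text):
        if tok == ';':
            block.append((args[0], args[1:], None))
            args = []
        elif tok == '{':
            child = []
            block.append((args[0], args[1:], child))
            stack.append(block)
            block, args = child, []
        elif tok == '}':
            block = stack.pop()
        else:
            args.append(tok)
    return root


def fastcgi_blocks(directives, path=''):
    """Yield (label, directives) for every block containing fastcgi_pass, at any depth."""
    for name, args, children in directives:
        if children is None:
            continue
        label = f"{path} > {name} {' '.join(args)}".strip(' >')
        if any(n == 'fastcgi_pass' for n, _, _ in children):
            yield label, children
        yield from fastcgi_blocks(children, label)


def lint_block(directives):
    """Return [(severity, message)] for one block that passes requests to PHP-FPM."""
    findings = []
    names = {n for n, _, _ in directives}
    includes = [a for n, args, _ in directives if n == 'include' for a in args]
    params = {args[0] for n, args, _ in directives if n == 'fastcgi_param' and args}
    hidden = {a for n, args, _ in directives if n == 'fastcgi_hide_header' for a in args}
    try_files = [args for n, args, _ in directives if n == 'try_files']
    has_include = any(i.endswith(FASTCGI_INCLUDES) for i in includes)
    # nginx's fastcgi.conf sets SCRIPT_FILENAME; Debian's snippets/fastcgi-php.conf
    # includes it and carries its own "try_files $fastcgi_script_name =404".
    via_snippet = any(i.endswith(('fastcgi.conf', 'fastcgi-php.conf')) for i in includes)
    if not has_include:
        findings.append(('error', 'no fastcgi_params/fastcgi.conf included: PHP-FPM '
                         'receives no REQUEST_METHOD, QUERY_STRING or REMOTE_ADDR'))
    if 'SCRIPT_FILENAME' not in params and not via_snippet:
        if has_include:  # assumption: Ubuntu's fastcgi_params sets it, nginx.org's does not
            findings.append(('note', 'SCRIPT_FILENAME comes only from fastcgi_params: '
                             "Ubuntu's packaged copy sets it from $request_filename, "
                             'the stock nginx.org file does not'))
        else:
            findings.append(('error', 'SCRIPT_FILENAME never set: PHP-FPM cannot '
                             'locate the script to execute'))
    if not any('=404' in t for t in try_files) and not via_snippet:
        findings.append(('warn', 'no "try_files ... =404": requests for .php paths '
                         'that do not exist are still forwarded to PHP-FPM'))
    if 'fastcgi_index' not in names:
        findings.append(('note', 'no fastcgi_index: a request for a directory under '
                         'this location has no script to run'))
    if 'X-Powered-By' not in hidden:
        findings.append(('warn', 'X-Powered-By not hidden: the PHP version is '
                         'disclosed to every client'))
    return findings


def lint(text):
    """Map each fastcgi_pass block label to its findings."""
    return {label: lint_block(block) for label, block in fastcgi_blocks(parse(text))}


# The original block from the issue report (comment line included as posted).
BEFORE = r"""server {
  location ~ /oauth/.*\.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #include snippets/fastcgi-php.conf;
    include fastcgi_params;
  }
}"""
# The block the reporter replaced it with.
AFTER = r"""server {
  location ~ /oauth/.*\.php$ {
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php-fpm.sock;
    fastcgi_index index.php;
    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    fastcgi_hide_header X-Powered-By;
    fastcgi_hide_header X-CF-Powered-By;
  }
}"""
# Constructed: a minimal PHP block that fails every check.
BROKEN = r"""server { location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; } }"""

if __name__ == '__main__':
    for name, cfg in (('before', BEFORE), ('after', AFTER), ('broken', BROKEN)):
        for label, findings in lint(cfg).items():
            print(f"[{name}] {label}")
            for severity, msg in findings or [('ok', 'no findings')]:
                print(f"  {severity}: {msg}")
```

Run against the thread's own blocks, the checker shows that the original already had `SCRIPT_FILENAME`, `fastcgi_params` and a `=404` guard and only lacked the `X-Powered-By` suppression, while the replacement leaves `SCRIPT_FILENAME` to the included `fastcgi_params`; that is worth knowing before copying the fix onto a distribution whose `fastcgi_params` does not set it.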