digitalfondue / lavagna

Lavagna: issue tracker/project management tool
http://lavagna.io
GNU General Public License v3.0

Logout disabled on chrome #46

Closed ejouvin closed 7 years ago

ejouvin commented 7 years ago

Installed from the last commit. When I access the application with Chrome, the logout button does nothing.

syjer commented 7 years ago

I'll have a look, thanks for the report

syjer commented 7 years ago

@ejouvin, I'm not able to reproduce the issue.

Could you provide some kind of log of the HTTP traffic of the logout sequence? Do you notice some kind of HTTP errors?

As an example, this is what happens on my side:

[image: logout_sequence]

ejouvin commented 7 years ago

There is no traffic. Clicking on the link does not do anything and only under Chrome.

syjer commented 7 years ago

Which version of Chrome/operating system are you using?

ejouvin commented 7 years ago

Windows & Chrome version 55.0.2883.87 (Build officiel)

In fact, when accessing Tomcat directly, this is OK. When accessing behind a proxy, it failed.

And finally, this is linked to #45

[image: traffic error]

But under Firefox and IE, no problem. Trying to find why I am having a 403 error.

SitoCH commented 7 years ago

I think that you have the same issue as #38, some headers are incorrectly handled by Chrome with your current configuration.

ejouvin commented 7 years ago

Hum, seems to be an SSL related issue. Ok, my SSL configuration is not the best one, because I always have a security alert when accessing the instance.

But when I put the configuration under a non-SSL site, it is OK.

It really seems to be an SSL error when self-signed: http://stackoverflow.com/questions/23404160/why-does-my-wss-websockets-over-ssl-tls-connection-immediately-disconnect-w

But the solution does not solve my error.

Moreover, I found that I have errors when accessing the websocket: a 403 when behind SSL, a 400 when not behind SSL.

So there is also an error in my Apache configuration. Does someone have an example?

SitoCH commented 7 years ago

Did you check the issue #38? It's based on NGINX but I think the problem is the same, make sure you send the right headers through the proxy.

ejouvin commented 7 years ago

I am still stuck. But I think we can close this case because all is a matter of Apache configuration.

Will try again, hope someone will find the solution ;)

ejouvin commented 7 years ago

"Finally" I got it to work, not fully as I expected, but for a first step...

So for those who will have difficulties, here is what I put in my Apache configuration, thanks to reading on http://stackoverflow.com/questions/27526281/websockets-and-apache-proxy-how-to-configure-mod-proxy-wstunnel

        RewriteEngine On
        RewriteCond %{HTTP:Upgrade} =websocket [NC]
        RewriteRule /(.*)           ws://localhost:8080/$1 [P,L]
        #RewriteCond %{HTTP:Upgrade} !=websocket [NC]
        #RewriteRule /(.*)           http://localhost:8080/$1 [P,L]

        ProxyPass /lavagna http://localhost:8080/lavagna
        ProxyPassReverse /lavagna http://localhost:8080/lavagna
        <Proxy http://localhost:8080/lavagna>
                Order allow,deny
                Allow from all
        </Proxy>

I did comment out the second RewriteRule, because this configuration is shared with other applications deployed, and not necessarily in the same Tomcat.

But this will only work when Lavagna is on Tomcat and enabled behind an Apache in HTTP, not in HTTPS.

I will have to study in order to deploy it under SSL; maybe I need to activate SSL on Tomcat also.

I close the issue.

syjer commented 7 years ago

@ejouvin thanks for the comment, we will add your configuration in the documentation :)

SitoCH commented 7 years ago

Did you try wss://localhost:8080/$1 instead of ws://localhost:8080/$1? When using SSL you have to make sure that you are using it on HTTPS but also on WSS.

ejouvin commented 7 years ago

@SitoCH Yes I did try, but no chance. But it does not mean it does not work :laughing: because I did many tries and sometimes I missed some details.

I will give it a try later. Later is almost 5 minutes in fact and no, it does not work currently. But I am pretty sure it is because I have to set up something on Tomcat.

ejouvin commented 7 years ago

@syjer Thanks. But it was done "quickly" and I did not try to optimize the configuration. Three days to get it to work (I understand nothing about Apache, this is out of my scope) and when it finally works, I stop.

ejouvin commented 6 years ago

1 year since I tried to find a solution. Today, I did try to work on it, because I now have a "correct" certificate.

I found a way to make it work on HTTPS for the Apache server, but deployed on HTTP in Tomcat.

Careful, I changed one other thing... I removed the sub-URI /lavagna, to make it accessible through the root URI, but not all mandatory configuration is put in the following extract.

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)            wss://localhost:8080/lavagna/$1 [P,L]

    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyPass /.well-known !
    ProxyPassReverse /.well-known !
    ProxyPass /robots.txt !
    ProxyPassReverse /robots.txt !

    ProxyPass / http://localhost:8080/lavagna/
    ProxyPassReverse / http://localhost:8080/lavagna/
    ProxyPassReverseCookiePath  /lavagna /
    AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/html
    Substitute "s|<base href=\"/lavagna/\">|<base href=\"/\">|n"
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

The important part was the wss redirection and the request header modification, for proto and port.

SitoCH commented 6 years ago

Perfect, thank you for posting the proxy configuration because at the moment we had only samples for NGINX and it may be really useful for other users.

ejouvin commented 6 years ago

Full proxy configuration for proxy with HTTPS

    <VirtualHost *:443>
        ServerAdmin contact-email@dummy.net
        ServerName www.lavagna.dummy.net
        DocumentRoot /var/www/lavagna/
        DirectoryIndex index.html

        Header edit Location login\?reqUrl=%2Flavagna%2F login?reqUrl=%%2F
        Header edit Location ^/lavagna/ /

        LogLevel warn
        ErrorLog ${APACHE_LOG_DIR}/lavagna_ssl_error.log
        CustomLog ${APACHE_LOG_DIR}/lavagna_ssl_access.log combined

        SSLEngine on
        SSLCertificateFile         /etc/cert/cert.pem
        SSLCertificateKeyFile      /etc/cert/privkey.pem
        SSLCertificateChainFile    /etc/cert/chain.pem
        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCompression off
        SSLOptions +StrictRequire
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

        <Directory /var/www/lavagna>
            Options -Indexes +FollowSymLinks
            AllowOverride None
            Require all granted
        </Directory>

        AllowEncodedSlashes NoDecode

        RewriteEngine On
        RewriteCond %{HTTP:Upgrade} =websocket [NC]
        RewriteRule /(.*)            ws://localhost:8080/lavagna/$1 [P,L]

        SSLProxyEngine on
        ProxyPreserveHost On
        ProxyPass /robots.txt !
        ProxyPassReverse /robots.txt !

        ProxyPass / http://localhost:8080/lavagna/
        ProxyPassReverse / http://localhost:8080/lavagna/
        ProxyPassReverseCookiePath  /lavagna /
        AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/html
        Substitute "s|<base href=\"/lavagna/\">|<base href=\"/\">|n"
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
    </VirtualHost>

In this case, Lavagna is deployed on Tomcat, on the same server as Apache, and accessible through http://localhost:8080/lavagna

The proxy configuration made Lavagna enabled under https://www.lavagna.dummy.net. It would be easier if I wanted to have https://www.dummy.net/lavagna.

A "root" folder is created under /var/www/lavagna, where I put a file robots.txt.

For websocket, the trick is there

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)            wss://localhost:8080/lavagna/$1 [P,L]

For the robots.txt file, use a directive in order to serve the file from the root folder.

    ProxyPass /robots.txt !
    ProxyPassReverse /robots.txt !

Proxy redirect for the other.

    ProxyPass / http://localhost:8080/lavagna/
    ProxyPassReverse / http://localhost:8080/lavagna/
    ProxyPassReverseCookiePath  /lavagna /

Because I expose Lavagna under a sub domain, many things to do. First, change headers.

    Header edit Location login\?reqUrl=%2Flavagna%2F login?reqUrl=%%2F
    Header edit Location ^/lavagna/ /

The first one is for the login page. The redirect URL in argument must be (human readable) reqUrl=/ and not reqUrl=/lavagna/ (because the root location in Tomcat is /lavagna). The second one changes the Location directive from /lavagna/... to /...

The most tricky part was to modify one directive in the HTML. Bad news is that it required to "unzip", modify the content and then zip.

    AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/html
    Substitute "s|<base href=\"/lavagna/\">|<base href=\"/\">|n"

In this case, I replace <base href="/lavagna/"> by <base href="/">. Like this, all CSS and JavaScript calls will be on the correct location.

And finally I had to change the request header to force the HTTPS. Without this, websocket will fail.

    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

Hope this will help.
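A small lint for the two points this thread ends on, the WebSocket upgrade target and the forwarded proto/port headers, added here as an example; it is not Lavagna's or any poster's code, and `lint_proxy` and its finding names are hypothetical. It treats a `wss://` rewrite target paired with an `http://` ProxyPass backend as a mismatch, because `wss://` tells mod_proxy to open TLS to the backend; the thread shows both `ws://` and `wss://` against the same plain-HTTP Tomcat.

```python
import re

# Constructed sample built from directives posted in this thread:
# TLS terminated by Apache, Tomcat reached over plain HTTP on localhost:8080.
SAMPLE = """\
SSLEngine on
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*)            wss://localhost:8080/lavagna/$1 [P,L]
SSLProxyEngine on
ProxyPass / http://localhost:8080/lavagna/
ProxyPassReverse / http://localhost:8080/lavagna/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
"""

def directives(conf):
    """Return (lowercased name, argument string) for each directive line."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, args = line.partition(" ")
            out.append((name.lower(), args.strip()))
    return out

def lint_proxy(conf):
    """Return finding codes (hypothetical names) for a reverse-proxy vhost."""
    d, findings = directives(conf), []
    # Scheme Apache uses towards the backend for ordinary requests.
    http = {m.group(1) for n, a in d if n == "proxypass"
            for m in [re.search(r"\b(https?)://", a)] if m}
    # Scheme used for proxied WebSocket upgrades (rewrite targets).
    ws = {m.group(1) for n, a in d if n == "rewriterule"
          for m in [re.search(r"\b(wss?)://", a)] if m}
    if not ws:
        findings.append("no-websocket-upgrade-rule")
    # ws:// pairs with an http:// backend, wss:// with an https:// backend.
    want = {"ws" if s == "http" else "wss" for s in http}
    if ws and want and ws != want:
        findings.append("ws-scheme-mismatch")
    # A TLS front end must tell the backend the external scheme and port.
    if ("sslengine", "on") in [(n, a.lower()) for n, a in d]:
        hdrs = {a.split()[1].lower() for n, a in d
                if n == "requestheader" and len(a.split()) > 2
                and a.split()[0].lower() == "set"}
        findings += ["missing-" + h for h in
                     ("x-forwarded-proto", "x-forwarded-port") if h not in hdrs]
    return findings
```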