globaleaks / globaleaks-whistleblowing-software

GlobaLeaks is a free and open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org
1.25k stars, 275 forks

Problem with HTTPS redirect loop in a HTTP only installation #3731

Open robertlogos opened 1 year ago

robertlogos commented 1 year ago

What version of GlobaLeaks are you using?

4.13.15

What browser(s) are you seeing the problem on?

All

What operating system(s) are you seeing the problem on?

Linux

Describe the issue

After upgrading from 4.11.5 to 4.13.15, a GL installation that runs behind a gateway (the gateway handles certs and SSL traffic termination; traffic from the gateway to GL is HTTP only) gets into an infinite HTTPS redirection loop, which causes a browser error.

I found the root cause in backend/globaleaks/rest/api.py, where the https_enabled flag is no longer checked in the should_redirect_https() function. Patching it avoids the loop problem, but I still can't log into the admin area.

4.13.15

    def should_redirect_https(self, request):
        if request.isSecure() or \
                request.hostname.endswith(b'.onion') or \
                b'acme-challenge' in request.path:
            return False

        return True

4.11.5

    def should_redirect_https(self, request):
        if (State.tenants[1].cache.https_enabled or
            State.tenants[request.tid].cache.https_enabled) and \
           not request.isSecure() and \
           request.client_ip not in State.settings.local_hosts and \
           b'acme-challenge' not in request.path:
            return True

        return False

Proposed solution

Allow HTTP-only installations by honouring the https_enabled flag, for testing purposes or for architectures where certs and SSL traffic are handled by other components of the architecture.

evilaliv3 commented 1 year ago

@robertlogos : The current version of globaleaks always implements HTTPS.

Please ensure that your proxy is connecting to port 443 or 8443 of the server running globaleaks

robertlogos commented 1 year ago

Thanks for your feedback Giovanni, I understand it as a design principle (it's a pity because it prevents the use of GL in certain use case scenarios), but since there are still references to https_enabled as a decision criterion in the code, it would be very useful to have them removed for a full HTTPS-only understanding.

evilaliv3 commented 1 year ago

Thank you @robertlogos

Which are the scenarios that you consider are no longer possible?

Regarding the references to https_enabled, you are right, there are some parts to be updated. Will proceed right away. Thank you for pointing this out.

robertlogos commented 1 year ago

The original scenario which caused the problem: GL running behind a gateway which handles certs and cyphered traffic (SSL termination) with the traffic between gateway and GL in plain HTTP.

User ------ [HTTPS] ----- Gateway ----- [HTTP] ----- GlobaLeaks

This worked before the version upgrade thanks to the https_enabled flag logic. It would be very useful to have HTTP as an option, even for testing and development purposes.
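The loop described in the first post and in the diagram above, modelled as an added example that is not GlobaLeaks code: the two policy functions mirror the 4.13.15 and 4.11.5 `should_redirect_https()` snippets quoted earlier in the thread, while `Request`, `TenantConfig`, `Settings`, the gateway address `10.0.0.2`, the hostname `leaks.example` and the redirect limit are constructed stand-ins. The simulation shows why a backend that never sees TLS itself (the gateway terminates it) redirects forever under the unconditional policy, and why the older flag-based policy lets the deployment work.

```python
"""Redirect-loop model for a TLS-terminating gateway in front of an HTTP-only backend.

Added illustration, not GlobaLeaks code. Only the two policy functions follow the
snippets quoted in the issue; every other name here is a constructed stand-in.
"""
from dataclasses import dataclass, field

# Constructed limit: roughly what browsers tolerate before reporting a redirect loop.
MAX_REDIRECTS = 20


@dataclass
class Request:
    """Minimal stand-in for the request object the quoted code inspects."""
    hostname: bytes
    path: bytes
    is_secure: bool      # True only when TLS terminates on the backend process itself
    client_ip: str
    tid: int = 1         # tenant id; 1 is the root tenant in the quoted code


@dataclass
class TenantConfig:
    https_enabled: bool


@dataclass
class Settings:
    # Constructed stand-in for State.settings.local_hosts
    local_hosts: set = field(default_factory=lambda: {"127.0.0.1", "::1"})


def redirect_always(req: Request, tenants: dict, settings: Settings) -> bool:
    """4.13.15 policy: redirect every plain-HTTP request except .onion hosts and ACME challenges."""
    if req.is_secure or req.hostname.endswith(b".onion") or b"acme-challenge" in req.path:
        return False
    return True


def redirect_if_https_enabled(req: Request, tenants: dict, settings: Settings) -> bool:
    """4.11.5 policy: redirect only when HTTPS is enabled for the root or request tenant,
    the connection is plain, the client is not a local host and the path is not an ACME challenge."""
    if (tenants[1].https_enabled or tenants[req.tid].https_enabled) and \
       not req.is_secure and \
       req.client_ip not in settings.local_hosts and \
       b"acme-challenge" not in req.path:
        return True
    return False


def browse_through_gateway(policy, tenants: dict, settings: Settings,
                           hostname: bytes = b"leaks.example", path: bytes = b"/"):
    """Simulate User --[HTTPS]--> Gateway --[HTTP]--> backend.

    The gateway terminates TLS, so every request reaching the backend has is_secure=False,
    whatever scheme the user typed, and the gateway's own address is the client_ip.
    A redirect to https:// is followed by the browser, lands on the gateway again and
    arrives at the backend as plain HTTP once more.
    Returns ("page", hops) when the backend finally serves content, ("loop", hops) otherwise.
    """
    hops = 0
    while hops < MAX_REDIRECTS:
        hops += 1
        req = Request(hostname=hostname, path=path, is_secure=False, client_ip="10.0.0.2")
        if policy(req, tenants, settings):
            continue  # 301 to https://..., browser retries via the gateway
        return "page", hops
    return "loop", hops


if __name__ == "__main__":
    http_only = {1: TenantConfig(https_enabled=False)}
    print("4.13.15 behind gateway:", browse_through_gateway(redirect_always, http_only, Settings()))
    print("4.11.5 behind gateway: ", browse_through_gateway(redirect_if_https_enabled, http_only, Settings()))
```

Running the simulation reproduces the thread: `redirect_always` never serves a page behind the gateway because `is_secure` is false on every hop, while `redirect_if_https_enabled` serves it on the first hop when `https_enabled` is off (and loops the same way once the flag is on, which is exactly the situation the flag existed to distinguish). The defensive takeaway matches the maintainer's reply: a backend that cannot observe the client's scheme must either receive TLS itself (proxy to 443 or 8443) or be explicitly configured for an HTTP-only deployment; inferring the scheme from forwarded headers is only safe when those headers are set by a trusted proxy and stripped from client input.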

evilaliv3 commented 1 month ago

@robertlogos : Are you still encountering issues?

Do you think this ticket could be closed, or would you like to advise some software improvements on this matter?