glpi 10.3 doesn't load properly via vpn, version 9.55 works normally

[PatrickLacerda]

Code of Conduct

• [X] I agree to follow this project's Code of Conduct

Is there an existing issue for this?

• [X] I have searched the existing issues

Version

tested on versions 1.0.0.2 , 10.0.0.3

Bug description

GLPI does not carry properly via VPN Forticlient,

the menu does not load correctly, page load failure, call opening, inventory

link format via vpn

https://sslvpn.proxy.com.br:10443/proxy/xxxxxx/http/10.7.8.150/glpi/front/central.php#

In version 9.5.5 GLPI works normally by VPN

Relevant log output

no errors found in the log

Page URL

https://sslvpn.my domain.com.br:10443/proxy/6783aaee/http/10.7.8.150/glpi/front/central.php

Steps To reproduce

network login

access glpi

the screen is frozen, where it is circled are menus or links that do not open

at the link front/helpdesk.public.php?create_ticket=1

does not load category and location options.

without using the vpn glpi works normally

Your GLPI setup information

Operating system: Linux ejavmappglpi002 5.4.0-126-generic #142-Ubuntu SMP Fri Aug 26 12:12:57 UTC 2022 x86_64 PHP 7.4.3 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, apc, apcu, bz2, calendar, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, imap, intl, json, ldap, libxml, mbstring, mysqli, mysqlnd, openssl, pcre, pdo_mysql, posix, readline, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib) Setup: max_execution_time="600" memory_limit="512M" post_max_size="8M" safe_mode="" session.save_handler="files" upload_max_filesize="2M" Software: Apache/2.4.41 (Ubuntu) (Apache/2.4.41 (Ubuntu) Server at 10.7.8.154 Port 80 ) Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Server Software: Ubuntu 20.04 Server Version: 10.3.34-MariaDB-0ubuntu0.20.04.1 Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION Parameters: glpi@localhost/glpi Host info: Localhost via UNIX socket

PHP version (7.4.3) is supported.PHP version (7.4.3) is supported. Sessions configuration is OK.Sessions configuration is OK. Allocated memory is sufficient.Allocated memory is sufficient. mysqli extension is installed.mysqli extension is installed. Following extensions are installed: dom, fileinfo, json, simplexml.Following extensions are installed: dom, fileinfo, json, simplexml. curl extension is installed.curl extension is installed. gd extension is installed.gd extension is installed. intl extension is installed.intl extension is installed. libxml extension is installed.libxml extension is installed. zlib extension is installed.zlib extension is installed. The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present. Database engine version (10.3.34) is supported.Database engine version (10.3.34) is supported. The log file has been created successfully.The log file has been created successfully. Write access to /var/www/html/glpi/files/_cache has been validated. Write access to /var/www/html/glpi/config has been validated. Write access to /var/www/html/glpi/files/_cron has been validated. Write access to /var/www/html/glpi/files has been validated. Write access to /var/www/html/glpi/files/_dumps has been validated. Write access to /var/www/html/glpi/files/_graphs has been validated. Write access to /var/www/html/glpi/files/_lock has been validated. Write access to /var/www/html/glpi/files/_pictures has been validated. Write access to /var/www/html/glpi/files/_plugins has been validated. Write access to /var/www/html/glpi/files/_rss has been validated. Write access to /var/www/html/glpi/files/_sessions has been validated. Write access to /var/www/html/glpi/files/_tmp has been validated. Write access to /var/www/html/glpi/files/_uploads has been validated.Write access to /var/www/html/glpi/files/_cache has been validated. Write access to /var/www/html/glpi/config has been validated. Write access to /var/www/html/glpi/files/_cron has been validated. Write access to /var/www/html/glpi/files has been validated. Write access to /var/www/html/glpi/files/_dumps has been validated. Write access to /var/www/html/glpi/files/_graphs has been validated. Write access to /var/www/html/glpi/files/_lock has been validated. Write access to /var/www/html/glpi/files/_pictures has been validated. Write access to /var/www/html/glpi/files/_plugins has been validated. Write access to /var/www/html/glpi/files/_rss has been validated. Write access to /var/www/html/glpi/files/_sessions has been validated. Write access to /var/www/html/glpi/files/_tmp has been validated. Write access to /var/www/html/glpi/files/_uploads has been validated. Web access to files directory is protectedWeb access to files directory is protected exif extension is installed.exif extension is installed. ldap extension is installed.ldap extension is installed. openssl extension is installed.openssl extension is installed. zip extension is installed.zip extension is installed. bz2 extension is installed.bz2 extension is installed. Zend OPcache extension is installed.Zend OPcache extension is installed. Following extensions are installed: ctype, iconv, mbstring, sodium.Following extensions are installed: ctype, iconv, mbstring, sodium. Write access to /var/www/html/glpi/marketplace has been validated.Write access to /var/www/html/glpi/marketplace has been validated.

Anything else?

no

[cedric-anne]

Hi,

Can you check in the network panel of your browser developper tools (usually opened with F12 key) to see what kind of error prevents resources to be loaded ?

[PatrickLacerda]

Is attached

sslvpn.-1663780323222.log

[cedric-anne]

base.min.js:198 Uncaught SyntaxError: Unexpected token '.'

It means that either this file is corrupted, either your are using an unsupported browser.

Which browser are you using ?

Also, could you provide log from the network panel of your browser developper tools ?

[PatrickLacerda]

when I use glpi without vpn, only local network, it works normally, I tested on different servers, and clean versions of glpi.

a test was performed with linux server without firewall, without folder protection, without any security and even so the problem continued

I've thought about the possibility of some script or ajax being incompatible with this address format

http/10.7.8.150/glpi/front/central.php#

in versions 9.x of glpi they work normally by vpn

full link that the vpn generates

https://sslvpn.mycompany:10443/proxy/213b64ff/http/10.7.8.150/glpi/front/central.php#

log

[AveriasConfo]

Same issue, GLPI 1.0.0.3 and Fortigate 7.0.6. Seems related to dynamic content.

[cedric-anne]

base.min.js:198 Uncaught SyntaxError: Unexpected token '.'

Can you upload here the base.min.js file received by the browser for GLPI 10.0.3 ?

[PatrickLacerda]

unable to open base.js file in browser

[gitdevmod]

Hello,

Could you test without security profiles (IPS, antivirus, etc.) in your fortinet glpi access policy ?

[PatrickLacerda]

When the analyst gives me the feedback about the security profiles I reply

[cedric-anne]

unable to open base.js file in browser

According to your previous screenshot, this file was loaded from browser cache, so you should be able to download it from the etwork panel of your browser console.

[PatrickLacerda]

Is attached

base.min.zip

[cedric-anne]

It seems that Forticlient is not compliant with latest JS features. Indeed, it incorrectly rewrites some parts of JS code, and so breaks most of GLPI javascript driven features.

I get your base.min.js file, beautify it using https://beautifier.io/, do the same with the base.min.js file from the official GLPI release archive, put in on my GLPI to find the piece of code that is broken.

Here is the diff related to this piece of code:

@@ -19362,11 +19362,11 @@
             const Ii = '[data-bs-toggle="button"]';
             const Mi = `click${Pi}${Li}`;
             class $i extends wi {
-                static get NAME() {
-                    return Oi
-                }
-                toggle() {
-                    this._element.setAttribute("aria-pressed", this._element.classList.toggle(Fi))
+                static get fgt_sslvpn.set_attr(NAME() {
+                        return Oi
+                    }
+                    toggle() {
+                        this._element, "aria-pressed", this._element.classList.toggle(Fi))
                 }
                 static jQueryInterface(e) {
                     return this.each((function() {

I guess correct transformation should be:

@@ -19362,11 +19362,11 @@
             const Ii = '[data-bs-toggle="button"]';
             const Mi = `click${Pi}${Li}`;
             class $i extends wi {
                static get NAME() {
                    return Oi
                }
                toggle() {
-                    this._element.setAttribute("aria-pressed", this._element.classList.toggle(Fi))
+                    fgt_sslvpn.set_attr(this._element, "aria-pressed", this._element.classList.toggle(Fi))
                 }
                 static jQueryInterface(e) {
                     return this.each((function() {

This piece of code is located in bootstrap library and uses static and extends keywords are supported by all major browsers, except IE that we do not support anymore, since 2016 (see https://caniuse.com/mdn-javascript_classes_static and https://caniuse.com/mdn-javascript_classes_extends). You should open an issue on Fortinet support and give them the content of my comment. Maybe they will be able to fix it.

A solution could be to make GLPI JS files compatible with ES5, using a library like babel, but this is not something I will do personnally, and I am pretty sure that this is not something that developpers would accept in the GLPI codebase.

[cedric-anne]

Also, maybe you could upgrade to latest FortiOS release. In 7.2.1 release note, there is a 806143 | JavaScript error in SSL VPN web mode. entry in fixed issues list. It is not very precise, but maybe it has something to do with current issue.

[PatrickLacerda]

Thanks for the reply, I will contact support.

[trasher]

No feedback from a while, closing.

[hapctic]

Same issue here. Upgrade to FotiOS 7.2.2 not solved.

[PatrickLacerda]

Any alternative for new tests

[ftoledo]

Hi @PatrickLacerda We are with the same problem Have you contacted forti support?

[hapctic]

Hi @PatrickLacerda We are with the same problem Have you contacted forti support?

Fortinet support did a check and said that the new version of GPLI made complex changes and that SSL VPN Web does not support it. They closed the ticket recommending using Client VPN or publishing GLPI on the web.

[cedric-anne]

Fortinet support did a check and said that the new version of GPLI made complex changes and that SSL VPN Web does not support it.

GLPI is just using ES6 features that are supported by all major browsers since 2016. If there is anything complex here, it is probably Forti's engine which seems hard to upgrade to support a spec that is already 8 years old.

or publishing GLPI on the web.

A company whose business is to provide tools that improve security should not offer this kind of solution. Protecting your GLPI from outside access is a good idea, you should rather consider changing the VPN solution rather than opening your GLPI to the outside.

[ftoledo]

Would some workaround be possible?

[cedric-anne]

Would some workaround be possible?

You could to do your own GLPI build that would use babel to transpile GLPI javascript to ES5, but I am not sure it would fix all cases as there are some javascript that is generated on runtime.