Closed st5000 closed 3 years ago
st5000
commented
4 years ago I specify that haproxy was configured to be compliant to Yii trusted proxies and headers defaults :
The IP is sent by the proxy in the X-Forwarded-For header by default, and the protocol (http or https) is sent in X-Forwarded-Proto.
https://www.yiiframework.com/doc/guide/2.0/en/runtime-requests#trusted-proxies
luke-
commented
4 years ago Can you find anything related to this in the Yii2 forum/issues?
st5000
commented
4 years ago 5 search results with "haproxy" keyword but nothing relevant to this issue. No specific documentation concerning this type of implementation can be found on their website.
I'm pretty sure the root cause is close to the fact that always the same IP address (that of the proxy) is presented to HH/Yii. Something must be wrong/in conflict between X-Forwarded-For and/or X-Forwarded-Host tags and auth/session mechanism in HH.
luke-
commented
4 years ago In HumHub we do not currently use the client IP address anywhere.
Users are mapped according to their session ID (cookie). The only reason I can see is that the proxy somehow cache/mix this cookie.
st5000
commented
4 years ago You already said that and I have evaluated this hypothesis for a long time by playing with/without haproxy cookie interaction (cookie persistence, stick table, only one backend, etc.)
It's been a fact for several months and dozens of configurations flavor later: haproxy never cached/mixed cookies of all other php applications who are behind.
So why would he do cache or mix cookies only with Humhub ? Nonsense, this issue is elsewhere.
I repeat, you should take the time to try it with the community website.
luke-
commented
4 years ago We manage several hundred installations including the community site behind SSL termination/caching/ha proxies.
I am not familiar with HAProxy, but the problem must be with your configuration.
buddh4
commented
3 years ago Can be closed?
profzelonka
commented
1 year ago In HumHub we do not currently use the client IP address anywhere.
Users are mapped according to their session ID (cookie). The only reason I can see is that the proxy somehow cache/mix this cookie.
I'm actively encountering this issue as well. It's a dangerous one, members are logged in as my admin account. :\ And the only way to resolve it is to delete cookies/site data on EACH affected machine! I'm using Nginx Proxy Manager docker - if you are right on the proxy caching assets and creating this issue, and I hope you are, as I just disabled the "Cache Assets" option. Time will tell if any of my members will encounter it again and let me know, of if I find my admin account deleted one day by a troll. :\
If there's anything I can add to the Custom Nginx Configuration that you think might help, I'd appreciate something to try..
ArchBlood
commented
1 year ago In HumHub we do not currently use the client IP address anywhere. Users are mapped according to their session ID (cookie). The only reason I can see is that the proxy somehow cache/mix this cookie.
I'm actively encountering this issue as well. It's a dangerous one, members are logged in as my admin account. :\ And the only way to resolve it is to delete cookies/site data on EACH affected machine! I'm using Nginx Proxy Manager docker - if you are right on the proxy caching assets and creating this issue, and I hope you are, as I just disabled the "Cache Assets" option. Time will tell if any of my members will encounter it again and let me know, of if I find my admin account deleted one day by a troll. :\
If there's anything I can add to the Custom Nginx Configuration that you think might help, I'd appreciate something to try..
Please refer to the following forum post on HAProxy;
https://discourse.haproxy.org/t/mixed-content-warning-when-using-https/981
As already mentioned in #3867, auth/sessions management is problematic when Humhub is behind an SSL termination proxy.
I tried dozens of configurations approaches and workarounds on haproxy, tested with apache and nginx, also with multiple versions of PHP, even with dedicated php-fpm process for Humhub.
All the other applications behind this setup runs always normally with all these configurations while Humhub bug each time when 2 or more different users are logged. Users posts are mixed up and it's unmanageable.
Definitely NOT a setup/config problem but HumHub auth/session mechanism conflict with SSL termination proxy.
You should put community instance behind similar setup to be able to reproduce this issue.
Additional info