Closed trombonekenny closed 5 years ago
@trombonekenny I think these are both Apache config/rewrite fixes -- do you know someone who knows how this could be fixed as Apache?
@wadefagen It seems the HTTP and HTTPS requests are sent to the same virtual host/webroot on Apache, since they behave the same, which a standard HTTPS-redirect implementation won't do. I observed that the HTTP request also redirects to Shibboleth directly, rather than simply redirecting to https://edu.cs.illinois.edu/queue.
I believe that keeping port 80 as a separate host and letting it do only one thing, jump to HTTPS, would solve the problem. For details, you could follow some HSTS setup documentation for a safer redirect implementation, but keep in mind: do not add the HSTS header unless you want all sites on the subdomain (which is edu.cs.illinois.edu) to be accessed over HTTPS.
Plus, a sample NGINX config I have used widely for my websites and stuff:

```nginx
# Port 80 does exactly one thing: send the client to the same URL over HTTPS.
server {
    listen 80;
    server_name subdomain.example.com;
    # "permanent" issues a 301; the query string is appended automatically.
    rewrite ^(.*) https://$server_name$1 permanent;
}

# All real content (and any authentication) lives only on the HTTPS host.
server {
    listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    server_name subdomain.example.com;
    ...
```
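An Apache equivalent of the split-host layout described in the comment above, added here as an illustration and not taken from the thread or from the site's real httpd.conf. The certificate paths, the `/queue` location block and the Shibboleth directives are assumptions about how the queue is protected; the `RedirectMatch` line is an assumed fix for the trailing-slash problem mentioned in the issue.

```apache
# Added example, not the site's own configuration.
# Port 80 virtual host: no content, no Shibboleth, only a redirect to HTTPS.
# Redirect (mod_alias) is prefix-based, so /queue/ becomes https://.../queue/.
<VirtualHost *:80>
    ServerName edu.cs.illinois.edu
    Redirect permanent / https://edu.cs.illinois.edu/
</VirtualHost>

# Port 443 virtual host: the only place the application and the SP are wired in,
# so an http:// request is never handed to Shibboleth before being upgraded.
<VirtualHost *:443>
    ServerName edu.cs.illinois.edu
    SSLEngine on
    # Assumed certificate paths; substitute the real ones.
    SSLCertificateFile /etc/ssl/certs/edu.cs.illinois.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/edu.cs.illinois.edu.key

    # Assumed fix for "queue/ needs the trailing slash": send the bare path
    # to the slash form before any auth or proxying happens.
    RedirectMatch permanent ^/queue$ https://edu.cs.illinois.edu/queue/

    # Assumed Shibboleth protection of the queue (Apache 2.4 syntax).
    <Location /queue/>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>

    # Deliberately NOT enabled, per the caveat above: HSTS would force every
    # site under edu.cs.illinois.edu onto HTTPS, not just the queue.
    # Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

The point of the split is that the port-80 host has no `<Location>` or Shibboleth directives at all, so the redirect loop cannot start there: the SP only ever sees requests that already arrived over HTTPS.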
@nicholascw I think an always-HTTPS redirect policy for edu.cs.illinois.edu makes sense, and it may help with the redirect looping. We have examples of Apache httpd.conf stanzas for sites that do this.
Is edu-staging.cs set up with a test queue? If so, I can try the configs there and make sure they work like we expect.
I haven't set up staging since we got the new box.
This should be resolved now. Keeping the issue open for a bit to watch for things, but if nothing pops up we should be good.
If you visit the insecure http://edu.cs.illinois.edu/queue/, it redirects into Shibboleth but then the redirects loop. The page never loads, but you see the URL change as things bounce around.
The https link works, so maybe it's just something broken in how it redirects?
Also, I noticed queue/ needs the trailing slash to work.
Fixing those might make the queue more approachable (especially if you're typing it in as a URL instead of following a link), and it could be done in the Apache configs. Need help with that?