HTTPS URL converted to HTTP?

[saric]

I'm using Apache (https) as reverse proxy to Redmine Nginx+Passenger (http). When I try to upload my public ssh key using redmine_git_hosting plugin, or when admin wants to add user's public ssh key, web browser is redirected to non-SSL URL, to HTTP instead of HTTPS.

Correct_URL=http://hostname/redmine/users/123/edit?tab=keys Incorrect_URL=http://hostname/redmine/users/123/edit?tab=keys

[kubitron]

Can you say more about exactly what you do that causes this problem? The two URLs that you state above are identical. Are you hitting the "create" button and it ends up redirecting to the wrong place? Does the key get added anyway?

I suspect that Apache is forwarding things to Nginx (and hence Redmine) as http requests. Thus, any time Redmine redirects, it ends up being for http requests. I'm a little fuzzy about how Ngnix should then turn this into an HTTPS request. Are you sure that you have Nginx configured properly for https?

[saric]

Sorry, Correct_URL should start with https:// Apache has been configured to serve as SSL-enabled frontend to Redmine (accepts HTTPS connections). It serves as reverse proxy to HTTP-based Redmine Nginx+Passenger "internal" server. I've been using following Apache config:

   ServerName reverse.external.tld
    ProxyRequests Off
    ProxyPass /redmine/ http://redmine.internal.local/redmine/
    ProxyPassReverse /redmine/ http://redmine.internal.local/redmine/
    <Location /redmine>
       Header edit Location "^http:(.*)$" "https:$1"
    </Location>
   ...snip ssl stuff...
</VirtualHost>

I've tried to add following directives, but problem is still here:

RequestHeader set X-FORWARDED-SSL "on"

http://serverfault.com/questions/388927/apache-reverseproxypass-redrects-to-http-rather-than-https/388928#388928

I didn't noticed similar issue with Redmine itself or any other Redmine plugin. Looks like routing issue?

[kubitron]

Is this only an issue with adding keys? Do the keys get added, just the web page that you land on is incorrect?

Tell me again what version of Redmine you are using and do a "./script/about" and tell me the results...? Does it look like the redirected page is correct, just missing the proper leading service type (i.e. only the "http" instead of "https" is the problem)?

[kubitron]

So, I think that perhaps the "ProxyPassReverse" specification is not working properly. The functionality you are talking about does a redirect after you save a key. That redirect may be missing the http piece in the Location header (not sure -- would be Rails 2.3.14 problem). At any rate, there is a discussion here:

http://www.apachetutor.org/admin/reverseproxies

Scroll down to the discussion of "ProxyPassReverse". You might try some of the suggestions under "Debugging your Proxy Configuration".

[kubitron]

Hm... This post seems relevant:

http://whatimean.wordpress.com/2008/02/20/ssl-for-apache-and-rails/

I do notice in this latter one that it says to do:

RequestHeader set X_FORWARDED_PROTOCOL 'https'

Notice the "X_" vs the "X-" that you tried...

Incidentally, you could always build a rewrite rule in your apache config to turn http request into https requests, but I think it would be much better to figure out how to fix this problem directly.

My guess is that this problem is not a plugin-specific problem, just that you haven't run into redirects much yet in your experimental configuration (and that there is always a redirect when adding a key because of the way that the key addition view is integrated with the user account view.

[kubitron]

Last comment -- I notice that a lot of ngnix installations talk about setting:

X-Forwarded-Proto

or

X_FORWARDED_PROTO

Perhaps one of these is the right thing to try in a RequestHeader set command?

[saric]

I've tried both variants, X-Forwarded-Proto and X_FORWARDED_PROTO ... Tried X-FORWARDED-SSL "on" also. Still doesn't work.

[kubitron]

Hm... Note that there is nothing weird about the behavior from the plugin. Since you are forwarding to an http instance of Rails/Redmine, there is no way for it to know anything other than http (if you think about it). This this is definitely a configuration problem.

Since I've never tried your configuration, I'm afraid that I can't help you there. Something is not working on the reverse proxying. (Did you see that I gave you a set of references on Apache as well).

I run fcgi directly in apache, so don't run into the proxying problem.

[saric]

I've resolved issue. Correct Apache directive is: RequestHeader set X-Forwarded-Proto "https" and not: RequestHeader set X-Forwarded-Protocol "https" as found in some guides.

[kubitron]

Yeah! Glad to hear that you have fixed it. Perhaps I'll put something into the README about this.

[saric]

It's already mentioned in Redmine FAQ: http://www.redmine.org/projects/redmine/wiki/FAQ#Why-does-Redmine-use-http-links-when-I-want-it-to-use-https-links-in-Apache-SSL