mozilla-services / syncserver

Run-Your-Own Firefox Sync Server
Mozilla Public License 2.0

public url of in mod_wsgi returned wrong #48

Closed WhiteHatTux closed 9 years ago

WhiteHatTux commented 9 years ago

Hi there.

I just set up sync server 1.5 from this repository following the tutorial: https://docs.services.mozilla.com/howtos/run-sync-1.5.html#howto-run-sync15
apache2 2.2.22-13+deb7u3
libapache2-mod-wsgi 3.3-4+deb7u1

This will almost certainly cause authentication failures!
public_url setting is: https://domain.de:5000
application url is: https://domain.de

But sporadically I get errors about mismatching urls, and on that device syncing won't work. I imagine that the non-matching urls cause the request to fail with the Firefox Accounts server. The public_url is the one I also use to access the server:
services.sync.tokenServerURI https://domain.de:5000/token/1.0/sync/1.5
public_url: https://domain.de:5000
but the application url is shown as:
application url: https://domain.de
The port is stripped for some reason.

Changing the public_url I get:
This will almost certainly cause authentication failures!
public_url setting is: https://domain.de
application url is: https://domain.de:5000

Is this a configuration problem or a bug? Which is equally wrong and not working just the other way around.

rfk commented 9 years ago

I'm not sure I follow what's going on here, let me try to summarize:

Is that right? What did you set the tokenServerURI setting to in each case? Is this running inside apache and mod_wsgi on port 80, or are you actually using port 5000?

WhiteHatTux commented 9 years ago

Yes, that is right. The tokenServerURI was https://domain.de:5000/token/1.0/sync/1.5 in both cases. I am actually using port 5000. This is my apache site config:

Listen 5000

  ServerName domain.de

  SSLEngine on
  SSLCertificateFile    /etc/apache2/ssl/domainde.crt
  SSLCertificateKeyFile /etc/apache2/ssl/domainde-unsafe.key
  DocumentRoot /opt/syncserver
  WSGIProcessGroup sync
  WSGIDaemonProcess sync user=www-data group=www-data processes=2 threads=25 python-path=/opt/syncserver/local/lib/python2.7/site-packages/
  WSGIPassAuthorization On
  WSGIScriptAlias / /opt/syncserver/syncserver.wsgi
  
    Order deny,allow
    Allow from all
  
  CustomLog /var/log/apache2/domain-firefox-access.log combined
  ErrorLog  /var/log/apache2/domain-firefox-error.log

WhiteHatTux commented 9 years ago

Sorry for the messed up issue. I edited it and clearly didn't proof-read it in its entirety.

rfk commented 9 years ago

OK, so the first config then is definitely the correct one - your public_url should include :5000 and so should the tokenServerURI. If the app complains about a URL mismatch in this configuration, it's a bug - most likely in the syncserver app, but maybe in how mod_wsgi hands off port information to the app.

Please try putting things back in this configuration, post the full error output from the server, and we'll try to debug further from there.

MartinHL commented 9 years ago

I have the same issue. Interesting is that it does not happen when syncing from my Ubuntu machines. But it does when trying to sync from my Android phone. After trying to sync from my mobile I have the following message in the server log (syncserver running over Apache WSGI):
ERROR:syncserver:The public_url setting does not match the application url.
This will almost certainly cause authentication failures!
public_url setting is: https://my.domain.org:1234
application url is: https://my.domain.org

Please advise what to do or which information you need to have to analyze that issue.

rfk commented 9 years ago

Hi @MartinHL, sorry for the delay, I've been on leave. Can you please confirm the following:

If the issue is specific to the android client, we'll probably need a sync log from the android device in order to debug further. Some instructions on getting such logs are at http://160.twinql.com/how-to-file-a-good-android-sync-bug/

MartinHL commented 9 years ago

Hi @rfk

Yes, Syncserver is running under apache mod_wsgi. And apache has some other virtual hosts listening also on other ports (including port 80). Though, I also tried to connect to the syncserver without apache, that is, directly add a port forwarding to the syncserver in my internet router. The result was the same. Btw: API-Server and Content-Server are also running on the apache server via reverse proxy. All three services (API, Content and Sync) have an own port (virtual server). The server uses an SSL secured connection on each port with self-signed certificates.

I've captured a log on my cellphone (Firefox for Android 35.0 running on Android 4.4.2). If you need me to capture additional logs, just tell me.

01-27 20:56:04.845: I/FxAccounts(24085): firefox :: FxAccountSyncAdapter :: Syncing FxAccount account named like XXXXXXXXXXXXXXX@XXXXXX.XX for authority org.mozilla.firefox.db.browser with instance org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter@41d70428.
01-27 20:56:04.846: I/FxAccounts(24085): firefox :: FirefoxAccounts :: Sync hints; scheduling now: false; ignoring local rate limit: true; ignoring remote server backoff: true.
01-27 20:56:06.469: I/FxAccounts(24085): firefox :: FxAccountSyncAdapter :: handleTransition: LogMessage('sign succeeded') to Married
01-27 20:56:06.470: I/FxAccounts(24085): firefox :: FxAccountSyncAdapter :: handleFinal: in Married
01-27 20:56:06.473: I/FxAccounts(24085): firefox :: AndroidFxAccount :: Moving account named like XXXXXXXXXXXXXXX@XXXXXX.XX to state Married
01-27 20:56:06.507: I/FxAccounts(24085): firefox :: FxAccountNotificationManager :: State Married needs no action; cancelling any existing notification.
01-27 20:56:07.880: W/FxAccounts(24085): firefox :: TokenServerClient :: The public_url setting does not match the application url.
01-27 20:56:07.880: W/FxAccounts(24085): This will almost certainly cause authentication failures!
01-27 20:56:07.880: W/FxAccounts(24085):     public_url setting is: https://my.domain.org:1234
01-27 20:56:07.880: W/FxAccounts(24085):     application url is:    https://my.domain.org
01-27 20:56:07.881: E/FxAccounts(24085): firefox :: FxAccountSyncAdapter :: Failed to get token.
01-27 20:56:07.881: E/FxAccounts(24085): org.mozilla.gecko.tokenserver.TokenServerException
01-27 20:56:07.881: E/FxAccounts(24085):    at org.mozilla.gecko.tokenserver.TokenServerClient.processResponse(TokenServerClient.java:219)
01-27 20:56:07.881: E/FxAccounts(24085):    at org.mozilla.gecko.tokenserver.TokenServerClient$TokenFetchResourceDelegate.handleHttpResponse(TokenServerClient.java:280)
01-27 20:56:07.881: E/FxAccounts(24085):    at org.mozilla.gecko.sync.net.BaseResource.execute(BaseResource.java:280)
01-27 20:56:07.881: E/FxAccounts(24085):    at org.mozilla.gecko.sync.net.BaseResource.go(BaseResource.java:315)
01-27 20:56:07.881: E/FxAccounts(24085):    at org.mozilla.gecko.sync.net.BaseResource.get(BaseResource.java:321)
01-27 20:56:07.881: E/FxAccounts(24085):    at org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter.syncWithAssertion$7f7fa7c7(FxAccountSyncAdapter.java:422)
01-27 20:56:07.881: E/FxAccounts(24085):    at org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter$3.handleFinal(FxAccountSyncAdapter.java:603)
01-27 20:56:07.881: E/FxAccounts(24085):    at org.mozilla.gecko.fxa.login.FxAccountLoginStateMachine$ExecuteDelegate.handleTransition(FxAccountLoginStateMachine.java:64)
01-27 20:56:07.881: E/FxAccounts(24085):    at org.mozilla.gecko.fxa.login.Cohabiting$1.handleSuccess(Cohabiting.java:24)
01-27 20:56:07.881: E/FxAccounts(24085):    at org.mozilla.gecko.background.fxa.FxAccountClient10$10.handleSuccess$2637ceed(FxAccountClient10.java:726)
01-27 20:56:07.881: E/FxAccounts(24085):    at org.mozilla.gecko.background.fxa.FxAccountClient10$ResourceDelegate$2.run(FxAccountClient10.java:247)
01-27 20:56:07.881: E/FxAccounts(24085):    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
01-27 20:56:07.881: E/FxAccounts(24085):    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
01-27 20:56:07.881: E/FxAccounts(24085):    at java.lang.Thread.run(Thread.java:841)
01-27 20:56:07.881: W/FxAccounts(24085): firefox :: FxAccountSyncAdapter :: Global session failed.
01-27 20:56:07.883: E/FxAccounts(24085): firefox :: FxAccountSyncAdapter :: Got exception syncing.
01-27 20:56:07.883: E/FxAccounts(24085): org.mozilla.gecko.tokenserver.TokenServerException
01-27 20:56:07.883: E/FxAccounts(24085):    at org.mozilla.gecko.tokenserver.TokenServerClient.processResponse(TokenServerClient.java:219)
01-27 20:56:07.883: E/FxAccounts(24085):    at org.mozilla.gecko.tokenserver.TokenServerClient$TokenFetchResourceDelegate.handleHttpResponse(TokenServerClient.java:280)
01-27 20:56:07.883: E/FxAccounts(24085):    at org.mozilla.gecko.sync.net.BaseResource.execute(BaseResource.java:280)
01-27 20:56:07.883: E/FxAccounts(24085):    at org.mozilla.gecko.sync.net.BaseResource.go(BaseResource.java:315)
01-27 20:56:07.883: E/FxAccounts(24085):    at org.mozilla.gecko.sync.net.BaseResource.get(BaseResource.java:321)
01-27 20:56:07.883: E/FxAccounts(24085):    at org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter.syncWithAssertion$7f7fa7c7(FxAccountSyncAdapter.java:422)
01-27 20:56:07.883: E/FxAccounts(24085):    at org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter$3.handleFinal(FxAccountSyncAdapter.java:603)
01-27 20:56:07.883: E/FxAccounts(24085):    at org.mozilla.gecko.fxa.login.FxAccountLoginStateMachine$ExecuteDelegate.handleTransition(FxAccountLoginStateMachine.java:64)
01-27 20:56:07.883: E/FxAccounts(24085):    at org.mozilla.gecko.fxa.login.Cohabiting$1.handleSuccess(Cohabiting.java:24)
01-27 20:56:07.883: E/FxAccounts(24085):    at org.mozilla.gecko.background.fxa.FxAccountClient10$10.handleSuccess$2637ceed(FxAccountClient10.java:726)
01-27 20:56:07.883: E/FxAccounts(24085):    at org.mozilla.gecko.background.fxa.FxAccountClient10$ResourceDelegate$2.run(FxAccountClient10.java:247)
01-27 20:56:07.883: E/FxAccounts(24085):    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
01-27 20:56:07.883: E/FxAccounts(24085):    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
01-27 20:56:07.883: E/FxAccounts(24085):    at java.lang.Thread.run(Thread.java:841)
01-27 20:56:07.889: I/FxAccounts(24085): firefox :: AndroidFxAccount :: Moving account named like XXXXXXXXXXXXXXX@XXXXXX.XX to state Cohabiting
01-27 20:56:07.917: I/FxAccounts(24085): firefox :: FxAccountSyncAdapter :: Syncing done.
01-27 20:57:00.888: I/FxAccounts(24085): firefox :: FxAccountSyncAdapter :: Syncing FxAccount account named like XXXXXXXXXXXXXXX@XXXXXX.XX for authority org.mozilla.firefox.db.browser with instance org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter@41d70428.
01-27 20:57:00.888: I/FxAccounts(24085): firefox :: FirefoxAccounts :: Sync hints; scheduling now: false; ignoring local rate limit: true; ignoring remote server backoff: true.
01-27 20:57:00.904: I/FxAccounts(24085): firefox :: FxAccountSyncAdapter :: Not syncing (background): must wait another 3543963ms.

rfk commented 9 years ago

Hmm, I guess we just don't have the necessary hooks in place for mod_wsgi to tell us what port we're running on.

Since this is such an ongoing source of problems for self-hosters, I think I'm going to change it to just assume public_url is properly configured and update the WSGI environ accordingly...

rfk commented 9 years ago

@MartinHL can you please try with latest head, I pushed https://github.com/mozilla-services/syncserver/commit/24dbda8f4106e84a7ad14c21cbf9437cf5052ae9 to just force the host_port if it doesn't match what's in the public_url.

MartinHL commented 9 years ago

@rfk It now works nice. Thanks for your support.

rfk commented 9 years ago

great, thanks for reporting back

murchu27 commented 4 years ago

Hi @rfk, I'm seeing a similar problem to @MartinHL where my Linux and Windows devices are syncing fine, but when I try to sync with my Android device the application_url has the port stripped off, and so causes a mismatch. Could I get some assistance?

Also, the instructions you linked before re capturing sync logs on Android don't seem to exist anymore. If there is somewhere else where I can find these instructions I'd be happy to follow them!

rfk commented 4 years ago

> when I try to sync with my Android device the application_url has the port stripped off, and so causes a mismatch. Could I get some assistance?

@murchu27 does what you're seeing on your server, match what's described in the last few comments of this bug?:

https://bugzilla.mozilla.org/show_bug.cgi?id=1046020

If you haven't tried it already, could you please try setting force_wsgi_environ = true in your syncserver.ini file and see if that helps?

murchu27 commented 4 years ago

> does what you're seeing on your server, match what's described in the last few comments of this bug?: https://bugzilla.mozilla.org/show_bug.cgi?id=1046020

@rfk yep, it's that output exactly. Setting force_wsgi_environ = true does indeed fix the problem, but I'm a little spooked by the message above that line in the default .ini file suggesting that it could have "security implications". I'm not overly familiar with all this stuff, so I'm not confident that my server is hardened enough to protect against those implications. Is this a server side issue (like you suggest in the bug report) that could be fixed without this setting?
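
Added example, not part of the thread and not syncserver's own code: a sketch of the check discussed above (compare the URL rebuilt from the WSGI environ with public_url) and of the forced override that the commit and force_wsgi_environ are described as performing. The names application_url, PublicUrlGuard and probe are hypothetical, the environ is constructed, and a Host header sent without its port is an assumed way for the mismatch to arise, not a diagnosis taken from the thread.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}

def application_url(environ):
    """Rebuild scheme://host[:port]/script from a WSGI environ (PEP 3333 order)."""
    scheme = environ["wsgi.url_scheme"]
    host = environ.get("HTTP_HOST")  # client-supplied Host header wins
    if not host:
        host = environ["SERVER_NAME"]
        if environ["SERVER_PORT"] != DEFAULT_PORTS.get(scheme):
            host += ":" + environ["SERVER_PORT"]
    return scheme + "://" + host + environ.get("SCRIPT_NAME", "").rstrip("/")

class PublicUrlGuard:
    """Hypothetical WSGI middleware: reject, or with force=True rewrite, mismatches."""
    def __init__(self, app, public_url, force=False):
        self.app, self.public_url, self.force = app, public_url.rstrip("/"), force

    def __call__(self, environ, start_response):
        if application_url(environ) != self.public_url:
            if not self.force:
                body = b"public_url setting does not match the application url\n"
                start_response("500 Internal Server Error",
                               [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))])
                return [body]
            # Forced mode: overwrite what the request said with public_url.
            parts = urlsplit(self.public_url)
            environ["wsgi.url_scheme"] = parts.scheme
            environ["HTTP_HOST"] = parts.netloc
            environ["SCRIPT_NAME"] = parts.path.rstrip("/")
        return self.app(environ, start_response)

def probe(host_header, force):
    """Send one constructed request; return (status, URL the wrapped app saw)."""
    seen, status = {}, []
    def app(environ, start_response):
        seen["url"] = application_url(environ)
        start_response("200 OK", [("Content-Length", "0")])
        return [b""]
    environ = {"wsgi.url_scheme": "https", "HTTP_HOST": host_header,  # constructed
               "SERVER_NAME": "domain.de", "SERVER_PORT": "5000", "SCRIPT_NAME": ""}
    guard = PublicUrlGuard(app, "https://domain.de:5000", force)
    guard(environ, lambda s, headers: status.append(s))
    return status[0], seen.get("url")

if __name__ == "__main__":
    for host, force in [("domain.de:5000", False), ("domain.de", False), ("domain.de", True)]:
        print(host, force, probe(host, force))
```

In forced mode the guard accepts a request under any Host value and presents it to the application as public_url, so the mismatch check no longer flags a misrouted or misconfigured front end.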