pumukit / PuMuKIT

PuMuKIT is an Open Source Video Platform that provides unparalleled organization, flexibility, accessibility, and scalability. Well-designed and well-engineered, PuMuKIT is the ideal solution for any organization with large collections of video or audio.
https://pumukit.org
GNU Affero General Public License v3.0

Basic Authentication popup in production #432

Open insad opened 3 years ago

insad commented 3 years ago

The user forums seem not to exist anymore, so I'm asking this here.

Running in production mode (until now never happened in dev mode), some menu items show a basic authentication popup. Strangely enough, it happens only with some back office menu items, and not with others.

I'm running the site with Apache 2.4.41 on Ubuntu 20.04 and PHP 7.4 (using PHP-FPM), but exactly the same happens running under PHP-CGI, with and without .htaccess (generated by symfony/apache-pack).

Correctly set for PHP-FPM:

        SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

and also when using PHP-CGI:

        # Sets the HTTP_AUTHORIZATION header removed by Apache
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} .+
        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0]

Does somebody have an idea what could be going wrong?

Relevant Apache2 site configuration:

    <VirtualHost *:80>
        ServerName videos.domain-redacted.com
        Redirect / https://videos.domain-redacted.com/
    </VirtualHost>
    <VirtualHost *:443>
        ServerName videos.domain-redacted.com

        DocumentRoot /srv/pumukit/public
        DirectoryIndex /index.php

        <Directory /srv/pumukit/public>
            # Sets the HTTP_AUTHORIZATION header removed by Apache
            RewriteEngine On
            RewriteCond %{HTTP:Authorization} .+
            RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0]

            # Allows .htaccess override
            #AllowOverride All
            #Require all granted

            FallbackResource /index.php
        </Directory>

        <Directory /srv/pumumkit/public/bundles>
            DirectoryIndex disabled
            FallbackResource disabled
        </Directory>

        ErrorLog /var/log/apache2/pumukit_error.log
        CustomLog /var/log/apache2/pumukit_access.log combined

        # Use PHP-FPM
        <FilesMatch \.php$>
            SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost"
        </FilesMatch>

        SSLEngine on
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/domain-redacted.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/domain-redacted.com/privkey.pem
    </VirtualHost>


Yurujai commented 3 years ago

Hi @insad,

What values do you have in the .env file for these parameters: PUMUKIT_HOST, PUMUKIT_SCHEME?

The default value of PUMUKIT_HOST is wrong in your case; you should set your production environment host as the value.

Best regards!

insad commented 3 years ago

Hi Pablo,

Thanks for your reply, but still something must be wrong. Here are the relevant parts of my .env.local file:

    ###> symfony/framework-bundle ###
    APP_ENV=prod
    APP_SECRET=--redacted--
    TRUSTED_PROXIES=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    #https://github.com/symfony/symfony/issues/29609
    TRUSTED_HOSTS=localhost|api|videos4.domain-redacted.com
    ###< symfony/framework-bundle ###

    ###> pumukit ###
    PUMUKIT_USER=admin
    PUMUKIT_PASS=--redacted--
    ....
    PUMUKIT_LOCALE=es
    PUMUKIT_SECRET=--redacted--
    ....
    PUMUKIT_LOCALES=es
    PUMUKIT_HOST=videos4.domain-redacted.com
    PUMUKIT_SCHEME=https
    ....

    ###> nelmio/cors-bundle ###
    #CORS_ALLOW_ORIGIN="^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$"
    CORS_ALLOW_ORIGIN="*"
    ###< nelmio/cors-bundle ###

I added my domain in the "TRUSTED_HOSTS" list, set it as the "PUMUKIT_HOST" parameter, and finally set "CORS_ALLOW_ORIGIN" to "*". After that I cleaned the cache, but even so not much luck...

I'm running a fresh (yesterday) copy of the github master (4.0.x-dev) with the paella player installed.

I will also search for a solution myself. I do a lot of PHP programming, but besides some libraries I use from Symfony, I have no experience with the platform.

Muchas gracias nuevamente,

Albert


insad commented 3 years ago

I have found where the problem originates. E.g. in /admin/series, there is JavaScript code calling the URLs /api/keywords/mmobj and /api/keywords/series (window.mmobjkeywords.initialize() and window.serieskeywords.initialize(), respectively). These API calls cause the popup authentication window; if I click "Cancel" in this window, I get back a 401 error. Not sure how to solve this problem, maybe also your jQuery is very very old (1.10.2) ??
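
A browser opens its own login dialog for a background request when the 401 reply carries a `WWW-Authenticate: Basic` challenge, so the first thing to check on the `/api/keywords/...` calls named above is which challenge, if any, the server sends. The helper below is an added example, not part of the thread or of PuMuKIT; the function name, the sample responses and the `HOST` placeholder are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example. Reads raw HTTP response headers on stdin and prints one of:
#   basic-challenge  401 + WWW-Authenticate: Basic (browser shows its own dialog)
#   other-challenge  401 with a non-Basic scheme only (for example Bearer)
#   bare-401         401 without any challenge header
#   status-NNN       anything else
classify_auth_response() {
  awk '
    { sub(/\r$/, "") }                  # tolerate CRLF line endings
    /^HTTP\// {                         # a new response starts (redirect, 100 Continue)
      status = $2; basic = 0; other = 0; next
    }
    tolower($0) ~ /^www-authenticate:/ {
      value = tolower($0)
      sub(/^www-authenticate:[ \t]*/, "", value)
      value = "," value ","             # one header may list several challenges
      if (value ~ /,[ \t]*basic[ \t,]/) basic = 1; else other = 1
    }
    END {
      if (status != "401") print "status-" status
      else if (basic)      print "basic-challenge"
      else if (other)      print "other-challenge"
      else                 print "bare-401"
    }'
}

# Constructed sample responses (not captured from a PuMuKIT server).
sample_basic()  { printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Secured Area"\r\n\r\n'; }
sample_bearer() { printf 'HTTP/2 401\r\nwww-authenticate: Bearer\r\n\r\n'; }
sample_plain()  { printf 'HTTP/1.1 401 Unauthorized\r\nContent-Type: application/json\r\n\r\n'; }
sample_follow() { printf 'HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\nHTTP/1.1 200 OK\r\n\r\n'; }

# Against a live site (HOST is a placeholder):
#   curl -sS -D - -o /dev/null "https://HOST/api/keywords/series" | classify_auth_response
```

A `basic-challenge` result on an API route that the back office calls in the background points at the firewall or entry point configured for that route rather than at the Apache `Authorization` header rules.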