shaarli / Shaarli

The personal, minimalist, super-fast, database free, bookmarking service - community repo
https://shaarli.readthedocs.io/

Wrong login/password using shaarli behind proxy #897

Closed webac closed 6 years ago

webac commented 7 years ago

Hi,

I'm trying to configure Shaarli behind a proxy (nginx). Everything works without the proxy.

But when I use the proxy I get this message when I try to connect:

Wrong login/password.

I checked the index.php and I noticed that this condition is never passed with proxy:

if (isset($_POST['password'])
        && tokenOk($_POST['token'])
        && (check_auth($_POST['login'], $_POST['password'], $conf))
    )

$_SESSION['tokens'] returns NULL inside the function tokenOk() when the login form is submitted.

I already checked old issues and added the 3 vars in this section, but can't find a solution: https://github.com/shaarli/Shaarli/wiki/Server-configuration#proxies

Can you please help?

Thanks a lot

webac commented 7 years ago

Resolved. The problem comes from the PHP global variable $_SERVER['SERVER_NAME']; it returns the original IP address.

So I just added a value for this var at the top of index.php: $_SERVER['SERVER_NAME'] = "my.domain.fr"; I don't know if this solution is viable, but it works fine!

I tried this in the nginx proxy config: proxy_set_header Host "my.domain.fr"; but it doesn't work.

Below is my nginx config:

upstream shaarli {
    # backend Shaarli instance
    server 192.168.0.10:8082;
}
server {
        listen 443;
        server_name my.domain.fr;
        charset utf-8;
        ssl on;
        ssl_certificate /etc/nginx/ssl/my.domain.fr/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/my.domain.fr/privkey.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        client_max_body_size 2G;
        fastcgi_buffers 64 4K;

        location / {
                proxy_pass         http://shaarli;
                # forward the original client address, public host and scheme to the backend
                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header   X-Forwarded-Host $server_name;
                proxy_set_header   X-FORWARDED-PROTO https;
        }
}

ArthurHoaro commented 7 years ago

I run a pretty similar config without any issue. What about your target webserver configuration?

webac commented 7 years ago

Hi @ArthurHoaro,

On the target webserver here is my configuration:

default.conf

server {
        listen 8082;
        server_name 192.168.0.10;
        root /var/www/html/shaarli;
        index index.html index.htm index.php;
        charset utf-8;

        location /phpinfo/ {
                # add a PHP info page for convenience
                fastcgi_pass   unix:/var/run/php5-fpm.sock;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www/html/index.php;
                include fastcgi_params;
        }

        location ~ /\. {
                # deny access to dotfiles
                access_log off;
                log_not_found off;
                deny all;
        }

        location ~ ~$ {
                # deny access to temp editor files, e.g. "script.php~"
                access_log off;
                log_not_found off;
                deny all;
        }

        location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
                # cache static assets
                expires    max;
                add_header Pragma public;
                add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }

        location = /favicon.ico {
                # serve the Shaarli favicon from its custom location
                alias /var/www/html/shaarli/images/favicon.ico;
        }

        location / {
                # Slim - rewrite URLs
                try_files $uri /index.php$is_args$args;
        }

        location ~ (index)\.php$ {
                # Slim - split URL path into (script_filename, path_info)
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;

                # filter and proxy PHP requests to PHP-FPM
                fastcgi_pass   unix:/var/run/php5-fpm.sock;
                fastcgi_index  index.php;
                include        fastcgi.conf;
        }

        location ~ \.php$ {
                # deny access to all other PHP scripts
                deny all;
        }
}

nginx.conf

events {
        worker_connections 768;
}
http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        gzip on;
        gzip_disable "msie6";
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

ArthurHoaro commented 6 years ago

Hi, sorry for the slight delay in my answer.

So, the $_SERVER['SERVER_NAME'] variable seems to contain the server_name directive of the target web server. In other words, you should use this in your target nginx conf.

server {
        listen 8082;
        server_name my.domain.fr;
        [...]
}

But maybe we should also check HTTP_X_FORWARDED_HOST instead of just the server name?

Related to #888
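The comment above raises the question of using HTTP_X_FORWARDED_HOST rather than only SERVER_NAME. The following is an added example, not Shaarli's code or anything from this thread, showing how a backend can pick the public host safely: the forwarded header is honoured only when the request actually arrived from the configured proxy, and the result is checked against an allow list, so a wrong upstream server_name or a stray header is detected instead of silently used. The function name resolvePublicHost(), the proxy address 192.168.0.1 and both $_SERVER arrays are constructed for this illustration.

```php
<?php
// Added example (not Shaarli's code): choose the host for login tokens and
// redirects when running behind a reverse proxy. Constructed $_SERVER arrays
// stand in for real requests; resolvePublicHost() and the proxy address
// 192.168.0.1 are assumptions for this illustration.

/**
 * Return the host the client actually used, or null if it cannot be
 * determined safely.
 *
 * - X-Forwarded-Host is used only when REMOTE_ADDR is one of $trustedProxies;
 *   any client can send that header directly to the backend port, so it is
 *   ignored otherwise.
 * - The resulting host must be in $allowedHosts, which catches a backend
 *   whose server_name is still an IP address (the situation in this issue).
 */
function resolvePublicHost(array $server, array $trustedProxies, array $allowedHosts): ?string
{
    $host = $server['SERVER_NAME'] ?? '';

    $fromTrustedProxy = isset($server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true);

    if ($fromTrustedProxy && !empty($server['HTTP_X_FORWARDED_HOST'])) {
        // Chained proxies may append hosts as a comma-separated list;
        // the first entry is the client-facing one.
        $forwarded = explode(',', $server['HTTP_X_FORWARDED_HOST']);
        $host = trim($forwarded[0]);
    }

    // Drop an optional port and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', $host));

    // Accept only a hostname-shaped value that is on the allow list.
    if (!preg_match('/^[a-z0-9.-]+$/', $host) || !in_array($host, $allowedHosts, true)) {
        return null;
    }
    return $host;
}

$trustedProxies = ['192.168.0.1'];   // assumed address of the nginx proxy
$allowedHosts   = ['my.domain.fr'];

// Constructed request as the backend sees it with the proxy config from this
// issue: backend server_name is the IP, proxy sends X-Forwarded-Host.
$behindProxy = [
    'REMOTE_ADDR'           => '192.168.0.1',
    'SERVER_NAME'           => '192.168.0.10',
    'HTTP_X_FORWARDED_HOST' => 'my.domain.fr',
];

// Constructed request that reached port 8082 directly, carrying the same
// header from an untrusted source.
$direct = [
    'REMOTE_ADDR'           => '203.0.113.7',
    'SERVER_NAME'           => '192.168.0.10',
    'HTTP_X_FORWARDED_HOST' => 'my.domain.fr',
];

var_dump(resolvePublicHost($behindProxy, $trustedProxies, $allowedHosts));
var_dump(resolvePublicHost($direct, $trustedProxies, $allowedHosts));
```

For the first request the forwarded host is accepted because it came from the listed proxy; for the second the header is ignored, SERVER_NAME is an IP address that is not on the allow list, and the function returns null, which the caller should treat as a configuration error rather than fall back to an unverified value.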

ArthurHoaro commented 6 years ago

Actually, this has been fixed by #899.