Page MenuHomePhorge
Create Task
Maniphest T2426

File viewers do not work behind a reverse proxy
Closed, ResolvedPublic
Actions

Description

https://kolab.org/hub/topic/256/kolab-behind-a-reverse-proxy

Mixed Content: The page at 'https://webmail.xxx.eu/r9V5Cj8YOuTjxU6M/?_task=files&_action=open&_file=Files%2Ftest.txt&_viewer=6&_extwin=1' was loaded over HTTPS, but requested an insecure resource 'http://webmail.xxx.eu/chwala//api/?method=file_get&file=Files%2Ftest.txt&token=irmgba67f3vj522lhlrgdfq3b3&viewer=text'. This request has been blocked; the content must be served over HTTPS.

The Kolab server is located behind a ssl terminating reverse proxy, so the Kolab server seems to think that the request came over HTTP instead of HTTPS.

There's a fix proposed in the issue. However, the real fix will be more generic replacing file_utils::script_uri() use with something that uses configured file_api_uri and rcube_utils::resolve_url() (which internally uses rcube_utils::https_check()).

Details

Ticket Type
Task

Related Objects

Event Timeline

machniak created this task.May 29 2017, 8:35 AM
machniak mentioned this in rC6bad01bd25fe: Fix file viewers behind reverse proxy (T2426).May 31 2017, 10:31 AM
machniak closed this task as Resolved.May 31 2017, 10:33 AM
machniak claimed this task.

Fixed. You now would need to set use_https to true or file_api_uri to full chwala api path.

ravenpride subscribed.Jun 5 2017, 5:07 PM

Setting use_https to true does has not the desired effect. The created URL now contains the scheme "https", but it still uses port 80. Other parts of the application now complain about errors like this one:

GET https://webmail.xxx.eu:80/chwala//skins/default/images/mimetypes/style.css net::ERR_SSL_PROTOCOL_ERROR

https is fine, but not at port 80.

machniak reopened this task as Open.Jun 5 2017, 5:33 PM
machniak mentioned this in rCd886aeac2aec: Fix port number in generated API URL when behind a reverse proxy (T2426).Jun 6 2017, 9:04 AM
machniak closed this task as Resolved.Jun 6 2017, 9:04 AM

Hope rCd886aeac2aec fixes that.

ravenpride added a comment.EditedJun 6 2017, 9:54 AM

Thank you for the fix, but it doesn't seem to work :-/

I've patched the few lines into my code, but the problem persists. The console says:

:80/chwala//skins/default/images/mimetypes/style.css Failed to load resource: net::ERR_SSL_PROTOCOL_ERROR

I've not forgotten to copy scheme and hostname - the part is really missing.

Another error in the console:

files_api.js Failed to load resource: net::ERR_SSL_PROTOCOL_ERROR

The file_api.js points to https://webmail.xxx.eu:80/chwala//js/files_api.js

Btw. I've cleared the browser cache to ensure that it does not contain any old fs-files.

UPDATE:
After I set the following

$config['kolab_files_url'] = 'https://webmail.xxx.eu/chwala/';

... I could see the file manager overview again, but opening a text file in an external window fails now with...

about:blank:1 Mixed Content: The page at 'https://webmail.xxx.eu/MxOfzbZ3ju9WILls/?_task=files&_action=open&_file=Files%2Ftest.txt&_viewer=6&_extwin=1' was loaded over HTTPS, but requested an insecure resource 'http://webmail.xxx.eu/chwala/api/?method=file_get&file=Files%2Ftest.txt&token=e5mlftc1idmc3oa6c96makerp6&viewer=text'. This request has been blocked; the content must be served over HTTPS.
machniak added a comment.Jun 6 2017, 10:09 AM

What if you replace $_SERVER['SERVER_NAME'] with $_SERVER['HTTP_HOST']?

The other error comes from https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_utils.php#L1121 that also should get the same port fix as in my last commit to chwala.

machniak added a comment.Jun 6 2017, 10:12 AM

Hmm... I'm just thinking. Maybe in your env you don't have $_SERVER['SERVER_PORT'] set either. Then try replacing this with $_SERVER['HTTP_PORT'].

machniak added a comment.Jun 6 2017, 10:34 AM

Forget my last comment. There's no such thing like $_SERVER['HTTP_PORT'].

machniak added a comment.Jun 6 2017, 10:37 AM

Maybe you just applied the patch incorrectly. Note the dot character in this line:

$url .= ':' . $_SERVER['SERVER_PORT'];
ravenpride added a comment.Jun 6 2017, 10:40 AM

I've done just copy & paste. The code of the resulting function is ...

/**
 * Returns API URL
 *
 * @return string API URL
 */
public function api_url()
{
    $api_url = $this->config->get('file_api_url', '');

    if (!preg_match('|^https?://|', $url)) {
        $schema = rcube_utils::https_check() ? 'https' : 'http';
        $port   = $schema == 'http' ? 80 : 443;
        $url    = $schema . '://' . $_SERVER['SERVER_NAME'];

        if ($_SERVER['SERVER_PORT'] != $port && $_SERVER['SERVER_PORT'] != 80) {
            $url .= ':' . $_SERVER['SERVER_PORT'];
        }

        if ($api_url) {
            $api_url = $url . '/' . trim($api_url, '/ ');
        }
        else {
            $url .= preg_replace('/\/?\?.*$/', '', $_SERVER['REQUEST_URI']);
            $url = preg_replace('/\/api$/', '', $url);

            $api_url = $url . '/api';
        }
    }

    return rtrim($api_url, '/ ');
}
ravenpride added a comment.Jun 6 2017, 10:52 AM

I've written out $_SERVER['SERVER_PORT'] ... it's port 80. I assume that rcube_utils::https_check() returns true, so $schema is "https", this leads to $port = 443 and to a true, when evaluating the new if-block. So the port is appended to the hostname.

machniak added a comment.Jun 6 2017, 11:10 AM

I don't see how $_SERVER['SERVER_PORT'] == 80 would make it appended to the url. The if statement requires it to be different than $port and than 80. Maybe we should use intval($_SERVER['SERVER_PORT']).

machniak mentioned this in rCd0539d6f029d: Use HTTP_HOST instead of SERVER_NAME (to be in sync with rcube_utils….Jun 6 2017, 11:23 AM
machniak added a comment.Jun 6 2017, 11:23 AM

Ok, try this change: rCd0539d6f029d.

ravenpride added a comment.Jun 6 2017, 11:37 AM

Now the error is away. Thank you!

Only the mixed-content error in the console keeps me from being really happy now.

Mixed Content: The page at 'https://webmail.xxx.eu/fY8DXdCkPLcrDOHf/?_task=files&_action=open&_file=Files%2Ftest.txt&_viewer=6&_extwin=1' was loaded over HTTPS, but requested an insecure resource 'http://webmail.xxx.eu/chwala/api/?method=file_get&file=Files%2Ftest.txt&token=hpf5ceu0mrd3kekfq5j85ljrv3&viewer=text'. This request has been blocked; the content must be served over HTTPS.
machniak mentioned this in rC0349c2d84661: Fix type: $url -> $api_url (T2426).Jun 6 2017, 11:40 AM
machniak added a comment.Jun 6 2017, 11:40 AM

And that is with use_https=true? BTW, there's another fix: rC0349c2d84661.

ravenpride added a comment.Jun 6 2017, 11:46 AM

Yes, I've set use_https to true and applied the mentioned fixes. I'm sorry, but the issue persists :-/

machniak added a comment.Jun 6 2017, 12:01 PM

But it should work if you set file_api_url to a full url with https:// prefix? Do you set options in /etc/roundcubemail/config.inc.php? I'm unable to reproduce.

ravenpride added a comment.EditedJun 6 2017, 12:07 PM

I've set in kolab_files.inc.php

$config['kolab_files_url'] = 'https://webmail.xxx.eu/chwala/';

Now I've additionally set in config.inc.php

$config['file_api_url'] = 'https://webmail.xxx.eu/chwala/';

Still the same issue.

Update:
What options do you mean?

ravenpride added a comment.Jun 6 2017, 1:26 PM

Is there anything I can do to help you to diagnose it?

machniak added a comment.Jun 6 2017, 1:42 PM

In this case it is Roundcube connecting to Chwala directly. It looks like the config has been ignored. I have no idea how's that possible. Maybe there's something in between that caches the request and returns old response? Check with a different file.

ravenpride added a comment.Jun 6 2017, 2:06 PM

I've created a new text file and tried to open it. Same issue :-(

ravenpride added a comment.EditedJun 6 2017, 2:08 PM

I've changed the file_api_url setting to some nonsense for testing purposes... Of course, it does not work, but the changed URL is passed along.

Update:
The error is

Mixed Content: The page at 'https://webmail.xxx.eu/h0BdpINBmfYSahkM/?_task=files&_action=open&_file=Files%2Fmytest.txt&_viewer=6&_extwin=1' was loaded over HTTPS, but requested an insecure resource 'http://webmail.xxx.eu/chwala/?method=file_get&file=Files%2Fmytest.txt&token=da6eb52fkecbp1godmldfm12r6&viewer=text'. This request has been blocked; the content must be served over HTTPS.

Can you tell me where the second URL in the error message gets crafted?

machniak added a comment.Jun 6 2017, 3:15 PM

https://git.kolab.org/diffusion/C/browse/master/lib/viewers/text.php;0349c2d846613e4c828ed6f7af00b87ed6a75f79$120

ravenpride added a comment.Jun 6 2017, 5:30 PM

As far as I can trace the calls back... our old friend api_url() is used to create the base URL and the scheme depends only on rcube_utils::https_check() and nothing else.
If the scheme "http" is used this can only mean, that rcube_utils::https_check() returned false - please correct me, if I'm wrong. Perhaps we should have a look at it next.

ravenpride added a comment.Jun 6 2017, 5:36 PM

I've replaced the https_check() function with

public static function https_check($port=null, $use_https=true)
{
    return true;
}

... the created URL still contains "http". It's getting really strange now ;-)