Noob question/issue - Login with https/ssl error
BryanHeijmans opened this issue · 10 comments
Hi,
First of all thanks for publishing this CMS, it looks great so far!
But I have a little problem now that my website is running on https/ssl.
ERROR
1. When I enter https://domain.com/admin it redirects me to /admin/login?redirect=https%3A%2F%2Fdomain.com%3A80%2Fadmin.
Here is where I get the error: as soon as I try to log in, the URL changes to https://domain.com:80/admin and the following error is shown within the browser.
- This site cannot connect securely deliver domain.com has an invalid response. Run the Windows network monitor. ERR_SSL_PROTOCOL_ERROR
NO ERROR
2. If I log in through the URL domain.com/admin/login, there is no redirect and the login is successful.
3. If I adjust the URL to https://domain.com:443/admin or delete the port number in the URL (https://domain.com/admin), it continues.
Do you know if this is an issue with my webhost or some redirect within the cms?
If you have any questions, please let me know.
Hi @BryanHeijmans
Sorry for the late reply.
Which server do you use? Apache? Nginx? Would you mind posting your config?
Hi @karsasmus,
Here is the information about my hosting, http://info.newwebhosting.nl/
On nginx I'm able to do a clean install 1.1.9 over HTTPS and log in/out successfully (the usual PHP redirects to index.php).
Looks like an issue with HTTPS configuration on your hosting. From what I see in phpinfo(), even Apache is running as root - this is a serious security issue. Did you configure that machine yourself or are you using a shared hosting?
If the former, join Leafpub's gitter, I can help with that. In case you're using a shared web hosting, contact their support, server admins there should be able to resolve these issues.
Hi @micalm, thanks for the testing. I'm on a shared hosting. Did you also try to log in on www.domain.com/admin? Because when I log in on www.domain.com/admin/login I won't get an error. When I press logout it redirects to www.domain.com/admin/login. So it only happens on /admin.
But I forwarded your message to my hosting and I will let you know what they reply. Thanks for the help! Greetings, Bryan
Yes, I did, both methods work correctly (with GET redirect and without). It would help if you didn't redact the real domain, then I could debug directly on the troublesome Leafpub instance.
If you don't want to disclose this publicly, again, I'm on gitter.
After some time debugging with @BryanHeijmans we've figured out that it's an issue in Middleware::requireAuth(), where Slim's $request->getUri() returns the URI with :80 appended and thus, Leafpub generates an invalid redirect URL which won't (hopefully) ever work on HTTPS.
This will require further investigation if it's an issue to be solved upstream in Slim or an incorrectly configured environment.
A quick & very ugly hack is to add $uri = str_replace(':80', '', $uri); right after $uri = $request->getUri(); in sources/classes/Middleware.php for those experiencing the (exact) same problem, until it is resolved here.
Hi @micalm,
thanks for your time to help @BryanHeijmans
I've looked into Slim's source code to find out if it's a bug or a feature to add the port to the url.
It's a feature, Slim follows PSR-7 spec.
If you read the comment above the method getPort() @ https://github.com/slimphp/Slim/blob/3.x/Slim/Http/Uri.php#L424 you'll see that something with your server config seems to be wrong as Slim only returns port 80 if it's the wrong port for actual scheme (https).
Hi @karsasmus,
Thanks for the reply and yes, again, thanks @micalm! I will send this information to my hosting company as well. I will let you know what they have to say about this. Greetings, Bryan
Hi @karsasmus, @micalm,
The hosting responded,
We arrange the permissions via apparmor (so, "root" has no or limited rights in this case). The security is so alright: This is consciously set!
As for the port: This is an error in the code that determines the redirect, which one accepts the wrong port. Port 80 is not determined by our system, this seems to be a default value that the code accepts when it does not get the expected response.
If you guys think the problem is with my hosting, please say so; I'm willing to switch hosting. If it's a problem within the code, I hope you can spend some more time on it to fix it.
Please let me know. Greetings, Bryan
I don't agree.
I'm pretty sure that setting REQUEST_SCHEME to http and SERVER_PORT to 80 while using a completely valid HTTPS connection is at best a PHP-CGI misconfiguration on their part. In a worst case scenario they're just plain incompetent.
Anyway, this can't be fixed in code, because neither Slim nor Leafpub should handle broken environments like this. If you're willing to use that fix I provided before it'll work, but certainly doesn't belong in the repo. It's possible updates will break it too.
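The mismatch discussed in this thread, as an added example (not code from the thread, Leafpub or Slim): a simplified stand-in for the PSR-7 port rule shows why HTTPS combined with SERVER_PORT 80 renders as https://domain.com:80/admin, and envProblems() flags the contradictory variables. The function names, the sample values and the assumption that the HTTPS variable is set to on are illustrative.

```php
<?php
// Added illustration: simplified stand-in, not Slim's or Leafpub's code.
// PSR-7 rule: the port is dropped only when it is the scheme's default.
function effectivePort(string $scheme, ?int $port): ?int
{
    $defaults = ['http' => 80, 'https' => 443];
    return ($port === null || ($defaults[$scheme] ?? null) === $port) ? null : $port;
}

// Assumption: TLS is signalled by a non-empty HTTPS variable other than "off".
function tlsOn(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    return $https !== '' && $https !== 'off';
}

// Build scheme://host[:port]/path the way a PSR-7 style URI would render it.
function redirectTarget(array $server, string $path): string
{
    $scheme = tlsOn($server) ? 'https' : 'http';
    $raw    = $server['SERVER_PORT'] ?? null;
    $port   = effectivePort($scheme, $raw === null ? null : (int) $raw);
    return $scheme . '://' . $server['SERVER_NAME'] . ($port === null ? '' : ':' . $port) . $path;
}

// List server variables that contradict each other.
function envProblems(array $server): array
{
    $tls      = tlsOn($server);
    $port     = (int) ($server['SERVER_PORT'] ?? 0);
    $problems = [];
    if ($tls && $port === 80) {
        $problems[] = 'HTTPS is on but SERVER_PORT is 80';
    }
    if ($tls && ($server['REQUEST_SCHEME'] ?? 'https') === 'http') {
        $problems[] = 'HTTPS is on but REQUEST_SCHEME is http';
    }
    return $problems;
}

// Constructed sample environments (use envProblems($_SERVER) on a live host).
$samples = [
    'broken' => ['HTTPS' => 'on', 'REQUEST_SCHEME' => 'http', 'SERVER_PORT' => '80', 'SERVER_NAME' => 'domain.com'],
    'sane'   => ['HTTPS' => 'on', 'REQUEST_SCHEME' => 'https', 'SERVER_PORT' => '443', 'SERVER_NAME' => 'domain.com'],
];
foreach ($samples as $label => $env) {
    echo $label, ': ', redirectTarget($env, '/admin'), PHP_EOL;
    foreach (envProblems($env) as $p) { echo '  ! ', $p, PHP_EOL; }
}
```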