broncowdd/BoZoN

Running BoZoN behind a reverse proxy - do not use hard encoded names

Opened this issue · 18 comments

I need to patch some part in the system where it gets local SERVER_NAME or SERVER_HOST.

Running BoZoN behind a proxy, the internal servername is different from outside-view!

Would be nice if one could define this part in config.
Maybe with:
$default_i_srv_name = "www.uni-heaven.de";
and later

$servername = (empty($default_i_srv_name) ? $_SERVER["SERVER_NAME"] : $default_i_srv_name);

....

core/auto_restrict.php: if (!isset($auto_restrict['domain'])){ $auto_restrict['domain']= "www.uni-heaven.de";}
core/core.php:		$servername = "www.uni-heaven.de";
core/core.php:	    $servername = "www.uni-heaven.de";

Hi,
I have the same problem because my box does not accept the NAT loopback so that I can't call my dynamic DNS from local network to target my local equipment.
As I have no time to investigate it right now, thanks to the ones that would have it :)

Thanks a lot: I think it should be useful indeed.
I'll add it in the next version. ;-)

Hi again ^^
Could you try this version ?

core.zip

There's a new variable in config.php and core.php sets a $_SESSION['SERVER_NAME'] used in auto_restrict.
Tell me if it works ;-)

Nope - not working -> "referer error!" :-)

Even after a logout / login ?
(to clear session vars)

$_SESSION['SERVER_NAME'] is empty at this time. (Where is it set?)
(Next answer will be in 14 days - I am out on vacation now :-)

Maybe I have found the issue: in config.php, remove the space before the «=»:
$default_i_srv_name ="" => $default_i_srv_name=''"

I will test it soon bronco and get back to you here asap :)

Thanks a lot ;-)

Bronco, just to be sure (sorry I didn't have time to test this week-end), can you confirm that I just need to edit the line in config.php, or do I need to apply the last patch you sent core.zip ?

Hi,
Yes, you just have to edit config.php ;-)

Hello,

Bronco, sorry for the delay in testing, but I changed my Internet provider and had trouble getting my local network and NAT rules to work correctly again...
The problem is that I can't find the line containing $default_i_srv_name anywhere (config.php, core/core.php...) :o
I have an up-to-date version of the code on my Raspberry PI (directly cloned from GitHub).

What I found recently is that when trying to connect from the local network with the IP address while my BoZoN web server is configured with my dyn DNS, I get an error similar to the one I get if I try to enter multiple times a wrong password, which is "referer error"...
Is it relevant to you? Does it bring some clue?

Cheers.
Brice

@bohnelang : which kind of server do you use? Apache or nginx ? Or whatever else?
I'm wondering if the problem does not come from both BoZoN and web server configuration in fact...

On my side I'm running nginx and I'm struggling with the server_name directive in the configuration, which brings me the "referer error" message if I try to access the application from the local network (with the IP address) if the server_name directive is set to my dyn DNS name...

After reading again the messages on this issue, I guess I had some misunderstanding, trying to search "default_i_srv_name" instead of "$_SESSION"... So for me it also doesn't work with the modification in config.php.

That's why I think maybe two problems are mixed, and one is affecting the other...
Perhaps there is an issue with the web server configuration, but also a security case inside BoZoN that hasn't been taken into account...

Hi, first time back in office :-)

We are using Apache as a reverse proxy.
Outside name is like (I do not want the real url in this post):
https://www.umm.uni-heidelberg.de/FileUploader/

The Apache redirects these requests to www5.medma.uni-heidelberg.de

ProxyPass /FileUploader/ http://www5.medma.uni-heidelberg.de/FileUploader/
ProxyPassReverse /FileUploader/ http://www5.medma.uni-heidelberg.de/FileUploader/

Thus: The server name is www.umm.uni-heidelberg.de and not www5.medma.uni-heidelberg.de. The www5 is only for internal use.

After patching BoZoN my installation works without problems. Thus I think, my Apache config is quite right.

Greetings :-)
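Added example, not part of the thread or BoZoN's own code: a sketch of the configurable-name fallback proposed in the first post, applied to a Referer host check behind the ProxyPass setup described above. It assumes the "referer error" comes from comparing the Referer's host with `$auto_restrict['domain']`; `expected_domain()` and `referer_host_allowed()` are hypothetical names, and the request values are constructed from the hostnames given in the thread.

```php
<?php
// Added example, not BoZoN's code. $default_i_srv_name is the config variable
// proposed in this thread; both function names below are hypothetical.

// config.php: the public name clients see in front of the reverse proxy.
$default_i_srv_name = 'www.umm.uni-heidelberg.de';

/**
 * Name the application treats as its own. An explicit config value wins;
 * otherwise fall back to what the web server reports. No client-supplied
 * header (Host, X-Forwarded-Host) is consulted here.
 */
function expected_domain(string $configured, array $server): string
{
    $name = $configured !== '' ? $configured : ($server['SERVER_NAME'] ?? '');
    return strtolower($name);
}

/** True only if the Referer's host equals the expected domain exactly. */
function referer_host_allowed(?string $referer, string $expected): bool
{
    if ($referer === null || $referer === '' || $expected === '') {
        return false;
    }
    // parse_url() yields null or false when no host can be extracted.
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && hash_equals($expected, strtolower($host));
}

// Constructed request as the backend sees it behind ProxyPass.
$server  = ['SERVER_NAME' => 'www5.medma.uni-heidelberg.de'];
$referer = 'https://www.umm.uni-heidelberg.de/FileUploader/';

// Case 1: no override, so the Referer is compared with the internal name.
var_dump(referer_host_allowed($referer, expected_domain('', $server)));

// Case 2: override set, so the Referer is compared with the public name.
var_dump(referer_host_allowed($referer, expected_domain($default_i_srv_name, $server)));

// Case 3: look-alike host (constructed); the comparison is exact, not a substring match.
var_dump(referer_host_allowed(
    'https://www.umm.uni-heidelberg.de.example.net/',
    expected_domain($default_i_srv_name, $server)
));
```

Taking the public name from configuration rather than from forwarded headers keeps the check independent of anything the client can set.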

So you managed to get it working only by patching the auto_restrict.php at line 68 :
$auto_restrict['domain']=$_SESSION['SERVER_NAME'];}
instead of
$auto_restrict['domain']=$_SERVER['SERVER_NAME'];}
?
This means I was wrong (apologies, bronco), and my case only comes from my nginx configuration :/

No - at the moment I am using hard encoded names like in the first post. At the moment we are testing this tool - thus this is OK for us.

Don't worry @briceparmentier ! So, finally: is it working or not ? ^^

Well, maybe I was wrong thinking that the current case was the same as mine... It seems not, so I won't disturb this post with my case ;)