Issue with apache httpd reverse proxy | https to http (scm 2.2.0)

Federico Bernoldi

Jul 22, 2020, 10:41:10 AM
to scmmanager
Hi,

I'm using a reverse proxy with apache httpd listening with https protocol, i.e: https://<public domain>/scm, sending the traffic to http://<private scm server ip>:8080/scm (this was working ok with scm 1.60).

But then I upgraded to 2.2.0 yesterday and the new version is forming some urls with the "http" scheme, so when you access it via the public domain through https, and a request is made to http, the web browser doesn't perform the request for security reasons (protocol downgrade).

Request for plugins with https scheme with http urls response: 

$ curl https://<public domain>/scm/api/v2/ui/plugins
{"_links":{"self":{"href":"http://<public domain>/scm/api/v2/ui/plugins"}},"_embedded":{"plugins":[{"name":"scm-git-plugin","bundles":["/scm/assets/scm-git-plugin.bundle.js"],"_links":{"self":{"href":"http://<public domain>/scm/api/v2/ui/plugins/scm-git-plugin:2.2.0"}}},{"name":"scm-hg-plugin","bundles":["/scm/assets/scm-hg-plugin.bundle.js"],"_links":{"self":{"href":"http://<public domain>/scm/api/v2/ui/plugins/scm-hg-plugin:2.2.0"}}},{"name":"scm-ldap-plugin","bundles":["/scm/assets/scm-ldap-plugin.bundle.js"],"_links":{"self":{"href":"http://<public domain>/scm/api/v2/ui/plugins/scm-ldap-plugin:2.0.0"}}},{"name":"scm-legacy-plugin","bundles":["/scm/assets/scm-legacy-plugin.bundle.js"],"_links":{"self":{"href":"http://<public domain>/scm/api/v2/ui/plugins/scm-legacy-plugin:2.2.0"}}},{"name":"scm-svn-plugin","bundles":["/scm/assets/scm-svn-plugin.bundle.js"],"_links":{"self":{"href":"http://<public domain>/scm/api/v2/ui/plugins/scm-svn-plugin:2.2.0"}}}]}}

I couldn't figure out a way to work around this.

The application is working correctly from http://<private scm server ip>:8080/scm.

When you access it via https://<public domain>/scm through proxy it "hangs" in "loading plugin information" for the browser doesn't allow the ajax load of url http://<public domain>/scm/api/v2/ui/plugins via http. (apiclient.ts:155 Safari error "Fetch API cannot load http://<public domain>/scm/api/v2/ui/plugins due to access control checks.").

The domain is public and you can see the error, but I'll not post it here.

Can you help me? 

Thanks!
Federico.

Sebastian Sdorra

Jul 23, 2020, 1:47:50 AM
to scmma...@googlegroups.com
Hi Federico,
You have to send the X-Forwarded-Proto header to SCM-Manager to tell SCM-Manager which scheme to use.
Please have a look at the following issue, which describes the apache configuration in more detail:

https://github.com/scm-manager/scm-manager/issues/1253

Sebastian
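
A client-side check for the symptom in this thread, as an added example that is not part of the original posts or of SCM-Manager: it walks a HAL response like the one from /api/v2/ui/plugins and lists absolute links whose scheme differs from the public URL. It goes one step further than the post by also flagging links that point at a different host. The host scm.example.org, the sample body and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the /api/v2/ui/plugins response in the post;
# scm.example.org stands in for the public domain.
BASE = "scm.example.org/scm/api/v2/ui/plugins"
SAMPLE_BODY = json.dumps({
    "_links": {"self": {"href": f"http://{BASE}"}},
    "_embedded": {"plugins": [
        {"name": "scm-git-plugin",
         "_links": {"self": {"href": "http://127.0.0.1:8080/scm/api/v2/ui/plugins/scm-git-plugin:2.2.0"}}},
        {"name": "scm-hg-plugin",
         "_links": {"self": {"href": f"https://{BASE}/scm-hg-plugin:2.2.0"}}},
    ]},
})

def iter_hrefs(node, path="$"):
    """Yield (json_path, href) for every "href" string in a HAL document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "href" and isinstance(value, str):
                yield f"{path}.{key}", value
            else:
                yield from iter_hrefs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_hrefs(item, f"{path}[{i}]")

def mismatched_links(body, public_url):
    """Return (path, href, reason) for absolute links that leave the public origin."""
    public = urlsplit(public_url)
    findings = []
    for where, href in iter_hrefs(json.loads(body)):
        link = urlsplit(href)
        if not link.scheme:
            continue  # relative link: resolved against the page, keeps its scheme
        reasons = [label for label, differs in (
            ("scheme", link.scheme != public.scheme),
            ("host", link.netloc != public.netloc)) if differs]
        if reasons:
            findings.append((where, href, "+".join(reasons)))
    return findings

if __name__ == "__main__":
    for where, href, why in mismatched_links(SAMPLE_BODY, "https://scm.example.org/scm"):
        print(f"{why:12} {where}: {href}")
```

An empty result for a response fetched through the proxy means every absolute link already uses the public scheme and host.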


Sebastian Sdorra

Jul 23, 2020, 9:45:23 AM
to scmma...@googlegroups.com
We have now updated our reverse proxy configuration documentation:


Sebastian

Sebastian Sdorra

Oct 30, 2020, 2:55:00 AM
to scmma...@googlegroups.com
Hi Christian,
This is strange. ModProxy should send an X-Forwarded-Host header, which should fix the problem with the local hostname. The X-Forwarded-Proto should fix the problem with the wrong scheme in the url. Could you try to analyze the headers? For example with ngrep:

ngrep -W byline -d lo port 8082

After you have started ngrep, make a request to your reverse proxy and check the ngrep outcome for the http headers.

Sebastian

On Fri, Oct 30, 2020 at 06:19, Christian Weisskopf <chr...@gmail.com> wrote:
Hi

Sorry to bring this topic up again, but it's still not solved for me.

We use a similar setup with Apache on HTTPS that proxies to a local Jetty on 80xx with the SCM Manager WAR, a setup we've used with SCM Manager prior to 2.x for years. I checked with the latest documentation and don't see anything that I missed, but the /v2 API endpoint still returns HTTP links.

Also for me, if I don't use ProxyPreserveHost On, the API endpoint actually returns links to the local URL, e.g. http://127.0.0.1:8080/scm. I tried to experiment with "base-url" property from config.xml, but that did not solve anything.

ProxyPreserveHost On
AllowEncodedSlashes NoDecode

RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Ssl "on"

ProxyPass /scm http://127.0.0.1:8082/scm nocanon
ProxyPassReverse /scm http://127.0.0.1:8082/scm

Any pointers would be appreciated.

Thanks
Chris

Christian Weisskopf

Nov 5, 2020, 4:02:20 AM
to scmmanager
Hi Sebastian

Thanks for the tip with ngrep. Here's the output when I run "ngrep -W byline -d lo '' 'tcp port 8082'" (replaced real host with "mydomain.com"):

interface: lo (127.0.0.0/255.0.0.0)
filter: ( tcp port 8082 ) and ((ip || ip6) || (vlan && (ip || ip6)))
######
GET /scm/ HTTP/1.1.
Pragma: no-cache.
Cache-Control: no-cache.
Upgrade-Insecure-Requests: 1.
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.0 Safari/537.36.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9.
Sec-Fetch-Site: none.
Sec-Fetch-Mode: navigate.
Sec-Fetch-User: ?1.
Sec-Fetch-Dest: document.
Accept-Encoding: gzip, deflate, br.
Accept-Language: en-US,en;q=0.9.
X-Forwarded-Port: 443.
X-Forwarded-Proto: https.
X-Forwarded-Ssl: on.

##
X-Forwarded-For: xxx.xxx.xxx.xxx.
X-Forwarded-Host: mydomain.com.
X-Forwarded-Server: mydomain.com.
Connection: Keep-Alive.
.

##
HTTP/1.1 200 OK.
Content-Type: text/html;charset=utf-8.
Content-Length: 1891.
Server: Jetty(9.4.33.v20201020).
.
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="theme-color" content="#000000">
    <!--
      manifest.json provides metadata used when your web app is added to the
    -->
    <link rel="manifest" href="/scm/manifest.json">
    <link rel="shortcut icon" href="/scm/favicon.ico">

    <base href="/scm">
    <title>SCM-Manager</title>
    (...)

Thanks
Chris
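
The header check suggested in this thread, automated, as an added example that is not from the posts or from SCM-Manager: it parses text in the `ngrep -W byline` layout, joins a request whose headers are split across two packets (as in the capture above), and reports whether X-Forwarded-Proto and X-Forwarded-Host reached the backend. The capture, the host proxy.example.org and the function names are constructed for illustration.

```python
import re

# Constructed capture in the layout `ngrep -W byline` prints: CR shown as ".",
# "#" lines between packets. proxy.example.org is a placeholder host.
CAPTURE = """\
######
T 127.0.0.1:51234 -> 127.0.0.1:8082 [AP]
GET /scm/api/v2/ui/plugins HTTP/1.1.
X-Forwarded-Proto: https.

##
T 127.0.0.1:51234 -> 127.0.0.1:8082 [AP]
X-Forwarded-Host: proxy.example.org.
Connection: Keep-Alive.
.
"""

LAYOUT = re.compile(r"^(#+|[TU] \S+ -> \S+.*)$")  # packet marker or address line

def request_headers(capture):
    """Return {lowercased-name: value} for the first HTTP request in the capture."""
    headers, started = {}, False
    for raw in capture.splitlines():
        line = raw.strip()
        if not line or LAYOUT.match(line):
            continue                       # ngrep layout, not HTTP payload
        if line == "." and started:
            break                          # bare CR: blank line ending the headers
        line = line[:-1] if line.endswith(".") else line   # drop the printed CR
        if not started:
            started = re.match(r"^[A-Z]+ \S+ HTTP/\d", line) is not None
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def forwarded_problems(capture, want_proto="https"):
    """List what the backend is missing to rebuild the public URL."""
    seen = request_headers(capture)
    problems = [f"{n} missing" for n in ("x-forwarded-proto", "x-forwarded-host")
                if n not in seen]
    proto = seen.get("x-forwarded-proto")
    if proto is not None and proto.lower() != want_proto:
        problems.append(f"x-forwarded-proto is {proto!r}, expected {want_proto!r}")
    return problems

if __name__ == "__main__":
    print(forwarded_problems(CAPTURE) or "forwarded headers reached the backend")
```

Because the parser strips one trailing "." per line, a header value that really ends in a dot loses it; that does not affect the scheme and host checks.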