Reverse proxy and redirection


Julien Thomas

Mar 11, 2021, 3:25:36 PM
to SimpleSAMLphp
Good afternoon.

As discussed on https://github.com/simplesamlphp/simplesamlphp/issues/1437, I am facing two strange issues when using SSP as an IdP.

case 1

  1. set up SSP as an SP over port 8443 behind a proxy on port 443
  2. perform login requests
  3. error occurs with issue as NO STATE ("ld not load state specified by InResponseTo: NOSTATE Processing response as unsolicited")

case 2

  1. set up SSP as an SP over port 8443 behind a proxy on port 443
  2. force cookies to be secure (HTTPS only) on config file of SSP
  3. perform login requests
  4. Redirection is made to port 8443

So secure cookies fix No State, OK. Though I do not fully get why.
But why is the redirection browser dependent?
Could that be Nginx config related?

I made a fix with a PREROUTING redirect (with iptables) from 8443 to 443, but it would be better to fix it correctly.

Thanks for the help

Peter Schober

Mar 11, 2021, 3:35:15 PM
to SimpleSAMLphp
* Julien Thomas <julien...@yourosoft.com> [2021-03-11 21:25]:
"Redirection is made to port 8443"

If your SP web server is behind an HTTP Reverse Proxy nothing should
ever know (nor be able to successfully connect) about the port your
proxied web server runs at, i.e., nothing should ever access or
redirect to port 8443.

Do you literally run Apache httpd as web server and then again Nginx
as yet another web server? (Why?)
If so I'd make sure Apache httpd is properly configured, meaning
ServerName is properly virtualised (with the externally -- from your
browser -- visible schema and port).
Maybe only getting SSP's baseurlpath right (as suggested by Tim in
that issue) will suffice but getting the virtualisation right in the
web server can't hurt.

Cookie issues limited to Chrome and Edge (which is the same thing
these days, AFAIK) but not Firefox also scream SameSite, as also
mentioned by Tim.

-peter

Julien Thomas

Mar 11, 2021, 3:53:14 PM
to SimpleSAMLphp
Hi Peter.
You are right, "nothing should ever know (nor be able to successfully connect) about the port your proxied web server runs at" and they do not.

The issue was spotted as SSP itself tries to redirect to port 8443 after getting successful data from IdP (from port 443).
That is the strange thing: the issue occurs internally within SSP.

Note that baseurlpath is already fine. On diagnostics, the only thing is having HTTP_HOST and SERVER_PORT with port 8443.
I will try to see it through but why is SSP doing this redirect when all the setup is correct apart at this step and only for some browsers?

Peter Schober

Mar 11, 2021, 4:29:36 PM
to SimpleSAMLphp
* Julien Thomas <julien...@yourosoft.com> [2021-03-11 21:53]:
> You are right, "nothing should ever know (nor be able to successfully
> connect) about the port your proxied web server runs at" and they do not.
>
> The issue was spotted as SSP itself tries to redirect to port 8443 after
> getting successful data from IdP (from port 443).

SSP shouldn't even know about the physical port Apache httpd runs as.
But I already suggested to fix your virtualisation in httpd so I'm not
going to suggest that again.
-peter
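
A check for the two symptoms discussed in this thread, added here as an example and not part of any participant's post or of SimpleSAMLphp: it audits an SP response's headers for a redirect that leaves the proxy's public origin and for a session cookie that a SameSite-enforcing browser would drop or withhold. The host `sp.example.org`, the cookie name `SESSION`, the paths and the sample headers are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the proxy's public origin; sp.example.org is a placeholder host.
PUBLIC_ORIGIN = ("https", "sp.example.org", 443)
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def audit_response(headers, public_origin=PUBLIC_ORIGIN):
    """Return findings for one response given as a list of (name, value) headers."""
    findings = []
    for name, value in headers:
        if name.lower() == "location":
            url = urlsplit(value)
            origin = (url.scheme, url.hostname, url.port or DEFAULT_PORTS.get(url.scheme))
            # Same host, different scheme or port: the backend listener leaked out.
            if url.hostname == public_origin[1] and origin != public_origin:
                findings.append(f"redirect bypasses the proxy: {value}")
        elif name.lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            samesite = attrs.get("samesite", "").lower()
            if samesite == "none" and "secure" not in attrs:
                findings.append(f"{cookie}: SameSite=None needs Secure")
            elif samesite != "none":
                findings.append(f"{cookie}: may be withheld on the cross-site POST from the IdP")
    return findings

# Constructed sample responses (not captured from the thread's deployment).
BROKEN = [
    ("Location", "https://sp.example.org:8443/protected/"),
    ("Set-Cookie", "SESSION=abc123; path=/; HttpOnly"),
]
FIXED = [
    ("Location", "https://sp.example.org/protected/"),
    ("Set-Cookie", "SESSION=abc123; path=/; secure; HttpOnly; SameSite=None"),
]

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_response(sample))
```

Redirects to another host, such as the IdP, and relative redirects are not flagged; only a same-host redirect with a different scheme or port is.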