Shaarli via proxy: cannot login ('wrong password'). #319

Closed
Beun opened this issue Aug 12, 2015 · 12 comments
Labels: bug it's broken!, proxy hosting behind reverse proxies, security

Beun commented Aug 12, 2015

Two (completely up-to-date) CentOS 7 VMs:
One is running the latest version of Shaarli. The other one is a proxy.

All is proxied with ProxyPass and ProxyPassReverse. This works just fine for all my other (CentOS) webservers (ownCloud, Piwik, etc.).

The problem: Shaarli with the FQDN (via the proxy) gets displayed alright, but I cannot log in. It keeps saying 'wrong password'.
Shaarli at the local IP: no problem logging in.

After several attempts my IP got banned. In ipbans.php I can see the banned IP is the local IP of my proxy server.

Am I doing something wrong? Have I missed something?
Or am I trying to do something Shaarli can't handle?

Thx.

@virtualtam virtualtam added bug it's broken! security labels Aug 13, 2015
@virtualtam virtualtam added this to the 0.5.1 milestone Aug 13, 2015
@virtualtam virtualtam self-assigned this Aug 13, 2015
virtualtam (Member) commented
Hello @Beun!

There are several cases in index.php that can cause the credentials to be refused, and the error message is quite vague.

I'll provide you with a patch to add some verbosity and see what's going on in the PHP functions so you can root-cause the issue (sometime during the weekend).

In the meantime, could you check if there is any useful information from the server / PHP access and error logs?

Beun commented Aug 13, 2015

Hi!
Thanks for the swift reply!

In the error log ( /var/log/httpd/error_log ) there was a recurring error 'PHP Warning: date_default_timezone_get()', but upon setting the correct timezone in my php.ini, that problem disappeared.
And there was this error: 'httpd: Could not reliably determine the server's fully qualified domain name'. I used 'hostnamectl set-hostname --static' to fix that.

Now, while using Shaarli, there are no new errors whatsoever in the error log, not even when getting the 'wrong password' message in the browser while attempting to log in.

In the access log ( /var/log/httpd/access_log ) I can see that when I go to Shaarli on its local IP, the local IP of the machine I'm working on shows up in the access log.
And when I go to Shaarli via the FQDN, the IP address that shows up in the access log is the proxy IP, not the IP of the machine I'm working on.

Now I'm guessing here... But could it be that the password request does not get passed through correctly? Request comes from one IP, and the answer goes to another IP?

ArthurHoaro (Member) commented
Probably related: if I launch PHP internal server with localhost:8080, I can't login on 127.0.0.1:8080.

virtualtam (Member) commented
I'm currently cooking a Docker image, and am also facing issues with some pages when performing host-guest port translation:

  • Shaarli is served by nginx on :80 within the Docker container instance
  • the guest/container's :80 port is mapped to the host's :8080 port
  • my host also has an Apache listening on :80 and :443
  • http://localhost:8080 keeps being redirected to http://localhost/?test_session
  • http://localhost:8080/? works fine
  • most pages redirect on the proper port (8080), with the exception of the RSS feed: http://localhost/?do=rss instead of http://localhost:8080/?do=rss

There may be some checks to perform on how internal URLs are formed in index.php.

[EDIT]
Memo for URL & HTTP query utilities:

virtualtam (Member) commented
Some points:

  • the serverUrl() function uses $_SERVER information to build URLs
  • the allIPs() function accesses
    • $_SERVER["REMOTE_ADDR"]
    • $_SERVER['HTTP_X_FORWARDED_FOR']
    • $_SERVER['HTTP_CLIENT_IP']

Some literature:

@Beun could you:

  • drop the following snippet in a PHP script on the same server as Shaarli
  • go to the page where it is served, both from localhost and behind the proxy
  • check that the information for the following variables is consistent:
    • $_SERVER["REMOTE_ADDR"]
    • $_SERVER['HTTP_X_FORWARDED_FOR']
    • $_SERVER['HTTP_CLIENT_IP']
    • $_SERVER['HTTP_HOST']

Snippet:

<?php
echo '<pre>';
ksort($_SERVER);
print_r($_SERVER);
echo '</pre>';
?>

Moreover, Shaarli authentication is logged under data/log.txt; is there any useful information logged after a successful or failed login attempt?
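The two address sources listed above matter for the ban logic Beun ran into: with REMOTE_ADDR alone, every request relayed by the proxy is booked against the proxy, so a few failed logins ban every user behind it; honouring X-Forwarded-For from any client instead lets an attacker choose which address gets banned. The following is an added example, not Shaarli's own code, showing the usual middle ground: trust the forwarded header only when the TCP peer is a proxy you operate. The addresses 10.0.0.2 (proxy), 10.0.0.3 (Shaarli host) and the client addresses are constructed for the demonstration.

```php
<?php
// Added example (not Shaarli's own code): pick the client IP to use for login
// bans when requests may arrive through a reverse proxy. All addresses below
// are constructed for the demonstration.
declare(strict_types=1);

/**
 * What the thread observes: using REMOTE_ADDR alone attributes every request
 * that comes through the proxy to the proxy. Banning it after a few failed
 * logins locks out every user behind that proxy at once.
 */
function naiveClientIp(array $server): string
{
    return $server['REMOTE_ADDR'] ?? '';
}

/**
 * Honour X-Forwarded-For only when the TCP peer is a proxy we operate.
 * Otherwise anyone can send "X-Forwarded-For: 127.0.0.1" and have their failed
 * attempts booked against (or dodge a ban on) an address of their choosing.
 *
 * XFF is "client, proxy1, proxy2, ...": walk it from the right, skipping hops
 * we trust, and return the first hop we do not.
 */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;                       // direct connection: the peer is the client
    }
    $forwarded = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($forwarded === '') {
        return $peer;                       // proxy did not add the header
    }
    $hops = array_map('trim', explode(',', $forwarded));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $peer;                   // malformed header: do not trust any of it
        }
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $peer;                           // every hop was one of our proxies
}

// Constructed $_SERVER fragments. 10.0.0.2 is the assumed reverse proxy,
// 10.0.0.3 the assumed Shaarli host (HTTP_HOST stays the backend address,
// as Beun observed with the print_r snippet).
$trustedProxies = ['10.0.0.2'];

$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
    'HTTP_HOST'            => '10.0.0.3',
];
$direct = [
    'REMOTE_ADDR' => '192.168.1.20',
    'HTTP_HOST'   => '10.0.0.3',
];
$forged = [                                 // attacker connecting directly, lying in the header
    'REMOTE_ADDR'          => '198.51.100.9',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
    'HTTP_HOST'            => '10.0.0.3',
];

foreach (['via proxy' => $viaProxy, 'direct' => $direct, 'forged' => $forged] as $label => $server) {
    printf("%-9s naive=%-14s trusted-proxy=%s\n",
        $label, naiveClientIp($server), resolveClientIp($server, $trustedProxies));
}
```

For the relayed request the trusted-proxy version returns the forwarded client address where the naive version returns the proxy; for the direct and forged requests both return the TCP peer, so the forged 127.0.0.1 is ignored. The trusted-proxy list has to be configured explicitly; there is no safe way to infer it from the request.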

@virtualtam virtualtam modified the milestones: 0.5.1, 0.5.2 Aug 17, 2015
Beun commented Aug 19, 2015

I uploaded the snippet as testing.php, and what I found was the following:

Visiting Shaarli/testing.php on its own local IP, in a browser, [REMOTE_ADDR] shows the physical IP of the machine where I'm using the browser.
Visiting Shaarli/testing.php in a browser via the proxy, on the domain name: [REMOTE_ADDR] shows the IP of the proxy.

In both cases [HTTP_HOST] shows the local IP address of the Shaarli.

[HTTP_X_FORWARDED_HOST] and [HTTP_X_FORWARDED_SERVER] are only displayed when visiting the domain name, and both show the correct domain name.

[HTTP_CLIENT_IP] I do not see at all.

And in data/log.txt there is only login information, like:
Login successful, IP address banned from login and Ban lifted, where banned and ban lifted show the IP of the proxy server.

Thx :)

@virtualtam virtualtam mentioned this issue Aug 19, 2015
virtualtam (Member) commented

> banned and ban lifted show the IP of the proxy server.

@Beun were you successful in logging in through a proxy server?

If not, I can try to reproduce this use case with a couple of container appliances (though I may not have time for a couple of weeks).

[EDIT] diggin' a bit through old issues / PRs:

@virtualtam virtualtam added the proxy hosting behind reverse proxies label Aug 23, 2015
@virtualtam virtualtam modified the milestones: 0.5.2, 0.5.3 Aug 31, 2015
dper commented Sep 1, 2015

I also get a login error with 0.5.2. It did not happen with 0.5.1 (and my workaround is to use 0.5.1). I'm not using a proxy.

virtualtam (Member) commented
@dper could you open a new issue and provide some details about your configuration?

E.g. distro, HTTP server, and any relevant logs: server access/error, PHP errors, Shaarli login attempts

The only security-related change since 0.5.1 is #306, which improves session cookie handling.

ArthurHoaro (Member) commented

@Beun The session cookie is attached to a domain, which is provided by $_SERVER['SERVER_NAME'] (i.e. your virtual host name) in Shaarli. If you go through a reverse proxy, your cookie will be attached to the wrong domain.

You need to use the ProxyPassReverseCookieDomain directive.
I just made a simple successful test (no docker, sorry) with the following reverse proxy:

<VirtualHost *:8082>
    ServerName localhost
    ProxyPass /shaarliorg http://workspace.hoa.ro/shaarliorg/
    ProxyPassReverse /shaarliorg http://workspace.hoa.ro/shaarliorg/
    ProxyPassReverseCookieDomain workspace.hoa.ro 127.0.0.1
</VirtualHost>

Note that I had to use the local IP instead of localhost because of this: http://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain
I could also have used localhost.localdomain.

Let us know if this fixes your issue.

I'll add a bit of documentation on this.
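To make the mechanism behind ArthurHoaro's fix concrete: the backend stamps the session cookie with its own vhost name, the browser is talking to a different host, so by RFC 6265 domain matching it never stores (or never sends back) the cookie, and the next request arrives without a session. ProxyPassReverseCookieDomain rewrites the Domain attribute on the way back. The block below is an added example, not Shaarli's or Apache's code, that models that rewrite and the browser-side check. The host names workspace.hoa.ro and 127.0.0.1 are taken from his config; the cookie name and value are constructed. The special-casing of "localhost" reflects the browser behaviour the Stack Overflow link above describes.

```php
<?php
// Added example (not Shaarli's or Apache's code): model what
// ProxyPassReverseCookieDomain does to a Set-Cookie header coming back from
// the backend, and check whether a browser talking to the proxy's host would
// keep the cookie. Host names follow the config in the thread; the cookie
// name and value are constructed.
declare(strict_types=1);

/**
 * RFC 6265 domain matching (section 5.1.3): the request host must be the
 * cookie domain itself or a subdomain of it. Browsers also refuse a bare
 * "localhost" Domain attribute (see the Stack Overflow link in the thread),
 * which is why the proxy was addressed as 127.0.0.1 instead.
 */
function browserKeepsCookie(string $cookieDomain, string $requestHost): bool
{
    $domain = strtolower(ltrim($cookieDomain, '.'));
    $host   = strtolower($requestHost);
    if ($domain === '' || $domain === 'localhost') {
        return false;
    }
    if ($host === $domain) {
        return true;
    }
    $suffix = '.' . $domain;
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

/**
 * Rewrite "Domain=<internal>" to "Domain=<public>" in one Set-Cookie header,
 * leaving every other attribute untouched. This is the transformation that
 * "ProxyPassReverseCookieDomain <internal> <public>" applies to responses.
 */
function rewriteCookieDomain(string $setCookie, string $internal, string $public): string
{
    $attrs = array_map('trim', explode(';', $setCookie));
    foreach ($attrs as $i => $attr) {
        if ($i === 0) {
            continue;                                   // the "name=value" pair
        }
        if (strncasecmp($attr, 'Domain=', 7) === 0
            && strcasecmp(substr($attr, 7), $internal) === 0) {
            $attrs[$i] = 'Domain=' . $public;
        }
    }
    return implode('; ', $attrs);
}

/** Extract the Domain attribute of a Set-Cookie header ('' when absent). */
function cookieDomain(string $setCookie): string
{
    foreach (array_slice(array_map('trim', explode(';', $setCookie)), 1) as $attr) {
        if (strncasecmp($attr, 'Domain=', 7) === 0) {
            return substr($attr, 7);
        }
    }
    return '';
}

// The backend builds the cookie domain from SERVER_NAME, i.e. its own vhost.
// Cookie name and value are constructed for the demonstration.
$fromBackend = 'shaarli_session=0123abcd; Domain=workspace.hoa.ro; Path=/; HttpOnly';
$publicHost  = '127.0.0.1';     // what the browser addressed in the thread's test

// Without the directive the header reaches the browser unchanged; with
// "ProxyPassReverseCookieDomain workspace.hoa.ro 127.0.0.1" the proxy rewrites it.
$headers = [
    'as-is'     => $fromBackend,
    'rewritten' => rewriteCookieDomain($fromBackend, 'workspace.hoa.ro', $publicHost),
];

foreach ($headers as $label => $header) {
    printf("%-9s %s\n          browser at %s keeps it: %s\n",
        $label, $header, $publicHost,
        browserKeepsCookie(cookieDomain($header), $publicHost) ? 'yes' : 'no');
}
```

The unrewritten header fails the domain check for 127.0.0.1 and the rewritten one passes it, which is the difference between "wrong password" and a working login in this setup. The same applies when the public name is a real FQDN as in Beun's case: the second argument of the directive must be the host name the browser actually uses, and the first must match SERVER_NAME on the backend exactly.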

@ArthurHoaro ArthurHoaro modified the milestones: 0.5.3, 0.5.4 Sep 2, 2015
@ArthurHoaro ArthurHoaro removed this from the 0.5.3 milestone Sep 2, 2015
@virtualtam virtualtam modified the milestones: 0.5.4, 0.5.5 Sep 5, 2015
virtualtam (Member) commented
  • TODO: add documentation on serving Shaarli behind a proxy (Apache, Nginx)

virtualtam (Member) commented
See https://github.com/shaarli/Shaarli/wiki/Server-configuration#proxies for the documentation (don't hesitate to add practical examples!)
