View Issue Details

ID: 0020285
Project: phpList 3 application
Category: Browser Issues
View Status: public
Last Update: 05-11-20 22:29
Reporter: michiel
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 3.5.5-RC1
Target Version: 3.5.7-RC1
Summary: 0020285: incorrect redirect of stylesheet on
--2020-11-04 14:27:36--
Resolving (
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: [following]
--2020-11-04 14:27:37--
Connecting to (||:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: [following]
--2020-11-04 14:27:37--
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 152421 (149K) [text/css]
Saving to: ‘style.css’

it redirects to HTTP and then back to HTTPS
Tags: No tags attached.



04-11-20 14:35

administrator   ~0063467

@martin can you have a look? This causes the stylesheet not to load

See attachments
image.png (34,424 bytes)   
image-2.png (17,233 bytes)   


04-11-20 15:42

administrator   ~0063468

weird, it worked recently just fine.
so I don't think it's redirection, I'll try to reset the template first.


05-11-20 09:05

administrator   ~0063472

Last edited: 05-11-20 14:30


After some tests, I must confirm the security measures in some browsers detect that there's an http:// redirect in the page.
I'm going to review and test the apache2 config files.
However, I find the redirects quite complex and I don't understand them too well, so I'll let you check the modified files before placing them live.
Perhaps staging should have haproxy with SSL offloading too, otherwise I can't test SSL issues properly. [UPDATE: using acl on aspen in haproxy gives the possibility to test it]


05-11-20 10:03

administrator   ~0063473

Thanks @martin I will have a look as well. We should remove any redirects to http as we are now fully SSL even on custom domains.


05-11-20 10:27

administrator   ~0063474

It's this line

We should change that to https and it will be fine.

Do you want to process that? You will then need to run the playbook to update the servers.


05-11-20 10:27

administrator   ~0063475

So, change

    RewriteRule ^/lists(.*) http://%{HTTP_HOST}$1 [R=permanent,L]

to

    RewriteRule ^/lists(.*) https://%{HTTP_HOST}$1 [R=permanent,L]


05-11-20 10:32

administrator   ~0063476

Actually, maybe that will cause an eternal redirect, so we should take the line out.


05-11-20 10:33

administrator   ~0063477

and then take the line above out as well.


05-11-20 10:34

administrator   ~0063478

Ah, no, on second check, the intention is to redirect /lists to / so that's fine. Sorry, back to the original plan, change http to https


05-11-20 13:17

administrator   ~0063479

Last edited: 05-11-20 14:28


I'm reading your suggestion now, after I finished some tests already.

We can't use https, because there's SSL offloading in haproxy and the backend servers work on http over a private network. I'm not sure if there's another way of configuring SSL in our environment and having all the certificates that are now managed by aspen (haproxy) work properly. [UPDATE: actually, it's possible to use an https redirect, because it would go again to haproxy and offload the SSL. It's getting a bit confusing]

So I've removed all http:// parts from the redirects and it seems to work just fine. [UPDATE: wrong, wget fails]

I'll post the config before I go live.
If you give me your IP, I'll add it to haproxy, so you can test too.
There's one server (aronia) that's a separate backend; only specified src IPs can use it.


05-11-20 13:23

administrator   ~0063480

the updated configs are in /etc/apache2/sites-enabled on aronia


05-11-20 13:46

administrator   ~0063481

I'll also try your suggestion, and see how wget will work.


05-11-20 14:18

administrator   ~0063482

If we're able to not use full URLs in redirects, I'd prefer that.


05-11-20 14:19

administrator   ~0063483

It's fine to use HTTPS because it's only a browser header, so it will send the browser back to HTTPS and that's fine, even behind the proxy. It only makes testing while using HTTP directly to the server harder, but we're not doing that anyway.


05-11-20 15:16

administrator   ~0063484

thanks, I'm correcting that.

In 300-phplist-hosted.conf.j2, I've found redirects to http, so I suppose they should be corrected too:
## force lowercase and redirect the site root to /lists
  RewriteCond ${lowercase:%{HTTP_HOST}} [a-z0-9-]+\.hosted\.phplist\.com
  RewriteRule ^(.+) ${lowercase:%{HTTP_HOST}}$1 [C]
  RewriteRule ^([a-z0-9-]+)\.hosted\.phplist\.com/$ http://$ [R=permanent,L]
  RewriteRule ^([a-z0-9-]+)\.hosted\.phplist\.com/lists$ http://$ [R=permanent,L]
  RewriteRule ^([a-z0-9-]+)\.hosted\.phplist\.com/lists/admin$ http://$ [R=permanent,L]


05-11-20 15:29

administrator   ~0063485

Yes, that would be good.


05-11-20 17:12

administrator   ~0063486

Because http is redirected to https on the haproxy frontend, the last two lines should be removed, I think.


05-11-20 17:41

administrator   ~0063487

No, just change it to use https.

The lines add a / to the folders, so they force the browser to the index.php files. Also, the top one redirects / to /lists/ so that loading the main URL redirects to the subscribe page.


05-11-20 20:28

administrator   ~0063488

updated pqserver apache2 config in ansible repo and loaded to all pqservers


05-11-20 22:29

administrator   ~0063491

Nice one!
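
Added example, not part of the original issue thread or the phpList configuration: a small Python check that walks a redirect chain and reports any hop that drops from https to http, the pattern seen in the wget trace above, and that also stops on a redirect loop. The host `lists.example.invalid`, the stylesheet path and the `make_site` model of "proxy forces HTTPS, backend rewrites `^/lists(.*)`" are constructed assumptions for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def trace_redirects(url, fetch, max_hops=10):
    """Follow redirects using fetch(url) -> (status, location); return [(url, status), ...]."""
    hops, seen = [], set()
    while len(hops) < max_hops:
        if url in seen:
            raise RuntimeError(f"redirect loop at {url}")
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECTS or not location:
            return hops
        url = urljoin(url, location)  # Location may be relative
    raise RuntimeError("too many redirects")

def downgrades(hops):
    """Return (from_url, to_url) pairs where an https URL redirected to plain http."""
    urls = [u for u, _ in hops]
    return [(a, b) for a, b in zip(urls, urls[1:])
            if urlsplit(a).scheme == "https" and urlsplit(b).scheme == "http"]

def make_site(rule_scheme):
    """Constructed model: SSL-offloading proxy in front of a backend rewrite rule."""
    def fetch(url):
        parts = urlsplit(url)
        if parts.scheme == "http":           # proxy frontend forces HTTPS
            return 301, f"https://{parts.netloc}{parts.path}"
        if parts.path.startswith("/lists"):  # backend: ^/lists(.*) -> scheme://host$1
            return 301, f"{rule_scheme}://{parts.netloc}{parts.path[len('/lists'):]}"
        return 200, None
    return fetch

# Constructed sample URL, not taken from the issue.
SAMPLE_START = "https://lists.example.invalid/lists/styles/style.css"

if __name__ == "__main__":
    for scheme in ("http", "https"):
        hops = trace_redirects(SAMPLE_START, make_site(scheme))
        print(f"rule target {scheme}: {len(hops)} requests, "
              f"downgrades: {downgrades(hops)}")
```

To run it against a live host, pass a `fetch` that issues a single non-following request and returns the status code and `Location` header.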