View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0020285 | phpList 3 application | Browser Issues | public | 04-11-20 14:29 | 05-11-20 22:29 |
Reporter | michiel | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | resolved | Resolution | fixed | ||
Product Version | 3.5.5-RC1 | ||||
Target Version | 3.5.7-RC1 | ||||
Summary | 0020285: incorrect redirect of stylesheet on announce.phplist.org | ||||
Description |

```
wget https://announce.phplist.org/lists/admin/ui/phplist-ui-bootlist-ph/css/style.css
--2020-11-04 14:27:36-- https://announce.phplist.org/lists/admin/ui/phplist-ui-bootlist-ph/css/style.css
Resolving announce.phplist.org (announce.phplist.org)... 45.33.29.14
Connecting to announce.phplist.org (announce.phplist.org)|45.33.29.14|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css [following]
--2020-11-04 14:27:37-- http://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css
Connecting to announce.phplist.org (announce.phplist.org)|45.33.29.14|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css [following]
--2020-11-04 14:27:37-- https://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css
Connecting to announce.phplist.org (announce.phplist.org)|45.33.29.14|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 152421 (149K) [text/css]
Saving to: ‘style.css’
```

It redirects to HTTP and then back to HTTPS.
Tags | No tags attached. | ||||
|
@martin can you have a look? This causes the stylesheet not to load. See attachments. |
|
Weird, it worked recently just fine. So I don't think it's redirection; I'll try to reset the template first. |
|
After some tests, I must confirm the security measures in some browsers detect that there's an http:// redirect in the page. I'm going to review and test the apache2 config files; however, I find the redirects quite complex and I don't understand them too well, so I'll let you check the modified files before placing them live. Perhaps staging should have haproxy with ssl offloading too, otherwise I can't test SSL issues properly. [UPDATE: using acl on aspen in haproxy gives the possibility to test it] @michiel |
|
Thanks @martin I will have a look as well. We should remove any redirects to http as we are now fully SSL even on custom domains. |
|
It's this line https://gitlab.com/phpList/ansible/-/blob/master/roles/pqserver/templates/sites-enabled/001-hosted-custom-domain.conf.j2#L29 We should change that to https and it will be fine. Do you want to process that? You will then need to run the playbook to update the servers. |
|
So, change `RewriteRule ^/lists(.*) http://%{HTTP_HOST}$1 [R=permanent,L]` to `RewriteRule ^/lists(.*) https://%{HTTP_HOST}$1 [R=permanent,L]` |
|
Actually, maybe that will cause an eternal redirect, so we should take the line out. |
|
and then take the line above out as well. |
|
Ah, no, on second check, the intention is to redirect /lists to / so that's fine. Sorry, back to the original plan, change http to https |
|
I'm reading your suggestion now, after I finished some tests already. We can't use https, because there's SSL offloading in haproxy and the backend servers work on http over a private network. I'm not sure if there's another way of configuring ssl in our environment and having all the certificates that are now managed by aspen (haproxy) working properly. [UPDATE: actually, it's possible to use an https redirect, because it would go to haproxy again and offload the SSL. It's getting a bit confusing.] So I've removed all http:// parts from the redirects and it seems to work just fine. [UPDATE: wrong, wget fails.] I'll post the config before I go live. If you give me your IP, I'll add it to haproxy, so you could test too. There's one server (aronia) that's a separate backend; only specified src IPs can use it. |
|
the updated configs are in /etc/apache2/sites-enabled on aronia @michiel |
|
I'll also try your suggestion and how wget will work. |
|
If we're able to not use the full URL in redirects, I'd prefer that. |
|
It's fine to use HTTPS because it's only a browser header, so it will send the browser back to HTTPS and that's fine, even behind the proxy. It only makes testing while using HTTP directly to the server harder, but we're not doing that anyway. |
|
Thanks, I'm correcting that. In 300-phplist-hosted.conf.j2, I've found redirects to http, so I suppose they should be corrected too:

```apache
## force lowercase and redirect the site root to /lists
RewriteCond ${lowercase:%{HTTP_HOST}} [a-z0-9-]+\.hosted\.phplist\.com
RewriteRule ^(.+) ${lowercase:%{HTTP_HOST}}$1 [C]
RewriteRule ^([a-z0-9-]+)\.hosted\.phplist\.com/$ http://$1.hosted.phplist.com/lists/ [R=permanent,L]
RewriteRule ^([a-z0-9-]+)\.hosted\.phplist\.com/lists$ http://$1.hosted.phplist.com/lists/ [R=permanent,L]
RewriteRule ^([a-z0-9-]+)\.hosted\.phplist\.com/lists/admin$ http://$1.hosted.phplist.com/lists/admin/ [R=permanent,L]
```
|
Yes, that would be good. |
|
Because http is redirected to https on the haproxy frontend, the last two lines should be removed, I think. |
|
No, just change it to use https. The lines add a / to the folders, so they force the browser to the index.php files. Also, the top one redirects / to /lists/ so that loading the main URL redirects to the subscribe page. |
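The scheme change agreed in this thread can be checked mechanically across the templates. The following is an added example, not part of the thread or the phpList Ansible repository: it scans Apache configuration text for `RewriteRule` redirects whose target is an absolute `http://` URL and returns the `https://` form of each line. The function names are hypothetical; the sample input is the set of rules quoted above from 300-phplist-hosted.conf.j2.

```python
import re

# RewriteRule <pattern> <substitution> [flags]; the flags block is optional.
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")

# The rules quoted in the thread from 300-phplist-hosted.conf.j2.
SAMPLE = r"""## force lowercase and redirect the site root to /lists
RewriteCond ${lowercase:%{HTTP_HOST}} [a-z0-9-]+\.hosted\.phplist\.com
RewriteRule ^(.+) ${lowercase:%{HTTP_HOST}}$1 [C]
RewriteRule ^([a-z0-9-]+)\.hosted\.phplist\.com/$ http://$1.hosted.phplist.com/lists/ [R=permanent,L]
RewriteRule ^([a-z0-9-]+)\.hosted\.phplist\.com/lists$ http://$1.hosted.phplist.com/lists/ [R=permanent,L]
RewriteRule ^([a-z0-9-]+)\.hosted\.phplist\.com/lists/admin$ http://$1.hosted.phplist.com/lists/admin/ [R=permanent,L]
"""


def is_redirect(flags):
    """True when the flag list asks for an external redirect (R, R=301, redirect=permanent)."""
    names = (f.strip().split("=", 1)[0].lower() for f in flags.split(","))
    return any(n in ("r", "redirect") for n in names)


def find_http_redirects(config_text):
    """Return (line_no, https_version_of_line) for each redirect rule targeting http://."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = RULE.match(line)
        if not m:
            continue  # comments, RewriteCond, blank lines
        target, flags = m.group(2), m.group(3) or ""
        if is_redirect(flags) and target.lower().startswith("http://"):
            fixed = "https://" + target[len("http://"):]
            findings.append((line_no, line.replace(target, fixed, 1)))
    return findings


if __name__ == "__main__":
    for line_no, suggestion in find_http_redirects(SAMPLE):
        print(f"line {line_no}: http:// redirect target; suggested: {suggestion}")
```

The chained lowercase rule and the `RewriteCond` line are not reported, because neither sends an absolute URL to the browser.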
|
updated pqserver apache2 config in ansible repo and loaded to all pqservers |
|
Nice one! |
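A regression check for the behaviour in the original report, as an added example that is not from the thread: it parses a wget transcript and reports every redirect that leaves https for http. The function names are hypothetical; the embedded transcript is the one from the report with the resolve and connect lines left out.

```python
import re
from urllib.parse import urlsplit

# wget prints "--<timestamp>-- <url>" before each request it makes.
REQUEST = re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(\S+)")
STATUS = re.compile(r"awaiting response\.\.\. (\d{3})")
REDIRECT_CODES = {301, 302, 303, 307, 308}

# From the report; resolve/connect lines omitted.
TRANSCRIPT = """\
--2020-11-04 14:27:36-- https://announce.phplist.org/lists/admin/ui/phplist-ui-bootlist-ph/css/style.css
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css [following]
--2020-11-04 14:27:37-- http://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css [following]
--2020-11-04 14:27:37-- https://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css
HTTP request sent, awaiting response... 200 OK
"""


def parse_hops(transcript):
    """Return [(url, status)] for each request in wget's output, in order."""
    hops = []
    for line in transcript.splitlines():
        req = REQUEST.match(line.strip())
        if req:
            hops.append([req.group(1), None])
            continue
        status = STATUS.search(line)
        if status and hops:
            hops[-1][1] = int(status.group(1))
    return [tuple(h) for h in hops]


def find_downgrades(hops):
    """Return (from_url, to_url) for each redirect that goes from https to http."""
    downgrades = []
    for (src, status), (dst, _) in zip(hops, hops[1:]):
        if (status in REDIRECT_CODES and urlsplit(src).scheme == "https"
                and urlsplit(dst).scheme == "http"):
            downgrades.append((src, dst))
    return downgrades


if __name__ == "__main__":
    for src, dst in find_downgrades(parse_hops(TRANSCRIPT)):
        print(f"downgrade: {src} -> {dst}")
```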