View Issue Details

ID: 0020285
Project: phpList 3 application
Category: Browser Issues
View Status: public
Last Update: 05-11-20 22:29
Reporter: michiel
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 3.5.5-RC1
Target Version: 3.5.7-RC1
Summary: 0020285: incorrect redirect of stylesheet on announce.phplist.org
Description
    wget https://announce.phplist.org/lists/admin/ui/phplist-ui-bootlist-ph/css/style.css
    --2020-11-04 14:27:36-- https://announce.phplist.org/lists/admin/ui/phplist-ui-bootlist-ph/css/style.css
    Resolving announce.phplist.org (announce.phplist.org)... 45.33.29.14
    Connecting to announce.phplist.org (announce.phplist.org)|45.33.29.14|:443... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: http://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css [following]
    --2020-11-04 14:27:37-- http://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css
    Connecting to announce.phplist.org (announce.phplist.org)|45.33.29.14|:80... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: https://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css [following]
    --2020-11-04 14:27:37-- https://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css
    Connecting to announce.phplist.org (announce.phplist.org)|45.33.29.14|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 152421 (149K) [text/css]
    Saving to: ‘style.css’



It redirects to HTTP and then back to HTTPS.
Tags: No tags attached.
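
The check done by eye on the wget transcript in the description, as an added example that is not part of the original issue: it parses a wget log into redirect hops and reports every hop that goes from https to http. The sample log is abbreviated from the transcript above (resolve/connect lines dropped), and the function names are hypothetical.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample: abbreviated from the wget transcript in the description.
SAMPLE_WGET_LOG = """\
--2020-11-04 14:27:36-- https://announce.phplist.org/lists/admin/ui/phplist-ui-bootlist-ph/css/style.css
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css [following]
--2020-11-04 14:27:37-- http://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css [following]
--2020-11-04 14:27:37-- https://announce.phplist.org/admin/ui/phplist-ui-bootlist-ph/css/style.css
HTTP request sent, awaiting response... 200 OK
"""

REQUEST_RE = re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(\S+)$")
STATUS_RE = re.compile(r"awaiting response\.\.\. (\d{3})")
LOCATION_RE = re.compile(r"^Location: (\S+)")

def parse_hops(log):
    """Turn a wget transcript into an ordered list of request hops."""
    hops = []
    for line in log.splitlines():
        line = line.strip()
        if m := REQUEST_RE.match(line):
            hops.append({"url": m.group(1), "status": None, "location": None})
        elif hops and (m := STATUS_RE.search(line)):
            hops[-1]["status"] = int(m.group(1))
        elif hops and (m := LOCATION_RE.match(line)):
            hops[-1]["location"] = m.group(1)
    return hops

def find_downgrades(hops):
    """Return (from_url, to_url) for every redirect that leaves https for http."""
    downgrades = []
    for hop in hops:
        if hop["location"] is None:
            continue
        # Resolve relative Location values against the requested URL.
        target = urljoin(hop["url"], hop["location"])
        if urlsplit(hop["url"]).scheme == "https" and urlsplit(target).scheme == "http":
            downgrades.append((hop["url"], target))
    return downgrades
```
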

Activities

michiel

04-11-20 14:35

administrator   ~0063467

@martin can you have a look? This causes the stylesheet not to load

See attachments
image.png (34,424 bytes)
image-2.png (17,233 bytes)

martin

04-11-20 15:42

administrator   ~0063468

Weird, it worked recently just fine.
So I don't think it's redirection. I'll try to reset the template first.

martin

05-11-20 09:05

administrator   ~0063472

Last edited: 05-11-20 14:30

After some tests, I must confirm the security measures in some browsers detect that there's an http:// redirect in the page.
I'm going to review and test the apache2 config files.
However, I find the redirects quite complex and I don't understand them too well, so I'll let you check the modified files before placing them live.
Perhaps staging should have haproxy with SSL offloading too, otherwise I can't test SSL issues properly. [UPDATE: using acl on aspen in haproxy gives the possibility to test it]
@michiel

michiel

05-11-20 10:03

administrator   ~0063473

Thanks @martin I will have a look as well. We should remove any redirects to http as we are now fully SSL even on custom domains.

michiel

05-11-20 10:27

administrator   ~0063474

It's this line

https://gitlab.com/phpList/ansible/-/blob/master/roles/pqserver/templates/sites-enabled/001-hosted-custom-domain.conf.j2#L29

We should change that to https and it will be fine.

Do you want to process that? You will then need to run the playbook to update the servers.

michiel

05-11-20 10:27

administrator   ~0063475

So, change

    RewriteRule ^/lists(.*) http://%{HTTP_HOST}$1 [R=permanent,L]

to

    RewriteRule ^/lists(.*) https://%{HTTP_HOST}$1 [R=permanent,L]

michiel

05-11-20 10:32

administrator   ~0063476

Actually, maybe that will cause an eternal redirect, so we should take the line out.

michiel

05-11-20 10:33

administrator   ~0063477

and then take the line above out as well.

michiel

05-11-20 10:34

administrator   ~0063478

Ah, no, on second check, the intention is to redirect /lists to / so that's fine. Sorry, back to the original plan, change http to https

martin

05-11-20 13:17

administrator   ~0063479

Last edited: 05-11-20 14:28

I'm reading your suggestion now, after I finished some tests already.

We can't use https, because there's SSL offloading in haproxy and the backend servers work on http over a private network. I'm not sure if there's another way of configuring SSL in our environment, and have all the certificates that are managed by aspen (haproxy) now working properly. [UPDATE: actually, it's possible to use an https redirect, because it would go again to haproxy and offload the SSL. It's getting a bit confusing]

So I've removed all http:// parts from the redirects and it seems to work just fine. [UPDATE: wrong, wget fails]

I'll post the config before I go live.
If you give me your IP, I'll add it to haproxy, so you could test too.
There's one server (aronia) that's a separate backend; only a specified src IP can use it.

martin

05-11-20 13:23

administrator   ~0063480

The updated configs are in /etc/apache2/sites-enabled on aronia.
@michiel

martin

05-11-20 13:46

administrator   ~0063481

I also try your suggestion, and how wget will work.

martin

05-11-20 14:18

administrator   ~0063482

If we're able to not use the full URL in redirects, I'd prefer that.

michiel

05-11-20 14:19

administrator   ~0063483

It's fine to use HTTPS because it's only a browser header, so it will send the browser back to HTTPS and that's fine, even behind the proxy. It only makes testing while using HTTP directly to the server harder, but we're not doing that anyway.

martin

05-11-20 15:16

administrator   ~0063484

Thanks, I'm correcting that.

In 300-phplist-hosted.conf.j2, I've found redirects to http, so I suppose they should be corrected too:

    ## force lowercase and redirect the site root to /lists
    RewriteCond ${lowercase:%{HTTP_HOST}} [a-z0-9-]+\.hosted\.phplist\.com
    RewriteRule ^(.+) ${lowercase:%{HTTP_HOST}}$1 [C]
    RewriteRule ^([a-z0-9-]+)\.hosted\.phplist\.com/$ http://$1.hosted.phplist.com/lists/ [R=permanent,L]
    RewriteRule ^([a-z0-9-]+)\.hosted\.phplist\.com/lists$ http://$1.hosted.phplist.com/lists/ [R=permanent,L]
    RewriteRule ^([a-z0-9-]+)\.hosted\.phplist\.com/lists/admin$ http://$1.hosted.phplist.com/lists/admin/ [R=permanent,L]

michiel

05-11-20 15:29

administrator   ~0063485

Yes, that would be good.

martin

05-11-20 17:12

administrator   ~0063486

Because http is redirected to https on the haproxy frontend, the last two lines should be removed, I think.

michiel

05-11-20 17:41

administrator   ~0063487

No, just change it to use https.

The lines add a / to the folders, so they force the browser to the index.php files. Also, the top one redirects / to /lists/ so that loading the main URL redirects to the subscribe page.

martin

05-11-20 20:28

administrator   ~0063488

Updated the pqserver apache2 config in the ansible repo and loaded it to all pqservers.

michiel

05-11-20 22:29

administrator   ~0063491

Nice one!