Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#466 closed New feature (fixed)

Support https reverse proxying

Reported by: landure Owned by:
Priority: major Milestone: RobotRock
Component: Core Keywords: reverse proxy login https
Cc: Sensitive:

Description

I'm using Piwik behind an Apache 2 reverse proxy.

Here is my configuration:

Internet -> Apache 2 (http, OR https) -(reverse proxying)-> lighttpd (http) hosting piwik.

Since the Piwik login page uses an absolute URL for the login form, even if I access the Apache 2 reverse proxy using:

https://piwik.domain.com/

the login form action uses the protocol value detected from lighttpd:

http://piwik.domain.com/

This is an issue. The solution is to add an option to disable complete URLs for forms (so that the action is just / instead of http://piwik.domain.com).

This would allow using different protocols between the reverse proxy and the actual Piwik HTTP server.

Attachments (2)

virtualhost.conf (929 bytes) - added by vipsoft 5 years ago.
Thanks for clarifying your set-up. I've attached a sample reverse proxy configuration using mod_proxy_html to rewrite the login form's action URL. Other than masking some information about my set-up, this is the configuration I tested. It might still need a little "magic" (e.g., ProxyHTMLLinks for some legacy html elements).
466.diffs (357 bytes) - added by vipsoft 5 years ago.


Change History (15)

comment:1 Changed 5 years ago by vipsoft (robocoder)

This actually sounds like a bug in the reverse proxy.

comment:2 Changed 5 years ago by landure

Actually it is more of a feature request than a bug.

The reverse proxy cannot tell the web server behind it whether it uses http or https.
Since the web server behind the reverse proxy does not use https but http, Piwik believes that it uses http, but for the user, who sees only the reverse proxy, Piwik is on https.

So, with a URL https://piwik.domain.com, the form created by Piwik points to http://piwik.domain.com

So I'm requesting a feature that allows disabling the complete URL for forms, or telling Piwik that it should use https instead of http.

In the end, it is the web application's responsibility to offer such a feature. For example, phpMyAdmin allows it.

comment:3 Changed 5 years ago by vipsoft (robocoder)

  • Summary changed from Piwik does not support https reverse proxying to Support https reverse proxying
  • Type changed from Bug to New feature

comment:4 Changed 5 years ago by vipsoft (robocoder)

Have you configured your reverse proxy to use

SSLProxyEngine On

?

comment:5 Changed 5 years ago by landure

Hi,

I've just tried it, without anything else, in my Apache 2 config. It has no visible effect. After digging a little, it seems that it is needed to reverse proxy to an https site in the backend:

https -> proxy -> https

My configuration uses Piwik in HTTP:

https -> proxy -> http

This morning, while playing with Piwik, I've found out that Piwik worked well in either HTTP or HTTPS. The only problem I have with HTTPS is with the login form.

The action of the login form is http://piwik.domain.fr/index.php?module=CoreHome&action= even when I'm accessing Piwik in HTTPS.

Would it be a security issue to use a relative URL for the login form? Something like:

/index.php?module=CoreHome&action=

This would bypass the problem. This could be a Piwik option that enables people using an https-to-http reverse proxy to use Piwik without problems.

Changed 5 years ago by vipsoft (robocoder)

comment:6 Changed 5 years ago by vipsoft (robocoder)

  • Resolution set to wontfix
  • Status changed from new to closed

comment:7 Changed 5 years ago by vipsoft (robocoder)

  • Resolution wontfix deleted
  • Status changed from closed to reopened

See patch

Changed 5 years ago by vipsoft (robocoder)

comment:8 Changed 5 years ago by matt (mattab)

Have committed the patch from vipsoft; please close the ticket if that actually fixes the bug. Thanks!

comment:9 Changed 5 years ago by matt (mattab)

  • Resolution set to fixed
  • Status changed from reopened to closed

I close it because of missing feedback; when the next release is published, if you still experience the issue, please reopen the ticket.

comment:10 Changed 5 years ago by landure

Without using the provided virtualhost (which uses mod_proxy_html), the patch fixes half of the problem:

When accessing the login form over https, the form is submitted over https, so the password is not sent over the network in plain text.

But once logged in, the user is redirected to the http connection (probably because the form_url hidden input is something like "http://...").

As said before, my setup is "HTTPS ---- reverse proxy ---> HTTP".

So I leave this bug as closed... but without using mod_proxy_html, or https on the server behind the reverse proxy, it just allows having the password protected by https.

comment:11 Changed 5 years ago by matt (mattab)

landure or others, if you can think of any way to fix something in Piwik to make it work with your setup, let us know by commenting here. How do other PHP projects handle this problem, for example?
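The scheme-detection problem raised in comment:2, the relative form action proposed in comment:5, the post-login redirect observed in comment:10 and the question in comment:11 about how other PHP projects handle it all come down to the same two pieces, shown here as an added example that is not Piwik's code and not part of the attached patch. It assumes the proxy sets an X-Forwarded-Proto header (Apache does this with mod_headers, not by default) and that the proxy address list is the only source allowed to set it; the function names, the sample request and the addresses are constructed for illustration.

```php
<?php
// Added example (not Piwik code): determine the scheme the browser used when a
// request arrives through a reverse proxy, and build a form action that does
// not embed scheme or host at all.
//
// Assumptions (not stated in the ticket): the proxy sets X-Forwarded-Proto, and
// only the addresses in $trustedProxies are permitted to set it.

function isTrustedProxy(string $remoteAddr, array $trustedProxies): bool
{
    return in_array($remoteAddr, $trustedProxies, true);
}

/**
 * Return "https" or "http" as seen by the browser.
 * $server is an array shaped like $_SERVER so the function can be run offline.
 */
function publicScheme(array $server, array $trustedProxies): string
{
    // TLS terminated on this host: the SAPI sets HTTPS to a non-empty value other than "off".
    $localHttps = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';

    // Honour the forwarded header only when the immediate peer is a proxy we control.
    // Any client can send X-Forwarded-Proto, so an unconditional check would let a
    // plain-http client claim to be on https (or vice versa).
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (isset($server['HTTP_X_FORWARDED_PROTO']) && isTrustedProxy($remote, $trustedProxies)) {
        // A chain of proxies may send "https,http"; the first value is the client-facing scheme.
        $first = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0]));
        return $first === 'https' ? 'https' : 'http';
    }
    return $localHttps ? 'https' : 'http';
}

/**
 * Form action containing path and query only: the browser resolves it against
 * whatever scheme and host it is already using, so no proxy rewriting is needed.
 */
function relativeFormAction(string $module, string $action = ''): string
{
    return '/index.php?' . http_build_query(['module' => $module, 'action' => $action]);
}

/**
 * Absolute URL for a redirect (e.g. after login), built from the detected public
 * scheme rather than from what the backend web server sees.
 */
function absoluteUrl(array $server, array $trustedProxies, string $pathAndQuery): string
{
    $host = $server['HTTP_HOST'] ?? 'localhost';
    return publicScheme($server, $trustedProxies) . '://' . $host . $pathAndQuery;
}

// Constructed sample request: browser -> https -> proxy at 10.0.0.1 -> http -> lighttpd.
$sample = [
    'REMOTE_ADDR'            => '10.0.0.1',
    'HTTP_HOST'              => 'piwik.domain.com',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTPS'                  => '',
];
$trusted = ['10.0.0.1'];

echo publicScheme($sample, $trusted), PHP_EOL;
echo relativeFormAction('CoreHome', ''), PHP_EOL;
echo absoluteUrl($sample, $trusted, '/index.php?module=CoreHome&action='), PHP_EOL;

// The same header sent directly by a client that is not a trusted proxy is ignored.
$spoofed = $sample;
$spoofed['REMOTE_ADDR'] = '203.0.113.5';
echo publicScheme($spoofed, $trusted), PHP_EOL;
```

On the Apache side, the https virtual host needs mod_headers to pass the scheme along with the ProxyPass, for example `RequestHeader set X-Forwarded-Proto "https"`; without it the backend has no way to know the client used TLS. A relative form action fixes the login form on its own, but server-side redirects that build an absolute URL (the behaviour described in comment:10) still need the detected public scheme, which is why the example keeps both helpers.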

comment:12 Changed 5 years ago by vipsoft (robocoder)

(In [1155]) fixes #691 - use relative URLs (except in Widgetize iframe & flash embed
code); refs #466 and #647 - should also resolve the reverse proxy issues

comment:13 Changed 5 years ago by alivenk
