

Topics - mwellnitz

1
Hello community,

I have a strange behavior with Usercorner starting from (at least) 3.0.6, including the actual 3.2 and also the 3.3 release.
When I try to access Usercorner with Firefox directly, all is working like a charm.
Accessing the same site via Squid proxy or Apache reverse proxy, the connection fails.

Digging deeper into it with the Firefox web developer extension, I was very surprised.
The site (/) or (/Login/Index) always returns with HTTP status 403, but the website is delivered as well and Firefox is rendering it as expected.

Squid proxy and Apache reverse proxy are terminating the connection after receiving the 403.

Does anyone have some hints on how to debug this strange behavior?
--> My configuration? See here: https://forum.zentyal.org/index.php/topic,16724.0.html

2
It took me nearly 2 days to solve the above issue with Zentyal, but now it works and I want to share it with you.

The goal
The Usercorner (port 8888) has to be redirected to an extra subdomain (port 443) at the same IP address as the current

The plan
First we have to define some dependencies for the specific environment. For this HowTo I take the following:

The solution

Create a proxy statement
A ProxyPass/ProxyPassReverse statement will also lead to a working solution, but I like the balancer features.
Code:
    <Proxy balancer://usercorner>
        BalancerMember https://localhost:8888/
    </Proxy>
    <Location />
        ProxyPass balancer://usercorner/
        Order allow,deny
        Allow from all
    </Location>

Extend the Apache module list
Code:
a2enmod headers proxy proxy_balancer proxy_connect proxy_html rewrite ssl
apache2ctl graceful

Proxy SSL
To allow access to https://localhost you have to enable SSLProxyEngine. Otherwise you can only connect via http://.
Code:
SSLProxyEngine On
Redirect '/' to '/Login/Index'
I don't know why, but when I try to log in via '/', after a successful login I am redirected to the login again. Starting from '/Login/Index' succeeds.
Code:
        RewriteEngine On
        RewriteRule ^/*$ /Login/Index [R]

Password change is only possible with a changed Referer header
To avoid man-in-the-middle attacks, Zentyal will deny password changes if the Referer header does not match the Zentyal connection. (Thanks to the Zentyal guys for that nice feature, but we will break this feature now.)
In our case Zentyal is connected via https://localhost:8888, but the browser will send the Referer header https://security.foobar.com.
Apache's mod_headers can do the trick:
Code:
        RequestHeader edit Referer security\.foobar\.com localhost:8888 early
        Header edit Location ^https://localhost:8888(/.*)$ https://security.foobar.com$1

Certificates
To avoid certificate errors, I recommend using a wildcard certificate.
Code:
        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl.pem/foobar.com/foobar.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/foobar.com/foobar.com.key
        SSLCertificateChainFile /etc/apache2/ssl.crt/ca/foobar.com.ca-bundle

And now the solution
EDIT: While using /etc/apache2/conf.d I had problems with the other vhosts at that domain; when extending /etc/apache2/sites-available/ instead, the whole stuff works as expected.
Code:
## create a file /etc/apache2/sites-available/security.foobar.com.conf
SSLProxyEngine On
<VirtualHost security.foobar.com:443>
        ServerAdmin admin@foobar.com
        ServerName security.foobar.com
        DocumentRoot /srv/www/security.foobar.com
        ErrorLog /var/log/apache2/security.foobar.com-error.log
        CustomLog /var/log/apache2/security.foobar.com-access.log combined

        RewriteEngine On
        RewriteRule ^/*$ /Login/Index [R]

        RequestHeader edit Referer security\.foobar\.com localhost:8888 early
        Header edit Location ^https://localhost:8888(/.*)$ https://security.foobar.com$1

        <Proxy balancer://usercorner>
                BalancerMember https://localhost:8888/
        </Proxy>
        <Location />
                ProxyPass balancer://usercorner/
                Order allow,deny
                Allow from all
        </Location>

        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl.pem/foobar.com/foobar.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/foobar.com/foobar.com.key
        SSLCertificateChainFile /etc/apache2/ssl.crt/ca/foobar.com.ca-bundle
</VirtualHost>
Now you have to enable the new site and restart Apache.
Code:
a2ensite security.foobar.com.conf
apache2ctl restart
Comments or improvements are welcome.
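Added example (not from the post above and not Zentyal's or Apache's own code): a small Python model of the two header edits in the vhost, showing that the unanchored Referer pattern also rewrites unrelated origins that merely contain the hostname, beside an anchored variant (my assumption) that only rewrites a Referer whose origin really is security.foobar.com. Whether the backend would accept such a mangled value depends on how strictly Zentyal compares the Referer, which the post does not describe; the sample Referer values are constructed.

```python
import re

def apache_header_edit(value: str, pattern: str, replacement: str) -> str:
    """Approximate Apache's `Header edit` / `RequestHeader edit`: regex match on
    the header value, first occurrence only, with Apache's $1-style
    backreferences (Python's re wants \\1, so they are converted first)."""
    py_replacement = re.sub(r"\$(\d)", r"\\\1", replacement)
    return re.sub(pattern, py_replacement, value, count=1)

# The two edit rules exactly as they appear in the vhost above.
POSTED_REFERER_RULE = (r"security\.foobar\.com", "localhost:8888")
LOCATION_RULE = (r"^https://localhost:8888(/.*)$", "https://security.foobar.com$1")

# Anchored alternative (my assumption, not part of the post): rewrite the Referer
# only when the public site is the real origin, not merely a substring.
ANCHORED_REFERER_RULE = (r"^https://security\.foobar\.com(/|$)", "https://localhost:8888$1")

def inbound_referer(value: str, rule=POSTED_REFERER_RULE) -> str:
    """What the backend sees in Referer after the proxy applied `rule`."""
    return apache_header_edit(value, *rule)

def outbound_location(value: str) -> str:
    """What the browser sees in Location after the posted rule was applied."""
    return apache_header_edit(value, *LOCATION_RULE)

# Constructed Referer values: the first is the legitimate one, the others only
# contain the public hostname as a substring of an unrelated origin.
SAMPLE_REFERERS = [
    "https://security.foobar.com/Login/Index",
    "https://security.foobar.com.example.net/Login/Index",
    "https://other.example/?next=security.foobar.com",
]

def compare_rules(referers=SAMPLE_REFERERS):
    """Return (original, posted-rule result, anchored-rule result) per Referer."""
    return [(r, inbound_referer(r), inbound_referer(r, ANCHORED_REFERER_RULE))
            for r in referers]

if __name__ == "__main__":
    for original, posted, anchored in compare_rules():
        print(f"{original}\n  posted:   {posted}\n  anchored: {anchored}")
    # A backend redirect without a path part is not caught by the posted
    # Location pattern, so the internal hostname would reach the browser.
    print(outbound_location("https://localhost:8888/Login/Index"))
    print(outbound_location("https://localhost:8888"))
```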
