My server configuration is a TYPO3 installation Vs. 6.2.31 combined with a reverse proxy. The system is running fine with http.
When we try to switch to https we geht this Error Message in the backend:
"Connection Problem
Sorry, but an error occurred while connecting to the server. Please check your network connection."
And the page tree is not loading.
When switching back to http all is working one again.
Our settings:
[SYS][reverseProxyIP] = (IP of our reverse Proxy)
[SYS][reverseProxyHeaderMultiValue] = last
[SYS][reverseProxySSL] = *
What i tried:
deactivate all extensions apart from the system extensions
no entry in syslog (error reporting is on development)
no entries in the server logs
lockSSL in install tool 3 results in never ending 302 redirects
lockSSL with option 2 results in this error message:
Fatal error: Uncaught exception 'RuntimeException' with message 'TYPO3 Backend not accessed via SSL: TYPO3 Backend is configured to only be accessible through SSL. Change the URL in your browser and try again.' in /srv/httpd/sites/fland_ww1/typo3_src-6.2.31/typo3/sysext/core/Classes/Core/Bootstrap.php:897 Stack trace: #0 /srv/httpd/sites/fland_ww1/typo3_src-6.2.31/typo3/init.php(54): TYPO3\CMS\Core\Core\Bootstrap->checkSslBackendAndRedirectIfNeeded() #1 /srv/httpd/sites/fland_ww1/typo3_src-6.2.31/typo3/index.php(21): require('/srv/httpd/site...') #2 {main} thrown in /srv/httpd/sites/fland_ww1/typo3_src-6.2.31/typo3/sysext/core/Classes/Core/Bootstrap.php on line 897
It seems that some requests e.g. for the page tree are made without ssl - ajax calls i presume - but i dont have a clue how to debug it.
Andy ideas?
Thanks!
I have the same version at a customer and with a load balancer / proxy.
The only difference is [SYS][reverseProxyHeaderMultiValue] = first.
Also, [BE][lockSSL] = 1 is set.
Maybe it helps?
This thread is quite old, but because many people do read until now i will try an answer. We could solve the problem (and once again in a different installation) with the following settings:
[SYS][reverseProxyIP] = (IP of our reverse Proxy)
[SYS][reverseProxyHeaderMultiValue] = firt
[SYS][reverseProxySSL] = *
AND - that is important - changes in the server config too:
RequestHeader set X-Forwarded-Proto "https"
SetEnv proxy-nokeepalive 1
SetEnv proxy-initial-not-pooled 1
I assume it was the first:
RequestHeader set X-Forwarded-Proto "https"
So in the end the problem was in the server config.
Related
I have the following allowed redirect uri set for my client: exp://192.168.2.212:19000
After a code exchange using the following URL:
GET /auth/realms/xxxxx/protocol/openid-connect/auth?code_challenge=m71Cl...D4hw&redirect_uri=exp%3A%2F%2F192.168.2.212%3A19000&client_id=3B03...
X-Forwarded-For: 178.84.x.x
X-Forwarded-Host: oidc.production.my.domain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 09918a799a23
X-Real-Ip: 178.84.x.x
I get a HTTP/1.1 302 Found with the following Location field:
Location: exp://192.168.2.212?state=T0pvzPyHF6&session_state=b1cf16ad-b.....
The port is missing. My (Expo) client in android emulator then barfs about not being able to connect to 192.168.2.212 port 80. Naturally.
I am using the docker hub images 11.0.0
How can I prevent this? Is it a bug?
(The iOS version of my app uses a different redirect_uri (exp://127.0.0.1:19000), but although Keycloak strips the port there as well and it receives a Location: exp://127.0.0.1?state=T0p... it does connect to port 19000 and works fine for some reason.)
EDIT: Note that authentication works fine on iOS, and I run exactly the same Keycloak settings in iOS as Android (It's a React Native application).
Keycloak logs no error, and the following debug message:
13:24:33,365 DEBUG [org.keycloak.events] (default task-47) type=LOGIN, realmId=neemop, clientId=3B03FD35, userId=28619cd3-c51d-4756-9d06-fb47********, ipAddress=178.84.x.x, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=exp://192.168.2.212:19000, consent=no_consent_required, code_id=a0faa4d4-6826-4c2f-9243-*******, response_mode=query, username=ron.arts#mydomain.com, authSessionParentId=a0faa4d4-6826-4c2f-9243-*******, authSessionTabId=-Pn******
shows the redirect_uri is parsed correctly. It's just that in the actual HTTP response the Location: header omits the port. Which imho should not happen.
Seems like a bug: https://issues.redhat.com/browse/KEYCLOAK-9405?_sscc=t
Tested on 12.0.4 and it still occurs. It appears to be an issue with any non-http(s) protocol
another bug has been submitted to keycloak team:
https://issues.redhat.com/browse/KEYCLOAK-17141
a fix is available in keycloak version >= 13.0.0
I am trying to set cache header for service worker through nginx in create react app project, in the configuration, I tried
location /service-worker.js {
add_header Cache-Control "no-cache";
proxy_cache_bypass $http_pragma;
proxy_cache_revalidate on;
expires off;
access_log off;
}
However when I load my page, sw registration fails with the message.
A bad HTTP response code (404) was received when fetching the script.
registerServiceWorker.js:71 Error during service worker registration: TypeError: Failed to register a ServiceWorker: A bad HTTP response code (404) was received when fetching the script.
Can someone please suggest a way with nginx using create-react-app?
as per your configuration service-worker.js must be in / root directory defined with root nginx directive.
Please check if the file is present there. If you are using express and express static and have placed the file in public/assets directory, it won't work. if for this file you want to to have different location. you can use alias directive.
I'm getting "Socket Error #10060, Connection timed out" when trying to access a https link.
Here is how you can reproduce it with INDY 10.6.2.0 and OpenSSL 1.0.2d DLLs (also happens with older Indy 10 version and dlls):
create a project and add a TButton, TIdHTTP and TMemo objects to the form
add to button onclick this code:
IdHTTP1.Request.UserAgent:='Indy';
IdHTTP1.HandleRedirects:=true;
Memo1.text:=IdHTTP1.Get('https://www.itv.com');`
now compile and run it, it will download correctly the file.
BUT if you are using a service like www.smartydns.com which redirects DNS request to their server, INDY sample above will not work and fail with "Socket Error #10060, Connection timed out" message.
Have tried it with WGET too (https://eternallybored.org/misc/wget/) and in version 1.13 its initializing the SSL handshake and freezes, but works without problems with version 1.15.
So the question is, what IdHTTP settings do I have to use to make it work, or is it a bug in Indy10 ?
I'll start with the log that I am receiving below:
Dec.15.11.56-Rf: Incoming Request URL: /
Dec.15.11.56-Rf: SECURE GET Path: / From: mlocal.cldeals.com Rewritten: www.cldeals.com
Dec.15.11.56-Rf: Received 302 Found [text/html; charset=UTF-8] response for /
Dec.15.11.56-Rf: Sending 302 text/html; charset=UTF-8 response for /
Dec.15.11.56-Rf: Stats. Total: 0.52088702, Upstream: 0.48212701, Processing: 0.00105600, ProcessingOther: 0.04037500
Basically, when I go to mlocal.cldeals.com, it loads fine. If I click on another page, say mlocal.cldeals.com/products, that loads fine as well. The issue seems to be when I go to the account page and try to switch back to the homepage, maybe some type of security issue? When I try to switch back to mlocal.cldeals.com, the home page, it boots me off and sends me to www.cldeals.com. Is there something I can add to force this from not happening? Additionally, is this just a local server issue that would go away when I launch it on Moovweb's server? Any help is greatly appreciated.
Thank you.
It looks like the backend response to https://www.cldeals.com is a 302 to http://www.cldeals.com:80/. Not sure why that is the case (see note below *)
curl -v -o /dev/null https://www.cldeals.com
This response contains a hardcoded Location header and your project is passing along the response as is, which is why you are being booted off your local server.
Because the Location header value has a port specified, you'll need to modify your config.json to include this line in the mapping:
{
"host_map": [
"$.cldeals.com => www.cldeals.com",
"$.cldeals.com => www.cldeals.com:80"
]
}
This way, the SDK knows to rewrite that specific host:port value... (By default all HTTP requests go through port 80, so that information isn't really necessary)
*This is might be bug in the backend implementation because once you log in, you should be in HTTPS mode until you log out. (I can see some pages with personal information being transmitted over plain HTTP)
I'm troubleshooting an existing webservice. It previously worked just fine, but now SOAP-based requests to the postgreSQL database result in an "unknown error: Error Fetching http headers" error.
In looking up this problem, I come across the following tip:
When you get errors like: "Fatal error: Uncaught SoapFault exception:
[HTTP] Error Fetching http headers in" after a few (time intensive)
SOAP-Calls, check your webserver-config.
Sometimes the webservers "KeepAlive"-Setting tends to result in this
error. For SOAP-Environments I recommend you to disable KeepAlive.
Hint: It might be tricky to create a dedicated vhost for your
SOAP-Gateways and disable keepalive just for this vhost because for
normal webpages Keepalive is a nice speed-boost.
I haven't been able to figure out exactly how you disable KeepAlive or where this parameter would be set. I've tried grep -i "keepalive" /usr/share/tomcat5/conf/*, result negative.
Perhaps due to the variability of server environments this is a question for my sysadmin, but I do have root privileges.
Thanks for your help, stack!
In your Tomcat's server.xml file, set the maxKeepAliveRequests attribute to 1 on your HTTP connectors to effectively disable keep alive.
For more information:
http://tomcat.apache.org/tomcat-5.5-doc/config/http.html#Standard_Implementation