TOPIC: derive port from HTTP_X_FORWARDED_PROTO

derive port from HTTP_X_FORWARDED_PROTO 3 years 4 months ago #1

  • stijnh
I am hosting my webtrees (www.haezebrouck.be) at One.com and ran into problems when enabling https.
When https is enabled, webtrees (1.6.x, 1.7.0, 1.7.1) generates absolute URLs like www.haezebrouck.be:80 (with https protocol!) which is incorrect of course.

When we look at the HTTP headers and server environment:
$_SERVER when accessing over www.haezebrouck.be :
HTTP_X_FORWARDED_PROTO => null
HTTP_X_FORWARDED_PORT => null
HTTP_X_ONECOM_FORWARDED_PROTO => http
HTTPS => null
SERVER_NAME => www.haezebrouck.be
SERVER_PORT => 80
REDIRECT_URL => null
-> pretty normal

$_SERVER when accessing over www.haezebrouck.be :
HTTP_X_FORWARDED_PROTO => https
HTTP_X_FORWARDED_PORT => null (ouch)
HTTP_X_ONECOM_FORWARDED_PROTO => https
HTTPS => on
SERVER_NAME => www.haezebrouck.be
SERVER_PORT => 80 (proxied as HTTP to PHP)
REDIRECT_URL => null

So when accessing over https:
* HTTPS requests are proxied as HTTP requests to PHP (but that's ok)
* The HTTP_X_FORWARDED_PROTO is set to https
* But the HTTP_X_FORWARDED_PORT is NOT set. And this causes the problem for webtrees.

In the code, includes/session.php, the $port is retrieved as:
$port = Filter::server('HTTP_X_FORWARDED_PORT', '80|443', Filter::server('SERVER_PORT', null, '80'));

In my example, the outcome for $port is read from SERVER_PORT, which is 80 and incorrect in this case.

In my opinion, when the variable HTTP_X_FORWARDED_PROTO is set, but HTTP_X_FORWARDED_PORT is not, the port should be derived as the default port from the protocol given at HTTP_X_FORWARDED_PROTO, instead of falling back to SERVER_PORT.
If neither HTTP_X_FORWARDED_PROTO nor HTTP_X_FORWARDED_PORT is defined, then and only then should SERVER_PORT be used.

I have made the following change to my session.php to get it working with https on One.com:

if (isset($_SERVER['HTTP_X_FORWARDED_PORT'])) {
  $port = $_SERVER['HTTP_X_FORWARDED_PORT'];
} elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
  if ($_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $port = '443';
  } else {
    $port = '80';
  }
} elseif (isset($_SERVER['SERVER_PORT'])) {
  $port = $_SERVER['SERVER_PORT'];
} else {
  $port = '80';
}

Is this a more correct way of deriving the port number in case of a proxy?

I first opened a webtrees bug report (sorry, I should have posted this before opening the bug report)
bugs.launchpad.net/webtrees/+bug/1462827
The bug was reported in June, the bug is still new and unassigned, but the discussion within the bug report is stalled.

I also have opened a support ticket with one.com asking why they do set the HTTP_X_FORWARDED_PROTO and not HTTP_X_FORWARDED_PORT. I will post their answer here when I get it.
Last Edit: 3 years 4 months ago by stijnh. Reason: https was hidden in the text because of forum auto hyperlinking

derive port from HTTP_X_FORWARDED_PROTO 3 years 4 months ago #2

  • Pirate96
I am trying to move my website to all https all the time.

If I make SERVER_URL and LOGIN_URL blank then I am seeing the same behavior with SERVER_PORT.

The URL for login that works https://wokokon.com/webtree/login.php

The URL after hitting login button https://wokokon.com:80/webtree/login.php


Here is a pretty good explanation of the environment on the Host
Operating System: Fedora 28, Browser: Firefox 62.0, WebHost: WebFaction, Server OS: CentOS 7, webtrees 1.7.11 Apache 2.4.6, PHP 7.2.9, MySQL 5.6.41

derive port from HTTP_X_FORWARDED_PROTO 3 years 4 months ago #3

  • stijnh
It seems indeed that you have the same issue. If you look at the environment, check what the value is for HTTP_X_FORWARDED_PORT. If it is not set, then it explains why webtrees behaves this way.

Meanwhile, I got a response from my hosting provider (one.com): "We have placed a temporary fix. Please retry and give us feedback so we can make this fix permanent".

I have retried and the problem is solved. Using phpinfo(), I looked at the server environment, and now they set the HTTP_X_FORWARDED_PORT to 443.

Pirate96, are you also hosting at one.com?
Last Edit: 3 years 4 months ago by stijnh. Reason: I always post and then re-read for errors

derive port from HTTP_X_FORWARDED_PROTO 3 years 4 months ago #4

  • Pirate96
stijnh wrote:
> It seems indeed that you have the same issue. If you look at the environment, check what the value is for HTTP_X_FORWARDED_PORT. If it is not set, then it explains why webtrees behaves this way.
>
> Meanwhile, I got a response from my hosting provider (one.com): "We have placed a temporary fix. Please retry and give us feedback so we can make this fix permanent".
>
> I have retried and the problem is solved. Using phpinfo(), I looked at the server environment, and now they set the HTTP_X_FORWARDED_PORT to 443.

I do not have a value for HTTP_X_FORWARDED_PORT, however that should not be an issue. The problem comes when webtrees is trying to add a port to the string.

Actually, looking at php bugs, it is not a php issue and this indicates that it is a server config/mod_rewrite issue.

stijnh wrote:
> Pirate96, are you also hosting at one.com?

No, I am using WebFaction quite happily I might add!
Last Edit: 3 years 4 months ago by Pirate96. Reason: clarification

derive port from HTTP_X_FORWARDED_PROTO 3 years 4 months ago #5

  • Pirate96
So I configured a backend nginx server for my webtrees site and still was seeing the same error. I could tell it was picking up the value of the port as it was trying to make the url as follows.

https://wokokon.com:24088/webtree/login.php


So I decided to do a fresh install and had the same exact experience


I can get the webtrees site to behave by changing the following line from
#define('WT_BASE_URL', $protocol . '://' . $host . $port . $path);

to the following
define('WT_BASE_URL', $protocol . '://' . $host . $path);

I have tried setting the base url via Control Panel--> Websites-->Website URL with no success.

That appears to be a bug with webtrees in my opinion as the application should not be trying the $port when the base url is set.


The great news is that my webtrees site is now working all the time over https and I now have a working nginx and php-fpm installation that I can spin up as needed.

derive port from HTTP_X_FORWARDED_PROTO 3 years 4 months ago #6

  • stijnh
It seems to be a webtrees bug indeed.

* When a server is a forwarding proxy, and the port is not a standard port, then the proxy should set the HTTP_X_FORWARDED_PORT environment, otherwise, there is no way for webtrees to know on which port urls must be requested
* However, we now have 2 providers that do not set the HTTP_X_FORWARDED_PORT when running on a default port (https in both examples). Here, webtrees incorrectly uses "SERVER_PORT" which will be 80, but not correct. The port 80 is not a standard port for HTTPS, so webtrees generates url of the form https://domain:80. I also consider this as a bug.

A bug report is already created: bugs.launchpad.net/webtrees/+bug/1462827
Status of bug remains 'new' and 'unassigned'

Perhaps with a second user reporting it in the forum, it will get more attention...
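
The fallback order discussed in posts #1 and #6, as an added example that is not webtrees code and not part of any post. It goes beyond the thread in two ways: forwarded headers are honoured only when the request comes from a known proxy address, and the port is left out of the URL when it is the protocol default. `TRUSTED_PROXIES`, `derivePort()`, `baseUrl()` and all sample addresses and host names are hypothetical.

```php
<?php
// Added example, not webtrees code. All names and addresses are hypothetical.
const TRUSTED_PROXIES = ['10.0.0.5']; // constructed reverse-proxy address

function derivePort(array $server): array
{
    // X-Forwarded-* is client-controlled unless the direct peer is our proxy.
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);

    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    $proto = ($https !== '' && $https !== 'off') ? 'https' : 'http';

    $fwdProto = strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    $hasFwdProto = $fromProxy && in_array($fwdProto, ['http', 'https'], true);
    if ($hasFwdProto) {
        $proto = $fwdProto;
    }

    $fwdPort = (string) ($server['HTTP_X_FORWARDED_PORT'] ?? '');
    if ($fromProxy && ctype_digit($fwdPort) && (int) $fwdPort >= 1 && (int) $fwdPort <= 65535) {
        $port = (int) $fwdPort;                       // 1. port stated by the proxy
    } elseif ($hasFwdProto) {
        $port = $proto === 'https' ? 443 : 80;        // 2. default for forwarded protocol
    } else {
        $port = (int) ($server['SERVER_PORT'] ?? 80); // 3. no proxy information
    }
    return [$proto, $port];
}

function baseUrl(array $server, string $path): string
{
    [$proto, $port] = derivePort($server);
    $default = $proto === 'https' ? 443 : 80;
    // Only a non-default port belongs in the generated URL.
    $suffix = $port === $default ? '' : ':' . $port;
    return $proto . '://' . $server['SERVER_NAME'] . $suffix . $path;
}

// Constructed $_SERVER samples (not captured from any real host).
$base = ['SERVER_NAME' => 'www.example.org', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$samples = [
    'proto set, port missing' => $base + ['REMOTE_ADDR' => '10.0.0.5', 'HTTPS' => 'on', 'SERVER_PORT' => '80'],
    'backend on a high port'  => $base + ['REMOTE_ADDR' => '10.0.0.5', 'SERVER_PORT' => '24088'],
    'header from untrusted peer' => $base + ['REMOTE_ADDR' => '203.0.113.9',
        'HTTP_X_FORWARDED_PORT' => '8443', 'SERVER_PORT' => '80'],
];
foreach ($samples as $label => $server) {
    echo $label, ': ', baseUrl($server, '/login.php'), PHP_EOL;
}
```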

derive port from HTTP_X_FORWARDED_PROTO 3 years 4 months ago #7

  • stijnh
Pirate96: You will need to redo that change on every webtrees update

You can't set the url via Control Panel. It's a drop-down that will only let you choose from domains it detects. This is done deliberately to avoid users setting an incorrect value which locks them out of their own site. In this case, that works against us :-)
Last Edit: 3 years 4 months ago by stijnh.

derive port from HTTP_X_FORWARDED_PROTO 3 years 4 months ago #8

  • fisharebest
> Perhaps with a second user reporting it in the forum, it will get more attention...

I aim to fix all reported bugs (eventually!). If there were more hours in the day, I would fix them sooner...

> A bug report is already created: bugs.launchpad.net/webtrees/+bug/1462827
> Status of bug remains 'new' and 'unassigned'

The launchpad bug tracker hasn't been used for some time (although I am aware of this bug report). New bugs should be reported on the github issue tracker github.com/fisharebest/webtrees/issues. The github tracker is so much nicer. It doesn't email your own comments back to you, it lets you edit your post to fix typos, it lets you use formatting and inline attachments, it lets you close bugs automatically by including their number in the commit message, etc., etc.

I just haven't had time to set up a test proxy server to make sure that any fix doesn't break existing logic.

> The great news is that my webtrees site is now working all the time over https and I now have a working nginx and php-fpm

So does mine :-) fisharebest.webtrees.net

I simply added
fastcgi_param HTTPS on;
to the vhost definition - to match the parameters set by Apache.

Now there are thousands of ways to configure webservers and proxy servers. You have chosen to set HTTP_X_FORWARDED_PROTO (but not HTTP_X_FORWARDED_PORT). I have not used this configuration myself, and always assumed the two would be used together. They were for the first person who asked for HTTP_X_FORWARDED to be supported.

What I intend to do is look at some other frameworks (e.g. symfony) and follow similar logic to them.
Greg Roach - fisharebest.webtrees.net

derive port from HTTP_X_FORWARDED_PROTO 3 years 4 months ago #9

  • stijnh
Thanks fisharebest for your feedback.

And next time:
- I will first post something in the forum
- and only then if needed, a bug report in the correct bug tracking tool

derive port from HTTP_X_FORWARDED_PROTO 3 years 3 months ago #10

  • Pirate96
stijnh wrote:
> Pirate96: You will need to redo that change on every webtrees update

Took me longer to remember where the sessions.php file was than it did to update webtrees to 1.7.2 and make the change to the file.

derive port from HTTP_X_FORWARDED_PROTO 2 years 8 months ago #11

  • Pirate96
Took me longer once again to find the session.php to edit than the upgrade to 1.7.4.


That said it is smoking fast on php 7.0

derive port from HTTP_X_FORWARDED_PROTO 2 months 2 weeks ago #12

  • Pirate96
I do not believe anything changed on the Web Hosting side, however a quick note to the Devs.......

Great job.

Just upgraded to 1.7.11 and did not have to make any changes as I had in prior upgrades!

derive port from HTTP_X_FORWARDED_PROTO 2 months 2 weeks ago #13

  • fisharebest
Since 1.7.10, we now use the Symfony http-foundation library to identify the server/request setup.

It handles a much wider range of server configurations.

derive port from HTTP_X_FORWARDED_PROTO 2 months 2 weeks ago #14

  • Pirate96
I thought that was the change. Superb job on a wonderful project!