Admidio cant set cookies in Docker environment in combination with Traefik

[leonfilser]

Hi! I am using Admidio in a Docker environment in combination with Traefik used as a reverse proxy.
Everytime I try to login the following error appears:

Der Login kann nicht durchgeführt werden, da Ihr Browser das Setzen von Cookies verbietet!

Damit Sie sich erfolgreich anmelden können, müssen Sie Ihren Browser so einstellen, dass dieser Cookies von 0efb778bedda akzeptiert.

English:

The login cannot be carried out, because your browser forbids the setting of cookies!

In order to log in successfully, you must set your browser to accept cookies from 0efb778bedda.

0efb778bedda. is the ID of my Traefik Container

I did a bit of debugging and found out that in
admidio/adm_program/system/bootstrap/constants.php there is (probably) an issue on line 55-60

if(isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && $_SERVER['HTTP_X_FORWARDED_SERVER'] !== $_SERVER['HTTP_HOST'])
{
    // if ssl proxy is used than this proxy is the host and the cookie must be set for this
    define('HOST', $_SERVER['HTTP_X_FORWARDED_SERVER'] . $port . '/' . $_SERVER['HTTP_HOST']); // ssl.example.org/my.domain.net
    define('DOMAIN', strstr($_SERVER['HTTP_X_FORWARDED_SERVER'] . $port . ':', ':', true)); // ssl.example.org
}

I replaced the Code with the following and it turned out to work

if(isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && $_SERVER['HTTP_X_FORWARDED_SERVER'] !== $_SERVER['HTTP_HOST'])
{
    // if ssl proxy is used than this proxy is the host and the cookie must be set for this
    define('HOST', $_SERVER['HTTP_X_FORWARDED_HOST'] . $port . '/' . $_SERVER['HTTP_HOST']); // ssl.example.org/my.domain.net
    define('DOMAIN', strstr($_SERVER['HTTP_X_FORWARDED_HOST'] . $port . ':', ':', true)); // ssl.example.org
}

If you want to I can open a pull request to fix this

[Fasse]

Hmm, I'm not sure if your change will work for proxy servers.

The difference between these two values is the following:

• X-Forwarded-Host The original host requested by the client in the Host HTTP request header.
• X-Forwarded-Server The hostname of the proxy server.

We add this to get the hostname of the proxy server, so it will work on ssl if the proxy server is different. We should test this change with someone who use a proxy server before we add this to the code.

[sumnerboy12]

Is there any progress on this? I would like to run Admidio in docker with Traefik as the reverse proxy also, and currently I can't login. Any known workarounds?

[Fasse]

@sumnerboy12 Did the workaround also work for you?

[sumnerboy12]

I didn't try it sorry @Fasse. I was in the middle of migrating a whole load of self-hosted services to docker and didn't fancy having to do manual steps. I will try and give it a go in the next week or so if I find time, and report back.

[sumnerboy12]

@Fasse I can confirm the workaround is working for me also.

[Fasse]

Ok, I will integrate this change to Admidio 4 and than we will see if users with proxy server have problems with this change within the beta phase.

[Fasse]

So add this fix to Admidio 4 and referenced in the sourcecode to this issue. We will see if other environments still work.

[Oberfeldwedler]

I tested leonfilser's snippet and it worked flawlessly.

Edit: I stumbled upon a problem. Unfortunately your snippet seems to break my back-button.

When clicked, it redirected to:

https://admidio.samdyndns.de/admidio.samdyndns.de/adm_program/modules/dates/dates.php

When returning to the unmodified constants.php, the button now redirects to

https://8458d0f83616/admidio.samdyndns.de/adm_program/modules/dates/dates.php

I'll do some further digging.

if(isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && $_SERVER['HTTP_X_FORWARDED_SERVER'] !== $_SERVER['HTTP_HOST'])
{
    // if ssl proxy is used than this proxy is the host and the cookie must be set for this
    //define('HOST', $_SERVER['HTTP_X_FORWARDED_SERVER'] . $port . '/' . $_SERVER['HTTP_HOST']); // ssl.example.org/my.domain.net

     //This is what i am using:
    define('HOST',  $_SERVER['HTTP_HOST']); // ssl.example.org/my.domain.net
    define('DOMAIN', strstr($_SERVER['HTTP_X_FORWARDED_SERVER'] . $port . ':', ':', true)); // ssl.example.org
}

I have to admit, that i don't really know what I'm doing, but i just removed "$_SERVER['HTTP_X_FORWARDED_SERVER']" and the port from the host constant. This did the trick.

This:
https://admidio.samdyndns.de/admidio.samdyndns.de/adm_program/modules/dates/dates.php

Turned into this:
https://admidio.samdyndns.de/adm_program/modules/dates/dates.php

My setup and my Headers:

Docker
traefik as a reverse proxy
php:7.4-fpm
nginx:1.19.2

nginx.conf

# user  1006 1006;
pid   /tmp/nginx.pid;

events {
  worker_connections  1024;  ## Default: 1024
}



http {
  include mime.types;
  index index.php;

  client_body_temp_path /tmp/client_temp;
  proxy_temp_path       /tmp/proxy_temp_path;
  fastcgi_temp_path     /tmp/fastcgi_temp;
  uwsgi_temp_path       /tmp/uwsgi_temp;
  scgi_temp_path        /tmp/scgi_temp;



  # Upstream to abstract backend connection(s) for php
  upstream php {
    # server unix:/tmp/php-cgi.socket;
    server php:9000;
  }

  server {
    ## Your website name goes here.
    server_name admidio.samdyndns.de;
    ## Your only path reference.
    root /var/www/html/admidio;



    location = /favicon.ico {
      log_not_found off;
      access_log off;
    }

    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }

    location / {
      # This is cool because no php is touched for static content.
      # include the "?$args" part so non-default permalinks doesn't break when using query string
      try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
      #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
      include fastcgi_params;
      fastcgi_intercept_errors on;
      fastcgi_pass php;
      #The following parameter can be also included in fastcgi_params file
      fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
      expires max;
      log_not_found off;
    }
  }
}

X-Real-Ip: 93.213.207.172
X-Forwarded-Server: 8458d0f83616
X-Forwarded-Proto: https
X-Forwarded-Port: 443
X-Forwarded-Host: admidio.samdyndns.de
X-Forwarded-For: 93.213.207.172
Upgrade-Insecure-Requests: 1
Sec-Fetch-User: ?1
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Cookie: ADMIDIO_Biketeam_admidio_adm_SESSION_ID=pd8fu4k2ctf0ng6n1ns7c6fr5r; ADMIDIO_Biketeam_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_Biketeam_admidio_adm_AUTO_LOGIN_ID=2%3AAbwoauaNKI2voIw3k30yvpkd5VxsOOFjADMO3LWQ
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Host: admidio.samdyndns.de
Content-Length:
Content-Type:

PHP_EXTRA_CONFIGURE_ARGS=--enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data --disable-cgi
HOSTNAME=eae7974e7a71
PHP_INI_DIR=/usr/local/etc/php
HOME=/
PHP_LDFLAGS=-Wl,-O1 -pie
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
PHP_MD5=
PHP_VERSION=7.4.10
GPG_KEYS=42670A7FE4D0441C8E4632349E4FDC074A4EF02D 5A52880781F755608BF815FC910DEB46F53EA312
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
PHP_ASC_URL=https://www.php.net/distributions/php-7.4.10.tar.xz.asc
PHP_URL=https://www.php.net/distributions/php-7.4.10.tar.xz
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PHPIZE_DEPS=autoconf dpkg-dev file g++ gcc libc-dev make pkg-config re2c
PWD=/var/www/html
PHP_SHA256=c2d90b00b14284588a787b100dee54c2400e7db995b457864d66f00ad64fb010
HTTP_X_REAL_IP=93.213.207.172
HTTP_X_FORWARDED_SERVER=8458d0f83616
HTTP_X_FORWARDED_PROTO=https
HTTP_X_FORWARDED_PORT=443
HTTP_X_FORWARDED_HOST=admidio.samdyndns.de
HTTP_X_FORWARDED_FOR=93.213.207.172
HTTP_UPGRADE_INSECURE_REQUESTS=1
HTTP_SEC_FETCH_USER=?1
HTTP_SEC_FETCH_SITE=none
HTTP_SEC_FETCH_MODE=navigate
HTTP_SEC_FETCH_DEST=document
HTTP_COOKIE=ADMIDIO_Biketeam_admidio_adm_SESSION_ID=pd8fu4k2ctf0ng6n1ns7c6fr5r; ADMIDIO_Biketeam_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_Biketeam_admidio_adm_AUTO_LOGIN_ID=2%3AAbwoauaNKI2voIw3k30yvpkd5VxsOOFjADMO3LWQ
HTTP_ACCEPT_LANGUAGE=de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
HTTP_ACCEPT_ENCODING=gzip, deflate, br
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
HTTP_HOST=admidio.samdyndns.de
SERVER_NAME=admidio.samdyndns.de
SERVER_PORT=80
SERVER_ADDR=172.21.0.5
REMOTE_PORT=52408
REMOTE_ADDR=172.21.0.2
SERVER_PROTOCOL=HTTP/1.1
DOCUMENT_ROOT=/var/www/html/admidio
DOCUMENT_URI=/index.php
REQUEST_URI=/
SCRIPT_NAME=/index.php
SCRIPT_FILENAME=/var/www/html/admidio/index.php
CONTENT_LENGTH=
CONTENT_TYPE=
REQUEST_METHOD=GET
QUERY_STRING=
SERVER_SOFTWARE=nginx
GATEWAY_INTERFACE=CGI/1.1
FCGI_ROLE=RESPONDER
PHP_SELF=/index.php
REQUEST_TIME_FLOAT=1601213563.4432
REQUEST_TIME=1601213563

[Fasse]

Now also changed the condition check from
if (isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && $_SERVER['HTTP_X_FORWARDED_SERVER'] !== $_SERVER['HTTP_HOST'])
to
if (isset($_SERVER['HTTP_X_FORWARDED_HOST']) && $_SERVER['HTTP_X_FORWARDED_HOST'] !== $_SERVER['HTTP_HOST'])