File upload is broken when SSL is offloaded on a reverse proxy #89

Open
kykc opened this Issue Dec 18, 2017 · 0 comments

kykc commented Dec 18, 2017

Used configuration

CommunityServer is being launched from a docker container like this:

onlyoffice-cs:
  image: onlyoffice/communityserver:9.5.2.546
  restart: always
  stdin_open: true
  tty: true
  container_name: onlyoffice-cs
  external_links:
   - onlyoffice-ds:document_server
  ports:
   - "172.17.0.1:5080:80"
   - "172.17.0.1:50443:443"
   - "5222:5222"
  volumes:
   - /home/████████/server_data/onlyoffice/cs/logs:/var/log/onlyoffice
   - /home/████████/server_data/onlyoffice/cs/data:/var/www/onlyoffice/Data
   - /home/████████/server_data/onlyoffice/cs/mysql:/var/lib/mysql
   - /home/████████/server_data/onlyoffice/ds/data:/var/www/onlyoffice/DocumentServerData
  environment:
   - MYSQL_SERVER_HOST=172.17.0.1
   - MYSQL_SERVER_DB_NAME=onlyoffice_cs
   - MYSQL_SERVER_USER=root
   - MYSQL_SERVER_PASS=████████
   - MYSQL_SERVER_PORT=3306
   - DOCUMENT_SERVER_PORT_80_TCP_ADDR=oods.████████

It is accessed through an nginx reverse proxy which offloads SSL and then redirects plain http to 172.17.0.1:5080 like this:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name office.████████;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    ssl on;
    server_name office.████████;
    ssl_certificate ████████;
    ssl_certificate_key ████████;

    location = /favicon.ico {
        return 204;
        access_log off;
        log_not_found off;
    }

    location / {
        client_max_body_size    4G;

        proxy_pass http://172.17.0.1:5080;
        proxy_read_timeout 1800;
        proxy_connect_timeout 1800;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Steps to reproduce

In Documents, click the upload button and select any file.

Observed behavior

I'm getting an error like this:

Mixed Content: The page at 'https://office.████████/products/files/#1' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://office.████████/products/files/ChunkedUploader.ashx?uid=73b614d569e448d4ac753a7f19507a62'. This request has been blocked; the content must be served over HTTPS.

I've tinkered a little with the client JS code and found out that this http link to ChunkedUploader is being sent by the server in a response to the /api/2.0/files/1/upload/create_session.json call. As the JS is minified on the client, I can't provide the exact file/line of code where it happens. The code in the debugger looks like this:

 var i = jq.format("{0}files/{1}/upload/create_session.json", ASC.Resources.Master.ApiPath, n.fid)
          , t = null;
        return jq.ajax({

The whole response that I'm getting looks like this:

{
  "success": true,
  "data": {
    "id": "b7d920e3776742d9832367fcbcd37131",
    "path": [
      1
    ],
    "created": "2017-12-17T14:46:05.832996Z",
    "expired": "2017-12-18T02:46:05.832996Z",
    "location": "http://office.████████/products/files/ChunkedUploader.ashx?uid=b7d920e3776742d9832367fcbcd37131",
    "bytes_uploaded": 0,
    "bytes_total": 12354
  }
}

Expected behavior

File upload working as intended 😁

Side notes

  • If I place a breakpoint in the aforementioned code and correct the returned link by hand, the rest of the file upload works as intended.
  • As seen from my nginx virtualhost config, I pass the X-Forwarded-Proto header, but it seems that it's not being considered by the server when generating the ChunkedUploader link.

@alexeybannov alexeybannov self-assigned this Dec 22, 2017
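
An added example, not part of the original issue and not ONLYOFFICE code: one way a backend behind a TLS-terminating proxy can derive the scheme for an absolute URL such as the `location` field above, honouring `X-Forwarded-Proto` only from the proxy's address. The function names, the request object shape, the trusted address and the host `office.example.test` are assumptions made for illustration.

```javascript
// Added illustration; all names are hypothetical, not the project's API.
// Assumed: the address the backend sees the nginx proxy connect from.
const TRUSTED_PROXIES = new Set(["172.17.0.1"]);

// Scheme the browser actually used, from the backend's view of the request.
function externalScheme(req) {
  const fromProxy = TRUSTED_PROXIES.has(req.remoteAddr);
  const xfp = (req.headers["x-forwarded-proto"] || "")
    .split(",")[0].trim().toLowerCase();
  // Honour the header only from the proxy and only for known values;
  // a client connecting directly could otherwise set it to anything.
  if (fromProxy && (xfp === "https" || xfp === "http")) return xfp;
  // Fallback: what the backend socket itself saw (plain http after offload).
  return req.encrypted ? "https" : "http";
}

// Build the absolute upload URL returned to the client.
function uploadLocation(req, uid) {
  const base = `${externalScheme(req)}://${req.headers.host}`;
  const url = new URL("/products/files/ChunkedUploader.ashx", base);
  url.searchParams.set("uid", uid);
  return url.href;
}

// Simplified mirror of the browser's mixed-content check for an XHR endpoint
// (ignores the exemptions browsers make for loopback addresses).
function isBlockedMixedContent(pageUrl, endpointUrl) {
  return new URL(pageUrl).protocol === "https:" &&
         new URL(endpointUrl).protocol === "http:";
}

// Constructed sample requests: one arriving via the proxy, one sent directly
// to the backend port with the same header.
const viaProxy = {
  remoteAddr: "172.17.0.1",
  encrypted: false,
  headers: { host: "office.example.test", "x-forwarded-proto": "https" },
};
const direct = { ...viaProxy, remoteAddr: "203.0.113.9" };
const page = "https://office.example.test/products/files/#1";

console.log(uploadLocation(viaProxy, "abc"));
console.log(isBlockedMixedContent(page, uploadLocation(direct, "abc")));
```

The second request shows the failure reported above: when the forwarded scheme is not applied, the generated link is `http://` and the browser blocks it on an HTTPS page.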
