Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No picture displayed (due to http accesses after login with https) #184

Closed
3 tasks
guiyou65 opened this issue Oct 31, 2019 · 87 comments
Closed
3 tasks

No picture displayed (due to http accesses after login with https) #184

guiyou65 opened this issue Oct 31, 2019 · 87 comments
Labels
bug high prio security
Milestone
Release 1.1.0

Comments

@guiyou65
Copy link

guiyou65 commented Oct 31, 2019
edited by ramack
Loading

Each of my tablett and smartphone with Android 9 Pie are unable to show pictures with the latest v1.0.2. Folders are there. But no picture. I tried a standard user and a privileged one. No result.

Edit, ramack, Status:
Some servers return strange URLs for the images depending on settings like original_url_protection and also if piwigo server is behind an reversproxy like nginx or haproxy

Solution:
see comment from @EddyLB we need to:

  • extract a port number if given by the user during login and store it separately in the account
  • from URLs returned by the server remove protocol and port and replace it by what is stored in the account
  • fix '&' (and maybe ' ') characters in URL received from Server by %.. URLencoding (happens e. g. if $conf['original_url_protection'] = 'images' or 'all' is set in the config of the server)
@bhlevca
Copy link

bhlevca commented Oct 31, 2019

Same here, pictures do not show even for public albums. I do not think that permission is the issue. I tried with admin and guest. Same thing, no pictures show. It is not timing either, because I waited for days. Only albums, subalbum and number of images are shown

@ramack ramack added the bug label Nov 1, 2019
@ramack ramack added this to the Release 1.1.0 milestone Nov 1, 2019
@ramack
Copy link
Contributor

ramack commented Nov 1, 2019

Thanks for reporting. I have heard now several times of that, but so far I cannot reproduce the issue. Would anyone of you mind sharing an URL to a piwigo setup showing the effect? - Feel free to send it by mail only to android@ pigigo org if you don't want to share it publicly.

@guiyou65
Copy link
Author

guiyou65 commented Nov 2, 2019

Here are 2 sites.
The first one https://www.guiyou.fr/piwigo doesn't show any picture. I own this site, on my own server.
And the second one https://tugdualgaro.piwigo.com works well. It belongs to a friend of mine, on a piwigo server.

@ramack
Copy link
Contributor

ramack commented Nov 2, 2019

Thanks, that should be very good start for a first investigation. I'll come back in case I have further questions.

@ramack
Copy link
Contributor

ramack commented Nov 2, 2019

What is at least interesting is that on https://www.guiyou.fr - even though access via https, the thumbnail images have all a http (unencrypted) URL. But from another report is seems not affecting it.

@bhlevca
Copy link

bhlevca commented Nov 3, 2019

I don't think that the https vs http is the issue behind not showing pictures. My site piwigo.hlxxxx.com has https everywhere and the android client does not show the pictures

@bhlevca
Copy link

bhlevca commented Nov 3, 2019

From what I have seen so far all albums hosted on piwigo.com work and almost none of the private ones. Is this a pattern?

@ramack
Copy link
Contributor

ramack commented Nov 3, 2019

I am also not yet 100% convinced that http/https mix is the reason, as I could not yet reproduce it. But when I look what @bhlevca's site returns I see strange thumbnail URLS: https://piwigo.hlxxx.com:80/_data/i/upload/....jpg So yes, the protocol is giving https, but the port 80 doesn't fit to that and not even loading in the browser. (If I open the tn-URL delivered by the REST interface). So I believe that there is something in the piwigo-config that triggers the thumbnail URLs to be different. @plegall or @EddyLB did one of you see this before and can explain why it happens? Does the iOS app handle it in a specific way?

@jeff-amn
Copy link
Contributor

jeff-amn commented Nov 3, 2019

I host my site on a private server and have never seen any issue with either http or https in displaying the images. You can use the app called Packet Capture to look at the ethernet traffic from the piwigo app to the host site. I also noticed that if I use my phone to look at my site in mobile mode some of the images do not load.

@bhlevca
Copy link

bhlevca commented Nov 3, 2019

if it is of any help on "I see strange thumbnail URLS: https://piwigo.hlxxx.com:80"

This site is behind haproxy and the relevant config is below:

frontend http_proxy
         bind *:80
         bind *:443 ssl crt /etc/haproxy/certs/www.hlxxx.com.pem
         mode http
         option http-keep-alive
         http-request set-header X-SSL %[ssl_fc]
         reqadd X-Forwarded-Proto:\ https
         rspadd Strict-Transport-Security:\ max-age=15768000
         rspadd Content-Security-Policy:\ upgrade-insecure-requests

@ramack
Copy link
Contributor

ramack commented Nov 4, 2019

@guiyou65 do you also have a proxy in your piwigo setup?

@guiyou65
Copy link
Author

guiyou65 commented Nov 5, 2019

No, actually there is no proxy, confirmed by my host provider www.online.net

@lergolas
Copy link

lergolas commented Nov 13, 2019
edited
Loading

Hi.
I have the same problem. When I set up my account over the lan, the thumbnails load in the app. But, when i setup it over my reverse proxy with Nginx (https), the thumbnails don´t load.
With the other app piwigo-client from the Play Store, the thumbnails load over my proxy without problem.

The config of Nginx for this host is this:

`
server {
server_name xxxxxxx.duckdns.org;
# The internal IP of the VM that hosts your Apache config
set $upstream 192.168.10.10;

    location / {
            proxy_pass_header Authorization;
            proxy_pass http://$upstream;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Connection “”;
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_redirect off;
    }

}
`

@mrufflesmcghie
Copy link

I'll have a play, seemed to be working fine for me... I've switched back to just local lan at the moment. When I'm home I'll pop my port forward back on and see what happens.

@ramack
Copy link
Contributor

ramack commented Nov 15, 2019

@plegall do you have any idea why the piwigo installation delivers thumbnail URLs with an explicit port setting or with http even though it is accessed via https? Is there any "base_url" setting?

@tvass
Copy link

tvass commented Nov 17, 2019

Same error here.

From what i can see on my setup, when you configure a Piwigo account with HTTPS, the apps get a reply with a 301 (Moved Permanently) but does not follow the redirect.

@ramack
Copy link
Contributor

ramack commented Nov 18, 2019

Thanks for investigation. Do you happen to know which URL is accessed and to which it gets redirected? This would give us a more complete picture.

@tvass
Copy link

tvass commented Nov 19, 2019
edited
Loading

Hi @ramack
Please find the details from NGINX (configured as a reverse proxy) with Let's Encrypt TLS.

It is OK when you configure an account with the full HTTPS URL. Requests are sent to the HTTPS vhost (server directive in NGINX).

==> /var/log/nginx/ssl.access.log <==
x.x.x.x - - [19/Nov/2019:13:39:41 +0000] "GET / HTTP/1.1" 200 2203 "-" "Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QP1A.191105.004)"
x.x.x.x - - [19/Nov/2019:13:39:41 +0000] "POST /ws.php?method=pwg.session.login&format=json HTTP/1.1" 200 68 "-" "Piwigo-Android 1.0.0"
x.x.x.x - - [19/Nov/2019:13:39:41 +0000] "GET /ws.php?method=pwg.session.getStatus&format=json HTTP/1.1" 200 346 "-" "Piwigo-Android 1.0.0"
x.x.x.x - - [19/Nov/2019:13:40:06 +0000] "GET /ws.php?method=pwg.categories.getImages&cat_id=0&format=json HTTP/1.1" 200 119 "-" "Piwigo-Android 1.0.0"
x.x.x.x - - [19/Nov/2019:13:40:06 +0000] "GET /ws.php?method=pwg.categories.getList&cat_id=0&thumbnail_size=medium&format=json HTTP/1.1" 200 492 "-" "Piwigo-Android 1.0.0"
x.x.x.x - - [19/Nov/2019:13:40:06 +0000] "POST /ws.php?method=pwg.session.login&format=json HTTP/1.1" 200 68 "-" "Piwigo-Android 1.0.0"
x.x.x.x - - [19/Nov/2019:13:40:06 +0000] "GET /ws.php?method=pwg.session.getStatus&format=json HTTP/1.1" 200 346 "-" "Piwigo-Android 1.0.0"

Then, when you start to browse albums, Thumbnails do not show because the Piwigo Android application requests HTTP URL and not HTTPS.

This is surprising as we configured an HTTPS base URL in account:

  • It does NOT follow redirect sent back by NGINX reverse proxy (HTTP 301).
  • It leaks covers direct JPG link over HTTP (with no S) which are supposed to be private.
==> /var/log/nginx/no_ssl.access.log <==
x.x.x.x - - [19/Nov/2019:13:44:20 +0000] "GET /_data/i/upload/2019/11/18/20191118132721-2dfa2902-me.jpg HTTP/1.1" 301 185 "-" "Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QP1A.191105.004)"
x.x.x.x - - [19/Nov/2019:13:44:20 +0000] "GET /_data/i/upload/2019/11/16/20191116144652-bf42f26a-me.jpg HTTP/1.1" 301 185 "-" "Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QP1A.191105.004)"
x.x.x.x - - [19/Nov/2019:13:44:20 +0000] "GET /_data/i/upload/2019/11/16/20191116143320-f25abf50-me.jpg HTTP/1.1" 301 185 "-" "Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QP1A.191105.004)"
x.x.x.x - - [19/Nov/2019:13:44:22 +0000] "GET /_data/i/upload/2019/11/16/20191116143320-f25abf50-me.jpg HTTP/1.1" 301 185 "-" "Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QP1A.191105.004)"
x.x.x.x - - [19/Nov/2019:13:44:22 +0000] "GET /_data/i/upload/2019/11/18/20191118132721-2dfa2902-me.jpg HTTP/1.1" 301 185 "-" "Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QP1A.191105.004)"
x.x.x.x - - [19/Nov/2019:13:44:22 +0000] "GET /_data/i/upload/2019/11/16/20191116144652-bf42f26a-me.jpg HTTP/1.1" 301 185 "-" "Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QP1A.191105.004)"

Thanks

@ramack
Copy link
Contributor

ramack commented Nov 19, 2019

Thanks for investigation. Actually the App tries to load the photos directly from the URL that is returned by the piwigo server. And there just takes whatever is in the URL, including the protocol or a port specification.
@plegall can you tell us why piwigo server is returning a full URL and not just relative URLs in the WS interface?
@EddyLB how does the iOS app handle this? Does it modify the protocol from what was returned by the piwigo web service? Because I agree with @tvass that we normally should not do http accesses in case the piwigo URL is using https.

@EddyLB
Copy link

EddyLB commented Nov 20, 2019

Hi @ramack

The iOS app checks the validity of the URL provided manually by the user, removes any extra "/" or " " and stores separately the protocol "http(s)://" and the "host, port and path".

Then, as some servers return strange image URLs (other protocol, wrong port, wrong encoding, etc.), the app checks that the URL is RFC compliant and tries to guess it if not. Then, it keeps only the path and the query (protocol, host, port and path are replaced with those stored), checks/correct the encoding and finally concatenates the URL that will be used.

When $conf['original_url_protection'] = 'images' or 'all' is set in the config of the server, the URLs returned by the servers contain "&" instead of & (UTF8). So the app also replaces "&" with the proper char to fix that too.

@ramack
Copy link
Contributor

ramack commented Nov 22, 2019

ok thanks @EddyLB, then we have to do the same on Android.

@ramack ramack mentioned this issue Nov 22, 2019
Closed
@ramack ramack changed the title No picture displayed No picture displayed (due to http accesses after login with https) Nov 24, 2019
@tvass
Copy link

tvass commented Nov 26, 2019

@ramack Thanks for the help + high prio label.
Let me know if i can help you with something.

@ramack
Copy link
Contributor

ramack commented Nov 26, 2019

I think the problem is quite clear and for the fix I have updated the issue text. If you have some programming skills you could help out implementing, otherwise I don't see any blocking point, so as soon as we find the time we'll implement it. And I think we'll do so for the next release.

@jscmidt
Copy link

jscmidt commented Aug 12, 2021
edited
Loading

As with the picasso update the https redirect should work properly I close this for now. Please try with upcoming release and report a new ticket if there is still an issue.

Do I still have to use one of the “hacks” showed above or should it work out of the box right now? Because actually that isn’t the case when using Piwigo behind a Treafik reverse-proxy. I’m only getting white squares…

@ioogithub
Copy link

As with the picasso update the https redirect should work properly I close this for now. Please try with upcoming release and report a new ticket if there is still an issue.

@ramack I just tried this with Piwigo NG version 1.0.3 from fdroid and it did not work. I was getting white squares and broken links for all images in the app while the www workes fine. You mentioned https redirect are you refering to adding RequestHeader set X-Forwarded-Proto "http" to the server? I just tried this and it did not work.

The hack definitely works, I was researching this for several hours before I found this thread but if it is supposed to work out of the box it definitely did not. Can we reopen this issue?

Do I still have to use one of the “hacks” showed above or should it work out of the box right now? Because actually that isn’t the case when using Piwigo behind a Treafik reverse-proxy. I’m only getting white squares…
It fixed the issue for me, I believe this hack is still necessary the other redirect didn't work for me.

@ramack
Copy link
Contributor

ramack commented Jul 22, 2022

Piwigo NG is not in fdroid, I guess you installed it from Play store.
@remi-martin @plegall maybe you should consider restructuring the repos here such that users are ending up in the right one.

Also the NG should be made available in f-droid to officially phase out the old android app. Maybe even think of moving the new one into the old android package name to have a upgrade path...

@ioogithub
Copy link

Piwigo NG is not in fdroid, I guess you installed it from Play store.

As I mentioned in the other thread, I downloaded and am using version 1.0.3 from the fdroid app. I do not have the google play store on my device.

@guiyou65
Copy link
Author

I think you did not download the last version which is Piwigo NG, only on Playstore

@bhlevca
Copy link

bhlevca commented Jul 24, 2022
edited
Loading

I downloaded the latest version from playstore, but the empty squares problems are still there. The app since its early inception has not worked. Luckily, the mobile web version is very good, which makes the app not necessary.
I believe the developers only test with direct connection and not through a proxy such as ha_proxy. Otherwise, one cannot understand why it takes so long to figure out that the app does not work in such conditions

@remi-martin
Copy link
Contributor

Hi @bhlevca, Piwigo NG is not officially released on f-droid. As the Android Developer of Piwigo, I know that I never did.

@bhlevca
Copy link

bhlevca commented Jul 25, 2022
edited
Loading

Hi @bhlevca, Piwigo NG is not officially released on f-droid. As the Android Developer of Piwigo, I know that I never did.

@remi-martin, I did not say anything about f-droid, which I don't even have on my phone, I said playstore. Check my previous post above. However, you forgot to mention that this does not change the fact the Piwigo NG or the previous piwigo app never worked properly, at least behind a proxy like ha-proxy. If you want to fix the https issue you need to have such an environment for developing and testing.

@remi-martin
Copy link
Contributor

Hi @bhlevca, then if it concerns Piwigo NG I'll recommend you to check the right repository piwigo-flutter-app
There is an issue that might match yours no image show on android piwigo_ng app or piwigo

Then, yes we mainly work with Piwigo.com. Having an environment for every type of server that can host a Piwigo is nearly impossible. The best would be to work with you in order to find and resolve the issue you encounter. I'll check for more information on the compatibility with flutter networking and ha-proxy.

@bhlevca
Copy link

bhlevca commented Jul 26, 2022

Thanks for the info, I will check it out. However, bear in mind that it is not every type of server. This is a specific issue with the piwigo server behind an https proxy or load balancer such as ha_proxy. There are many reports about this and only your app has this issue, the browser copes with the problem.

Since the browser on the phone works just fine probably I am going to continue using that.

@bluebrad
Copy link

bluebrad commented Feb 6, 2023

im having a simlar issue. all my users cant see the full size image but there are thumbnails. not only is the full size image missing but the images for the menus are also missing.

@Gegele1
Copy link

Gegele1 commented Sep 6, 2023

HI,
I get no pictures through Piwigo NG 2.2.3 running on Android 9 with a Piwigo server 13.8.0 running on FreBSD since it is behind an HAProxy reverse proxy.
The connection gets all right, but all thumbnails and pictures appear as broken files.
When using any browser (Edge, Firefox, Chrome …) I can get the pictures, but some thumbnails appear only after refreshing the pages, not immediately,
When the Piwigo NG application accesses to the Piwigo server by its IP address from the internal network, the thumbnails and pictures display correctly.
Using the iPhone Piwigo client also works fine from anywhere.
HAProxy with a let’s encrypt certificate redirects in https to Piwigo Server with a self-signed certificate
Piwigo Free client from the Play Store displays the pictures normally, but also displays a warning
“unexpected authority piwigo.piquot.eu:80 found in URL and replaced by piwigo.piquot.eu. Your server could be misconfigured”
Is there a solution to this problem that appear in several forums without a practical solution?

Environnement
Piwigo 13.8.0 Dernière version ?
Installé le 12 Septembre 2021, il y a 1 an 11 mois 3 semaines 2 jours
Système d'exploitation: FreeBSD
PHP: 7.4.23 (Montrer les informations) [2023-09-06 11:50:49]
MySQL: 5.5.5-10.5.12-MariaDB [2023-09-06 13:50:49]
Bibliothèque graphique: GD 2.3.1
Taille du cache 0.96 Mo   calculé il y a 3 mois Rafraîchir
Liste des plugins activés15
Admin Tools
Batch Downloader
Community
Fotorama
gdThumb
GThumb+
Language Switch
LocalFiles Editor
Meta Open Graph
OpenStreetMap
ShareAlbum
Tag Groups
Take A Tour of Your Piwigo
User Collections
VideoJS

@bluebrad
Copy link

bluebrad commented Sep 6, 2023 via email

@Gegele1
Copy link

Gegele1 commented Sep 6, 2023 via email

@bhlevca
Copy link

bhlevca commented Sep 6, 2023 via email

@ramack
Copy link
Contributor

ramack commented Sep 6, 2023

This app here is dead. Piwigo NG is the one where some further development is ongoing... if the problem is there, you should better report it in the repository of piwigo flutter app.

@calmor15014
Copy link

calmor15014 commented Sep 6, 2023 via email

@calmor15014
Copy link

calmor15014 commented Sep 6, 2023 via email

@bhlevca
Copy link

bhlevca commented Sep 6, 2023 via email

@bhlevca
Copy link

bhlevca commented Sep 6, 2023 via email

@calmor15014
Copy link

calmor15014 commented Sep 6, 2023 via email

@bhlevca
Copy link

bhlevca commented Sep 6, 2023 via email

@Gegele1
Copy link

Gegele1 commented Sep 6, 2023

Hi Jim and Bogdan,

According to what I read on other forums, it seems that the Piwigo server responds with the 80 port when sending the pictures through HAProxy, and this seems to be corrected by iPhone Piwigo Client and by the other Play Store application. It appeared when I installed the HAProxy, with no SSL on the Piwigo server in a first step, and the problem remained the same after I implemented https on my Piwigo server. If this is true, the best way to fix this system would probably to make sure that the piwigo server, when behind HAProxy, do not send the frames in the form https://piwigo.piquot.eu:80/...

thanks,
Gerard

@bhlevca
Copy link

bhlevca commented Sep 6, 2023 via email

@calmor15014
Copy link

calmor15014 commented Sep 7, 2023 via email

@Gegele1
Copy link

Gegele1 commented Sep 7, 2023 via email

@calmor15014
Copy link

calmor15014 commented Sep 7, 2023 via email

@bhlevca
Copy link

bhlevca commented Sep 7, 2023 via email

@Gegele1
Copy link

Gegele1 commented Sep 7, 2023

Jim, Bogdan,

I can send you the working configuration, but I cannot usefully send the non _working, as I am using HAProxy as a pfSense package and even if I restore the configuration recorded before my cleaning operation, it is working fine with it, now. The only thing I did when cleaning was to remove the SQUID proxy and Reverse Proxy packages that I tried to use before I decided to switch to HAProxy. Squid was disabled, and mentions all services are disabled. With restoring the configuration of pfSense (including all SQUID packages) I cannot reproduce the Piwigo NG problem any more, sorry.

here is the latest working configuration (automatically generated by pfSense):
202309071800_working.txt

I also added the following lines to the vhost section of sites-available/bsd.lan-ssl.conf and to httpd.conf (did not know where should be) after installing mod_remoteip :

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy xxx.yyy.zzz.1/24

Concerning the browser problem that I mentionned, I agree that it worked with Android in the same way as from any other environment: some thumbnails and associated links were unavailable on the first display of the page. To display all of them, I had to refresh the page. This is working fine now

I understand this is not very helpful and apologize,

thanks for your help

Gérard

@bhlevca
Copy link

bhlevca commented Sep 7, 2023 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug high prio security
Projects
None yet
Milestone
Release 1.1.0
Development

No branches or pull requests