Skip to content
This repository has been archived by the owner on Aug 16, 2024. It is now read-only.

Plugin doesn't work behind reverse proxy #120

Open
alesuiss opened this issue Dec 2, 2022 · 8 comments
Open

Plugin doesn't work behind reverse proxy #120

alesuiss opened this issue Dec 2, 2022 · 8 comments

Comments

@alesuiss
Copy link

alesuiss commented Dec 2, 2022

Hello,

We encountered an issue where SAML responses were rejected with:

The response was received at http://domain:8080/plugins/phpsaml/front/acs.php instead of https://domain/plugins/phpsaml/front/acs.php

This is because the app is hosted on Kubernetes and thus behind a reverse proxy. The upstream php-saml lib has a few ways to work around that, c.f. its README; in our case it was enough to enable the setProxyVars parameter.

Ideally this parameters and/or other workarounds should be exposed in the settings UI; sorry that I don't have the time to create a proper patch and pull request for this.

Thanks,
Arthur
@Izanagi52
Copy link

Hello @alesuiss,
I think I have a similar issue (redirect doesn't work because it tries to redirect to http instead of https).
How can I enable this parameter? Which file do I need to edit?

@alesuiss
Copy link
Author

alesuiss commented Dec 8, 2022

Hello @Izanagi52

Here is my very crude patch:

diff --git a/lib/php-saml/src/Saml2/Utils.php b/lib/php-saml/src/Saml2/Utils.php
index c6e912c..75a92d1 100644
--- a/lib/php-saml/src/Saml2/Utils.php
+++ b/lib/php-saml/src/Saml2/Utils.php
@@ -39,7 +39,7 @@ class Utils
     /**
      * @var bool Control if the `Forwarded-For-*` headers are used
      */
-    private static $_proxyVars = false;
+    private static $_proxyVars = true;
 
     /**
      * @var string|null

@Izanagi52
Copy link

Thanks for the tips!
(In my case, my problem must be somewhere else, the RelaySate url is still in http)

@alesuiss
Copy link
Author

@Izanagi52 you may need to make sure your proxy actually does set the X-Forwarded-* headers. Example for nginx:

proxy_set_header X-Forwarded-For $remote_addr ;        
proxy_set_header X-Forwarded-Host $host ;        
proxy_set_header X-Forwarded-Proto $scheme ;
proxy_set_header X-Forwarded-Port $server_port ;

... or in the same Utils.php file there are other params to force these ($_host, $_protocol and $_port).

@Izanagi52
Copy link

Thanks again, but it doesn't change anything for me...
X-Forwarded headers are set (I can see it in GLPI debug mode), and setting on line 52
private static $_protocol = "https";
or
private static $_protocol = "https://";
doesn't work...
I have GLPI 10.0.5 and phpsaml 1.2.1.
I run GLPI with apache (http) and Nging Proxy Manager as reverse proxy (https).
I don't really understand why, but I think it's not the same problem as you, maybe a problem with my apache config.

@adhil0
Copy link

adhil0 commented Feb 20, 2023
edited
Loading

@Izanagi52 Something that helped me was changing this line to something like $returnTo = (((isset($_GET['redirect']) ? $_GET['redirect'] : isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) ? $_SERVER['HTTP_X_FORWARDED_PROTO'] : isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? "https" : "http" . "://" . $realhost . $_SERVER['REQUEST_URI']);

After I changed that and set $_proxyVars=true, my RelayState used https.

@adhil0 adhil0 mentioned this issue Feb 22, 2023
Open
@AldarisPale
Copy link

Adding to #120 (comment) as it did not work for me.
This should be changed to:
$returnTo = ((((isset($_GET['redirect']) ? $_GET['redirect'] : isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) ? $_SERVER['HTTP_X_FORWARDED_PROTO'] : isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? "https" : "http") . "://" . $realhost . $_SERVER['REQUEST_URI']);

and additionally doing this solved the problem in my instance, which is Apache running behind nginx reverse proxy.

@AldarisPale AldarisPale mentioned this issue May 26, 2023
Open
DonutsNL added a commit to DonutsNL/phpsaml that referenced this issue May 30, 2023
@DonutsNL
Added suggestion to phpSaml redirect
4ac1942 
derricksmith#120
This needs additional testing in cojunction with proxyVars(true)
@dkdlv
Copy link

dkdlv commented Apr 19, 2024

@Izanagi52 you may need to make sure your proxy actually does set the X-Forwarded-* headers. Example for nginx:

proxy_set_header X-Forwarded-For $remote_addr ;        
proxy_set_header X-Forwarded-Host $host ;        
proxy_set_header X-Forwarded-Proto $scheme ;
proxy_set_header X-Forwarded-Port $server_port ;

... or in the same Utils.php file there are other params to force these ($_host, $_protocol and $_port).

For apache, the syntax is like that, if it helps:

<Location /glpi/>

       Proxypass               /glpi/          https://10.20.30.40/glpi/
       ProxyPassReverse        /glpi/          https://10.20.30.40/glpi/

        ProxyPreserveHost On


        RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
        RequestHeader set X-Forwarded-Host %{HTTP_HOST}s
        RequestHeader set X-Forwarded-Proto %{REQUEST_SCHEME}s
        RequestHeader set X-Forwarded-Port %{SERVER_PORT}s

</Location>

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@alesuiss @dkdlv @Izanagi52 @AldarisPale @adhil0