server-side HTTPS detection misses support for Forwarded HTTP Extension (RFC 7239) #15200

Closed
aschuch247 opened this issue Apr 14, 2019 · 41 comments
@aschuch247

aschuch247 commented Apr 14, 2019

Describe the bug

The phpMyAdmin login dialogue says "There is mismatch between HTTPS indicated on the server and client. This can lead to non working phpMyAdmin or a security risk. Please fix your server configuration to indicate HTTPS properly." This is not fully correct.

PHP runs via Apache on HTTP, but protected by a reverse proxy (SSL accelerator) which unpacks HTTPS and reverse proxies the request via HTTP.

This is indicated via an HTTP header. The output of phpinfo() shows this as HTTP_FORWARDED with for=10.10.10.10; host=pma.net.example.com; proto=https. This is according to RFC 7239 (https://tools.ietf.org/html/rfc7239).

The relevant source code is in libraries/classes/Config.php, method isHttps(). This method already supports, among other things, the HTTP header HTTP_X_FORWARDED_PROTO. Support for HTTP_FORWARDED is missing.

To Reproduce

Steps to reproduce the behaviour:

  1. Set up PHP served via HTTP.
  2. Set up a reverse proxy which converts HTTPS to HTTP.
  3. Try to log in to phpMyAdmin.

Expected behaviour

No warning shall be shown, as the HTTP header indicates HTTPS via a reverse proxy.

Server configuration

  • phpMyAdmin version: 4.8.5

@ibennetch
Member

I believe this is a duplicate of #14184

In general, this often can be worked around by entering your credentials a second time or sometimes resolved by clearing your current phpMyAdmin cookies. Those cookies start with “pma” and clearing them may reset a few settings and could clear the stored username from the login form, but may resolve the issue for you.

Switching your connection to https rather than http, if your web server is properly configured, may also help.

@aschuch247
Author

aschuch247 commented Apr 14, 2019

@ibennetch: I don't think this is a duplicate. Logging in works without a problem. The bug is just the fact that the error/warning message is shown.

JavaScript compares the scheme used on the client with the scheme reported back by the back-end. As JavaScript sees https, but the back-end reports http, JavaScript decides to show the error/warning message.

If the reverse proxy is configured to use the non-standard HTTP header X-Forwarded-Proto, the back-end will also report an HTTPS connection. However, Forwarded is a standard way via an RFC, while X-Forwarded-Proto is not.

The method isHttps() already supports quite some vendor-specific HTTP headers, so according to my understanding, nothing speaks against also supporting the RFC standard.

@aschuch247
Author

The algorithm for parsing is pretty straightforward:

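        } elseif (($forwarded = Core::getenv('HTTP_FORWARDED')) != '') {
            // Forwarded is a comma-separated list of hops; only the first hop is inspected.
            $hops = explode(',', $forwarded);
            // Each hop is a semicolon-separated list of key=value pairs.
            $parts = explode(';', $hops[0]);
            foreach ($parts as $part) {
                $key_value = explode('=', $part);
                // Keys and values are compared case-insensitively after trimming whitespace.
                if ((strtolower(trim($key_value[0])) == 'proto') && (isset($key_value[1]) && (strtolower(trim($key_value[1])) == 'https'))) {
                    $is_https = true;
                    break;
                }
            }
        }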

@williamdes williamdes added the Bug and help wanted labels Apr 16, 2019
@aschuch247
Author

@williamdes: What does help wanted mean? Anything I can help you with?

@williamdes
Member

@aschuch247 it means that I would want someone to help us solve this issue with a pull-request

@williamdes williamdes added this to Needs triage in issues via automation Apr 29, 2019
@williamdes williamdes moved this from Needs triage to Medium priority in issues Apr 29, 2019
@aschuch247
Author

aschuch247 commented Jun 9, 2019

There is mismatch between HTTPS indicated on the server and client. This can lead to non working phpMyAdmin or a security risk. Please fix your server configuration to indicate HTTPS properly.

What is the actual idea behind this? I am using phpMyAdmin behind an HTTPS accelerator proxy and it works very well. At the moment, I consider phpMyAdmin as very proxy-friendly.

Examples of not so friendly applications are Jira and Review Board. What do they do wrong?

  • They embed absolute FQDN links in their HTML (Jira).
  • They embed absolute FQDN links in their RPC responses (Jira and Review Board).

A properly configured proxy can rewrite FQDN references at the HTTP level, for example as part of a Location header. But there is no fool-proof way to rewrite the HTTP body.

So, why does phpMyAdmin bother with HTTP and HTTPS detection and why does it even compare the detected values between server and client? If I tell my browser to send a proper X-Forwarded-Proto HTTP header, I can trick phpMyAdmin into believing whatever I want and the warning is not shown.

Maybe the solution to this problem here is to add a new option to dismiss the server/client comparison and the resulting warning message. By default, it is enabled (safe and conservative defaults), but it can be disabled to not scare users on a properly configured HTTPS accelerator proxy.

How about that?

Technically, NGINX does it the right way: https://nginx.org/en/docs/http/ngx_http_realip_module.html. All upstream proxies are logged in Forwarded (X-Forwarded-For), one by one. The server also knows a list of trusted proxies and when iterating the list, the first non-trusted IP address obviously is the (untrusted) client. This way, not even the gateway proxy needs to clear/reset Forwarded (X-Forwarded-For).

So from a conceptual point of view, what kind of trust is phpMyAdmin supposed to have in any of the HTTP headers? If it is just to display a message, not that much trust is required.

Any opinion on this?

Summary of the problem: Forwarded is a comma-separated list of tuples. How to figure out which of the tuples represents the (JavaScript) client, in order to then fetch the proto attribute from the tuple. Or always use the very first tuple, but this means that the list is trusted to not be manipulated by the client.
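
The trust question raised in this comment, as an added PHP example (not phpMyAdmin's code and not the code from the commits referenced later in this thread): the header is parsed with quoted values handled, and the hops are walked right to left so that an element only counts when the node that appended it is a configured trusted proxy. It goes beyond the first-hop snippet posted earlier; the function names, the trusted-proxy list and all sample addresses are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Parse a Forwarded header into a list of hops (name => value), oldest hop first. */
function parseForwarded(string $header): array
{
    $hops = [];
    $hop = [];
    $pair = '';
    $quoted = false;
    $header .= ','; // sentinel so the last element is flushed
    for ($i = 0, $n = strlen($header); $i < $n; $i++) {
        $c = $header[$i];
        if ($quoted && $c === '\\' && $i + 1 < $n) {
            $pair .= $header[++$i]; // quoted-pair: keep only the escaped character
            continue;
        }
        if ($c === '"') {
            $quoted = !$quoted; // quotes delimit a value and are not part of it
            continue;
        }
        if ($quoted || ($c !== ';' && $c !== ',')) {
            $pair .= $c;
            continue;
        }
        // Unquoted ';' or ',' ends the current name=value pair.
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, null);
        if ($value !== null) {
            $hop[strtolower(trim($name))] = trim($value);
        }
        $pair = '';
        if ($c === ',' && $hop !== []) {
            $hops[] = $hop;
            $hop = [];
        }
    }
    return $quoted ? [] : $hops; // unbalanced quote: reject the whole header
}

/** Extract the IP address from a "for" node value; null for "unknown" or obfuscated nodes. */
function nodeAddress(string $node): ?string
{
    $ip = preg_match('/^\[([^\]]+)\](:\d+)?$/', $node, $m) === 1
        ? $m[1]
        : preg_replace('/:\d+$/', '', $node);
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : null;
}

/**
 * Return the proto recorded by the trusted proxy closest to the client, or null.
 * $trustedProxies is an assumed, operator-configured list of exact IP strings.
 */
function clientFacingProto(string $header, string $remoteAddr, array $trustedProxies): ?string
{
    $proto = null;
    $appender = $remoteAddr; // the directly connected peer appended the last element
    foreach (array_reverse(parseForwarded($header)) as $hop) {
        if ($appender === null || !in_array($appender, $trustedProxies, true)) {
            break; // this element was written by a node we do not trust
        }
        $proto = isset($hop['proto']) ? strtolower($hop['proto']) : null;
        $appender = isset($hop['for']) ? nodeAddress($hop['for']) : null;
    }
    return $proto;
}

// Constructed sample data: label, REMOTE_ADDR of the peer, Forwarded header value.
$trusted = ['10.0.0.5', '10.0.0.6'];
$samples = [
    ['single TLS proxy (issue report)', '10.0.0.5', 'for=10.10.10.10; host=pma.net.example.com; proto=https'],
    ['client prepends its own element', '10.0.0.5', 'for=192.0.2.1;proto=https, for=203.0.113.9;proto=http'],
    ['two trusted proxies, quoted for', '10.0.0.5', 'for="[2001:db8::17]:4711";proto=https, for=10.0.0.6;proto=http'],
    ['header sent by untrusted peer', '198.51.100.7', 'for=192.0.2.1;proto=https'],
];
foreach ($samples as [$label, $peer, $header]) {
    printf("%-34s => %s\n", $label, var_export(clientFacingProto($header, $peer, $trusted), true));
}
```

Trusted addresses are matched as exact strings here, so the configured list has to use the same textual form the proxies write into `for`.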

@williamdes
Member

Thanks for the feedback @aschuch247 !

@williamdes
Member

@ibennetch If I can have your comments on this issue, I am okay with implementing the code @aschuch247 sent us.

@lonix1

lonix1 commented Oct 21, 2019

Yeah I also encountered this bug! 😞

@aschuch247 Is it safe to just ignore this warning?

@aschuch247
Author

@lonix1: phpMyAdmin 4.9.1 works like a charm, if the proxy is properly configured. The message can be ignored.

What I figured out is that the client (your browser) tells the server how phpMyAdmin was accessed. This is either by HTTP or HTTPS. The server checks how it is accessed. This also is either by HTTP or HTTPS. The message is shown if both ways of accessing differ.

This can happen if you use an SSL accelerator, that is, an HTTPS-to-HTTP 'unpacking' proxy in-between.

@williamdes williamdes self-assigned this Dec 22, 2019
@williamdes williamdes added this to the 4.9.3 milestone Dec 22, 2019
@williamdes
Member

After more research, I think I can implement it before 4.9.3 is out

@williamdes williamdes removed this from the 4.9.3 milestone Dec 26, 2019
@pamamolf

pamamolf commented Dec 28, 2019

I am getting the same warning message with the latest version :(

Using Nginx.

But before the latest update it was ok...

@williamdes williamdes added this to the 5.0.1 milestone Dec 28, 2019
@williamdes
Member

@pamamolf can you post the nginx config?

@pamamolf

pamamolf commented Dec 28, 2019

It is for my hostname that I am using for phpMyAdmin and it worked with no issues for a long time:

server {
	listen                       443 ssl http2;
	server_name                  server.mydomain.com;

	ssl_certificate              /usr/local/nginx/conf/ssl/server.mydomain.com/server.mydomain.com-acme.cer;
	ssl_certificate_key          /usr/local/nginx/conf/ssl/server.mydomain.com/server.mydomain.com-acme.key;
	ssl_certificate_key          /usr/local/nginx/conf/ssl/server.mydomain.com/server.mydomain.com.key;
	include                      /usr/local/nginx/conf/ssl_include.conf;

	keepalive_timeout            3000;
	client_body_buffer_size      256k;
	client_body_timeout          3000s;
	client_header_buffer_size    256k;
	##                           how long a connection has to complete sending
	##                           it's headers for request to be processed
	client_header_timeout        60s;
	client_max_body_size         512m;
	connection_pool_size         512;
	directio                     512m;
	ignore_invalid_headers       on;
	large_client_header_buffers  8 256k;

	http2_max_field_size         16k;
	http2_max_header_size        32k;
	#                            dual cert supported ssl ciphers
	ssl_ciphers                  EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
	ssl_prefer_server_ciphers    on;
	#add_header                  Alternate-Protocol 443:npn-spdy/3;
	#add_header                  Strict-Transport-Security "max-age=31536000; includeSubdomains;";
	#add_header                  X-Frame-Options SAMEORIGIN;
	#add_header                  X-Xss-Protection "1; mode=block" always;
	#add_header                  X-Content-Type-Options "nosniff" always;
	#spdy_headers_comp           5;
	ssl_buffer_size              1369;
	ssl_session_tickets          on;

	#                            enable ocsp stapling
	resolver                     8.8.8.8 8.8.4.4 valid=10m;
	resolver_timeout             10s;
	ssl_stapling                 on;
	ssl_stapling_verify          on;
	ssl_trusted_certificate      /usr/local/nginx/conf/ssl/server.mydomain.com/server.mydomain.com-acme.cer;

	root                         html;
	access_log                   /var/log/nginx/localhost.access.log main;
	error_log                    /var/log/nginx/localhost.error.log error;

	#                            ngx_pagespeed & ngx_pagespeed handler
	#include                     /usr/local/nginx/conf/pagespeed.conf;
	#include                     /usr/local/nginx/conf/pagespeedhandler.conf;
	#include                     /usr/local/nginx/conf/pagespeedstatslog.conf;

	#                            limit_conn limit_per_ip 16;
	#                            ssi on;
	location /nginx_status {
		stub_status                 on;
		access_log                  off;
		allow                       127.0.0.1;
		#allow                      youripaddress;
		deny                        all;
	}

	location / {

		#                           block common exploits, sql injections etc
		#include                    /usr/local/nginx/conf/block.conf;

		#Enables                    directory listings when index file not found
		#autoindex                  on;
	}

	include                      /usr/local/nginx/conf/staticfiles.conf;
	include                      /usr/local/nginx/conf/include_opcache.conf;
	include                      /usr/local/nginx/conf/php.conf;
	#include                     /usr/local/nginx/conf/phpstatus.conf;
	include                      /usr/local/nginx/conf/drop.conf;
	#include                     /usr/local/nginx/conf/errorpage.conf;
	#include                     /usr/local/nginx/conf/vts_mainserver.conf;

}

Thank you

@williamdes
Member

@pamamolf so 4.9.2 version works fine ?
Also can you send php.conf; ?
Thank you

@centminmod

centminmod commented Dec 28, 2019

@pamamolf is using my Centmin Mod LEMP stack and it has a phpmyadmin.sh script to install phpmyadmin via git clone of stable branch. Here's a cleaner markdown formatted phpmyadmin https self-signed ssl vhost from my test server which is also experiencing the mismatch issue on update to phpmyadmin 5.0 - prior versions were fine

contents of https vhost /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf

# https SSL SPDY phpmyadmin
server {
        listen 443 ssl http2;
            server_name centos7.localdomain;
            root   html;

keepalive_timeout  3000;

 client_body_buffer_size 256k;
 client_body_timeout 3000s;
 client_header_buffer_size 256k;
 client_header_timeout  60s;
 client_max_body_size 512m;
 connection_pool_size  512;
 directio  512m;
 ignore_invalid_headers on;
 large_client_header_buffers 8 256k;

        ssl_certificate      /usr/local/nginx/conf/ssl/centos7.localdomain.crt;
        ssl_certificate_key  /usr/local/nginx/conf/ssl/centos7.localdomain.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache      shared:SSL:10m;
        ssl_session_timeout  10m;
        # mozilla recommended
        ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
        ssl_prefer_server_ciphers   on;
        add_header X-Frame-Options SAMEORIGIN;
        ssl_buffer_size 1400;
        ssl_session_tickets on;

        access_log              /var/log/nginx/localhost_ssl.access.log     main;
        error_log               /var/log/nginx/localhost_ssl.error.log      error;

    location / {
        return 302 http://$server_name$request_uri;
    }

  include /usr/local/nginx/conf/phpmyadmin_https.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  #include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  include /usr/local/nginx/conf/errorpage.conf;
}

in the non-https vhost for same domain, it has a 301 rewrite redirect for just phpmyadmin install url redirecting from non-https to https vhost

location ^~ /5119_mysqladmin19840/ {
        rewrite ^/(.*) https://centos7.localdomain/$1 permanent;
}

contents of /usr/local/nginx/conf/phpmyadmin_https.conf

location ^~ /5119_mysqladmin19840/ {
        #try_files $uri $uri/ /5119_mysqladmin19840/index.php?$args;
        include /usr/local/nginx/conf/php_5119_mysqladmin19840.conf;

        auth_basic      "Private Access";
        auth_basic_user_file  /usr/local/nginx/conf/htpassphpmyadmin;
        allow 127.0.0.1;
        #allow 192.168.0.12;
        #deny all;
}

contents of /usr/local/nginx/conf/php_5119_mysqladmin19840.conf

location ~ [^/]\.php(/|$) {
  include /usr/local/nginx/conf/503include-only.conf;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }
    #fastcgi_keep_conn on;
    #fastcgi_pass dft_php;
    fastcgi_pass   127.0.0.1:9991;
    #fastcgi_pass   unix:/tmp/php5-fpm.sock;
    fastcgi_index  index.php;
    #fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  SCRIPT_FILENAME    $request_filename;
    #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;

# might shave 200+ ms off PHP requests
# which don't pass on a content length header
# slightly faster page response time at the
# expense of throughput / scalability
#sendfile on;
#tcp_nopush off;
#keepalive_requests 0;

fastcgi_connect_timeout 60s;
fastcgi_send_timeout 180s;
fastcgi_read_timeout 300s;
fastcgi_buffer_size 4k;
fastcgi_buffers 512 4k;
fastcgi_busy_buffers_size 1m;
fastcgi_temp_file_write_size 4m;
fastcgi_max_temp_file_size 4m;
fastcgi_intercept_errors off;

# next 3 lines when uncommented / enabled
# allow Nginx to handle uploads which then 
# passes back the completed upload to PHP
#fastcgi_pass_request_body off;
#client_body_in_file_only clean;
#fastcgi_param  REQUEST_BODY_FILE  $request_body_file;

#new .04+ map method
fastcgi_param HTTPS $server_https;

# comment out PATH_TRANSLATED line if /usr/local/lib/php.ini sets following:
# cgi.fix_pathinfo=0 
# as of centminmod v1.2.3-eva2000.01 default is set to cgi.fix_pathinfo=1

fastcgi_param  PATH_INFO          $fastcgi_path_info;
fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;
fastcgi_param  HTTP_PROXY         "";

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# Set php-fpm geoip variables
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
fastcgi_param GEOIP_REGION $geoip_region;
fastcgi_param GEOIP_CITY $geoip_city;
fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
fastcgi_param GEOIP_LATITUDE $geoip_latitude;
fastcgi_param GEOIP_LONGITUDE $geoip_longitude;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

                   }

phpmyadmin is installed at /5119_mysqladmin19840

@pamamolf

pamamolf commented Dec 28, 2019

4.9.1 was ok for sure !
4.9.2 if I remember correctly it was ok ... 99% yes it was ok

php.conf:

location ~ [^/]\.php(/|$) {
  include /usr/local/nginx/conf/503include-only.conf;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }
    fastcgi_keep_conn on;
    fastcgi_pass dft_php;
    #fastcgi_pass   127.0.0.1:9000;
    #fastcgi_pass   unix:/tmp/php5-fpm.sock;
    fastcgi_index  index.php;
    #fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  SCRIPT_FILENAME    $request_filename;
    #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;

# might shave 200+ ms off PHP requests
# which don't pass on a content length header
# slightly faster page response time at the
# expense of throughput / scalability
#sendfile on;
#tcp_nopush off;
#keepalive_requests 0;

fastcgi_connect_timeout 60s;
fastcgi_send_timeout 180s;
fastcgi_read_timeout 300s;
fastcgi_buffer_size 4k;
fastcgi_buffers 512 4k;
fastcgi_busy_buffers_size 1m;
fastcgi_temp_file_write_size 4m;
fastcgi_max_temp_file_size 4m;
fastcgi_intercept_errors off;

# next 3 lines when uncommented / enabled
# allow Nginx to handle uploads which then
# passes back the completed upload to PHP
#fastcgi_pass_request_body off;
#client_body_in_file_only clean;
#fastcgi_param  REQUEST_BODY_FILE  $request_body_file;

#new .04+ map method
fastcgi_param HTTPS $server_https;

# comment out PATH_TRANSLATED line if /usr/local/lib/php.ini sets following:
# cgi.fix_pathinfo=0
# as of centminmod v1.2.3-eva2000.01 default is set to cgi.fix_pathinfo=1

fastcgi_param  PATH_INFO          $fastcgi_path_info;
fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;

fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;
fastcgi_param  HTTP_PROXY         "";

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# Set php-fpm geoip variables
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
fastcgi_param GEOIP_REGION $geoip_region;
fastcgi_param GEOIP_CITY $geoip_city;
fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
fastcgi_param GEOIP_LATITUDE $geoip_latitude;
fastcgi_param GEOIP_LONGITUDE $geoip_longitude;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

}

Thank you

@williamdes
Member

Thank you for your quick responses !
this line fastcgi_param HTTPS $https if_not_empty; is intriguing
I am going to sleep and will try to reproduce the issue you have ASAP and fix it for next 5.0 version

If someone has a docker version of the issue I would love it ;)

@williamdes
Member

@centminmod

yes phpmyadmin.sh install is located at https://github.com/centminmod/phpmyadmin

@pamamolf

pamamolf commented Dec 30, 2019

More details please?

How you add it and where?

@travisbotello

Just run yarn command in your terminal after git pull, manually or in your deploy script. Once the CSS resources have been compiled the error msg is gone.

@centminmod

centminmod commented Dec 30, 2019

oh actually doing yarn install does fix phpmyadmin 5's mismatch errors it seems ! interesting :)

though get on login, the error

Failed to set session cookie. Maybe you are using HTTP instead of HTTPS to access phpMyAdmin.

despite logging in from HTTPS site with self-signed ssl cert

edit: seems this error is reported when I enter an incorrect mysql user password !

@williamdes
Member

I am unable to reproduce the issue using a centos setup.
Can someone debug this issue or give me access to a server that has it ?

@ibennetch ibennetch modified the milestones: 5.0.1, 5.0.2 Jan 8, 2020
@williamdes
Member

@OfficialOzioma do you want to implement this issue using QA_5_0 branch as base?

NB: please add and update the unit tests

williamdes added a commit that referenced this issue Jan 24, 2020
[ci skip]

Signed-off-by: William Desportes <williamdes@wdes.fr>
@williamdes
Member

I implemented it as 3db8949

@aschuch247 & @centminmod can you please test my implementation ?

@williamdes williamdes added the has-pr label Jan 24, 2020
issues automation moved this from Medium priority to Closed Jan 24, 2020
@aschuch247
Author

@williamdes: I am not yet ready for phpMyAdmin 5, but I had a look at your implementation. I added two comments there.

@williamdes
Member

Thank you, re-opening so I do not forget to fix the implementation

@williamdes williamdes reopened this Feb 2, 2020
issues automation moved this from Closed to Needs triage Feb 2, 2020
@williamdes
Member

williamdes added a commit that referenced this issue Feb 7, 2020
…t for Forwarded HTTP Extension (RFC 7239)

Ref: 3db8949#commitcomment-37079212
Fixes: 3db8949

Signed-off-by: William Desportes <williamdes@wdes.fr>
@williamdes
Member

Fixed in 6729c89 as much as I could
thank you @aschuch247

issues automation moved this from Needs triage to Closed Feb 7, 2020
williamdes added a commit that referenced this issue Feb 11, 2020
… for Forwarded HTTP Extension (RFC 7239)

Ref: 6729c89#r37198800
Ref: 6729c89#r37198800

Signed-off-by: William Desportes <williamdes@wdes.fr>
@williamdes
Member

@aschuch247 I made the changes you asked for in 71a02a9

@aschuch247
Author

@williamdes: Thanks for really caring. You deserve more than just a single thumbs up.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 12, 2021