SSL break content manager #2424

Closed
BroTrue opened this issue Dec 3, 2018 · 33 comments · Fixed by #3664

@BroTrue
commented Dec 3, 2018

Information

  • Node.js version: v10.12.0
  • NPM version: 6.4.1
  • Strapi version: 3.0.0-alpha.15
  • Database: MongoDB
  • Operating system: Debian

Upgrade of #2357

What is the current behavior?

When entering to create/edit a User, I got a blank page, with this error in the console:

main.js:16 TypeError: Cannot read property 'type' of undefined
    at r.renderAttr (main.js:48)
    at Array.map (<anonymous>)
    at t.value (main.js:48)
    at Mo (main.js:16)
    at So (main.js:16)
    at Fo (main.js:16)
    at Jo (main.js:16)
    at Zo (main.js:16)
    at gn (main.js:16)
    at fn (main.js:16)
Ro @ main.js:16
main.js:72 uncaught at o TypeError: Cannot read property 'type' of undefined
    at r.renderAttr (https://mysite.com/admin/content-manager/main.js:48:311374)
    at Array.map (<anonymous>)
    at t.value (https://mysite.com/admin/content-manager/main.js:48:312290)
    at Mo (https://mysite.com/admin/main.js:16:42968)
    at So (https://mysite.com/admin/main.js:16:42763)
    at Fo (https://mysite.com/admin/main.js:16:46086)
    at Jo (https://mysite.com/admin/main.js:16:59256)
    at Zo (https://mysite.com/admin/main.js:16:59637)
    at gn (https://mysite.com/admin/main.js:16:65916)
    at fn (https://mysite.com/admin/main.js:16:65296)

Steps to reproduce the problem
I got 2 apps:

<VirtualHost *:80>
	ServerName mysite.com
	ServerAdmin admin@gmail.com
	Redirect permanent / https://mysite.com/
	CustomLog ${APACHE_LOG_DIR}/mysite-access.log combined
        ErrorLog ${APACHE_LOG_DIR}/mysite-error.log
</VirtualHost>
<VirtualHost *:443>
        ServerName mysite.com
        ServerAdmin admin@gmail.com

	ProxyPass /content http://127.0.0.1:1337
	ProxyPassReverse /content http://127.0.0.1:1337
	ProxyPass /admin http://127.0.0.1:1337/admin
	ProxyPassReverse /admin http://127.0.0.1:1337/admin
	ProxyPass /settings-manager http://127.0.0.1:1337/settings-manager
	ProxyPassReverse /settings-manager http://127.0.0.1:1337/settings-manager
	ProxyPass /content-manager http://127.0.0.1:1337/content-manager
	ProxyPassReverse /content-manager http://127.0.0.1:1337/content-manager
	ProxyPass /upload/ http://127.0.0.1:1337/upload/
	ProxyPassReverse /upload/ http://127.0.0.1:1337/upload/
	ProxyPass /auth http://127.0.0.1:1337/auth
	ProxyPassReverse /auth http://127.0.0.1:1337/auth
	ProxyPass /content-type-builder http://127.0.0.1:1337/content-type-builder
	ProxyPassReverse /content-type-builder http://127.0.0.1:1337/content-type-builder
	ProxyPass /users-permissions http://127.0.0.1:1337/users-permissions
	ProxyPassReverse /users-permissions http://127.0.0.1:1337/users-permissions
	#ProxyPass /plugins http://127.0.0.1:1337/plugins
        #ProxyPassReverse /plugins http://127.0.0.1:1337/plugins

        ProxyPass / http://127.0.0.1:8081/
        ProxyPassReverse / http://127.0.0.1:8081/
        ProxyPreserveHost off

	#LogLevel debug
        CustomLog ${APACHE_LOG_DIR}/mysite-access.log combined
        ErrorLog ${APACHE_LOG_DIR}/mysite-error.log
	SSLEngine on
	SSLCertificateFile /etc/apache2/ssl/mysite.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mysite.key
        SSLCACertificateFile /etc/apache2/ssl/intermediate.crt
</VirtualHost>

Important information:

  • without ssl all is working fine without any bug
  • I found the difference between no ssl / with ssl: when I enter to edit "User", the admin panel makes a request to this URL: https://mysite.com/content-manager/explorer/user/5bc5ce527834a56e60853347?source=users-permissions

Without SSL, in the response I received:
IT'S GOOD!

{
  "confirmed": true,
  "blocked": false,
  "notification": true,
  "_id": "5bc5ce527834a56e60853347",
  "username": "admin",
  "email": "myemail@gmail.com",
  "password": "$2a$10$3Edxx0gxxH8gfh3.xEe9Wt7oxU7x6u4b.k325bpF1sI8UJOTe",
  "__v": 0,
  "id": "5bc5ce527834a56e60853347",
  "role": {
    "_id": "5b8932347836f94c9fd0222e",
    "name": "Authenticated",
    "description": "Default role given to authenticated user.",
    "type": "authenticated",
    "__v": 0,
    "permissions": null,
    "users": null,
    "id": "5b8932347836f94c9fd0222e"
  },
  "resetPasswordToken": "69569be8bab53ff3x38d48404ba34ba7e12f6b153966996a2d9454223ba49cd17f74fca62f7d81bc92bc70afbe5ca8551c90bf0f4ee7a088327143926bf1e767"
}

With SSL, in the response I received:
It's bad, no password field :(

{
  "confirmed": true,
  "blocked": false,
  "notification": true,
  "_id": "5bc5ce527834a56e60853347",
  "username": "admin",
  "email": "myemail@gmail.com",
  "__v": 0,
  "id": "5bc5ce527834a56e60853347",
  "role": {
    "_id": "5b8932347836f94c9fd0222e",
    "name": "Authenticated",
    "description": "Default role given to authenticated user.",
    "type": "authenticated",
    "__v": 0,
    "permissions": null,
    "users": null,
    "id": "5b8932347836f94c9fd0222e"
  },
  "resetPasswordToken": "69569be8bab53ff3x38d48404ba34ba7e12f6b153966996a2d9454223ba49cd17f74fca62f7d81bc92bc70afbe5ca8551c90bf0f4ee7a088327143926bf1e767"
}

Suggested solutions

Is my Apache config bad? Should I change Apache to nginx? Can I add SSL to Strapi in another way? Some tips and advice would be nice! Thank you Strapi team for the help!

@soupette

Member

commented Dec 3, 2018

@BroTrue you have an issue with your plugin_content_manager_schema; you'll need to remove the resetPasswordToken from your view. You can ping me on Slack so I can explain to you how to do that directly from your UI.

@lauriejim lauriejim changed the title Cannot read property 'type' of undefined SSL break content manager Dec 3, 2018
@BroTrue

Author

commented Dec 3, 2018

@soupette thank you for answering. I've removed resetPasswordToken by myself, and created a totally clean project + dropped the db.

Now I got like this:

  1. No ssl
{
  "confirmed": true,
  "blocked": false,
  "_id": "5c051d6e7879dc5141e370ab",
  "username": "admin",
 "password": "$2a$10$hNouNJck9DBtwbGzUdXDd.LKpuxyLTyTRJhQNaW.Lp5aRAPqhEvtq",
  "email": "test@gmail.com",
  "provider": "local",
  "role": {
    "_id": "5c051d567879dc5141e36fc7",
    "name": "Administrator",
    "description": "These users have all access in the project.",
    "type": "root",
    "__v": 0,
    "permissions": null,
    "users": null,
    "id": "5c051d567879dc5141e36fc7"
  },
  "__v": 0,
  "id": "5c051d6e7879dc5141e370ab"
}
  2. with ssl
{
  "confirmed": true,
  "blocked": false,
  "_id": "5c051d6e7879dc5141e370ab",
  "username": "admin",
  "email": "test@gmail.com",
  "provider": "local",
  "role": {
    "_id": "5c051d567879dc5141e36fc7",
    "name": "Administrator",
    "description": "These users have all access in the project.",
    "type": "root",
    "__v": 0,
    "permissions": null,
    "users": null,
    "id": "5c051d567879dc5141e36fc7"
  },
  "__v": 0,
  "id": "5c051d6e7879dc5141e370ab"
}

Now difference is: no password field with ssl. Maybe you need more info (db collections etc.)?

@BroTrue

Author

commented Dec 3, 2018

Owwww In my opinion, the reason is here \plugins\users-permissions\models\User.settings.json

"password": {
      "type": "password",
      "minLength": 6,
      "configurable": false,
      "private": true
    },

and after the proxy it doesn't send the password (like /user/me)

:)

@soupette

Member

commented Dec 3, 2018

Did it happen after migrating your app from 14.5 to 15?

@BroTrue

Author

commented Dec 3, 2018

@soupette no, I got the same problem at v14.0, v14.5 and now at v15.0

@soupette

Member

commented Dec 3, 2018

So each time you create a new project with a clean db and use ssl?

@BroTrue

Author

commented Dec 3, 2018

Yes I create new project, with clean db. I got apache with ssl and with proxy like this:

<VirtualHost *:80>
	ServerName mysite.com
	ServerAdmin admin@gmail.com
	Redirect permanent / https://mysite.com/
	CustomLog ${APACHE_LOG_DIR}/mysite-access.log combined
        ErrorLog ${APACHE_LOG_DIR}/mysite-error.log
</VirtualHost>
<VirtualHost *:443>
        ServerName mysite.com
        ServerAdmin admin@gmail.com

	ProxyPass /content http://127.0.0.1:1337
	ProxyPassReverse /content http://127.0.0.1:1337
	ProxyPass /admin http://127.0.0.1:1337/admin
	ProxyPassReverse /admin http://127.0.0.1:1337/admin
	ProxyPass /settings-manager http://127.0.0.1:1337/settings-manager
	ProxyPassReverse /settings-manager http://127.0.0.1:1337/settings-manager
	ProxyPass /content-manager http://127.0.0.1:1337/content-manager
	ProxyPassReverse /content-manager http://127.0.0.1:1337/content-manager
	ProxyPass /upload/ http://127.0.0.1:1337/upload/
	ProxyPassReverse /upload/ http://127.0.0.1:1337/upload/
	ProxyPass /auth http://127.0.0.1:1337/auth
	ProxyPassReverse /auth http://127.0.0.1:1337/auth
	ProxyPass /content-type-builder http://127.0.0.1:1337/content-type-builder
	ProxyPassReverse /content-type-builder http://127.0.0.1:1337/content-type-builder
	ProxyPass /users-permissions http://127.0.0.1:1337/users-permissions
	ProxyPassReverse /users-permissions http://127.0.0.1:1337/users-permissions
	#ProxyPass /plugins http://127.0.0.1:1337/plugins
        #ProxyPassReverse /plugins http://127.0.0.1:1337/plugins

        ProxyPass / http://127.0.0.1:8081/
        ProxyPassReverse / http://127.0.0.1:8081/
        ProxyPreserveHost off

	#LogLevel debug
        CustomLog ${APACHE_LOG_DIR}/mysite-access.log combined
        ErrorLog ${APACHE_LOG_DIR}/mysite-error.log
	SSLEngine on
	SSLCertificateFile /etc/apache2/ssl/mysite.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mysite.key
        SSLCACertificateFile /etc/apache2/ssl/intermediate.crt
</VirtualHost>

With such proxy strapi app http://127.0.0.1:1337/admin is available under https://mysite.com/admin.

When I'm trying to edit User from http://127.0.0.1:1337/admin - everything is ok.
When I'm trying to edit User from https://mysite.com/admin - got this bug.

In my opinion, the problem is in password field which is "private": true.
If I understand correctly:

  1. when you hit the endpoint /user/me - in the response you have all data about the User but no password (because of "private": true)
  2. when you enter the User through the admin panel - you get the same data as in (1) + the password field (because you are in the admin panel)
  3. when you enter the User through the admin panel + proxy and ssl - you get the same data as in (1) without the password, and the UI says Cannot read property 'type' of undefined

I don't wanna delete this private: true - it's very important and I understand this. I just wanna fix this. I can also send you the Response Headers and Request Headers, if that would be useful. But I don't see important differences there.

@javialon26

commented Dec 4, 2018

Same here with alpha 15. In my local development environment everything works well but in the staging environment, the content manager plugins break. This happens for example when I want to add a new user or edit one.

TypeError: Cannot read property 'type' of undefined
    at r.renderAttr (main.js:48)
    at Array.map (<anonymous>)
    at t.value (main.js:48)
    at Mo (main.js:16)
    at So (main.js:16)
    at Fo (main.js:16)
    at Jo (main.js:16)
    at Zo (main.js:16)
    at gn (main.js:16)
    at fn (main.js:16)
Ro @ main.js:16
main.js:72 uncaught at o TypeError: Cannot read property 'type' of undefined
    at r.renderAttr (https://mysite.com/admin/content-manager/main.js:48:311414)
    at Array.map (<anonymous>)
    at t.value (https://mysite.com/admin/content-manager/main.js:48:312330)
    at Mo (https://mysite.com/admin/main.js:16:42968)
    at So (https://mysite.com/admin/main.js:16:42763)
    at Fo (https://mysite.com/admin/main.js:16:46086)
    at Jo (https://mysite.com/admin/main.js:16:59256)
    at Zo (https://mysite.com/admin/main.js:16:59637)
    at gn (https://mysite.com/admin/main.js:16:65916)
    at fn (https://mysite.com/admin/main.js:16:65296)

The only difference between my environments is the URL (host with ssl) and the Nginx reverse proxy for the staging environment.

@gksander

commented Dec 4, 2018

I'm having the same issue. Running alpha 15 on MacOS development machine works fine, but my production server (Ubuntu 16.04) with SSL crashes with the same error. I'm happy to provide more details if it's helpful.

@soupette

Member

commented Dec 4, 2018

As seen with @gksander and as said by @BroTrue, the bug is due to the SSL configuration and not to the content-manager itself.
A mask is applied to all requests that aren't coming from the admin (with a header 'x-forwarded-host': 'strapi'), so the password attribute from the User model is hidden, and the content-manager is expecting it to generate the view.

Here's the line:

if ([200, 201, 202].includes(ctx.status) && ctx.type === 'application/json' && !ctx.request.admin) {
  ctx.body = mask(ctx.body);
}

@BroTrue

Author

commented Dec 4, 2018

@soupette I have checked Request Headers with ssl and I found there X-Forwarded-Host: strapi.

Here is full Request Headers:

  1. with ssl
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en,fr;q=0.9,ru;q=0.8,pl;q=0.7,en-US;q=0.6,uk;q=0.5
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI1Yjg5MzI4ZTc4MzZmOTRjOWZkMDIzMTEiLCJpZCI6IjViODkzMjhlNzgzNmY5NGM5ZmQwMjMxMSIsImlhdCI6MTU0MjkxOTczNywiZXhwIjoxNTQ1NTExNzM3fQ.8Dg7QHZr28Sfc-isvDdgtZUf8EKyHLbUCZrkizXYKBo
Connection: keep-alive
Content-Type: application/json
Cookie: auth.strategy=local; auth._token.local=false; _ga=GA1.2.648763560.1543933405; _gid=GA1.2.1290014567.1543933405; _gat=1
Host: mysite.com
Referer: https://mysite.com/admin/plugins/content-manager/user/5bb63803b71b2146b2cf8f36?redirectUrl=/plugins/content-manager/user?_limit=10&_page=1&_sort=username&source=users-permissions
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
X-Forwarded-Host: strapi
  2. no SSL
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en,fr;q=0.9,ru;q=0.8,pl;q=0.7,en-US;q=0.6,uk;q=0.5
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI1Yjg5MzI4ZTc4MzZmOTRjOWZkMDIzMTEiLCJpZCI6IjViODkzMjhlNzgzNmY5NGM5ZmQwMjMxMSIsImlhdCI6MTU0Mzk2MTc1NCwiZXhwIjoxNTQ2NTUzNzU0fQ.B-hocw8-wMJmVPm32-d6N5CNYydIlcLC2XOSEuBhO4c
Connection: keep-alive
Content-Type: application/json
Cookie: _ga=GA1.2.1334692033.1543961743; _gid=GA1.2.36711495.1543961743; _gat=1
Host: mysite.com:1337
Referer: http://mysite.com:1337/admin/plugins/content-manager/user/5bb63803b71b2146b2cf8f36?redirectUrl=/plugins/content-manager/user?_limit=10&_page=1&_sort=username&source=users-permissions
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
X-Forwarded-Host: strapi
@gksander

commented Dec 6, 2018

@soupette Thank you! This helped. For anyone else having this issue, here's how I solved it using Nginx:

I added a location block for /content-manager and set the X-Forwarded-Host header to 'strapi'.

location /content-manager {
  proxy_set_header X-Forwarded-Host 'strapi';
  proxy_pass http://localhost:1337;
}
@soupette

Member

commented Dec 6, 2018

@lauriejim @Aurelsicoko should we add this config in our documentation?

@javialon26

commented Dec 10, 2018

@gksander @soupette ok, I have this working with my nginx reverse proxy. After a little investigation, I found the problem.

In line 13 of this file https://github.com/strapi/strapi/blob/master/packages/strapi/lib/middlewares/index.js

Strapi does a check on the x-forwarded-host header: if it is equal to 'strapi', ctx.request.admin is true, otherwise false.

With an Nginx reverse proxy it is common practice to change x-forwarded-host to a static value, maybe the server name; this breaks the admin requests.

I found a map header for nginx and the problem was solved.

Example:

map $http_forwarded $proxy_add_forwarded {
    # If the incoming Forwarded header is syntactically valid, append to it
    "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded";

    # Otherwise, replace it
    default "$server_name";
}

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  server_name _;

  location / {
    proxy_pass http://localhost:1337;
    proxy_redirect off;
    proxy_connect_timeout 2;
    proxy_read_timeout 86400;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}
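
The header check and mask described in this thread, as an added example that is not part of the original comments and is not Strapi's source code: a simplified JavaScript model showing how each proxy treatment of X-Forwarded-Host decides whether the private `password` attribute reaches the admin view. All function names, the sample record, the `username`/`email` attribute types and the append behaviour of the proxy are assumptions made for illustration.

```javascript
// Added example: simplified model of the check and mask discussed in this thread.
// Every name below is hypothetical; none of this is Strapi's own code.

// Attribute definitions. "password" follows the User.settings.json excerpt quoted
// in the thread; the other two entries are constructed for the example.
const USER_ATTRIBUTES = {
  username: { type: 'string' },
  email: { type: 'email' },
  password: { type: 'password', private: true },
};

// Constructed sample record with placeholder values.
const SAMPLE_USER = { username: 'admin', email: 'test@example.com', password: '<hash>' };

// The check as the maintainers describe it: an exact match on the header value.
function isAdminRequest(headers) {
  return headers['x-forwarded-host'] === 'strapi';
}

// Drop every attribute flagged "private": true.
function maskPrivate(body, attributes) {
  return Object.fromEntries(
    Object.entries(body).filter(([key]) => !(attributes[key] && attributes[key].private))
  );
}

// Body the backend returns for the headers it actually received.
function respond(headers) {
  return isAdminRequest(headers) ? { ...SAMPLE_USER } : maskPrivate(SAMPLE_USER, USER_ATTRIBUTES);
}

// Proxy models: each maps the browser's headers to what the backend sees.

// No proxy in front: headers arrive untouched.
const direct = (h) => ({ ...h });

// Assumption: a proxy that adds its own X-Forwarded-Host appends the public
// host to an existing value, so the exact match no longer holds.
const appendingProxy = (host) => (h) => ({
  ...h,
  'x-forwarded-host': h['x-forwarded-host'] ? `${h['x-forwarded-host']}, ${host}` : host,
});

// A proxy that replaces the header with a static value such as the server name.
const replacingProxy = (host) => (h) => ({ ...h, 'x-forwarded-host': host });

// The nginx "map" workaround: keep 'strapi' only when the client itself sent it.
const mapProxy = (serverName) => (h) => ({
  ...h,
  'x-forwarded-host': h['x-forwarded-host'] === 'strapi' ? 'strapi' : serverName,
});

// The nginx "location /content-manager" workaround: force the value on that path.
// In this model every request through the location then skips the mask.
const forcingProxy = () => (h) => ({ ...h, 'x-forwarded-host': 'strapi' });

// Attributes the edit view expects but the response body lacks.
function missingAttributes(body) {
  return Object.keys(USER_ATTRIBUTES).filter((key) => !(key in body));
}

// What the backend saw and what the view would be missing as a result.
function diagnose(proxy, clientHeaders) {
  const seen = proxy(clientHeaders);
  return { header: seen['x-forwarded-host'], missing: missingAttributes(respond(seen)) };
}

const ADMIN_UI = { 'x-forwarded-host': 'strapi' }; // header the admin panel sends
const OTHER_CLIENT = {};                           // a client that sends no such header

const scenarios = {
  'direct, admin UI': [direct, ADMIN_UI],
  'appending proxy, admin UI': [appendingProxy('mysite.com'), ADMIN_UI],
  'replacing proxy, admin UI': [replacingProxy('mysite.com'), ADMIN_UI],
  'map workaround, admin UI': [mapProxy('mysite.com'), ADMIN_UI],
  'map workaround, other client': [mapProxy('mysite.com'), OTHER_CLIENT],
  'forced header, other client': [forcingProxy(), OTHER_CLIENT],
};

for (const [name, [proxy, headers]] of Object.entries(scenarios)) {
  console.log(name, JSON.stringify(diagnose(proxy, headers)));
}
```

The last scenario is the one to review when choosing a workaround: a value forced at the proxy applies to every request on that path, while the map form only passes through what the client sent.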
@javialon26

commented Dec 10, 2018

another better nginx config

map $http_x_forwarded_host $custom_forwarded_host {
  default "$server_name";
  strapi "strapi";
}

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  server_name _;

  location / {
    proxy_pass http://localhost:1337;
    proxy_redirect off;
    proxy_connect_timeout 2;
    proxy_read_timeout 86400;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $custom_forwarded_host;
  }
}
@gksander

commented Dec 14, 2018

I want to add another comment, in case this helps anyone. I received this same error message after updating some of my schemas and pushing up to production. To fix this, I did the following (Ubuntu 16.04):

  1. Shell into MongoDB shell with mongo.
  2. Use the DB that your Strapi instance is using
    use yourDBname
  3. From the core_store collection, delete the record corresponding to the Content Manager schema:
    db.core_store.remove({key: 'plugin_content-manager_schema'})
  4. Then reboot your Strapi application (I believe it'll recreate that record when it boots up, but now with your updated schema).

Again, this was an issue that I didn't have on my local machine, but my production machine (with SSL) gave me some issues.

@ron-edison

commented Dec 18, 2018

Hello trying to resolve this issue using an apache proxy, we're using:

ProxyPass / http://127.0.0.1:1337/
RequestHeader set X-Forwarded-Host "strapi"

have tried both with ProxyPreserveHost Off and On which doesn't seem to make a difference, strapi does see the X-Forwarded-Host header but when logging in via the proxy (with SSL) editing is not possible as described, any input or suggestions would be of interest

thanks very much

@BroTrue

Author

commented Dec 19, 2018

@ron-edison for Apache2 I solved the problem by adding this to my config:

ProxyAddHeaders Off
@BroTrue

Author

commented Dec 19, 2018

I think we can close this issue. Above you can find solutions for Nginx and Apache :)

@BroTrue BroTrue closed this Dec 19, 2018
@danbruegge

commented Jan 24, 2019

Hi, I have the same issue. How can I solve it with only an htaccess?

My htaccess:

RewriteEngine On
RewriteRule ^(.*) http://localhost:1337/$1 [P]
@ron-edison

commented Jan 24, 2019

Hi Dan, we got it working by adding this directive:

ProxyAddHeaders Off

Also I think your rewriterule will not achieve the needed result, you want something like this:

ProxyPass / http://127.0.0.1:1337/

Hope that helps!

@danbruegge

commented Jan 25, 2019

@ron-edison thanks for your answer. Sadly both cause an Internal Server Error. :(

@ron-edison

commented Jan 25, 2019

Hi Dan, if you've already ruled out the necessary Apache modules all enabled I would say check your error log, shouldn't be too tough to troubleshoot, I can probably look in our working config and compare if it doesn't resolve. Good luck!

@danbruegge

commented Jan 25, 2019

@ron-edison looks like they are not allowed on my hoster. I will contact them. Thanks. :)

@AlbanVelco

commented Jan 30, 2019

Hi, I have the same issue. I'm using Apache 2.4.

I have tried several configurations, but none of them worked.
What is your complete configuration please?

Thanks very much!

@indatawetrust

commented Feb 5, 2019

The above recommendations do not work. Another solution way?

@AlbanVelco

commented Feb 5, 2019

Finally, I managed to understand why the solution proposed above didn't work for me. It didn't work because I had a <Proxy></Proxy> tag in my VirtualHost declaration.

So if you have a <Proxy></Proxy> tag in your VirtualHost declaration, you have to put ProxyAddHeaders Off inside this tag for it to work.

And if you don't have a <Proxy></Proxy> tag in your VirtualHost declaration, it should work if you put ProxyAddHeaders Off inside your VirtualHost declaration.

Thanks. :-)

@derrickmehaffy

Contributor

commented Feb 5, 2019

@AlbanVelco I've spoken to @soupette about this, strapi uses a header called x-forwarded-for and sets it to strapi, if your proxy overwrites this (and it should) it will break the adminUI.

I've told soupette that Strapi shouldn't be overwriting this header, but for now your solution should work.

@easydrops

commented Feb 27, 2019

I want to add another comment, in case this helps anyone. I received this same error message after updating some of my schemas and pushing up to production. To fix this, I did the following (Ubuntu 16.04):

  1. Shell into MongoDB shell with mongo.
  2. Use the DB that your Strapi instance is using
    use yourDBname
  3. From the core_store collection, delete the record corresponding to the Content Manager schema:
    db.core_store.remove({key: 'plugin_content-manager_schema'})
  4. Then reboot your Strapi application (I believe it'll recreate that record when it boots up, but now with your updated schema).

Again, this was an issue that I didn't have on my local machine, but my production machine (with SSL) gave me some issues.

This helped me to solve this issue (in 24.1)

@derrickmehaffy

Contributor

commented Feb 27, 2019

another better nginx config

map $http_x_forwarded_host $custom_forwarded_host {
  default "$server_name";
  strapi "strapi";
}

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  server_name _;

  location / {
    proxy_pass http://localhost:1337;
    proxy_redirect off;
    proxy_connect_timeout 2;
    proxy_read_timeout 86400;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $custom_forwarded_host;
  }
}

@javialon26
Worked Great, thank you. I will work on updating my SSL guide to use this.

@facundofarias

commented Jun 27, 2019

ProxyAddHeaders Off did the trick.

@shnigi

commented Jul 1, 2019

For Apache I solved it by adding ProxyAddHeaders Off for the SSL conf file.

And a solution for the proxy headers problem in kubernetes ingress-nginx was to add a ConfigMap to the ingress-nginx service (in ingress-nginx namespace):

data:
  use-forwarded-headers: "true"
kind: ConfigMap
metadata:
  name: nginx-configuration
@derrickmehaffy

Contributor

commented Jul 19, 2019

I am re-opening this issue as it still happens as of Beta.13 when using Strapi in a production level environment behind a proxy.

This one should remain open until these workarounds are no longer required.

@lauriejim lauriejim referenced this issue Aug 12, 2019
9 of 13 tasks complete