Forum OpenACS Development: [ad_conn behind_proxy_p] "" when proxy_mode is true


Hi there,

It seems there's a bug on Naviserver, running behind NGINX and HTTPS.

The error happens only when proxy_mode is assigned "true" within NS config-file.tcl

Then, it returns "", instead of 0/1, in the command line [ns_set iget [ns_conn headers] X-SSL-Request], within ad_proc ad_conn

Then, it breaks collaterally an IF statement within the file packages/acs-tcl/tcl/utilities-procs.tcl, at line 2761

...
if { [ad_conn behind_proxy_p] } {
    #
    # We are running behind a proxy
    #
    if {[ad_conn behind_secure_proxy_p] } {
...



####

File: packages/acs-tcl/tcl/request-processor-procs.tcl
...
behind_secure_proxy_p {
    #
    # Check, if we are running behind a secure proxy:
    # a) [ad_conn behind_proxy_p] must be true
    # b) the header-field X-SSL-Request must be 1
    #
    set ad_conn(behind_secure_proxy_p) 0
    if {[ad_conn behind_proxy_p]} {
        set ad_conn(behind_secure_proxy_p) [ns_set iget [ns_conn headers] X-SSL-Request]
    }
    return $ad_conn(behind_secure_proxy_p)
}

####
I wonder if it could be related to my Debian installation too.

Does anyone use NGINX with Naviserver behind it? Haven't you got the same problem? The error that shows in the browser is below.

[15/Sep/2018:14:08:55][4075.7ff64e7d3700][-conn:litli:0:0-] Error: rp_report_error: Error rendering error page (!)
expected boolean value but got ""
    while executing
"if {[ad_conn behind_secure_proxy_p]} {
            #
            # We know, the request was an https request
            #
            set proto https..."
    (procedure "util_current_location" line 42)
    invoked from within
"util_current_location"
    (procedure "security::get_register_subsite" line 3)
    invoked from within
"security::get_register_subsite"
    (procedure "::nsf::procs::ad_get_login_url" line 4)
    invoked from within
"ad_get_login_url -return"
    ("uplevel" body line 66)
    invoked from within
"uplevel {
    ad_page_contract {
  This is the highest level site specific master template.

Posted by Iuri Sampaio on
Posted by Gustaf Neumann on
Dear Iuri,

You have probably found an issue that was fixed about a year ago [1], where OpenACS reacted unfriendly in case of incorrect configurations. The more robust, actual code is in [2].

If you want to use nginx as secure proxy, you have to add a line like the following to your nginx config file.

proxy_set_header        X-SSL-Request 1;

.. and yes, we are using nginx as secure proxy on some sites, and "ad_conn behind_secure_proxy_p" returns 1. This has nothing to do with Debian or NaviServer.

[1] https://github.com/openacs/openacs-core/commit/05c58b86a65e39091565891128ddc76622928014
[2] https://github.com/openacs/openacs-core/blob/master/packages/acs-tcl/tcl/request-processor-procs.tcl#L1603
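
The failure mode discussed in this thread, as an added example in plain Tcl (8.5+) that is not part of the original posts and is not OpenACS or NaviServer code: a missing X-SSL-Request header arrives as "" and must be normalized to 0/1 before it is used as a condition. The proc names, the trusted-proxy list and the peer-address check are assumptions added for illustration; the peer check goes beyond what the thread describes and reflects that the flag is only meaningful when the request really came through the proxy.

```tcl
# Added example; names are hypothetical. In NaviServer the header value
# would come from [ns_set iget [ns_conn headers] X-SSL-Request] and the
# peer address from [ns_conn peeraddr].

# Turn a possibly missing header value into a strict 0/1.
proc header_flag_p {value} {
    # "" (header absent) and any non-boolean text count as 0.
    return [string is true -strict $value]
}

# Accept the flag only when the request arrived from a known proxy address.
proc secure_proxy_request_p {peer trusted_proxies header_value} {
    if {$peer ni $trusted_proxies} {
        return 0
    }
    return [header_flag_p $header_value]
}

# Constructed sample requests: peer address, X-SSL-Request value.
set trusted {127.0.0.1}
foreach {peer value} {
    127.0.0.1   1
    127.0.0.1   ""
    127.0.0.1   0
    203.0.113.7 1
} {
    puts [format "%-12s X-SSL-Request=%-4s -> %d" $peer "\"$value\"" \
        [secure_proxy_request_p $peer $trusted $value]]
}

# The error from the thread: an empty string used directly as a condition.
if {[catch {if {""} {}} msg]} {
    puts "unchecked header value: $msg"
}
```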

Posted by Iuri Sampaio on
Hi Gustaf,

Even with NGINX parameter assigned (i.e. proxy_set_header), and proxy_mode assigned to "true" (i.e. within ns-config.tcl), most of the links weren't affected.

proxy_set_header X-SSL-Request 1;

# Are we running behind a proxy?
set proxy_mode false

In fact, the system behaves better when proxy_mode is false and NGINX is present. It's weird and unexpected.

Furthermore, I enabled the parameter SuppressHttpPort (i.e. acs-tcl parameter), and I noticed fewer port redirections, and that was a good sign.

Actually, there's only one now, at /admin/ section (i.e. Subsite Administration: Main Site).

It's the last link in the page:

"ACS Site-Wide Administration (Site-wide administration)", which links to /acs-admin/

When I click on that one, the address changes from
https://iurix.com/acs-admin/ to https://iurix.com:8443/acs-admin/

I solved it by restarting NaviServer listening on IP 0.0.0.0. But that isn't the best solution.
Before it was only localhost 127.0.0.1, as per your scripts, and that is better!

The problem isn't quite solved yet, but at least now it's easier to track down the bug within OACS core!

I'll let you know when I find anything.