Piwik does not run well behind SSL proxy, generates mixed content http / https. #8030

Closed
monty241 opened this issue Jun 2, 2015 · 9 comments
Labels
duplicate For issues that already existed in our issue tracker and were reported previously.
Milestone

Comments

monty241 commented Jun 2, 2015

See "Wrong URL construction in morpheus template #4433".
Running Piwik 2.13.1.
Error in latest stable release Chrome:
Mixed Content: The page at 'https://piwik.invantive.com/index.php?module=CoreAdminHome&action=generalSettings&idSite=2&period=day&date=today&updated=2' was loaded over HTTPS, but requested an insecure image 'http://piwik.invantive.com/misc/user/logo-header.png'. This content should also be served over HTTPS.

We are running behind a proxy for SSL offloading, so piwik itself is http, but the client's browser sees https. This is a normal setup for larger environments.

Included in the page source (Dutch):

<a href='#main' tabindex="0" class="accessibility-skip-to-content">Ga naar de inhoud</a>
    <span id="logo">
    <a href="index.php" title="Mogelijk gemaakt door Piwik # Open Source Web Analytics platform">
            <img src='http://piwik.invantive.com/misc/user/logo-header.png' alt="Mogelijk gemaakt door Piwik" />
    </a>
</span>

In _logo.twig:

<img src='{{ logoHeader }}' alt="{% if isCustomLogo %}{{ 'General_PoweredBy'|translate }} {% endif %}Piwik" />

And in CustomLogo.php, function getPathToLogo:

SettingsPiwik::getPiwikUrl()

And in SettingsPiwik.php, function getPiwikUrl:

Url::getCurrentUrlWithoutFileName

This is incorrect. The current URL is not used, the presumed URL is used, but proxying and rewriting are ignored. See for more background for instance http://www.invantive.com/about-invantive/news/entryid/897/ssl-offloading-for-apache-tomcat

Solution, something like this:

# Alternative 1, only works for some cases :-)
# Is preferred method, but $currentUrl assignment should be smarter.
#
if (!empty($_SERVER['HTTP_X_FORWARDED_HOST']))
{
    $currentUrl = 'https://piwik.invantive.com/';
}
else
{
    # ORIGINAL LINE
    $currentUrl = Common::sanitizeInputValue(Url::getCurrentUrlWithoutFileName());
    # END OF ORIGINAL LINE
}
#
# Alternative 2, do not use absolute addressing
#
$currentUrl = "./";
mattab (Member) commented Jul 15, 2015

Thanks for the tip. This refs many issues: #6880 #5288 #6644 #5290

@mattab mattab added this to the 2.15.0 milestone Jul 15, 2015
mattab (Member) commented Jul 15, 2015

Adding to 2.15.0 as this is really important to fix since we get many reports about this issue.

tsteur (Member) commented Aug 6, 2015

I presume we cannot trust HTTP_X_FORWARDED_HOST? Should we only accept $_SERVER['HTTP_X_FORWARDED_HOST'] configured/allowed hosts? From what I've seen there is no such config yet unless we use trusted_hosts[] config?

Also not sure re possible downsides of ./

tsteur (Member) commented Aug 6, 2015

Also we would probably not read HTTP_X_FORWARDED_HOST hard coded but only configured proxy_host_headers headers?

It would be really good to have an environment where one can test it.
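As an added illustration of what these two comments describe (not Piwik's own code): forwarded headers are honoured only from a known proxy and only for the configured proxy_host_headers, and the result is checked against trusted_hosts. The proxy_ips and proxy_proto_headers keys and all sample values are assumptions for this example.

```php
<?php
// Added illustration, not Piwik's own code: build the client-facing base URL
// from forwarded headers only when the request comes from a configured proxy
// and the forwarded host is on the trusted_hosts allowlist.
// proxy_host_headers and trusted_hosts follow the names used in this thread;
// proxy_ips and proxy_proto_headers are assumptions for this example.
$config = [
    'proxy_ips'           => ['10.0.0.5'],               // constructed: the SSL offloader
    'proxy_host_headers'  => ['HTTP_X_FORWARDED_HOST'],
    'proxy_proto_headers' => ['HTTP_X_FORWARDED_PROTO'],
    'trusted_hosts'       => ['piwik.invantive.com'],
];
function externalBaseUrl(array $server, array $config): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['HTTP_HOST'] ?? '';

    // Only a request arriving from a known proxy may override host and scheme;
    // any client can send X-Forwarded-* headers too, so otherwise they are ignored.
    if (in_array($server['REMOTE_ADDR'] ?? '', $config['proxy_ips'], true)) {
        foreach ($config['proxy_host_headers'] as $name) {
            if (!empty($server[$name])) {
                // A chain of proxies may append values; the first is the client-facing host.
                $host = trim(explode(',', $server[$name])[0]);
                break;
            }
        }
        foreach ($config['proxy_proto_headers'] as $name) {
            if (!empty($server[$name])) {
                $scheme = strtolower(trim(explode(',', $server[$name])[0])) === 'https' ? 'https' : 'http';
                break;
            }
        }
    }

    // Reject hosts outside the allowlist: otherwise a spoofed Host or
    // X-Forwarded-Host header would be reflected into every generated link.
    $hostNoPort = strtolower(preg_replace('/:\d+$/', '', $host));
    if (!in_array($hostNoPort, $config['trusted_hosts'], true)) {
        throw new RuntimeException('Untrusted host in request: ' . $host);
    }
    return $scheme . '://' . $host . '/';
}

// Constructed request as the offloading proxy would forward it to Piwik (plain HTTP).
$server = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'piwik.invantive.com',
           'HTTP_X_FORWARDED_HOST' => 'piwik.invantive.com', 'HTTP_X_FORWARDED_PROTO' => 'https'];
echo externalBaseUrl($server, $config), PHP_EOL;
```

With the proxy forwarding over plain HTTP, the scheme comes from the forwarded-proto header rather than from $_SERVER['HTTPS'], which is exactly the case where Url::getCurrentUrlWithoutFileName() yields the mixed-content http:// logo URL reported above.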

mattab (Member) commented Aug 10, 2015

FYI: during installation, if user is already using a proxy, the config proxy_host_headers ini will be set to HTTP_X_FORWARDED_HOST header.

tsteur (Member) commented Aug 12, 2015

@monty241 can you maybe let us know the content of PHP $_SERVER? We kinda need it in order to fix this issue.

To get it, can you create a file like test.php in your Piwik directory and paste

<?php

var_export($_SERVER);

Afterwards, you can open this file by opening the URL https://yourdomain/test.php in the browser. Please remove this file again afterwards.

tsteur (Member) commented Aug 12, 2015

Fixing this issue will most likely fix as well #6703

mattab (Member) commented Sep 11, 2015

Kinda duplicates #6880 but I'll leave this one open (I have a feeling we have 5-6 or more duplicate issues re: SSL proxy). Hopefully we will be able to investigate sometime. Any help is very welcome.

@mattab mattab modified the milestones: 2.15.1, 2.15.0 Sep 11, 2015
mattab (Member) commented Nov 2, 2015

Duplicates #6703 and will be fixed with: #9145
