Hi Timo,
what you describe below sounds like one of the typical problems of running 
Tomcat (where I suppose your Enduser instance is deployed) behind an HTTP 
reverse proxy which serves as TLS terminator.

There are plenty of references out there; in particular:

https://examples.javacodegeeks.com/java-development/enterprise-java/tomcat/apache-tomcat-reverse-proxy-configuration-tutorial/

Look at section 9.

Regards.

On 30/11/23 08:45, Timo Weber wrote:

Hi there,

we are using Syncope in Docker containers and are facing a strange issue. We 
are not quite sure if it is caused by our Apache server configuration or an 
internal Syncope issue.

Syncope Version is 3.0.2

When the link for a password reset is clicked, the first request is of course a 
https request which our apache routes to the enduser container. Then a redirect 
occurs which is a http request and has an integer (a counter?) as first 
parameter. I assume this is done by Syncope. This request is then again 
redirected by our Apache Server to port 443.

In principle everything works but the insecure http request is forbidden in our 
environment and stops the whole process.

Are there any additional instructions in the reverse proxy configuration which 
are necessary for this to work?

Here is the relevant server log:

- my.domain.de:443 192.168.0.51 - [24/Apr/2023:08:56:02 +0200] "GET 
/syncope-enduser/confirmpasswordreset?token=8kA1tw8sN...QEWNHL HTTP/1.1" 302 - "-" 
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"

- my.domain.de:80 192.168.0.51 - [24/Apr/2023:08:56:03 +0200] "GET 
/syncope-enduser/confirmpasswordreset?2&token=8kA1tw8sN...QEWNHL HTTP/1.1" 302 602 "-" 
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"

- my.domain.de:443 192.168.0.51 - [24/Apr/2023:08:56:03 +0200] "GET 
/syncope-enduser/confirmpasswordreset?2&token=8kA1tw8sN...QEWNHL HTTP/1.1" 200 12738 "-" 
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"

The reverse proxy configuration contains amongst others already the following 
lines:

RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

RequestHeader set X-Forwarded-SSL expr=%{HTTPS}

RequestHeader set Sec-Fetch-Dest: "document"

RequestHeader set Sec-Fetch-Mode: "navigate"

RequestHeader set Sec-Fetch-Site: "none"

ProxyPreserveHost On

Any help would be appreciated.

Kind regards

Timo


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
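
A check an operator could run over the proxy access log to find cases like the one in this thread, where a request carrying the reset token arrives on the plaintext port after a redirect issued on the TLS port. This is an added example, not part of the original messages; the log lines are constructed in the layout Timo posted, and `SENSITIVE_PARAMS`, `PLAINTEXT_PORTS` and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in the vhost-prefixed access-log layout shown in the thread;
# host, client address and token value are placeholders.
SAMPLE_LOG = """\
- my.domain.example:443 192.0.2.10 - [01/Jan/2024:10:00:00 +0000] "GET /syncope-enduser/confirmpasswordreset?token=PLACEHOLDER HTTP/1.1" 302 - "-" "ua"
- my.domain.example:80 192.0.2.10 - [01/Jan/2024:10:00:01 +0000] "GET /syncope-enduser/confirmpasswordreset?2&token=PLACEHOLDER HTTP/1.1" 302 602 "-" "ua"
- my.domain.example:443 192.0.2.10 - [01/Jan/2024:10:00:01 +0000] "GET /syncope-enduser/confirmpasswordreset?2&token=PLACEHOLDER HTTP/1.1" 200 12738 "-" "ua"
- my.domain.example:80 192.0.2.11 - [01/Jan/2024:10:05:00 +0000] "GET /syncope-enduser/ HTTP/1.1" 302 210 "-" "ua"
"""

LINE_RE = re.compile(
    r'^- (?P<host>[^:\s]+):(?P<port>\d+) (?P<client>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
SENSITIVE_PARAMS = {"token"}  # assumption: query parameters treated as secrets
PLAINTEXT_PORTS = {80}        # assumption: ports served without TLS


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_downgrades(log_text):
    """Return plaintext requests that carry a sensitive query parameter, noting
    whether the same client was redirected (3xx) for that path on a TLS port."""
    findings, tls_redirects = [], set()
    for e in filter(None, map(parse_line, log_text.splitlines())):
        path, _, query = e["target"].partition("?")
        key = (e["client"], path)
        if int(e["port"]) not in PLAINTEXT_PORTS:
            if e["status"].startswith("3"):
                tls_redirects.add(key)  # remember: backend redirected over TLS
            continue
        leaked = sorted(SENSITIVE_PARAMS.intersection(parse_qs(query)))
        if leaked:
            findings.append({
                "client": e["client"], "path": path, "time": e["ts"],
                "params": leaked, "after_tls_redirect": key in tls_redirects,
            })
    return findings


if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_LOG):
        print(finding)
```

A finding with `after_tls_redirect` set to true points at the backend building an `http://` redirect target behind the TLS-terminating proxy, rather than at a client that requested plain HTTP on its own.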
