Hello
* My config should force everyone to use https connections. However, while using the user upload photo from the community plugin, I got a wrong XMLHttpRequest endpoint call to http instead of https.
(login user, menu upload photo, select one photo, push "start upload". Nothing happens due to error)
* I use a Debian Linux system with an nginx proxy which terminates SSL and redirects to my Piwigo docker (12.2 version). The link between my nginx frontend and my docker-piwigo backend is http, port 8085:80.
* Error stack:
    l9b5xp.js:94 Mixed Content: The page at 'https://foto-acc.creaski.eu/index.php?/add_photos' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://foto-acc.creaski.eu/ws.php?method=pwg.images.upload&format=json'. This request has been blocked; the content must be served over HTTPS.
    send @ l9b5xp.js:94
    index.php:1 Uncaught SyntaxError: Unexpected end of JSON input
        at JSON.parse (<anonymous>)
        at Function.m.parseJSON (l9b5xp.js:8:15998)
        at o.Uploader.Error (index.php:680:40)
        at o.Uploader.<anonymous> (l9b5xp.js:108:14560)
        at Array.<anonymous> (l9b5xp.js:93:20062)
        at i (l9b5xp.js:93:3482)
        at l9b5xp.js:93:3505
        at Array.<anonymous> (l9b5xp.js:93:20055)
        at i (l9b5xp.js:93:3482)
        at l9b5xp.js:93:3505
    index.php?/add_photos:694 Uncaught TypeError: Cannot read properties of null (reading 'label')
        at o.Uploader.UploadComplete (index.php:694:112)
        at o.Uploader.<anonymous> (l9b5xp.js:108:14560)
        at Array.<anonymous> (l9b5xp.js:93:20062)
        at i (l9b5xp.js:93:3482)
        at Object.r [as inSeries] (l9b5xp.js:93:3589)
        at o.Uploader.dispatchEvent (l9b5xp.js:93:20101)
        at o.Uploader.trigger (l9b5xp.js:93:20386)
        at o.Uploader.g (l9b5xp.js:108:3868)
        at l9b5xp.js:108:11385
* Piwigo URL: https://foto-acc.creaski.eu/
* I'm not sure whether I should look for a Piwigo config error or an nginx frontend error. Any help welcome.
* my nginx frontend config (part of it):
    ############################################################
    ## http config
    server {
        listen 80;
        listen [::]:80;
        server_name creaski.eu *.creaski.eu;
        error_log /var/www/creaski.eu/logs/error.log error;
        access_log /var/www/creaski.eu/logs/access.log combined;

        #redirect http to https except for localhost using 301 redirect
        if ($remote_addr !~ "^127\.0\.0\.1$"){
            return 301 https://$host$request_uri;
        }
    }
    ######################################################################
    ######################################################################
    ## foto-acc.creaski.eu
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name foto-acc.creaski.eu;
        root /var/www/piwigo;
        index index.html index.htm index.php;
        error_log /var/www/creaski.eu/logs/piwigo-acc_error.log error;
        access_log /var/www/creaski.eu/logs/piwigo-acc_access.log combined;
        ssl_certificate /root/.ssh/LE4096/0007_chain.pem;
        ssl_certificate_key /root/.ssh/LE4096/www.creaski.eu_privkey.pem;

        ############# begin ssl defaults # JVD
        add_header X-Frame-Options sameorigin;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";

        # Set Headers
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        ##proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Proxy ""; # Mitigate httpoxy attack

        # Send the HTTP Strict-Transport-Security header (HSTS) to the Client
        ##add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

        # HTTP 1.1 support
        proxy_http_version 1.1;

        # Disable buffering of responses from the proxied server.
        proxy_buffering off;

        # Parameters for SSL/TLS configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        # Ciphers should be same as the ciphers on Middleware Server configuration_{instance}.xml file
        ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:CM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-R>

        # Disable the verification of the proxied HTTPS server certificate (eg: MWS certificate).
        # Note: this might violate the corporate security policy of the customer.
        proxy_ssl_verify off;

        # Set the timeouts depending on the usage of the IFS Applications.
        # The values should be correlated with the timeouts in the Middleware Server configuration_{instance}.xml file
        proxy_connect_timeout 60s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;
        send_timeout 600s;
        proxy_next_upstream timeout error;

        # Set the maximum allowed size of the client request body.
        # This should be set depending on the requests to the IFS Applications (eg: document upload or integrations body size) - original 50m
        client_max_body_size 350m; # enlarged to make upload/download possible
        ############# end ssl defaults

        location / {
            proxy_pass http://127.0.0.1:8085;
        }
        location /phpmyadmin { # location ~ \/phpmyadmin {
            rewrite ^/phpmyadmin(/.*)$ $1 break;
            proxy_pass http://127.0.0.1:8185;
            client_max_body_size 128;
        }
    }# end server foto-acc
    ######################################################################
Hi
After investigating further, it seems this issue breaks down to "piwigo after a rproxy handling ssl offload". Piwigo has struggled with the subject since 2012! As the rproxy is talking http to the backend, piwigo generates URLs with http, and these should be https.
For a nice explanation: [Github] Piwigo issue #1183
See [Github] Piwigo issue #982 for further investigation. This results in a pull request to solve this (See https://github.com/Piwigo/Piwigo/pull/1274)
There are several solutions, depending on your needs. I chose this hack:
"The fix I did for my instance is to modify gallery/include/functions_url.inc.php
line 48 http should be changed to https, because of reverse proxy external protocol being HTTPS."
Kind regards
Johan
Hello Sharky!
I just hit the same problem. Was trying to test the Android Piwigo NG app. It wouldn't load any images. Turns out it issues http requests for those. I am running HAProxy which does SSL termination, so the php app only sees http requests. I applied your line 48 hack, and the NG app works just fine now. Thank you for that.
tjk :)
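
An alternative to hard-coding https at line 48, added here as an example (it is not Piwigo's code and not from the posters): derive the external scheme from the X-Forwarded-Proto header that the nginx config above already sets, but only when the request arrives from the proxy itself. The function names and the 172.17.0.1 proxy address are assumptions.

```php
<?php
// Added example, not Piwigo code. Function names and sample addresses are
// hypothetical; list the proxy address as the backend sees it.

/**
 * Scheme the client used to reach the reverse proxy.
 * X-Forwarded-Proto is honoured only when the direct peer (REMOTE_ADDR) is
 * a known proxy; otherwise any client could set the header itself.
 */
function external_scheme(array $server, array $trustedProxies): string
{
    // TLS terminated by the backend itself: PHP sets HTTPS to a value other than "off".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return 'https';
    }
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return 'http'; // not from our proxy: ignore forwarded headers
    }
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https' ? 'https' : 'http';
}

/** Absolute URL as the browser must see it, e.g. for the upload endpoint. */
function external_url(array $server, array $trustedProxies, string $path): string
{
    $host = $server['HTTP_HOST'] ?? 'localhost';
    return external_scheme($server, $trustedProxies) . '://' . $host . $path;
}

// Constructed samples of the $_SERVER values the backend would see.
$trusted = ['172.17.0.1']; // assumption: Docker bridge gateway relays nginx traffic
$path = '/ws.php?method=pwg.images.upload&format=json';
$viaProxy = [
    'REMOTE_ADDR' => '172.17.0.1',
    'HTTP_HOST' => 'foto-acc.creaski.eu',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];
// Same headers, but sent straight to the backend port by an untrusted peer.
$direct = ['REMOTE_ADDR' => '203.0.113.7'] + $viaProxy;

echo external_url($viaProxy, $trusted, $path), PHP_EOL; // request relayed by the proxy
echo external_url($direct, $trusted, $path), PHP_EOL;   // request from an untrusted peer
```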