Cookie domain wrongly set in Reverse Proxy scenario, no way to workaround
So I just updated to ISPConfig 3.1 and now I can't log in anymore, so I checked open issues and debugged the code. It's clear that the code for setting the cookie domain doesn't account for the current scenario:
- ISPConfig runs insecure on 127.0.0.1:3000 (using php-fcgi, so standard config)
- There is an additional vhost on some.public.host:443 (SSL) having an Apache Proxy to localhost:3000 - requests come in here
Please see the code how the cookie domain is determined: https://git.ispconfig.org/ispconfig/ispconfig3/blob/74739bf25c89ca034ae36d6caf864d5567014fb4/interface/lib/app.inc.php#L73
In my scenario (and everyone where a reverse proxy is in between), the correct host would be in either `$_SERVER['HTTP_X_FORWARDED_SERVER']` resp. `$_SERVER['HTTP_X_FORWARDED_HOST']` - or it should be another setting in `config_sys`
I'd like to open a pull request, please tell me whether to:
- Take it from `HTTP_X_FORWARDED_SERVER`/`HTTP_X_FORWARDED_HOST`
- Take it from `config_sys` when it's there
- Take both into account

Which way to go?
Consequence: As the cookie domain is wrong, login is impossible. It gets set to `domain=localhost` on `/login`, after the redirect to `/index.php` it's not sent by the browser (as domain doesn't match), so it redirects me to `/login` again ;-/
Thanks!
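
One way to combine the options listed in the issue above, as an added example that is not ISPConfig's code and not from the issue author. It takes an explicit setting first and honours `X-Forwarded-Host` only when the request arrives from a listed proxy address, since any client can send that header. The function names and the config keys `cookie_domain` and `trusted_proxies` are hypothetical, and the fallback to `HTTP_HOST` is an assumption.

```php
<?php
// Added example, not ISPConfig code. Function names and config keys are hypothetical.

/** Strip the port and accept only a plain DNS name; null means "omit the Domain attribute". */
function normalize_host(?string $raw): ?string
{
    if ($raw === null || $raw === '') {
        return null;
    }
    // X-Forwarded-Host can carry a comma-separated chain; the first entry is the client-facing host.
    $first = trim(explode(',', $raw)[0]);
    $host  = strtolower(preg_replace('/:\d+$/', '', $first));
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match('/^(?=.{1,253}$)' . $label . '(\.' . $label . ')*$/', $host) ? $host : null;
}

function resolve_cookie_domain(array $server, array $conf): ?string
{
    // 1. An explicit setting always wins (hypothetical key 'cookie_domain').
    if (!empty($conf['cookie_domain'])) {
        return normalize_host($conf['cookie_domain']);
    }
    // 2. Forwarded headers are client-controlled unless the direct peer is a known proxy.
    $trusted = $conf['trusted_proxies'] ?? [];
    if (in_array($server['REMOTE_ADDR'] ?? '', $trusted, true)) {
        $forwarded = normalize_host($server['HTTP_X_FORWARDED_HOST'] ?? null);
        if ($forwarded !== null) {
            return $forwarded;
        }
    }
    // 3. No trusted proxy in front: fall back to the Host header (assumption).
    return normalize_host($server['HTTP_HOST'] ?? null);
}

// Constructed sample requests: the proxy from the issue, and a direct client forging the header.
$conf     = ['trusted_proxies' => ['127.0.0.1']];
$viaProxy = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_HOST' => 'localhost:3000',
             'HTTP_X_FORWARDED_HOST' => 'some.public.host'];
$forged   = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_HOST' => 'localhost:3000',
             'HTTP_X_FORWARDED_HOST' => 'other.example'];

var_dump(resolve_cookie_domain($viaProxy, $conf));
var_dump(resolve_cookie_domain($forged, $conf));
```

When the function returns `null`, leaving the Domain attribute off the cookie makes it host-only, so the browser sends it back to whatever host it was received from.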