Reverse proxy to ispconfig on port 8080 does not work due cookie storage problem
I tried to set up a reverse proxy for config.mydomain.de pointing to localhost:8080. The login page appears; I enter credentials and submit, and the login page appears again. So using ISPConfig via a reverse proxy isn't possible.
This is the snippet I use:
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / https://localhost:8080/
ProxyPassReverse / https://localhost:8080/
correct behaviour
It should work the same way as when accessing it directly via port 8080.
environment
Happens with nginx and apache.
The reason is line 73 in app.inc.php: you assign SERVER_NAME to $cookie_domain, which in that case is localhost.
I think it was made for CSRF protection, but IMHO this is the wrong way. For CSRF you should send an extra CSRF token with each POST, and the cookie domain should be blank (browsers bind it themselves to the called domain). This is the way application servers like Ruby on Rails or Tomcat and PHP software like WordPress and so on do it.
Alternatively, check for $_SERVER['HTTP_X_FORWARDED_SERVER'] too.
The current way is no real protection against CSRF (really), and I think no other reason exists for it.
Alternatively, you could give admins an option "forbid proxy redirection to ISPConfig panel" which enables the current behaviour; those who don't want it, e.g. who want to access it via their own domain name (or cannot use port 8080 due to firewall restrictions), can leave it unchecked so that $cookie_domain is not set in this hard way.
Rewriting the line
$cookie_domain = (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']);
to
$cookie_domain = '';
makes our resellers happy because they can use the snippet above.
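Worked example, added here and not part of ISPConfig or of this report: a small Python model of both halves of the problem. The backend side derives the cookie domain three ways (the quoted app.inc.php line, the report's proposed empty domain, and the report's X-Forwarded-Server alternative); the browser side applies the RFC 6265 domain-match rule that decides whether a Set-Cookie is stored at all. The request dictionaries, host names and the trusted-proxy list are constructed sample data; the trusted-proxy gate on X-Forwarded-Server is this example's own addition, because that header is set by whoever connects to port 8080 and is only meaningful when the connection comes from the proxy.

```python
import ipaddress

# Constructed sample: what the backend on :8080 sees behind the proxy from the
# report. The client asked for config.mydomain.de, the proxy connects to
# localhost:8080, so SERVER_NAME/HTTP_HOST at the backend name "localhost".
PROXIED_REQUEST = {
    "SERVER_NAME": "localhost",
    "HTTP_HOST": "localhost:8080",
    "HTTP_X_FORWARDED_SERVER": "config.mydomain.de",
    "REMOTE_ADDR": "127.0.0.1",  # the proxy, not the end user
}

# Constructed sample: direct access on :8080 without a proxy.
DIRECT_REQUEST = {
    "SERVER_NAME": "config.mydomain.de",
    "HTTP_HOST": "config.mydomain.de:8080",
    "REMOTE_ADDR": "203.0.113.10",
}

# Assumed for this example: addresses of reverse proxies we trust.
TRUSTED_PROXIES = ("127.0.0.1",)


def cookie_domain_current(server):
    """Mirrors the line quoted from app.inc.php: SERVER_NAME, else HTTP_HOST."""
    return server.get("SERVER_NAME", server.get("HTTP_HOST"))


def cookie_domain_proposed(server):
    """The report's proposal: no Domain attribute, i.e. a host-only cookie."""
    return ""


def cookie_domain_forwarded(server, trusted_proxies=TRUSTED_PROXIES):
    """The report's alternative (X-Forwarded-Server), honoured only when the
    TCP peer is a known proxy; any other client could send that header."""
    fwd = server.get("HTTP_X_FORWARDED_SERVER")
    if fwd and server.get("REMOTE_ADDR") in trusted_proxies:
        return fwd.split(":")[0]
    return cookie_domain_current(server)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host, domain):
    """RFC 6265 section 5.1.3 domain-match: equal, or request host is a
    subdomain of `domain` and not an IP address."""
    request_host = request_host.lower()
    domain = domain.lower().lstrip(".")
    if request_host == domain:
        return True
    return request_host.endswith("." + domain) and not _is_ip(request_host)


def browser_stores_cookie(request_host, cookie_domain):
    """RFC 6265 section 5.3 step 6: a cookie whose Domain attribute the
    request host does not domain-match is ignored. An empty Domain makes a
    host-only cookie, which is always stored for the request host."""
    if cookie_domain == "":
        return True
    return domain_matches(request_host, cookie_domain)


def login_keeps_session(request_host, server, domain_fn):
    """True if the session cookie set by a successful login would be stored
    by the browser for request_host, i.e. no login loop."""
    return browser_stores_cookie(request_host, domain_fn(server))


if __name__ == "__main__":
    for name, fn in (("current", cookie_domain_current),
                     ("proposed", cookie_domain_proposed),
                     ("forwarded", cookie_domain_forwarded)):
        ok = login_keeps_session("config.mydomain.de", PROXIED_REQUEST, fn)
        print(f"{name:9s} cookie_domain={fn(PROXIED_REQUEST)!r:22} "
              f"session kept: {ok}")
```

With the current line the proxied login sets a cookie with Domain=localhost for a page the browser loaded from config.mydomain.de; the domain-match fails, the cookie is discarded, and the next request arrives without a session, which is the login loop in the report. The empty domain produces a host-only cookie and works through any proxy. The X-Forwarded-Server variant also works, but only the trusted-proxy check keeps a direct client on port 8080 from choosing the cookie's domain with a forged header. A proxy-side workaround outside the scope of the report is Apache's ProxyPreserveHost On, which forwards the client's Host header to the backend so that, where SERVER_NAME is built from Host, the current line already yields the public name.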