Reverse proxy to ISPConfig on port 8080 does not work due to cookie storage problem
I tried to set up a reverse proxy for
config.mydomain.de pointing to
localhost:8080. The login page appears, I enter the credentials and submit. The login page appears again. So using ISPConfig via a reverse proxy isn't possible.
This is the snippet I use:
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / https://localhost:8080/
ProxyPassReverse / https://localhost:8080/
It should work like accessing it directly via port 8080.
This happens with both nginx and Apache.
The reason is line 73 in
app.inc.php: you assign
$cookie_domain, which in that case is
$cookie_domain = (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']);
I think it was made for CSRF protection, but IMHO this is the wrong way. For CSRF you should send an extra CSRF token with each POST, and the cookie domain should be blank (browsers bind it themselves to the domain that was called). This is the way application servers like Ruby on Rails or Tomcat and PHP software like WordPress and so on do it.
Alternative check for
The current way is no real protection against CSRF (really), and I think another reason for it does not exist.
Alternatively, you may give admins an option "forbid proxy redirection to ISPConfig panel" which enables the current behaviour, and those who don't want it, e.g. want to access it via their own domain name (or cannot use port 8080 due to firewall restrictions), may leave it unchecked so that
$cookie_domain is not set in this hard way.
$cookie_domain = '';
makes our resellers happy because they can use the snippet above.
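The login loop described in the report can be reproduced offline with a small model of what each side does. The following is an added example, not ISPConfig's code and not the reporter's: it mirrors the quoted app.inc.php line that derives the cookie domain from SERVER_NAME, approximates PHP's setcookie() (an empty domain emits no Domain attribute), and lets Python's standard http.cookiejar, which applies browser-style domain matching, decide whether the session cookie is stored. The environment dictionaries are constructed; in particular, SERVER_NAME being "localhost" on the backend for a plain ProxyPass to localhost:8080, and being the public name when the proxy passes the original Host header through (Apache's ProxyPreserveHost On with the default UseCanonicalName Off), are assumptions about the deployment, not values taken from the page.

```python
"""
Model of the cookie-domain login loop: the backend sets the session cookie's
Domain from SERVER_NAME; a browser that reached the panel through a reverse
proxy on a different hostname refuses that cookie, so the login never sticks.

Added example, not ISPConfig's own code. All server environments below are
constructed; what SERVER_NAME really holds depends on the vhost/proxy setup.
"""
import email.message
import http.cookiejar
import urllib.request
from typing import Optional


def cookie_domain(server: dict) -> str:
    """Mirror of the quoted app.inc.php line: SERVER_NAME if set, else HTTP_HOST."""
    return server["SERVER_NAME"] if "SERVER_NAME" in server else server["HTTP_HOST"]


def set_cookie_header(name: str, value: str, domain: str) -> str:
    """Approximation of PHP setcookie(): an empty domain emits no Domain attribute,
    which makes the cookie host-only (bound to the host the browser called)."""
    header = f"{name}={value}; path=/; secure; HttpOnly"
    if domain:
        header += f"; domain={domain}"
    return header


class _FakeResponse:
    """Minimal response object exposing the info() that CookieJar.extract_cookies() reads."""

    def __init__(self, set_cookie: str):
        self._msg = email.message.Message()
        self._msg["Set-Cookie"] = set_cookie

    def info(self):
        return self._msg


def browser_accepts(request_url: str, set_cookie: str) -> bool:
    """Would a browser-like cookie jar store this Set-Cookie for a response to request_url?
    CookieJar rejects a Domain attribute that does not domain-match the request host."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie), urllib.request.Request(request_url))
    return len(jar) > 0


def login_sets_session(browser_url: str, backend_env: dict,
                       domain_override: Optional[str] = None) -> bool:
    """One login round trip: backend computes the cookie domain (or uses the override,
    e.g. '' for the proposed fix) and the browser decides whether to keep the cookie."""
    domain = cookie_domain(backend_env) if domain_override is None else domain_override
    header = set_cookie_header("ispconfig_session", "abc123", domain)
    return browser_accepts(browser_url, header)


# Constructed backend environments (assumptions, see module docstring).
DIRECT_ENV = {"SERVER_NAME": "srv1.example.com", "HTTP_HOST": "srv1.example.com:8080"}
PROXIED_ENV = {"SERVER_NAME": "localhost", "HTTP_HOST": "localhost:8080"}
PRESERVE_HOST_ENV = {"SERVER_NAME": "config.mydomain.de", "HTTP_HOST": "config.mydomain.de"}


def scenarios() -> dict:
    """True means the session cookie is stored and the login would succeed."""
    public = "https://config.mydomain.de/login/"
    return {
        # Direct access on :8080: Domain=srv1.example.com matches the host that was called.
        "direct_8080": login_sets_session("https://srv1.example.com:8080/login/", DIRECT_ENV),
        # The reporter's setup: Domain=localhost never matches config.mydomain.de.
        "proxied_default": login_sets_session(public, PROXIED_ENV),
        # Proposed change: $cookie_domain = '' yields a host-only cookie, accepted.
        "proxied_empty_domain": login_sets_session(public, PROXIED_ENV, ""),
        # Alternative at the proxy: forward the original Host so SERVER_NAME is the public name.
        "proxied_preserve_host": login_sets_session(public, PRESERVE_HOST_ENV),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24s} cookie stored: {ok}")
```

The interesting case is "proxied_default": the backend answers with a perfectly valid Set-Cookie, the browser silently drops it because "localhost" does not domain-match "config.mydomain.de", the next request arrives without a session, and the login form is served again. Either dropping the Domain attribute (the reporter's proposal) or making the backend see the public hostname fixes it; the former is what most frameworks do by default, since a Domain attribute only widens where a cookie is sent and offers no CSRF protection by itself.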