Page 1 of 1
Madsonic+nginx+https = broken buttons
Posted: 15 Jun 2016, 08:31
by StalkerNOVA
If you place Madsonic as HTTP backend for nginx with HTTPS frontend you get broken button "Settings" in the left tab. But "Profile" has no problem.
This bug came from Subsonic.
Chrome DevConsole:
Mixed Content: The page at 'https:...' was loaded over HTTPS, but requested an insecure resource 'http:...'. This request has been blocked; the content must be served over HTTPS.
Re: Madsonic+nginx+https = broken settings button
Posted: 16 Jun 2016, 00:57
by StalkerNOVA
Same for ranking and recommendations.
Re: Madsonic+nginx+https = broken buttons
Posted: 16 Jun 2016, 11:07
by Madsonic
Hi there,
i setup a example enviroment as follow:
*) install Madsonic server with default settings
*) install or update nginx
*) create selfsign cert
Code: Select all
cd /etc/nginx
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt
*) edit nginx config
Code: Select all
sudo nano /etc/nginx/sites-enabled/default
*) replace nginx config
Code: Select all
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443;
server_name localhost; # Replace localhost with your.domain.com
ssl_certificate /etc/nginx/cert.crt;
ssl_certificate_key /etc/nginx/cert.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/madsonic.access.log;
error_log /var/log/nginx/madsonic.error.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://localhost:4040;
proxy_redirect http:// https://;
proxy_read_timeout 90;
}
}
*) restart services
Code: Select all
sudo service madsonic restart
sudo service nginx restart
*) try to access Madsonic local
*) try to access Madsonic over nginx
Hope this help you to check your config!
PS: i send you a PM with a newer Madsonic build with several bug fixes.
Best regards
Re: Madsonic+nginx+https = broken buttons
Posted: 16 Jun 2016, 14:58
by StalkerNOVA
Steps to reproduce:
- disable redirect from 80 to 443
- allow proxy from 80 to madsonic 4040
- open madsonic with admin user
- right click at settings and open in new tab
You'll get the following:
- For short time link https /settings.view will be opened
- Instantly you'll be redirected to http /adminSettings.view
With redirect enabled you'll get one more step and will be instantly redirected to https.
May be it would not be a problem without option for nginx (but it's the best practice if you don't ban frames completely):
Code: Select all
add_header X-Frame-Options SAMEORIGIN;
Re: Madsonic+nginx+https = broken buttons
Posted: 21 Jun 2016, 06:54
by StalkerNOVA
There are lots of links directly to http... They got visible if you make separate logs for http and https at nginx...
Making Madsonic https behind nginx isn't a good idea because https overhead gets even bigger (Madsonic encode traffic to https, nginx decode it and encode it again to transfer to end user).
At 80 and 443 ports I've many other services so can't dedicate them to Madsonic directly. Other ports are not always available from corporate networks.
Re: Madsonic+nginx+https = broken buttons
Posted: 11 Oct 2016, 20:54
by PurellAdvanced
I've also been bitten by this issue. The workaround for Nginx (using proxy_redirect) doesn't work for me since I use Caddy server to reverse proxy to Madsonic, and it doesn't have an equivalent method to rewrite the Location header going back to the client. I'd hate to have to migrate back to Nginx or Apache just because of this, so a bug fix would be really appreciated.
Looks like Subsonic also has this problem and it even has an outstanding patch to fix it, maybe that could come in handy? (Patch #23 on Sourceforce, sorry I can't link it).
Re: Madsonic+nginx+https = broken buttons
Posted: 15 Oct 2016, 05:25
by Madsonic
Hi there,
i will include that fix in the next 6.2 branch.
Re: Madsonic+nginx+https = broken buttons
Posted: 26 Oct 2016, 19:56
by PurellAdvanced
Thanks so much Madevil!
Re: Madsonic+nginx+https = broken buttons
Posted: 19 Nov 2016, 12:19
by StalkerNOVA
BTW "Settings" button do not work. "Userprofile" has no problem.
When you rate smth stars do not show new rating until you refresh page (or go somewhere else and than return back to the page).