Madsonic+nginx+https = broken buttons

Post your Server Bug Report

Madsonic+nginx+https = broken buttons

Unread postby StalkerNOVA » 15 Jun 2016, 08:31

If you place Madsonic as HTTP backend for nginx with HTTPS frontend you get broken button "Settings" in the left tab. But "Profile" has no problem.

This bug came from Subsonic.

Chrome DevConsole:
Mixed Content: The page at 'https:...' was loaded over HTTPS, but requested an insecure resource 'http:...'. This request has been blocked; the content must be served over HTTPS.
Last edited by StalkerNOVA on 16 Jun 2016, 00:58, edited 1 time in total.
StalkerNOVA
Contributor
Contributor
 
Posts: 19
Joined: 15 Jun 2016, 08:24
Has thanked: 0 time
Been thanked: 5 times

Re: Madsonic+nginx+https = broken settings button

Unread postby StalkerNOVA » 16 Jun 2016, 00:57

Same for ranking and recommendations.
StalkerNOVA
Contributor
Contributor
 
Posts: 19
Joined: 15 Jun 2016, 08:24
Has thanked: 0 time
Been thanked: 5 times

Re: Madsonic+nginx+https = broken buttons

Unread postby Madevil » 16 Jun 2016, 11:07

Hi there,

i setup a example enviroment as follow:


*) install Madsonic server with default settings

*) install or update nginx

*) create selfsign cert

Code: Select all
cd /etc/nginx

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt


*) edit nginx config

Code: Select all
sudo nano /etc/nginx/sites-enabled/default


*) replace nginx config

Code: Select all
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443;
    server_name localhost; # Replace localhost with your.domain.com

    ssl_certificate           /etc/nginx/cert.crt;
    ssl_certificate_key       /etc/nginx/cert.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/madsonic.access.log;
    error_log             /var/log/nginx/madsonic.error.log;

    location / {

      proxy_set_header Host              $host;
      proxy_set_header X-Real-IP         $remote_addr;
      proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      # Fix the “It appears that your reverse proxy set up is broken" error.
     
      proxy_pass          http://localhost:4040;
      proxy_redirect      http:// https://;
      proxy_read_timeout  90;
    }
  }


*) restart services

Code: Select all
sudo service madsonic restart
sudo service nginx restart


*) try to access Madsonic local

Code: Select all
http://localhost:4040


*) try to access Madsonic over nginx

Code: Select all
http://localhost


Hope this help you to check your config!

PS: i send you a PM with a newer Madsonic build with several bug fixes.

Best regards
User avatar
Madevil
Administrator
Administrator
 
Posts: 881
Joined: 07 Dec 2012, 03:58
Has thanked: 1281 times
Been thanked: 947 times

Re: Madsonic+nginx+https = broken buttons

Unread postby StalkerNOVA » 16 Jun 2016, 14:58

Steps to reproduce:
  1. disable redirect from 80 to 443
  2. allow proxy from 80 to madsonic 4040
  3. open madsonic with admin user
  4. right click at settings and open in new tab

You'll get the following:
  1. For short time link https /settings.view will be opened
  2. Instantly you'll be redirected to http /adminSettings.view

With redirect enabled you'll get one more step and will be instantly redirected to https.

May be it would not be a problem without option for nginx (but it's the best practice if you don't ban frames completely):
Code: Select all
add_header X-Frame-Options SAMEORIGIN;
StalkerNOVA
Contributor
Contributor
 
Posts: 19
Joined: 15 Jun 2016, 08:24
Has thanked: 0 time
Been thanked: 5 times

Re: Madsonic+nginx+https = broken buttons

Unread postby StalkerNOVA » 21 Jun 2016, 06:54

There are lots of links directly to http... They got visible if you make separate logs for http and https at nginx...

Making Madsonic https behind nginx isn't a good idea because https overhead gets even bigger (Madsonic encode traffic to https, nginx decode it and encode it again to transfer to end user).

At 80 and 443 ports I've many other services so can't dedicate them to Madsonic directly. Other ports are not always available from corporate networks.
StalkerNOVA
Contributor
Contributor
 
Posts: 19
Joined: 15 Jun 2016, 08:24
Has thanked: 0 time
Been thanked: 5 times

Re: Madsonic+nginx+https = broken buttons

Unread postby PurellAdvanced » 11 Oct 2016, 20:54

I've also been bitten by this issue. The workaround for Nginx (using proxy_redirect) doesn't work for me since I use Caddy server to reverse proxy to Madsonic, and it doesn't have an equivalent method to rewrite the Location header going back to the client. I'd hate to have to migrate back to Nginx or Apache just because of this, so a bug fix would be really appreciated.

Looks like Subsonic also has this problem and it even has an outstanding patch to fix it, maybe that could come in handy? (Patch #23 on Sourceforce, sorry I can't link it).
PurellAdvanced
 
Posts: 2
Joined: 11 Oct 2016, 20:40
Has thanked: 0 time
Been thanked: 1 time

Re: Madsonic+nginx+https = broken buttons

Unread postby Madevil » 15 Oct 2016, 05:25

Hi there,

i will include that fix in the next 6.2 branch. :thumbsup:
User avatar
Madevil
Administrator
Administrator
 
Posts: 881
Joined: 07 Dec 2012, 03:58
Has thanked: 1281 times
Been thanked: 947 times

Re: Madsonic+nginx+https = broken buttons

Unread postby PurellAdvanced » 26 Oct 2016, 19:56

Thanks so much Madevil!
PurellAdvanced
 
Posts: 2
Joined: 11 Oct 2016, 20:40
Has thanked: 0 time
Been thanked: 1 time

Re: Madsonic+nginx+https = broken buttons

Unread postby StalkerNOVA » 19 Nov 2016, 12:19

BTW "Settings" button do not work. "Userprofile" has no problem.

When you rate smth stars do not show new rating until you refresh page (or go somewhere else and than return back to the page).
StalkerNOVA
Contributor
Contributor
 
Posts: 19
Joined: 15 Jun 2016, 08:24
Has thanked: 0 time
Been thanked: 5 times


Return to Bug Reports 6.x

Who is online

Users browsing this forum: No registered users and 2 guests