[Tickets #14621] Horde's XMLHttpRequests behind SSL offload proxy

noreply at bugs.horde.org
Thu Apr 20 11:57:11 UTC 2017


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/14621
------------------------------------------------------------------------------
  Ticket             | 14621
  Created By         | net at arrishq.net
  Summary            | Horde's XMLHttpRequests behind SSL offload proxy
  Queue              | Horde Base
  Version            | 5.2.14
  Type               | Bug
  State              | Unconfirmed
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


net at arrishq.net (2017-04-20 11:57) wrote:

Hi,
given is the following setup:

- Apache 2.4 (plain HTTP) + PHP-FPM 7.0 serving Horde
- Nginx as reverse proxy (doing SSL offload)

Accessing Horde isn't a problem, though both in IMP and Kronolith
XMLHttpRequests fail and render the "Cannot contact server" message.
Firebug on the client reports (in Network -> XHR) a 0 byte POST
request on .../horde/services/ajax.php/imp/dynamicInit.

Horde itself runs on an internal non-routable IP, so Horde can't
contact anything outside its own home network, nor can anyone from the
outside contact the Apache webserver directly.
Apache serves only HTTP and Nginx as reverse proxy is doing the SSL
offload; enabling "Assume we're using HTTPS" in Horde works and all
links are rendered correctly.
Other applications, e.g. SquirrelMail, Drupal, Joomla, Wordpress,
Rainloop, Roundcube, Pydio, Nextcloud, work fine with this setup
without any problems at all.
The corresponding Nginx (1.10.3) setup looks like:

http {
  sendfile on;
  tcp_nodelay on;
  tcp_nopush on;
  keepalive_timeout 65;
  proxy_buffer_size 128k;
  proxy_buffers 16 64k;
  proxy_connect_timeout 90;
  proxy_read_timeout 90;
  proxy_redirect off;
  proxy_send_timeout 90;
  proxy_cache_valid 200 301 1d;
  proxy_cache_valid 404 1m;
  proxy_cache_use_stale error timeout invalid_header updating http_500  
http_502 http_503 http_504;
  ignore_invalid_headers on;
  server_name_in_redirect off;
  server_tokens off;
  client_body_buffer_size 128k;
  client_header_buffer_size 64k;
  client_max_body_size 10m;

server {
  listen 3128 ssl;
  listen [::]:3128 ssl;
  server_name fbi.nsa.gov;
  access_log /var/log/nginx/files_access.log;
  error_log /var/log/nginx/files_error.log;

  ssl on;
  ssl_certificate /usr/local/etc/nginx/certs/nsa_gov_chain.crt;
  ssl_certificate_key /usr/local/etc/nginx/certs/nsa_gov.key;

  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH-aRSA:DHE+RSA+AES256+SHA256:RSA+AES:!ECDH+3DES:!DH+3DES:!RSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!PSK:!SRP:!DSS;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_dhparam /usr/local/etc/nginx/certs/dhparam.pem;
  keepalive_timeout 60;

  add_header Cache-Control private;
  add_header X-Content-Type-Options "nosniff";
  add_header X-Frame-Options SAMEORIGIN;
  add_header X-XSS-Protection "1; mode=block";
  add_header Strict-Transport-Security "max-age=15552000";

  location / {
   proxy_hide_header Server;
   proxy_hide_header Expires;
   proxy_hide_header Last-Modified;
   proxy_pass http://172.16.0.2:80;
   proxy_set_header Host $host;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto https;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_redirect off;
   proxy_ssl_session_reuse off;
   proxy_http_version 1.1;
   proxy_buffering off;
  }
}
}
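To localize where the POST goes missing, the next step after the Firebug observation is to look at what actually arrives on the Apache side of the proxy hop (for instance a `tcpdump -A -i any port 80` capture on 172.16.0.2) and compare it with what the nginx location block above is supposed to send. The following is an added example, not code from the ticket or from Horde: it parses one captured HTTP/1.1 request and reports whether the body survived the hop and whether Host, X-Forwarded-For, X-Forwarded-Proto and X-Real-IP arrived intact. The sample capture is constructed; the client address 203.0.113.5 and the form body are invented, and the expected Host is taken from the server_name in the config.

```python
"""Check what actually reaches the backend behind an SSL-offloading proxy.

Added example, not code from the ticket or from Horde. It parses one HTTP/1.1
request as captured on the Apache side (for instance with
`tcpdump -A -i any port 80` on 172.16.0.2) and reports whether the POST body
survived the proxy hop and whether the headers the nginx location block sets
(Host, X-Forwarded-For, X-Forwarded-Proto, X-Real-IP) arrived intact.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample capture. 203.0.113.5 is a documentation address and the
# form body is invented; neither comes from the ticket or from Horde.
BODY = b"token=constructed&action=ping"
SAMPLE_REQUEST = (
    b"POST /horde/services/ajax.php/imp/dynamicInit HTTP/1.1\r\n"
    b"Host: fbi.nsa.gov\r\n"
    b"X-Forwarded-For: 203.0.113.5\r\n"
    b"X-Forwarded-Proto: https\r\n"
    b"X-Real-IP: 203.0.113.5\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    b"Connection: close\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(BODY)
    + BODY
)
# Same headers, but the body never made it across the proxy hop.
TRUNCATED_REQUEST = SAMPLE_REQUEST[: -len(BODY)]


@dataclass
class ParsedRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str]  # lower-cased names; repeated fields joined with ", "
    body: bytes


def parse_request(raw: bytes) -> ParsedRequest:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF found: the capture does not contain a full header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return ParsedRequest(method, target, version, headers, body)


def client_ip_from_xff(xff: str) -> str:
    """Return the one X-Forwarded-For entry the backend may trust.

    $proxy_add_x_forwarded_for appends the address nginx itself saw as the
    LAST element; anything to the left was supplied by the client and can be
    forged, so with a single trusted proxy only the rightmost entry counts.
    """
    return xff.split(",")[-1].strip()


def check_request(req: ParsedRequest, expected_host: str) -> List[str]:
    """Return a list of findings; an empty list means the hop looks healthy."""
    problems: List[str] = []
    h = req.headers
    if req.method == "POST":
        cl = h.get("content-length")
        chunked = "chunked" in h.get("transfer-encoding", "").lower()
        if cl is None and not chunked:
            problems.append("POST has neither Content-Length nor chunked encoding: "
                            "the backend will treat the body as empty")
        elif cl is not None:
            declared = int(cl)
            if declared == 0:
                problems.append("POST body is empty (Content-Length: 0)")
            elif len(req.body) < declared:
                problems.append(f"body truncated on the proxy hop: declared {declared} "
                                f"bytes, captured {len(req.body)}")
    if h.get("x-forwarded-proto", "").lower() != "https":
        problems.append("X-Forwarded-Proto is not 'https': the backend cannot tell "
                        "that TLS was offloaded and will build http:// URLs")
    if h.get("host") != expected_host:
        problems.append(f"Host is {h.get('host')!r}, expected {expected_host!r}: "
                        "redirects and absolute links will point at the wrong origin")
    if "x-forwarded-for" in h and client_ip_from_xff(h["x-forwarded-for"]) != h.get("x-real-ip"):
        problems.append("X-Real-IP disagrees with the trusted X-Forwarded-For hop")
    return problems


if __name__ == "__main__":
    for label, raw in (("full", SAMPLE_REQUEST), ("truncated", TRUNCATED_REQUEST)):
        req = parse_request(raw)
        print(f"{label}: {req.method} {req.target}, body {len(req.body)} bytes,"
              f" client {client_ip_from_xff(req.headers.get('x-forwarded-for', ''))}")
        for p in check_request(req, "fbi.nsa.gov"):
            print("  -", p)
```

Run against a real capture, an empty finding list for the ajax.php POST means the body and forwarding headers cross the hop intact and the problem is on the PHP side; a "truncated" or "Content-Length: 0" finding means nginx (or something in front of it) is dropping the body before Apache ever sees it. The X-Forwarded-For handling deliberately takes only the rightmost entry, because that is the one element of the chain the proxy itself wrote; Apache on the non-routable address should trust nothing to its left.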
