#StackBounty: #apache #http #redirect Getting logged out immediately after logging into an Apache webapp (OpenClinica)

Bounty: 50

I am running an OpenClinica install on my webserver and experience the following problem on Google Chrome only:

  • I access the landing page
  • I log into the root (or any other) account
  • On the logged-in overview, I click any link (e.g. list all patients)
  • I get logged out and thrown back to the landing page

This happens only on Google Chrome. Here are the relevant entries from the access.log – can anyone make sense of these? I don’t have any knowledge of HTTP status codes.

[03/Sep/2019:13:29:09 +0200] "POST /OpenClinica/j_spring_security_check HTTP/1.1" 302 328 "http://my-url.com/OpenClinica/pages/login/login;jsessionid=E6A0E2838AA51B1DA9F6AED47C42D5CD" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
[03/Sep/2019:13:29:09 +0200] "GET /OpenClinica/favicon.ico HTTP/1.1" 304 177 "http://my-url.com/OpenClinica/pages/login/login;jsessionid=E6A0E2838AA51B1DA9F6AED47C42D5CD" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
[03/Sep/2019:13:29:09 +0200] "GET /OpenClinica/MainMenu HTTP/1.1" 200 8269 "http://my-url.com/OpenClinica/favicon.ico" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
[03/Sep/2019:13:29:10 +0200] "GET /favicon.ico HTTP/1.1" 302 421 "http://my-url.com/OpenClinica/MainMenu" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
[03/Sep/2019:13:29:10 +0200] "GET /OpenClinica/pages/login/login;jsessionid=EA92FE865CF5345428D7538D18871D99 HTTP/1.1" 200 4770 "http://my-url.com/OpenClinica/MainMenu" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"

Click on List all patients

[03/Sep/2019:13:29:12 +0200] "GET /OpenClinica/ListStudySubjects HTTP/1.1" 302 272 "http://my-url.com/OpenClinica/MainMenu" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
[03/Sep/2019:13:29:12 +0200] "GET /OpenClinica/pages/login/login HTTP/1.1" 200 4770 "http://my-url.com/OpenClinica/MainMenu" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
[03/Sep/2019:13:29:12 +0200] "GET /favicon.ico HTTP/1.1" 302 422 "http://my-url.com/OpenClinica/pages/login/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
[03/Sep/2019:13:29:12 +0200] "GET /OpenClinica/pages/login/login;jsessionid=9625D469100D1871538197FE241DECCB HTTP/1.1" 200 4770 "http://my-url.com/OpenClinica/pages/login/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
[03/Sep/2019:13:29:12 +0200] "GET /OpenClinica/RssReader HTTP/1.1" 200 757 "http://my-url.com/OpenClinica/pages/login/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"

Now I do have some whacky redirect rules, which I think are the root cause of the problem. They were written as a fix to a different problem – when logging in to the system, instead of regularly looking at the favicon, the browser (any browser) would attempt to OPEN the favicon.ico as a picture, leading to, depending on the browser, a 404 page or the favicon being opened as a picture full screen. Here are the redirect rules:

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  ServerName www.my-url.com

  ProxyPreserveHost On

  ProxyPass /OpenClinica/favicon.ico http://localhost:8080/OpenClinica/
  ProxyPassReverse /OpenClinica/favicon.ico http://localhost:8080/OpenClinica/

  ProxyPass /OpenClinica/ http://localhost:8080/OpenClinica/
  ProxyPassReverse /OpenClinica/ http://localhost:8080/OpenClinica/

  ProxyPass / http://localhost:8080/OpenClinica/
  ProxyPassReverse / http://localhost:8080/OpenClinica/
</VirtualHost>


Get this bounty!!!
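
An added example, written for this page and not part of the question or of OpenClinica: a small Python script that reads Apache access-log lines like the ones quoted and reports the two things worth checking first when sessions vanish, namely every distinct jsessionid seen (in request URLs and Referers, in order of first appearance) and every request answered with a 302 that is immediately followed by a hit on the login page. The sample lines are rebuilt from the post (no client IP or identity fields, as in the post); the login path and the `jsessionid=` URL pattern are Tomcat/OpenClinica conventions assumed here.

```python
"""Flag session-ID rotation and forced logouts in Apache access logs.

Added example for this post; not OpenClinica code. SAMPLE_LOG is constructed
from the lines quoted in the question (no "%h %l %u" prefix, as in the post).
LOGIN_PAGE and the ``jsessionid=`` pattern are assumptions for this deployment.
"""
import re

# Apache combined log format; the "%h %l %u " prefix is optional so the quoted lines parse too.
LOG_RE = re.compile(
    r'^(?:(?P<ip>\S+) \S+ \S+ )?'
    r'\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Tomcat carries the session ID in the URL (";jsessionid=...") until it knows cookies work.
JSESSIONID_RE = re.compile(r'jsessionid=([0-9A-Fa-f]+)')
LOGIN_PAGE = '/OpenClinica/pages/login/login'  # assumed login path for this app

UA = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
      '(KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36')
BASE = 'http://my-url.com/OpenClinica'
_ROWS = [  # (time, method, path, status, bytes, referer) taken from the quoted log
    ('13:29:09', 'POST', '/OpenClinica/j_spring_security_check', 302, 328,
     BASE + '/pages/login/login;jsessionid=E6A0E2838AA51B1DA9F6AED47C42D5CD'),
    ('13:29:09', 'GET', '/OpenClinica/favicon.ico', 304, 177,
     BASE + '/pages/login/login;jsessionid=E6A0E2838AA51B1DA9F6AED47C42D5CD'),
    ('13:29:09', 'GET', '/OpenClinica/MainMenu', 200, 8269, BASE + '/favicon.ico'),
    ('13:29:10', 'GET', '/favicon.ico', 302, 421, BASE + '/MainMenu'),
    ('13:29:10', 'GET', '/OpenClinica/pages/login/login;jsessionid=EA92FE865CF5345428D7538D18871D99',
     200, 4770, BASE + '/MainMenu'),
    ('13:29:12', 'GET', '/OpenClinica/ListStudySubjects', 302, 272, BASE + '/MainMenu'),
    ('13:29:12', 'GET', '/OpenClinica/pages/login/login', 200, 4770, BASE + '/MainMenu'),
    ('13:29:12', 'GET', '/favicon.ico', 302, 422, BASE + '/pages/login/login'),
    ('13:29:12', 'GET', '/OpenClinica/pages/login/login;jsessionid=9625D469100D1871538197FE241DECCB',
     200, 4770, BASE + '/pages/login/login'),
    ('13:29:12', 'GET', '/OpenClinica/RssReader', 200, 757, BASE + '/pages/login/login'),
]
SAMPLE_LOG = '\n'.join(
    f'[03/Sep/2019:{t} +0200] "{m} {p} HTTP/1.1" {s} {b} "{r}" "{UA}"'
    for t, m, p, s, b, r in _ROWS
)


def parse_log(lines):
    """Parse combined-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line.strip())
        if match:
            entry = match.groupdict()
            entry['line'] = number
            entry['status'] = int(entry['status'])
            entries.append(entry)
    return entries


def session_ids(entries):
    """Map each distinct jsessionid to the line where it first appears (URL or Referer)."""
    first_seen = {}
    for entry in entries:
        for field in ('path', 'referer'):
            for sid in JSESSIONID_RE.findall(entry[field]):
                first_seen.setdefault(sid.upper(), entry['line'])
    return first_seen


def forced_logouts(entries):
    """Requests answered 302 whose very next request from the same client lands on the login page."""
    hits = []
    for prev, nxt in zip(entries, entries[1:]):
        same_client = (prev['ip'], prev['ua']) == (nxt['ip'], nxt['ua'])
        if prev['status'] == 302 and same_client and nxt['path'].startswith(LOGIN_PAGE):
            hits.append((prev['line'], prev['path']))
    return hits


if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG.splitlines())
    for sid, line in session_ids(entries).items():
        print(f'session {sid} first seen on line {line}')
    for line, path in forced_logouts(entries):
        print(f'line {line}: {path} -> 302 -> login page')
```

On the quoted lines this reports three session IDs in twelve seconds and three bounces to the login page; a healthy login flow shows one ID that never changes after j_spring_security_check. Point it at a real access.log (with the IP prefix present) to group the check per client.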

#StackBounty: #multisite #wp-admin #redirect #nginx Multisite wp-admin redirecting to main wp-admin using NGINX

Bounty: 50

When I try to go to the wp-admin of any multi site, it redirects to the main wp-admin.

So if I go to example.com/multi-site-slug/wp-admin/ it redirects to example.com/wp-admin/

NGINX is being used as a reverse proxy.

I’m using the standard WordPress Multisite Subdirectory rules per the codex: https://wordpress.org/support/article/nginx/

If I take out this line in the conf file, rewrite ^(/[^/]+)?(/wp-.*) $2 last;, it prevents the redirect, but then media assets don’t serve properly on the multisites.



#StackBounty: #wp-admin #url-rewriting #redirect #dashboard Prevent /wp-admin/ from redirecting to homepage?

Bounty: 50

I have copied a WordPress instance from production to my local machine. After getting the public side of the site up (public homepage, pages, and blog posts), I cannot access /wp-admin/ because that URL always redirects to the / homepage. I have tried:

  • Updating the siteurl and home to “tk.local” (homepage and posts work fine)
  • Implementing a local self-signed SSL cert (in case it was an HTTPS problem)
  • Switching themes (switched fine, problem still persists)
  • Setting debug constants in wp-config.php
  • Removing debug constants in wp-config.php

Here is a curl of wp-admin:

curl -Ik https://tk.local/wp-admin/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.0
Date: Wed, 24 Jul 2019 17:27:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.40
X-Redirect-By: WordPress
Location: https://tk.local/
Last-Modified: Wed, 24 Jul 2019 17:27:39 GMT
Expires: Wed, 24 Jul 2019 18:27:39 GMT
Pragma: public
Cache-Control: max-age=3600, public
ETag: "d41d8cd98f00b204e9800998ecf8427e"
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-uri: /wp-admin/

Obviously, on the production copy the wp-admin URL works. Throughout it all, it 301-redirects from https://tk.local/wp-admin to https://tk.local/.
How can I prevent it from redirecting?


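
An added example, not WordPress or nginx code and not from the question: a Python helper that classifies a redirect captured with curl -I before anyone starts changing configuration. It reports who issued the redirect (WordPress labels its own with X-Redirect-By), whether the target leaves the current host or downgrades to http, and, the practical caveat here, whether the browser is allowed to cache the answer. RAW_RESPONSE is the header block quoted above, used as constructed sample input; REQUEST_URL is the URL from the curl command.

```python
"""Classify a redirect captured with ``curl -I`` before chasing its cause.

Added example for this post; not WordPress or nginx code. RAW_RESPONSE is the
header block quoted in the question, reproduced as constructed sample input,
and REQUEST_URL is the URL passed to curl there.
"""
from urllib.parse import urlsplit

REQUEST_URL = 'https://tk.local/wp-admin/'
RAW_RESPONSE = """\
HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.0
Date: Wed, 24 Jul 2019 17:27:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.40
X-Redirect-By: WordPress
Location: https://tk.local/
Last-Modified: Wed, 24 Jul 2019 17:27:39 GMT
Expires: Wed, 24 Jul 2019 18:27:39 GMT
Pragma: public
Cache-Control: max-age=3600, public
ETag: "d41d8cd98f00b204e9800998ecf8427e"
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-uri: /wp-admin/
"""


def parse_response(raw):
    """Split a raw HTTP response head into (status code, lower-cased header dict)."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return status, headers


def cache_max_age(cache_control):
    """Return the max-age directive of a Cache-Control value in seconds, or None."""
    for directive in cache_control.split(','):
        key, _, value = directive.strip().partition('=')
        if key.lower() == 'max-age' and value.isdigit():
            return int(value)
    return None


def analyze_redirect(raw, request_url):
    """Describe what a redirect response does and whether a browser will remember it."""
    status, headers = parse_response(raw)
    result = {
        'status': status,
        'is_redirect': 300 <= status < 400 and 'location' in headers,
        'location': headers.get('location'),
    }
    if not result['is_redirect']:
        return result
    req, loc = urlsplit(request_url), urlsplit(result['location'])
    cache_control = headers.get('cache-control', '').lower()
    max_age = cache_max_age(cache_control)
    result.update({
        # WordPress adds X-Redirect-By to redirects it issues itself; nginx's own carry none.
        'redirect_by': headers.get('x-redirect-by'),
        # A target on another host deserves a second look when the redirect is input-driven.
        'off_site': bool(loc.netloc) and loc.netloc.lower() != req.netloc.lower(),
        'downgrade_to_http': req.scheme == 'https' and loc.scheme == 'http',
        'cache_max_age': max_age,
        # 301/308 are cacheable by default, and an explicit max-age keeps the redirect alive
        # in the browser for that long even after the server-side cause has been fixed.
        'browser_may_cache': 'no-store' not in cache_control
                             and (status in (301, 308) or (max_age or 0) > 0),
        'hsts': 'strict-transport-security' in headers,
    })
    return result


if __name__ == '__main__':
    for key, value in analyze_redirect(RAW_RESPONSE, REQUEST_URL).items():
        print(f'{key:18} {value}')
```

On the quoted response this yields a 301 issued by WordPress itself, to the same host, marked public with max-age=3600: a browser that has followed it once will keep jumping to / for an hour without asking the server again, so retest with curl -I (which does not cache) or a fresh private window after each configuration change rather than the tab that already saw the redirect.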

#StackBounty: #customization #multisite #redirect Turn off redirect to canonical domain (or host website on any hostname)

Bounty: 50

I want to have various development (say dev.example.com) and staging environments of a WordPress multisite (example.com). For this it would be great if WordPress wouldn’t redirect to what it considers the canonical domain name.

I’m running into trouble with this in my wp-config.php:

define('DOMAIN_CURRENT_SITE', gethostname());

It redirects to example.com or gives me database errors.

This is after wp search-replace example.com dev.example.com.

Is it possible to turn off this redirection? If so, how?



#StackBounty: #nginx #redirect #url-rewriting Nginx redirect rule has no effect

Bounty: 50

Trying to do a simple redirect:

rewrite https://url.example.com(.*) https://example.com/plugins/url permanent;

Anytime url.example.com is hit, I want it to redirect to that specific path.

EDIT:

Will try to explain this better, as I’m trying to redirect to a specific domain from another.

server {
    server_name example.com plugin.example.com;
    root /home/www/example.com/public;
}

I see the location used for redirects such as:

location / {
    try_files $uri $uri/ /index.php?$query_string;
}

But I’m not sure how to use it in my case, which is to change plugin.example.com to example.com/plugin.

For example:

http://plugin.example.com
https://plugin.example.com
https://plugin.example.com/blah
https://plugin.example.com/blah/more

All of these should redirect to:

https://example.com/plugin



#StackBounty: #redirect #reverse-proxy #api-gateway Is redirection a valid strategy for an API Gateway?

Bounty: 50

I read this article about the API Gateway pattern. I realize that API Gateways typically serve as reverse proxies, but this forces a bottleneck situation. If all requests to an application’s public services go through a single gateway, or even a single load balancer across multiple replicas of a gateway (perhaps a hardware load balancer which can handle large amounts of bandwidth more easily than an API gateway), then that single access point is the bottleneck.

I also understand that it is a wide bottleneck, as it simply has to deliver messages in proxy, as the gateways and load balancers themselves are not responsible for any processing or querying. However, imagining a very large application with many users, one would require extremely powerful hardware to not notice the massive bandwidth traveling over the gateway or load balancer, given that every request to every microservice exposed by the gateway travels through that single access point.

If the API gateway instead simply redirected the client to publicly exposed microservices (sort of like a custom DNS lookup), the hardware requirements would be much lower. This is because the messages traveling to and from the API Gateway would be very small, the requests consisting only of a microservice name, and the responses consisting only of the associated public IP address.

I recognize that this pattern would involve greater latency due to increased external requests. It would also be more difficult to secure, as every microservice is publicly exposed, rather than providing authentication at a single entrypoint. However, it would allow for bandwidth to be distributed much more evenly, and provide a much wider bottleneck, thus making the application much more scalable. Is this a valid strategy?



#StackBounty: #redirect #apache Exclude a path from WordPress using .htaccess redirects (Apache)

Bounty: 50

I’d like to exclude a path that matches a rule from booting WordPress. The normal way I’d approach this is using the last flag [L] in a rule before all the others.

To keep things simple in this example, I’ll just pretend I want to match a simple path /foo/.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^foo/?$ - [L]
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

However, this does not work.
A few other options are suggested in this older Stack Overflow post, but none of them work (neither for me nor for anyone in the comments on that post).

I did try this rewrite condition instead of the rule:

RewriteCond %{REQUEST_URI} ^/?(foo/.*)$

As well as adding ErrorDocument 401 default to the end of the .htaccess document.



#StackBounty: #nginx #redirect #proxypass #drupal Drupal / nginx redirect domain without changing URL with proxy_pass

Bounty: 50

We have a Drupal 8 website which runs about 18 languages, but only the Chinese one has a separate domain. We want this domain, which for testing purposes is testchinese.com, to redirect in the background to drupalwebsite.com/zh-hans, where zh-hans is the language code for the Chinese version.

This is what we tried; it redirects, but the URL changes as well:

server {
    listen 80;
    listen [::]:80;
    #listen 443 ssl;
    #listen [::]:443 ssl;

    server_name testchinese.com;

    location /core/assets {
        alias /var/www/production/core/assets;
        try_files $uri $uri/;
    }

    location /zh-hans {
        rewrite ^/zh-hans(.*)$ $1 redirect;
    }

    location / {
        proxy_pass https://127.0.0.1/zh-hans$request_uri;
        proxy_set_header Host drupalwebsite.com;
    }
}

server {
    listen 80;
    listen [::]:80;

    server_name drupalwebsite.com;

    return 301 https://drupalwebsite.com$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name drupalwebsite.com;

    # "ssl on;" is deprecated; the ssl parameter on the listen directives above already enables TLS.
    ssl on;
    ssl_certificate /etc/letsencrypt/live/drupalwebsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/drupalwebsite.com/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); "ssl_protocols TLSv1.2 TLSv1.3;" is the current baseline.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    root /var/www/production;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html index.php;

    location /pMA {
        alias /var/www/production/pMA;
        index index.php index.html;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny PHP files below dot-directories (e.g. /.git/x.php); the literal dots must be escaped.
    location ~ \..*/.*\.php$ {
        return 403;
    }

    location ~ ^/sites/.*/private/ {
        return 403;
    }

    # Block access to scripts in site files directory
    location ~ ^/sites/[^/]+/files/.*\.php$ {
        deny all;
    }

    # Allow "Well-Known URIs" as per RFC 5785
    location ~* ^/\.well-known/ {
        allow all;
    }

    # Block access to "hidden" files and directories whose names begin with a
    # period. This includes directories used by version control systems such
    # as Subversion or Git to store control files.
    location ~ (^|/)\. {
        return 403;
    }

    location / {
        try_files $uri /index.php?$query_string;
    }

    location @rewrite {
        rewrite ^/(.*)$ /index.php?q=$1;
    }

    # Don't allow direct access to PHP files in the vendor directory.
    location ~ /vendor/.*\.php$ {
        deny all;
        return 404;
    }

    # In Drupal 8, we must also match new paths where the '.php' appears in
    # the middle, such as update.php/selection. The rule we use is strict,
    # and only allows this pattern with the update.php front controller.
    # This allows legacy path aliases in the form of
    # blog/index.php/legacy-path to continue to route to Drupal nodes. If
    # you do not have any paths like that, then you might prefer to use a
    # laxer rule, such as:
    # location ~ \.php(/|$) {
    # The laxer rule will continue to work if Drupal uses this new URL
    # pattern with front controllers other than update.php in a future
    # release.
    location ~ '\.php$|^/update.php' {
        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
        include fastcgi_params;
        fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_intercept_errors on;
        #include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }

    # Fighting with Styles? This little gem is amazing.
    # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
        try_files $uri @rewrite;
    }

    # Handle private files through Drupal. Private file's path can come
    # with a language prefix.
    location ~ ^(/[a-z-]+)?/system/files/ { # For Drupal >= 7
        try_files $uri /index.php?$query_string;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        try_files $uri @rewrite;
        expires max;
        log_not_found off;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }

}

Any help is much appreciated!



#StackBounty: #ssl #tomcat #redirect #apache2 #lets-encrypt modern installation of Tomcat with SSL on port 443

Bounty: 50

In the computer course I’m writing I’m using Tomcat for the server. (Students learn how to set up CentOS and everything from scratch. Currently the course has them using Tomcat running on port 8080.) I’m going back to write the section on security. I want students to learn to set up their web server to use SSL/TLS on port 443, with HTTP port 80 redirecting to HTTPS port 443. This should be a very basic, fundamental configuration, no?

The last time I did this myself was about 10 or 15 years ago, when I compiled Apache myself and put it in front of Tomcat using whatever connectors (I’ll have to go look at my configuration from back then), purchasing outrageously priced SSL certificates and installing them manually. Now I’m sure things are greatly improved. Recently I’ve set up Apache (I didn’t have to compile it) hosting static pages directly, and using Let’s Encrypt (once I figured out what I should be doing) for SSL was a breeze. It’s working nicely. So I assume I’d want to use Let’s Encrypt in whatever solution I prescribe to the students.

So what is the best practice, straightforward, and simple setup for Tomcat with SSL on port 443 (preferably using Let’s Encrypt) with HTTP port 80 forwarding to HTTPS port 443? Do I still need to stick Apache (or Nginx?) in front of it? (The last I checked, letting Tomcat use lower port numbers was a pain, and nobody seemed to know an easy, straightforward way to do it.)

