Bugzilla Behind HAProxy With SSL Termination

Thorsten Schöning tschoening at am-soft.de
Fri May 7 07:17:41 UTC 2021


Hello Facundo Ezequiel Bisso,
on Friday, 7 May 2021 at 00:50 you wrote:

> "The new value for sslbase is invalid: Failed to connect to mydomain.com:443
> (Connection timed out); unable to enable SSL." (see screenshot 1)

I'm somewhat sure that this check is server side only within your
Apache HTTPd and you only see the output of the result in your
browser. So if I understand your setup correctly, it's already BEHIND
your SSL termination and in theory the check is simply correct if :443
is not available at that place. So check your internal setup starting
from HTTPd's point of view if :443 is reachable or not.

I doubt that this check can be skipped using the web interface, so you
might try to change the config directly in the file
"data/params.json". Just search for "sslbase" in there and see what
happens.

> although we are actually already using that address with the certificates
> provided by our haproxy (With ssl termination. The connection between
> haproxy and apache is made over port 80).
> Firefox reports that the connection is secure. (See screenshot 2)

Because you are coming from "outside" and are connecting to HAPROXY,
that's pretty likely a different starting point than what Bugzilla
does when it checks SSL on its own.

> We are also encountering a weird problem where we need to log in three
> times before it goes through, and the second time a warning pops up that
> says: "The information you have entered on this page will be sent over an
> insecure connection and could be read by a third party." though, again, we
> are using https and valid certificates. (See Screenshot 3)

Check your browser when accessing Bugzilla very carefully and have
especially a look at the development tools about redirects. If you
start at :443 and input username and password, I guess you are afterwards
redirected by Bugzilla because of missing SSLBASE to :80. This makes
your browser warn about unsecured auth credentials in the end.

Even if you don't see those redirects, when your browser warns you,
check the domain and port of the page! It's very likely :80 instead of
:443 and the warning of the browser is correct in this case.

Without SSLBASE, Bugzilla will render all output using URLBASE, so if
that is :80 in your case, the browser will make unsecured requests in
the end and warn you about that. When you don't want ANY :80 requests,
you might try changing URLBASE to HTTPS instead.

> In some PHP-based applications, we use the "X-Forwarded-Proto" header to
> set the HTTPS environment variable in Apache, so that the application works
> as if it were being accessed through port 443.
> Will some kind of similar configuration be necessary?

Don't think so, instead you should make sure that Bugzilla can resolve
DOMAIN:443 properly server side first.

Kind regards

Thorsten Schöning

-- 
AM-SoFT IT-Service - Bitstore Hameln GmbH i.G.
Member of the Bitstore Group - your full-service provider for IT and telecommunications

E-mail: Thorsten.Schoening at AM-SoFT.de
Web:    http://www.AM-SoFT.de/

Tel:   05151-  9468- 0
Tel:   05151-  9468-55
Fax:   05151-  9468-88
Mobile: 0178-8 9468-04

AM-SoFT IT-Service - Bitstore Hameln GmbH i.G., Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB neu - Managing Director: Janine Galonska
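
The server-side check suggested in the reply above, as an added example that is not part of the original message and is not Bugzilla's own code: it reads `urlbase` and `sslbase` from `data/params.json` and attempts a TCP connection to any HTTPS base from the Bugzilla host itself. It assumes `params.json` is a flat JSON object containing those two keys; the function names and the sample host `bugs.example.test` are constructed for illustration.

```python
import json
import socket
import sys
from urllib.parse import urlsplit

# Constructed sample of the two relevant params.json keys (not from the page).
SAMPLE = {"urlbase": "http://bugs.example.test/", "sslbase": ""}

def endpoint(url):
    """Return (scheme, host, port) for a base URL, or None if it is unset."""
    if not url:
        return None
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname, port

def reachable(host, port, timeout=5.0):
    """Try a TCP connect from THIS host, i.e. from behind the proxy."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:  # covers timeouts, refusals and DNS failures
        return False, f"{type(exc).__name__}: {exc}"

def audit(params, probe=reachable):
    """List problems with urlbase/sslbase as seen from the Bugzilla host."""
    findings = []
    url = endpoint(params.get("urlbase"))
    ssl = endpoint(params.get("sslbase"))
    if url and url[0] != "https" and ssl is None:
        findings.append("urlbase is plain http and sslbase is unset: "
                        "generated links and redirects will use http")
    for name, ep in (("urlbase", url), ("sslbase", ssl)):
        if ep and ep[0] == "https":
            ok, why = probe(ep[1], ep[2])
            if not ok:
                findings.append(f"{name} {ep[1]}:{ep[2]} is not reachable "
                                f"from this host ({why})")
    return findings

if __name__ == "__main__":
    # Pass the path to data/params.json; without one the sample is audited.
    params = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            params = json.load(fh)
    for line in audit(params) or ["no findings"]:
        print(line)
```

Run it on the Apache/Bugzilla machine rather than from a workstation, since the result depends on where the connection starts.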

