Bugzilla Behind HAProxy With SSL Termination

Facundo Ezequiel Bisso fbisso at frba.utn.edu.ar
Mon May 10 20:18:42 UTC 2021


Hello Thorsten,

We managed to solve the problem by changing the field 'urlbase' to the
complete URL using https and leaving 'sslbase' blank.

Thank you very much for your help.

Sincerely,

On Fri, May 7, 2021 at 4:18, Thorsten Schöning (<tschoening at am-soft.de>)
wrote:

> Hello Facundo Ezequiel Bisso,
> on Friday, 7 May 2021 at 00:50 you wrote:
>
> > "The new value for sslbase is invalid: Failed to connect to mydomain.com:443
> > (Connection timed out); unable to enable SSL." (see screenshot 1)
>
> I'm somewhat sure that this check is server side only within your
> Apache HTTPd and you only see the output of the result in your
> browser. So if I understand your setup correctly, it's already BEHIND
> your SSL termination and in theory the check is simply correct if :443
> is not available at that place. So check your internal setup starting
> from HTTPd's point of view if :443 is reachable or not.
>
> I doubt that this check can be skipped using the web interface, so you
> might try to change the config directly in the file
> "data/params.json". Just search for "sslbase" in there and see what
> happens.
>
> > although we are actually already using that address with the certificates
> > provided by our haproxy (With ssl termination. The connection between
> > haproxy and apache is made over port 80).
> > Firefox reports that the connection is secure. (See screenshot 2)
>
> Because you are coming from "outside" and are connecting to HAPROXY,
> that's pretty likely a different starting point than what Bugzilla
> does when it checks SSL on its own.
>
> > We are also encountering a weird problem where we need to log in three
> > times before it goes through, and the second time a warning pops up that
> > says: "The information you have entered on this page will be sent over an
> > insecure connection and could be read by a third party." though, again, we
> > are using https and valid certificates. (See Screenshot 3)
>
> Check your browser when accessing Bugzilla very carefully and have
> especially a look at the development tools about redirects. If you
> start :443, input username and password I guess you are afterwards
> redirected by Bugzilla because of missing SSLBASE to :80. This makes
> your browser warn about unsecured auth credentials in the end.
>
> Even if you don't see those redirects, when your browser warns you,
> check the domain and port of the page! It's very likely :80 instead of
> :443 and the warning of the browser is correct in this case.
>
> Without SSLBASE, Bugzilla will render all output using URLBASE, so if
> that is :80 in your case, the browser will make unsecured requests in
> the end and warn you about that. When you don't want ANY :80 requests,
> you might try changing URLBASE to HTTPS instead.
>
> > In some PHP-based applications, we use the "X-Forwarded-Proto" header to
> > set the HTTPS environment variable in Apache, so that the application works
> > as if it were being accessed through port 443.
> > Will some kind of similar configuration be necessary?
>
> Don't think so, instead you should make sure that Bugzilla can resolve
> DOMAIN:443 properly server side first.
>
> Kind regards
>
> Thorsten Schöning
>
> --
> AM-SoFT IT-Service - Bitstore Hameln GmbH i.G.
> Member of the Bitstore Group - your full-service provider for IT and telecommunications
>
> E-mail: Thorsten.Schoening at AM-SoFT.de
> Web:    http://www.AM-SoFT.de/
>
> Tel:   05151-  9468- 0
> Tel:   05151-  9468-55
> Fax:   05151-  9468-88
> Mobile: 0178-8 9468-04
>
> AM-SoFT IT-Service - Bitstore Hameln GmbH i.G., Brandenburger Str. 7c,
> 31789 Hameln
> Hannover Local Court, HRB (new) - Managing Director: Janine Galonska


-- 
Facundo Ezequiel Bisso
Coordinator
Systems Administration and Infrastructure
Undersecretariat of Information and Communication Technology
Facultad Regional Buenos Aires - Universidad Tecnológica Nacional
Medrano 951 3er Piso (C1179AAQ) Cap. Fed.
Office 315 - 4867-7607
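
Added example, not part of the original thread and not Bugzilla code: a small audit of the two parameters discussed above, run on the backend so the port test has the same starting point as the server behind HAProxy. It assumes data/params.json is a flat JSON object with string values for `urlbase` and `sslbase`; the function names, the sample dictionaries and the stand-in probe are constructed for illustration.

```python
import json
import socket
import sys
from urllib.parse import urlsplit


def port_reachable(host, port, timeout=3.0):
    """TCP connect from THIS machine: the backend's view, not the browser's."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_params(params, probe=port_reachable):
    """Return findings for urlbase/sslbase on a backend behind TLS termination."""
    findings = []
    urlbase = params.get("urlbase", "")
    sslbase = params.get("sslbase", "")
    if urlsplit(urlbase).scheme != "https":
        findings.append(f"urlbase {urlbase!r} is not https: pages are rendered "
                        "with it, so links and form targets leave TLS")
    if sslbase:
        target = urlsplit(sslbase)
        host, port = target.hostname, target.port or 443
        if host is None or not probe(host, port):
            findings.append(f"sslbase target {host}:{port} is not reachable "
                            "from this server, so a server-side check fails")
    return findings


# Constructed sample values; mydomain.com is the placeholder from the thread.
BEFORE = {"urlbase": "http://mydomain.com/", "sslbase": ""}
ATTEMPTED = {"urlbase": "http://mydomain.com/", "sslbase": "https://mydomain.com/"}
AFTER = {"urlbase": "https://mydomain.com/", "sslbase": ""}


def backend_without_443(host, port):
    """Stand-in probe for a backend that only sees the proxy on port 80."""
    return False


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file, e.g. data/params.json
        with open(sys.argv[1], encoding="utf-8") as fh:
            print("\n".join(audit_params(json.load(fh))) or "no findings")
    else:
        for name, p in (("before", BEFORE), ("attempted", ATTEMPTED), ("after", AFTER)):
            print(name, audit_params(p, probe=backend_without_443))
```

Run without arguments it walks the three constructed states; given a path to a params file it audits that file using a real TCP connect from the machine it runs on.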