Author Topic: How to get SMF working properly behind a reverse proxy server over https?  (Read 2067 times)

Offline thenakedscientists

  • Semi-Newbie
  • *
  • Posts: 25
Dear all

My forum is a sub-site within a main site powered by drupal. The forum is customised to look like the drupal site but is actually running independently of it. I did initially experiment with a drupal SMF bridge but it was a bit of a nightmare for various reasons and kept ejecting users, so I divorced the two again.

SMF runs very happily over https://

However, as part of the main site development I am now trying to install varnish in front of drupal to speed it up. Because we're using SSL I also need a proxy in front of varnish because varnish doesn't support https://

So, on my dev server, containing a clone of the live site, I have the following stack:

Pound (listening on https and also redirecting any non-https (port 80 traffic) to https) <=> Varnish5.1 <=> Apache2.4

I have config'd varnish to pass through any forum traffic, because the forum is fast anyway so I don't need that additionally cached, and the cookie for the login as well as the header settings for SMF prevent caching anyway.

Under this config, the drupal site works fine.

For anonymous users, the SMF forum is fine.

But I cannot log in. It keeps chucking session expired errors for my user, even on a cookie-cleared, cache-cleaned machine.

Has anyone else successfully set up a stack similar to this and made it work with SMF? If so, can anyone guide me on how to investigate this and chase down the cause of my problem?

Yours gratefully,

Chris

Offline Illori

  • Project Manager
  • SMF Legend
  • *
  • Posts: 51,136
SMF and varnish don't work well together. I would not recommend using them together.

Offline thenakedscientists

  • Semi-Newbie
  • *
  • Posts: 25
I'm bypassing varnish by adding an exception in vcl-recv that passes through any forum url; as such, it should not be a problem.

I know this because if I run varnish as the front end (i.e. using the varnish port to access the site and the forum) then it works fine and I can log in no problem.

It's when I add SSL / pound on the front that I get this headache, so there's something else happening here I think.

Offline Jailer

  • Jr. Member
  • **
  • Posts: 142
  • Gender: Male
    • Bored Guy Blog
It has to be something in your Pound configuration. I run my forum behind a nginx reverse proxy with SSL and it works great.

Offline thenakedscientists

  • Semi-Newbie
  • *
  • Posts: 25
Thanks Jailer.

What do you use as the config for board url in Settings.php, and the links to your themes etc directories? Absolute, or relative urls, with, or without https://?

Cheers
Chris

Offline thenakedscientists

  • Semi-Newbie
  • *
  • Posts: 25
A further update:

To make troubleshooting easier I have removed varnish from the equation by temporarily pointing Pound straight at apache. (So pound listens on https:// port and fwds to the apache2.4 listening port).

This confirms that varnish is not the cause of the problem because I am still getting session expired errors when trying to log in.

But, if I access the forum via the apache port (so go to localhost:81 - which is the port apache is listening to) and access the forum not over https, then I can log in no problem. If I then revert back to https:// i.e. go via Pound - then I am logged in and using the forum no problem.

Can someone please explain what must be going on to cause this?

Cheers

Offline thenakedscientists

  • Semi-Newbie
  • *
  • Posts: 25
I've now rigged up nginx as the reverse proxy ahead of apache serving the forum.

I have nginx listening on port 443 (https://) and the forum being served by apache; nginx is set to redirect all port 80 requests to 443, picking up and fixing any dodgy links within the forum.

I can browse the forum as an anonymous user no problem, but as soon as I try to log in I get a session expired error when it does the session verification (login2). The wording is:

An Error Has Occurred!
Your session timed out while posting. Please go back and try again.

I'd really appreciate some advice on this please from someone who can tell me what might be causing this. Is it something as mundane as the fact that I'm doing this over a self-signed certificate created just for testing? Or is there some silly gotcha that I am overlooking?

Is it a cookie problem that's triggering this?

Cheers
« Last Edit: January 15, 2018, 06:51:12 PM by thenakedscientists »
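
One way to test the cookie question raised in the post above, as an added example that is not part of the thread: given a Set-Cookie header captured through the TLS proxy, it reports why a browser would not return that cookie on the login POST, using RFC 6265 domain and path matching. The `cookie_problems` helper, the hostnames and the cookie values are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def domain_match(host, domain):
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def path_match(req_path, cookie_path):
    """RFC 6265 5.1.4: cookie path is a directory prefix of the request path."""
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False

def cookie_problems(set_cookie, set_url, post_url):
    """List reasons the browser would not send this cookie on post_url.

    set_cookie: raw Set-Cookie value as seen by the browser (after the proxy)
    set_url:    public URL whose response carried the header
    post_url:   public URL the login form submits to
    """
    morsel = next(iter(SimpleCookie(set_cookie).values()))
    src, dst = urlsplit(set_url), urlsplit(post_url)
    domain = morsel["domain"]
    if domain and not domain_match(src.hostname, domain):
        # A backend that believes it has another hostname can emit this.
        return ["rejected: Domain does not match the host that set it"]
    problems = []
    if domain:
        if not domain_match(dst.hostname, domain):
            problems.append("not sent: login host outside cookie Domain")
    elif dst.hostname != src.hostname:  # no Domain attribute: host-only cookie
        problems.append("not sent: host-only cookie, login host differs")
    if morsel["secure"] and dst.scheme != "https":
        problems.append("not sent: Secure cookie, login URL is plain http")
    # Simplification: a missing Path attribute is treated as "/".
    if not path_match(dst.path or "/", morsel["path"] or "/"):
        problems.append("not sent: login path outside cookie Path")
    return problems

if __name__ == "__main__":
    # Constructed sample: backend behind the proxy builds an http:// form action.
    print(cookie_problems("PHPSESSID=abc123; Path=/; Secure",
                          "https://www.example.test/forum/index.php",
                          "http://www.example.test/forum/index.php?action=login2"))
```

An empty list means the cookie would be returned, so the session error has to be chased elsewhere (for example in what the backend sees as host and scheme).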

Offline drewactual

  • Full Member
  • ***
  • Posts: 672
    • College Football Fan Site CFB51
Add a sessions check to the login form in the theme you're using.

Offline thenakedscientists

  • Semi-Newbie
  • *
  • Posts: 25
Thank you, @drewactual - but I'm using the core theme for testing, so I would have thought this was intrinsic to that already?

Offline Illori

  • Project Manager
  • SMF Legend
  • *
  • Posts: 51,136
I don't think the core theme has the sessions added to it, double check on your install.

Offline thenakedscientists

  • Semi-Newbie
  • *
  • Posts: 25
Re: How to get SMF working properly behind a reverse proxy server over https?
« Reply #10 on: January 16, 2018, 06:33:31 AM »
Thanks Illori; so can you please advise me a) what to check for and b) if I find I need to add session checking, how I do that?

Thanks

Chris

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,541
  • Gender: Male
  • Don't worry, I'm n00b friendly
Re: How to get SMF working properly behind a reverse proxy server over https?
« Reply #11 on: January 16, 2018, 10:38:26 AM »
I believe Illori was referring to this https://wiki.simplemachines.org/smf/Login_error_2.0.14