How to get SMF working properly behind a reverse proxy server over https?

Started by thenakedscientists, January 15, 2018, 07:30:48 AM


thenakedscientists

Dear all

My forum is a sub-site within a main site powered by drupal. The forum is customised to look like the drupal site but is actually running independently of it. I did initially experiment with a drupal SMF bridge but it was a bit of a nightmare for various reasons and kept ejecting users, so I divorced the two again.

SMF runs very happily over https://

However, as part of the main site development I am now trying to install varnish in front of drupal to speed it up. Because we're using SSL I also need a proxy in front of varnish because varnish doesn't support https://

So, on my dev server, containing a clone of the live site, I have the following stack:

Pound (listening on https and also redirecting any non-https (port 80 traffic) to https) <=> Varnish5.1 <=> Apache2.4

I have config'd varnish to pass through any forum traffic, because the forum is fast anyway so I don't need that additionally cached, and the cookie for the login as well as the header settings for SMF prevent caching anyway.

Under this config, the drupal site works fine.

For anonymous users, the SMF forum is fine.

But I cannot log in. It keeps chucking session expired errors for my user, even on a cookie-cleared, cache-cleaned machine.

Has anyone else successfully set up a stack similar to this and made it work with SMF? If so, can anyone guide me on how to investigate this and chase down the cause of my problem?

Yours gratefully,

Chris

Illori

SMF and varnish don't work well together. I would not recommend using them together.

thenakedscientists

I'm bypassing varnish by adding an exception in vcl-recv that passes through any forum url; as such, it should not be a problem.

I know this because if I run varnish as the front end (i.e. using the varnish port to access the site and the forum) then it works fine and I can log in no problem.

It's when I add SSL / pound on the front that I get this headache, so there's something else happening here I think.

Jailer

It has to be something in your Pound configuration. I run my forum behind a nginx reverse proxy with SSL and it works great.

thenakedscientists

Thanks Jailer.

What do you use as the config for board url in Settings.php, and the links to your themes etc directories? Absolute, or relative urls, with, or without https://?

Cheers
Chris

thenakedscientists

A further update:

To make troubleshooting easier I have removed varnish from the equation by temporarily pointing Pound straight at apache. (So pound listens on https:// port and fwds to the apache2.4 listening port).

This confirms that varnish is not the cause of the problem because I am still getting session expired errors when trying to log in.

But, if I access the forum via the apache port (so go to localhost:81 - which is the port apache is listening to) and access the forum not over https, then I can log in no problem. If I then revert back to https:// i.e. go via Pound - then I am logged in and using the forum no problem.

Can someone please explain what must be going on to cause this?

Cheers

thenakedscientists

I've now rigged up nginx as the reverse proxy ahead of apache serving the forum.

I have nginx listening on port 443 (https://) and the forum being served by apache; nginx is set to redirect all port 80 requests to 443, picking up and fixing any dodgy links within the forum.

I can browse the forum as an anonymous user no problem, but as soon as I try to log in I get a session expired error when it does the session verification (login2). The wording is:

An Error Has Occurred!
Your session timed out while posting. Please go back and try again.

I'd really appreciate some advice on this please from someone who can tell me what might be causing this. Is it something as mundane as the fact that I'm doing this over a self-signed certificate created just for testing? Or is there some silly gotcha that I am overlooking.

Is it a cookie problem that's triggering this?

Cheers

drewactual

Add a sessions check to the login form in the theme you're using.

thenakedscientists

Thank you, @drewactual - but I'm using the core theme for testing, so I would have thought this was intrinsic to that already?

Illori

I don't think the core theme has the sessions added to it, double check on your install.

thenakedscientists

Thanks Illori; so can you please advise me a) what to check for and b) if I find I need to add session checking, how I do that?

Thanks

Chris

Aleksi "Lex" Kilpinen
