setup using a HTTPS reverse proxy
This topic contains 15 replies, has 5 voices, and was last updated by cljk 6 years, 7 months ago.
Starting from March 1, 2020 the forum has been switched to the read-only mode. Please head to StackOverflow for support.
May 12, 2016 at 2:12 am #27134
Hi,
I’m trying to run orocrm behind a TLS reverse proxy.
“Almost” everything is fine except two things:
- whatever locale I’m using, it tries to access <locale>.js over http, resulting in Firefox blocking the display. The only workaround is to “disable protection” so all calls load. After the file is retrieved once, other calls are made over https
- I have absolutely no clue of the websocket settings, according to the following setup:
  – reverse proxy is listening on <public_ip>:443
  – internal apache server is listening to 127.0.0.1:8080
Any help appreciated (especially for the websocket thing).
Regards,
IG

May 13, 2016 at 1:16 pm #27135
For the <locale>.js, same thing happens with Safari (latest, 9.1).
JS developper log says :[Warning] [blocked] The page at https://orocrm.redacted.com/ was not allowed to run insecure content from http://orocrm.redacted.com/js/translation/en.js?version=bf6c70fe. (require.js, line 1900)
I tried to change routing.yml to
    oro_auto_routing:
        resource: .
        type: oro_auto
        schemes: [https]

but it did not help.

May 16, 2016 at 7:57 am #27136
Could you please provide us with the version of Apache and reverse-proxy server,
And if it’s possible – the parts of the configuration files of these services.
Additional information is required to investigate this issue.
Thanks

May 16, 2016 at 9:20 am #27137
Here it is.
Apache is running 2.2.22 on a Debian 7.
Reverse-proxy SSL offloading is made by haproxy 1.6.4.

Apache virtual host is pretty classic:

    <VirtualHost *:8080>
        ServerName orocrm.example.com
        DirectoryIndex app.php
        DocumentRoot /opt/orocrm/web
        <Directory /opt/orocrm/web>
            # enable the .htaccess rewrites
            AllowOverride All
            Order allow,deny
            Allow from All
        </Directory>
        ErrorLog /var/log/apache2/orocrm_error.log
        SetEnvIf X-Forwarded-For ".*" fwd
        CustomLog /var/log/apache2/orocrm_access.log combined env=!fwd
        CustomLog /var/log/apache2/orocrm_access.log forwarded env=fwd
    </VirtualHost>

haproxy settings are classic too:

    frontend ft-secure
        bind *:443 name web-tls ssl crt redacted.crt
        reqadd X-Forwarded-Proto:\ https
        http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;
        acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
        rspirep ^(Set-Cookie:.*) \1;\ Secure unless secured_cookie
        acl sni_host-orocrm ssl_fc_sni orocrm.example.com
        use_backend bck-localapache if sni_host-orocrm

    backend bck-localapache
        server apache 127.0.0.1:8080 check

An X-Forwarded-For header is added to the request from haproxy to apache.
Thanks for your help,
IG

May 18, 2016 at 7:30 am #27138
Please see our part of the haproxy config below (it’s the default one without any customization):

    frontend secured
        mode http
        maxconn 10240
        rate-limit sessions 10240
        bind *:443 ssl crt /{{ $PATH }}/server.pem
        reqadd X-Forwarded-Proto:\ https
        option httpclose
        option forwardfor
        default_backend www_backend

    backend www_backend
        mode http
        balance roundrobin
        server server1 {{ $IP }}:80 weight 1 maxconn 10240 check
    ----
    frontend websocket
        mode http
        maxconn 10240
        rate-limit sessions 10240
        bind *:8081 ssl crt /{{ $PATH }}/server.pem
        reqadd X-Forwarded-Proto:\ https
        option httpclose
        option forwardfor
        default_backend websocket_backend

    backend websocket_backend
        mode http
        balance roundrobin
        server websocket_proxy_1 {{ $IP }}:8081 weight 1 maxconn 4096
        timeout tunnel 84600000
    ----
Please re-check that “option forwardfor” is configured on the haproxy side. You mentioned it, however I cannot see it in your part of the configuration file.
Also please make sure that the “timeout tunnel” option is set to some high value.

May 18, 2016 at 8:39 am #27139
Thanks for your feedback.
The forwardfor option is set in the defaults section:

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option forwardfor

For the web socket settings, does it mean that it cannot be configured so the WS traffic is redirected from the HTTPS frontend to the WS backend?
Could you send your relevant part of the parameters.yml for the websocket?

    websocket_bind_address: 0.0.0.0
    websocket_bind_port: 8080
    websocket_frontend_host: '*'
    websocket_frontend_port: 8080
    websocket_backend_host: '*'
    websocket_backend_port: 8080

Also there is still an issue with the loading of the localization JS: it does try to retrieve <locale>.js over HTTP, which the browser blocks as HSTS is enabled.
[Warning] [blocked] The page at https://orocrm.example.com/ was not allowed to run insecure content from http://orocrm.example.com/js/translation/en.js?version=7cab5566. (oro.min.js, line 1061)
Is there a way to solve this ?
Thanks,
IG

May 18, 2016 at 8:47 am #27140
From Chrome error message:

    oro.min.js?version=7cab5566:1061 Mixed Content: The page at 'https://orocrm.example.com/' was loaded over HTTPS,
    but requested an insecure script 'http://orocrm.example.com/js/translation/en.js?version=7cab5566'.
    This request has been blocked; the content must be served over HTTPS.
    req.load @ oro.min.js?version=7cab5566:1061
    _.load @ oro.min.js?version=7cab5566:1061
    b.load @ oro.min.js?version=7cab5566:1061
    (anonymous function) @ oro.min.js?version=7cab5566:1061
    (anonymous function) @ oro.min.js?version=7cab5566:1061
    _.execCb @ oro.min.js?version=7cab5566:1061
    b.check @ oro.min.js?version=7cab5566:1061
    b.enable @ oro.min.js?version=7cab5566:1061
    b.init @ oro.min.js?version=7cab5566:1061
    (anonymous function) @ oro.min.js?version=7cab5566:1061
    oro.min.js?version=7cab5566:1061 Uncaught Error: Script error for: oro/translations
    http://requirejs.org/docs/errors.html#scripterror
    makeError @ oro.min.js?version=7cab5566:1061
    _.onScriptError @ oro.min.js?version=7cab5566:1061
    req.load @ oro.min.js?version=7cab5566:1061
    _.load @ oro.min.js?version=7cab5566:1061
    b.load @ oro.min.js?version=7cab5566:1061
    (anonymous function) @ oro.min.js?version=7cab5566:1061
    (anonymous function) @ oro.min.js?version=7cab5566:1061
    _.execCb @ oro.min.js?version=7cab5566:1061
    b.check @ oro.min.js?version=7cab5566:1061
    b.enable @ oro.min.js?version=7cab5566:1061
    b.init @ oro.min.js?version=7cab5566:1061
    (anonymous function) @ oro.min.js?version=7cab5566:1061

May 19, 2016 at 1:56 am #27141
OK. No more issues with the <locale>.js after modifying routing.yml this way:

    oro_expose:
        resource: .
        type: oro_expose
        schemes: [https]

However, I’d like to know if websocket bind/frontend/backend settings could allow all traffic to be diverted by the reverse proxy without opening another port.

May 19, 2016 at 2:56 am #27142
We’re glad to hear that you solved the issue with the <locale>.js
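A side note on the cookie rewriting in the haproxy frontend IG posted on May 16 (the `acl secured_cookie ... -m sub secure` line and the `rspirep ... Secure` line), as an added example that is not part of this thread and not haproxy's or Oro's code: the acl is a substring match, so any Set-Cookie header that contains the word anywhere, for instance a cookie named `insecure_banner`, counts as already secured and is left without the flag. The Python below models the substring check next to a proper attribute check on constructed Set-Cookie headers (cookie names and values are made up), and `add_secure_flag` does what the rspirep rule intends using the attribute check.

```python
# Constructed Set-Cookie headers as a PHP backend behind the proxy might emit
# them. Names and values are made up for the example.
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=c0ffee1234; path=/; HttpOnly",
    "Set-Cookie: PHPSESSID=c0ffee1234; path=/; Secure; HttpOnly",
    "Set-Cookie: insecure_banner=dismissed; path=/",
    "Set-Cookie: theme=light; path=/; secure",
]


def cookie_attributes(header):
    """Split a Set-Cookie header into its ';'-separated attribute tokens,
    dropping the header name and the leading name=value pair."""
    _, _, value = header.partition(":")
    parts = [p.strip() for p in value.split(";")]
    return parts[1:]


def has_secure_attribute(header):
    """True only when Secure is present as an attribute (attribute names are
    case-insensitive per RFC 6265)."""
    return any(attr.lower() == "secure" for attr in cookie_attributes(header))


def substring_says_secure(header):
    """Mirror of the thread's acl: res.hdr(Set-Cookie),lower -m sub secure."""
    return "secure" in header.lower()


def add_secure_flag(header):
    """What the rspirep rule intends: append '; Secure' where the attribute is missing."""
    if has_secure_attribute(header):
        return header
    return header.rstrip().rstrip(";") + "; Secure"


def audit(headers):
    """Return (header, substring_result, attribute_result) per header. A row
    reading True/False is one the substring acl would treat as already secured
    although the cookie carries no Secure attribute."""
    return [(h, substring_says_secure(h), has_secure_attribute(h)) for h in headers]


if __name__ == "__main__":
    print("substr attr  header")
    for header, by_substring, by_attribute in audit(SAMPLE_HEADERS):
        print(f"{by_substring!s:6} {by_attribute!s:5} {header}")
        print(f"             -> {add_secure_flag(header)}")
```

The third sample is the one to watch: the substring check reports it as secured while the attribute check does not, so a rule gated on the substring acl never adds the flag to it.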
You would like to proxy all the traffic e.g. http and websocket via only one port 443, right ?
Seems it’s not possible to perform it correctly. The application is designed to have two ports, one for http traffic and another for websocket.

May 19, 2016 at 3:52 am #27143
OK.
For my knowledge, what are those 3 websocket settings then?

May 19, 2016 at 5:41 am #27144
> For my knowledge, what are those 3 websocket settings then ?

Could you clarify your question?

Usually we configure only the parameters below for websocket and leave default values for others:

    websocket_host: IP/domaine-name
    websocket_port: 8081

May 19, 2016 at 11:43 pm #27145
I am wondering what is the use of the 3 pairs of settings from parameters.yml

    websocket_bind_address: 0.0.0.0
    websocket_bind_port: 8080
    websocket_frontend_host: '*'
    websocket_frontend_port: 8080
    websocket_backend_host: '*'
    websocket_backend_port: 8080

The haproxy and the apache web server are running on the same machine, thus haproxy cannot bind to the same port as the websocket server. That’s why I guess I should use websocket_bind on an unused port and declare frontend_host and frontend_port to what the end user sees. I don’t know what the backend port could be made for.

July 28, 2016 at 5:12 pm #27146
Sort of works with the change to routing.yml, but when I use a non-standard port (8443) the problem returns with the port number missing for the en.js file. Also get issues with redirects to and from the login page: the port number is there but the scheme is wrong (http)….
Looking at the page source I see the base url config of requireJS picks up the port but not the https scheme:
    <script type="text/javascript">
    var require = (function(){
    var r=function(c){m(r.c,c)};r.c={};function m(a,b){
    for (var i in b)b[i]!=null&&b[i].toString()==='[object Object]'?m(a[i]||(a[i]={}),b[i]):a[i]=b[i]}
    return r;
    }());
    require({
    baseUrl: "\/bundles",
    urlArgs: 'version=ee4ee2b6'
    });
    require({
    config: {
    'oroui/js/app': {
    baseUrl: "http:\/\/127.0.0.1:8443",
    headerId: "x-oro-hash-navigation",
Code for this is in UIBundle/Resources/views/requirejs.config.js.twig
    baseUrl: {{ app.request.getSchemeAndHttpHost()|json_encode|raw }},
and the translation picks up the scheme but not the port….
    require({
    shim: { 'oro/translations': {
    deps: ['orotranslation/js/translator', 'translator'],
    init: function(__) {
    return __;}}},
    map: { '*': { 'orotranslation/js/translator': 'oro/translations'},
    'oro/translations': {
    'orotranslation/js/translator': 'orotranslation/js/translator' }},
    paths: {
    'oro/translations': 'https\x3A\x2F\x2F127.0.0.1\x2Fjs\x2Ftranslation\x2Fen'
    },
    config: {
    'orotranslation/js/translator': {
    'debugTranslator': false
    }}});
Source in TranslationBundle/Resources/views/requirejs.config.js.twig
    paths: {
    'oro/translations': '{{ url('oro_translation_jstranslation')[0:-3] }}'
    }
Any suggestion on how to convince both instances to create https://127.0.0.1:8443 ?
Cheers,
August 1, 2016 at 4:47 am #27147
Ahh… in nginx setup don’t use
fastcgi_param HTTPS off;
but turn it on…..
September 7, 2016 at 9:25 pm #27148
This was a helpful thread. We wanted to post another solution for a very similar setup.
Our system setup was Cloud Flare HTTPS reverse proxy back over HTTP connections to the OROCrm server.
1. Symfony’s getSchemeAndHttpHost is based upon the trusted proxy list. It only matches if the connection to it was HTTP or not (which it will not be). See the Symfony code.
2. We are unable to set the routing.yml’s schemes: [https]. This setting does not work because the Cloud Flare to OroCRM Server connection is HTTP and forcing to HTTPS will cause an infinite redirect.
Solution here was to enable trusted proxies in app/config/config.yml as in the Symfony load balancer document. This way getSchemeAndHttpHost picks up the forwarded scheme and host.
August 31, 2017 at 1:14 am #27149
I had a similar issue….

https://github.com/oroinc/crm/issues/285

I installed OroCRM on an internal Apache behind a public reverse proxy. Several forms were rendered with wrong absolute URLs (why that?) and my proxy could not intercept/rewrite them all correctly – especially the AJAX-loaded forms and generated JavaScript were problematic.
I solved it by modifying app.php – inserted…

    Request::setTrustedHeaderName(Request::HEADER_FORWARDED, null);
    Request::setTrustedProxies(['192.168.10.0/24']);
    $request = Request::createFromGlobals();

where 192.168.10.0 is obviously my private net.
This should be the correct config for Symfony 2.8 (< 3.x).

Also the communication schema between reverse proxy and OroCRM-Server was changed from HTTP to HTTPS because several bundles even relied on “app.request.uri” and “app.request.schema”.
A BIG improvement would be to NOT generate references to absolute paths or to only use BASE_URL and not schema and server name OR to rely on the specified “application_url” config value… because else what is this for?!
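The trusted-proxy behaviour that the Cloud Flare post and cljk's app.php change both rely on, and the question in the July 28 post about getting `https://127.0.0.1:8443` out of the URL generators, as an added illustration that is not part of this thread and not Oro's or Symfony's code: a small Python model of how a framework derives the externally visible `scheme://host[:port]` from `$_SERVER`-style values, honouring `X-Forwarded-Proto`/`X-Forwarded-Host`/`X-Forwarded-Port` only when the immediate TCP peer is in a configured trusted-proxy list. The three sample requests are constructed; `192.168.10.0/24` is the private range from cljk's post, and `203.0.113.5` is a constructed address standing in for a direct, untrusted client. Symfony's real implementation has more cases (the RFC 7239 `Forwarded` header, header-name configuration), so treat this as the shape of the logic, not its code.

```python
import ipaddress

# Proxy ranges the application is told to trust. 192.168.10.0/24 is the
# private net cljk used; 127.0.0.1 covers a haproxy on the same host.
TRUSTED_PROXIES = ["127.0.0.1/32", "192.168.10.0/24"]

# Constructed $_SERVER-style inputs (not captured from a real deployment).
# haproxy on the same host terminated TLS and forwarded over plain HTTP.
SAMPLE_PROXIED = {
    "REMOTE_ADDR": "127.0.0.1",
    "SERVER_NAME": "orocrm.example.com",
    "SERVER_PORT": "8080",
    "HTTPS": "off",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "orocrm.example.com",
}
# The July 28 scenario: public side reached on a non-standard port (8443).
SAMPLE_NONSTANDARD_PORT = {
    "REMOTE_ADDR": "127.0.0.1",
    "SERVER_NAME": "127.0.0.1",
    "SERVER_PORT": "8080",
    "HTTPS": "off",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "127.0.0.1:8443",
}
# A direct client (constructed TEST-NET address) supplying forwarded headers itself.
SAMPLE_UNTRUSTED = {
    "REMOTE_ADDR": "203.0.113.5",
    "SERVER_NAME": "orocrm.example.com",
    "SERVER_PORT": "8080",
    "HTTPS": "off",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "forged-host.example",
}


def peer_is_trusted(remote_addr, trusted_cidrs):
    """True if the TCP peer that delivered the request is a configured proxy."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(cidr) for cidr in trusted_cidrs)


def _first(header_value):
    """Chained proxies comma-join forwarded headers; take the first hop's value."""
    return header_value.split(",")[0].strip()


def resolve_scheme_and_host(server, trusted_cidrs):
    """Return the scheme://host[:port] an app should use to build absolute URLs.

    With no trusted peer the app sees only its own socket (http, port 8080),
    which is how the http://.../en.js mixed-content URLs in this thread arise.
    X-Forwarded-* is honoured only from trusted peers, so a direct client cannot
    choose the scheme or host that ends up in generated links. IPv6 literals in
    X-Forwarded-Host are not handled.
    """
    scheme = "https" if server.get("HTTPS", "off").lower() == "on" else "http"
    host = server["SERVER_NAME"]
    port = int(server["SERVER_PORT"])

    if peer_is_trusted(server["REMOTE_ADDR"], trusted_cidrs):
        if server.get("HTTP_X_FORWARDED_PROTO"):
            scheme = _first(server["HTTP_X_FORWARDED_PROTO"]).lower()
            port = 443 if scheme == "https" else 80  # default unless told otherwise
        if server.get("HTTP_X_FORWARDED_HOST"):
            host = _first(server["HTTP_X_FORWARDED_HOST"])
            if ":" in host:  # host may carry the public port, as in the 8443 case
                host, port_text = host.rsplit(":", 1)
                port = int(port_text)
        if server.get("HTTP_X_FORWARDED_PORT"):
            port = int(_first(server["HTTP_X_FORWARDED_PORT"]))

    default_port = 443 if scheme == "https" else 80
    return f"{scheme}://{host}" if port == default_port else f"{scheme}://{host}:{port}"


if __name__ == "__main__":
    samples = [("proxied", SAMPLE_PROXIED), ("port 8443", SAMPLE_NONSTANDARD_PORT),
               ("untrusted", SAMPLE_UNTRUSTED)]
    for name, sample in samples:
        print(f"{name:>10}: no trusted proxies -> {resolve_scheme_and_host(sample, [])}")
        print(f"{name:>10}: trusted proxies    -> {resolve_scheme_and_host(sample, TRUSTED_PROXIES)}")
```

Run with an empty trusted list, the proxied sample resolves to `http://orocrm.example.com:8080`, which is the failure mode the thread describes; with the proxy trusted it resolves to `https://orocrm.example.com`, and the 8443 sample to `https://127.0.0.1:8443`. The untrusted sample resolves the same way whether or not a trusted list is configured, because its peer is not in it.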