
Comments (10)

micalm commented on June 11, 2024

I don't agree.
I'm pretty sure that setting REQUEST_SCHEME to http and SERVER_PORT to 80 while using a completely valid HTTPS connection is at best a PHP-CGI misconfiguration on their part. In a worst case scenario they're just plain incompetent.

Anyway, this can't be fixed in code, because neither Slim nor Leafpub should handle broken environments like this. If you're willing to use that fix I provided before it'll work, but certainly doesn't belong in the repo. It's possible updates will break it too.

from leafpub.

karsasmus commented on June 11, 2024

Hi @BryanHeijmans
sorry for the late reply.
Which server do you use? Apache? Nginx? Would you mind posting your config?

from leafpub.

BryanHeijmans commented on June 11, 2024

Hi @karsasmus,

Here is the information about my hosting, http://info.newwebhosting.nl/

from leafpub.

micalm commented on June 11, 2024

On nginx I'm able to do a clean install 1.1.9 over HTTPS and log in/out successfully (the usual PHP redirects to index.php).

Looks like an issue with HTTPS configuration on your hosting. From what I see in phpinfo(), even Apache is running as root - this is a serious security issue. Did you configure that machine yourself or are you using a shared hosting?

If the former, join Leafpub's gitter, I can help with that. In case you're using a shared web hosting, contact their support, server admins there should be able to resolve these issues.

from leafpub.

BryanHeijmans commented on June 11, 2024

Hi @micalm, thanks for the testing. I'm on a shared hosting. Did you also try to login on www.domain.com/admin? Because when I login on www.domain.com/admin/login I won't get an error. When I press logout it redirects to www.domain.com/admin/login. So it only happens on /admin.

But I forwarded your message to my hosting and I will let you know what they replied. Thanks for the help! Greetings, Bryan

from leafpub.

micalm commented on June 11, 2024

Yes, I did, both methods work correctly (with GET redirect and without). It would help if you didn't redact the real domain, then I could debug directly on the troublesome Leafpub instance.
If you don't want to disclose this publicly, again, I'm on gitter.

from leafpub.

micalm commented on June 11, 2024

After some time debugging with @BryanHeijmans we've figured out that it's an issue in Middleware::requireAuth(), where Slim's $request->getUri() returns the URI with :80 appended and thus, Leafpub generates an invalid redirect URL which won't (hopefully) ever work on HTTPS.
This will require further investigation if it's an issue to be solved upstream in Slim or an incorrectly configured environment.

A quick & very ugly hack is to add $uri = str_replace(':80', '', $uri); right after $uri = $request->getUri(); in sources/classes/Middleware.php for those experiencing the (exact) same problem, until it is resolved here.

from leafpub.

karsasmus commented on June 11, 2024

Hi @micalm,
thanks for your time to help @BryanHeijmans
I've looked into Slim's source code to find out if it's a bug or a feature to add the port to the url.
It's a feature, Slim follows PSR-7 spec.
If you read the comment above the method getPort() @ https://github.com/slimphp/Slim/blob/3.x/Slim/Http/Uri.php#L424 you'll see that something with your server config seems to be wrong as Slim only returns port 80 if it's the wrong port for actual scheme (https).

from leafpub.
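
The behaviour discussed in this thread, as an added sketch (not Slim's or Leafpub's code, and not part of any comment above): a PSR-7 style URI drops the port only when it is the default for the scheme, so an environment that reports TLS together with `SERVER_PORT=80` yields a redirect URL ending in `:80`. The function names, the `blog.example` host and both sample environments are constructed for illustration.

```php
<?php
// Added illustration: a simplified model of PSR-7 style URI building,
// not Slim's or Leafpub's source. Function names are hypothetical.

const DEFAULT_PORTS = ['http' => 80, 'https' => 443];

// Derive scheme, host and port from CGI-style server variables.
function uriPartsFromEnv(array $env): array
{
    $https  = $env['HTTPS'] ?? '';
    $scheme = ($https === '' || strtolower($https) === 'off') ? 'http' : 'https';
    $port   = isset($env['SERVER_PORT']) ? (int) $env['SERVER_PORT'] : null;
    return [$scheme, $env['HTTP_HOST'] ?? 'localhost', $port];
}

// PSR-7 rule: the port is omitted only when it is the default for the scheme.
function buildUrl(array $env, string $path): string
{
    [$scheme, $host, $port] = uriPartsFromEnv($env);
    $isDefault = $port === null || DEFAULT_PORTS[$scheme] === $port;
    return $scheme . '://' . $host . ($isDefault ? '' : ':' . $port) . $path;
}

// Report variables that contradict each other, e.g. TLS with port 80.
function envMismatches(array $env): array
{
    [$scheme, , $port] = uriPartsFromEnv($env);
    $problems = [];
    if ($port !== null && in_array($port, DEFAULT_PORTS, true) && DEFAULT_PORTS[$scheme] !== $port) {
        $problems[] = "scheme {$scheme} but SERVER_PORT={$port}";
    }
    $reqScheme = $env['REQUEST_SCHEME'] ?? null;
    if ($reqScheme !== null && strtolower($reqScheme) !== $scheme) {
        $problems[] = "HTTPS flag implies {$scheme} but REQUEST_SCHEME={$reqScheme}";
    }
    return $problems;
}

// Constructed sample environments (not taken from the reporter's host).
$healthy = ['HTTPS' => 'on', 'HTTP_HOST' => 'blog.example', 'SERVER_PORT' => '443', 'REQUEST_SCHEME' => 'https'];
$broken  = ['HTTPS' => 'on', 'HTTP_HOST' => 'blog.example', 'SERVER_PORT' => '80',  'REQUEST_SCHEME' => 'http'];

foreach (['healthy' => $healthy, 'broken' => $broken] as $name => $env) {
    echo $name, ': ', buildUrl($env, '/admin/login'), PHP_EOL;
    foreach (envMismatches($env) as $p) {
        echo '  mismatch: ', $p, PHP_EOL;
    }
}
```

Running `envMismatches($_SERVER)` on the affected host shows which variables the web server or PHP-CGI layer is reporting inconsistently, which is the evidence a hosting provider needs to correct the environment.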

BryanHeijmans commented on June 11, 2024

Hi @karsasmus,

Thanks for the reply and yes again, thanks @micalm! I will send this information to my hosting company as well. I will let you know what they have to say about this. Greetings, Bryan

from leafpub.

BryanHeijmans commented on June 11, 2024

Hi @karsasmus, @micalm,

The hosting responded,

We arrange the permissions via apparmor (so, "root" has no or limited rights in this case). The security is so alright: This is consciously set!

As for the port: This is an error in the code that determines the redirect, which one accepts the wrong port. Port 80 is not determined by our system, this seems to be a default value that the code accepts when it does not get the expected response.

If you guys think the problem is with my hosting, please say so, I'm willing to switch hosting. If it's a problem within the code, I hope you can spend some more time on it to fix it.

Please let me know. Greetings, Bryan

from leafpub.
