10/20/25
Comment on [#14621] Horde's XMLHttpRequests behind SSL offload proxy
> Hi,
> given is the following setup:
>
> - Apache 2.4 (plain HTTP) + PHP-FPM 7.0 serving Horde
> - Nginx as reverse proxy (doing SSL offload)
>
> Accessing Horde isn't a problem, though both in IMP and Kronolith,
> XMLHttpRequests fail and render the "Cannot contact server" message.
> Firebug on the client reports (in Network -> XHR) a 0 byte POST
> request on .../horde/services/ajax.php/imp/dynamicInit.
>
> Horde itself runs on an internal non-routable IP so Horde can't
> contact anything outside its own home network nor anyone from the
> outside can contact the Apache webserver directly.
> Apache serves only HTTP and Nginx as reverse proxy is doing the SSL
> offload, enabling "Assume we're using HTTPS" in Horde works and all
> links are rendered correctly.
> Other applications e.g. SquirrelMail, Drupal, Joomla, Wordpress,
> Rainloop, Roundcube, Pydio, Nextcloud work fine with this setup and
> without any problems at all.
> The corresponding Nginx (1.10.3) setup looks like:
>
> http {
>     sendfile on;
>     tcp_nodelay on;
>     tcp_nopush on;
>     keepalive_timeout 65;
>     proxy_buffer_size 128k;
>     proxy_buffers 16 64k;
>     proxy_connect_timeout 90;
>     proxy_read_timeout 90;
>     proxy_redirect off;
>     proxy_send_timeout 90;
>     proxy_cache_valid 200 301 1d;
>     proxy_cache_valid 404 1m;
>     proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
>     ignore_invalid_headers on;
>     server_name_in_redirect off;
>     server_tokens off;
>     client_body_buffer_size 128k;
>     client_header_buffer_size 64k;
>     client_max_body_size 10m;
>
>     server {
>         listen 3128 ssl;
>         listen [::]:3128 ssl;
>         server_name fbi.nsa.gov;
>         access_log /var/log/nginx/files_access.log;
>         error_log /var/log/nginx/files_error.log;
>
>         ssl on;
>         ssl_certificate /usr/local/etc/nginx/certs/nsa_gov_chain.crt;
>         ssl_certificate_key /usr/local/etc/nginx/certs/nsa_gov.key;
>
>         ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
>         ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH-aRSA:DHE+RSA+AES256+SHA256:RSA+AES:!ECDH+3DES:!DH+3DES:!RSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!PSK:!SRP:!DSS;
>         ssl_prefer_server_ciphers on;
>         ssl_session_cache shared:SSL:10m;
>         ssl_session_timeout 10m;
>         ssl_dhparam /usr/local/etc/nginx/certs/dhparam.pem;
>         keepalive_timeout 60;
>
>         add_header Cache-Control private;
>         add_header X-Content-Type-Options "nosniff";
>         add_header X-Frame-Options SAMEORIGIN;
>         add_header X-XSS-Protection "1; mode=block";
>         add_header Strict-Transport-Security "max-age=15552000";
>
>         location / {
>             proxy_hide_header Server;
>             proxy_hide_header Expires;
>             proxy_hide_header Last-Modified;
>             proxy_pass http://172.16.0.2:80;
>             proxy_set_header Host $host;
>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             proxy_set_header X-Forwarded-Proto https;
>             proxy_set_header X-Real-IP $remote_addr;
>             proxy_redirect off;
>             proxy_ssl_session_reuse off;
>             proxy_http_version 1.1;
>             proxy_buffering off;
>         }
>     }
> }