Apache + nginx SSL config for csrf token
-
Hello,
I'm running NodeBB v1.4.0 behind an Apache server and an nginx server (I would rather use only nginx, but all incoming traffic must go to the Apache server because of another app I host on the same server).
My Apache server has SSL configured:
<VirtualHost *:80>
    ServerName myforum.com
    Redirect / https://myforum.com
    RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>

<VirtualHost *:443>
    ServerName myforum.com
    ProxyPass / http://0.0.0.0:8080/
    ProxyPassReverse / http://0.0.0.0:8080/
    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    ########## SSL
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl/myforum.com/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/myforum.com/server.key
    SSLCertificateChainFile /etc/httpd/conf/ssl/myforum.com/server.ca-bundle
    ########## END SSL
</VirtualHost>
It actually redirects myforum.com traffic towards an nginx server on port 8080, which redirects to the NodeBB server running on port 4567:
server {
    listen 8080;
    server_name myforum.com;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4567/;
        proxy_redirect off;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_headers_hash_bucket_size 128;
    }
}
This gives me the "It looks like your login session is no longer active, or no longer matches with the server. Please refresh this page." session mismatch error (invalid csrf token in logs).
Replacing "https://myforum.com" in my config.json with "http://myforum.com" does solve the login issue, but smileys are served over http so are not displayed. I've read many things regarding this issue about adding the X-Forwarded-Proto $scheme. I've added it to both servers.
Any suggestions? -
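A check one could run on the nginx block above: that server listens on plain `8080`, so nginx's `$scheme` is `http`, and `proxy_set_header X-Forwarded-Proto $scheme` replaces the `https` value Apache set before the request reaches NodeBB. This is an added example, not code from the thread; the helper names and the small directive parser are assumptions, and the thread does not confirm this as the cause of the error.

```javascript
// Added example, not from the thread. The directives are copied from the post's
// nginx block (trimmed); helper names and the tiny parser are assumptions.
const NGINX_CONF = `
server {
  listen 8080;
  server_name myforum.com;
  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://127.0.0.1:4567/;
  }
}`;

// Split a config into directives, e.g. ["listen", "8080"].
function directives(conf) {
  return conf.replace(/#.*$/gm, '').split(/[;{}]/)
    .map(s => s.trim().split(/\s+/)).filter(d => d[0]);
}

// $scheme is the scheme of the connection nginx itself accepted: "https" only
// when a listen directive carries the ssl parameter.
function nginxScheme(dirs) {
  return dirs.some(d => d[0] === 'listen' && d.includes('ssl')) ? 'https' : 'http';
}

// X-Forwarded-Proto as the backend receives it. Without a proxy_set_header for
// it, nginx forwards the front proxy's header unchanged. Assumes at most one
// proxy_set_header per header name.
function protoAtBackend(conf, fromFrontProxy) {
  const dirs = directives(conf);
  const vars = { $scheme: nginxScheme(dirs), $http_x_forwarded_proto: fromFrontProxy };
  const set = dirs.find(d => d.length > 2 && d[0] === 'proxy_set_header' &&
                             d[1].toLowerCase() === 'x-forwarded-proto');
  if (!set) return fromFrontProxy;
  return set[2] in vars ? vars[set[2]] : set[2].replace(/"/g, '');
}

// Compare the scheme in the app's configured URL with what the app is told.
function checkChain(conf, fromFrontProxy, appUrl) {
  const expected = new URL(appUrl).protocol.replace(':', '');
  const seen = protoAtBackend(conf, fromFrontProxy);
  return { expected, seen, mismatch: expected !== seen };
}

// As posted: Apache sends "https", nginx rewrites it from its own plain listener.
console.log(checkChain(NGINX_CONF, 'https', 'https://myforum.com'));
// Variant that forwards the value received from Apache instead.
const PASS_THROUGH = NGINX_CONF.replace('$scheme', () => '$http_x_forwarded_proto');
console.log(checkChain(PASS_THROUGH, 'https', 'https://myforum.com'));
```
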
@Steven-Rafferty Hey,
No, I installed it through git!
-
@windkomo he means, did you install it with ./nodebb setup, or with the webpage setup tool? -
@Steven-Rafferty I'm using mongodb. I set my cookieDomain to "" but this did not solve the issue -
@windkomo Mm ok, did you follow the nodebb tutorial? And if so, what steps?
I do not think this is a problem with you having two web servers being hosted on the same box, I think it's a mongodb issue, being as mongo handles logins and registrations.
Have you done anything major with your nodebb forum, such as lots of data? Because fixing this may mean you need to completely start from fresh.
-
@Steven-Rafferty I followed this: https://docs.nodebb.org/en/latest/installing/os/centos.html CentOS 6.5.
Sadly starting fresh is not an option for me