Session problem with https

Paweł

I have https which is a certificate from Cloudflare.

My Nginx server has the configurations from the documentation.
When I have enabled: “url: “http://forum.example.com” - login works.

When I set in config.json
“url: “https://forum.example.com” - error

Error message:

Login failed.
Login failed, probably due to session expiration. Try again.

In the URL, there is an error: "https://forum.example.com/login?error=csrf-invalid"

It needs https because, without it, the Google SSO plugin doesn't work for me

my nginx:

server {
         listen 80;
         server_name example.com;
         return 301 https://forum.example.com;
}


server {
    listen 80;

    server_name forum.example.com www.forum.example.com;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;

        proxy_pass http://127.0.0.1:4567;
        proxy_redirect off;

        client_max_body_size 10M;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

FrankM

Where is your 443 server block?

 server {
     listen               443 ssl http2;

Paweł

I have SSL from the Cloudflare proxy - do I still need SSL on the Nginx?

julian

I am not sure whether that might cause issues. You can test and let us know.

I know that for this site we have CloudFlare SSL (set to Full Strict), and also deploy our own certificate with nginx.

Paweł

After a few tweaks, everything works.
The config from docs didn't work properly and is probably a bit outdated, (tls version, spdy...).

First:
CloudFlare SSL: Flexible to Full

Second:
New nginx setup:

server {
    listen 80;

    server_name forum.example.com;

    return 302 https://$host$request_uri;
}

server {
    listen 443 ssl http2;

    server_name forum.example.com;

    ssl_certificate /home/ubuntu/nodebb/ssl/forum.crt;
    ssl_certificate_key /home/ubuntu/nodebb/ssl/forum.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    ssl_ciphers 'AES128+EECDH:AES128+EDH';
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;

        proxy_pass http://127.0.0.1:4567;  # no trailing slash
        proxy_redirect off;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}