Apache + nginx SSL config for csrf token



  • Hello,

    I'm running NodeBB v1.4.0 behind an Apache server and an nginx server (I would rather use only nginx, but all incoming traffic must go to the Apache server because of another app I host on the same server).

    My Apache server has SSL configured:

    <VirtualHost *:80>
        ServerName myforum.com
        Redirect / https://myforum.com
        RequestHeader set X-Forwarded-Proto "http"
    </VirtualHost>

    <VirtualHost *:443>
        ServerName myforum.com
        ProxyPass / http://0.0.0.0:8080/
        ProxyPassReverse / http://0.0.0.0:8080/
        ProxyPreserveHost On
        ProxyRequests Off
        RequestHeader set X-Forwarded-Proto "https"
        ########## SSL
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl/myforum.com/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl/myforum.com/server.key
        SSLCertificateChainFile /etc/httpd/conf/ssl/myforum.com/server.ca-bundle
        ########## END SSL
    </VirtualHost>
    

    It actually redirects myforum.com traffic towards an nginx server on port 8080, which redirects to the NodeBB server running on port 4567:

    server {
        listen       8080;
        server_name  myforum.com;
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
    
            proxy_pass http://127.0.0.1:4567/;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_headers_hash_bucket_size 128;
         }
    }
    

    This gives me the "It looks like your login session is no longer active, or no longer matches with the server. Please refresh this page." Session mismatch error. (invalid csrf token in logs)
    Replacing "https://myforum.com" in my config.json by "http://myforum.com" does solve the login issue but smileys are served over http so are not displayed.

    I've read many things regarding this issue about adding the X-Forwarded-Proto $scheme. I've added it to both servers.
    Any suggestions?
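
Added example, not part of the original posts and not NodeBB's own configuration: in the nginx block above, `$scheme` is the scheme of the connection nginx itself received (plain http on port 8080), so the `https` value set by Apache is replaced before the request reaches NodeBB. One way to pass the upstream value through instead; the variable name `$forwarded_proto` and the loopback-only `listen` are assumptions, and the thread does not confirm whether this resolves the reported error.

```nginx
# Added example (not from the thread). The map goes in the http {} context.
# Prefer the scheme reported by the front proxy (Apache); fall back to
# nginx's own $scheme when the header is absent.
map $http_x_forwarded_proto $forwarded_proto {   # hypothetical variable name
    default $http_x_forwarded_proto;
    ""      $scheme;
}

server {
    # Assumption: Apache runs on the same host and its ProxyPass target is
    # http://127.0.0.1:8080/. Listening on loopback only keeps clients from
    # reaching this port directly with a forged X-Forwarded-Proto header.
    listen       127.0.0.1:8080;
    server_name  myforum.com;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Before: proxy_set_header X-Forwarded-Proto $scheme;  (always "http" here)
        proxy_set_header X-Forwarded-Proto $forwarded_proto;
        proxy_set_header Host $http_host;

        proxy_pass http://127.0.0.1:4567/;
        proxy_redirect off;

        # Socket.IO support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```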


  • Gamers

    Hello @windkomo ,

    I had the same error. By any chance, did you install NodeBB using the online installer?

    Thanks
    Steven



  • @Steven-Rafferty Hey,

    No, I installed it through git !


  • Global Moderator

    @windkomo he means, did you install it with ./nodebb setup, or with the webpage setup tool?



  • @PitaJ @Steven-Rafferty Oh sorry, I installed it with the ./nodebb setup command.


  • Gamers

    @windkomo ahh ok, well the last time I installed this I had the same problem, but instead of using the web installer I used ./nodebb setup. And what database did you use?



  • @Steven-Rafferty I'm using mongodb. I set my cookieDomain to "" but this did not solve the issue :(


  • Gamers

    @windkomo Mm ok, did you follow the NodeBB tutorial? And if so, what steps?

    I do not think this is a problem with you having two web servers being hosted on the same box. I think it's a mongodb issue, being as mongo handles logins and registrations.

    Have you done anything major with your NodeBB forum, such as lots of data? Because fixing this may mean you need to completely start from fresh.



  • @Steven-Rafferty I followed this: https://docs.nodebb.org/en/latest/installing/os/centos.html CentOS 6.5.
    Sadly starting fresh is not an option for me :(

