Can't log in by email when using a reverse proxy

Hello there!

I have an old codimd, and I want to migrate it to HedgeDoc.

My version of HedgeDoc is 1.10.0. I installed it manually.

Then I want to use nginx as the proxy server, so I read this doc.

Here is my config
{
    "test": {
        "db": {
            "dialect": "sqlite",
            "storage": ":memory:"
        },
        "linkifyHeaderStyle": "gfm"
    },
    "development": {
        "loglevel": "debug",
        "db": {
            "dialect": "sqlite",
            "storage": "./db.hedgedoc.sqlite"
        },
        "domain": "dev-hedgedoc.dlll.nccu.edu.tw",
        "urlAddPort": false,
        "protocolUseSSL": true,
        "UseSSL": false,
        "sessionSecret": "CfALttnLLSmjF3,V",
        "hsts": {
            "enable": false
        }
    },
    "production": {
        "domain": "dev-hedgedoc.dlll.nccu.edu.tw",
        "urlAddPort": false,
        "UseSSL": false,
        "protocolUseSSL": true,
        "sessionSecret": "CfALttnLLSmjF3,V",
        "loglevel": "info",
        "hsts": {
            "enable": true,
            "maxAgeSeconds": 31536000,
            "includeSubdomains": true,
            "preload": true
        },
        "csp": {
            "enable": true,
            "directives": {
            },
            "upgradeInsecureRequests": "auto",
            "addDefaults": true,
            "addDisqus": true,
            "addGoogleAnalytics": true
        },
        "cookiePolicy": "lax",
        "db": {
            "username": "codimd",
            "password": "La2391!@2391",
            "database": "codimd",
            "host": "127.0.0.1",
            "port": "3306",
            "dialect": "mariadb"
        },
        "email":true,
        "allowEmailRegister":true
    }
}
And here is my nginx config
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        proxy_pass http://localhost:3000;

        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade-Insecure-Requests 1;

        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';

    }

    location /socket.io/ {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }


    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        add_header Access-Control-Allow-Origin *;
        proxy_pass http://localhost:3000;
    }
    location ~ .*/ {
        proxy_pass http://localhost:3000;
    }

}

My HedgeDoc instance works at https://dev-hedgedoc.dlll.nccu.edu.tw/

It seems to work. (It can even show the page migrated from codimd! )

But when I tried to log in to HedgeDoc, it redirected to the home page.
The “Register” button also showed the same result.

What I expected to happen:

Log in or register as normal (with email).

What actually happened:

When I pressed the login or register button, it redirected to the home page, without any message in the browser.

In the console, it shows the following message (login):
2024-10-08T08:06:21.914Z info: 	serializeUser: 03b0aab6-289f-435a-b145-286bf3767f31
2024-10-08T08:06:21.930Z info: 	140.119.61.127 - - [08/Oct/2024:08:06:21 +0000] "POST /login HTTP/1.0" 302 120 "https://dev-hedgedoc.dlll.nccu.edu.tw/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"

2024-10-08T08:06:21.966Z info: 	140.119.61.127 - - [08/Oct/2024:08:06:21 +0000] "GET / HTTP/1.0" 304 - "https://dev-hedgedoc.dlll.nccu.edu.tw/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"

2024-10-08T08:06:22.229Z info: 	140.119.61.127 - - [08/Oct/2024:08:06:22 +0000] "GET /config HTTP/1.0" 304 - "https://dev-hedgedoc.dlll.nccu.edu.tw/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"

2024-10-08T08:06:22.547Z info: 	140.119.61.127 - - [08/Oct/2024:08:06:22 +0000] "GET /me HTTP/1.0" 304 - "https://dev-hedgedoc.dlll.nccu.edu.tw/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"

I already tried:
(As a new user, I can’t turn the following titles into links.)

  • doc1 => Cant Login (Email) in this community
    According to this page , I set protocolUseSSL as true.

  • doc2 => Login attempts just redirect to home page in this community
    According to this page, I commented out the X-Forwarded-For setting in nginx.
    But it still doesn’t work, whether I comment out the X-Forwarded-For setting or not.

  • doc3 => Using nginx as a reverse proxy in this community
    But I already set that setting on nginx default file. (Using a Reverse Proxy with HedgeDoc doc)

  • Use http
    I set protocolUseSSL as false, then accessed with http.
    It worked, as in the following screenshot (I had already set protocolUseSSL as false after this post).
    login with https(login success)


    Notes on this page were migrated from the old codimd.

But I still want to use https to access my HedgeDoc.
Is there anything I can do?
Thanks in advance!

Hey! I had the same issue and I found this issue on GitHub.

Setting the CMD_PROTOCOL_USESSL=true and that nginx config (including the map section for the upgrade) made it work for me!

Thanks for your reply!

I had tried this way.
Unfortunately, it doesn’t work in my case.

  • CMD_PROTOCOL_USESSL
    Because I installed HedgeDoc manually, the env CMD_PROTOCOL_USESSL corresponds to the parameter protocolUseSSL. But I had set it as true.

  • nginx config

Fixed as follows:
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_pass_header Server;
        proxy_buffering off;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        add_header X-Frame-Options 'ALLOW-FROM *';
        proxy_set_header Referer "";

    }
    location /socket.io/ {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        add_header Access-Control-Allow-Origin *;
        proxy_pass http://localhost:3000;
    }
    location ~ .*/ {
        proxy_pass http://localhost:3000;
    }
}

Still doesn’t work😭.

But I got something interesting.

  1. Set protocolUseSSL as false
  2. Login with http
  3. Exit HedgeDoc service
  4. Set protocolUseSSL as true
  5. Access HedgeDoc with https
  6. HedgeDoc keeps my login status, and it can be used as normal. (edit/create/publish note)
  7. But it still breaks after logout

Is there any hint in this situation?

Thanks!

I’d say you need to set protocolUseSSL to true and also listen on port 443 in nginx. I think you’re only listening on port 80, right?

Yes.
But the situation may be like this post.

Login does nothing; guest note: invalid cookie

Although I don’t use Cloudflare for my HedgeDoc, it seems like Flexible SSL.
Sorry I am not really sure. That DNS server was built by my predecessor.

For other sites in my DNS server, I don’t need to:

  • apply for an SSL certificate for the URL
  • set an SSL certificate or port 443 listening in the HTTP server config of the site

Then user can use https to access those sites.
It may be some difference … but I think that is something like Flexible ssl.

Does that cause this problem?
Thanks!
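
Added example (not written by anyone in this thread, and not HedgeDoc's own code): a small model of the check that Node session middleware in the style of express-session applies before sending a cookie flagged Secure, run over the proxy setups described above. It assumes that protocolUseSSL=true marks the session cookie Secure and that the app trusts the proxy's X-Forwarded-Proto header; all function and scenario names are hypothetical.

```javascript
// Added illustration, not HedgeDoc or express-session source. Models the check a
// session middleware makes before emitting a cookie flagged Secure.
// All function and scenario names are hypothetical.

// Does the app consider this request HTTPS?
function isSecure(req, trustProxy) {
  if (req.socketEncrypted) return true;   // TLS terminated by the app itself
  if (!trustProxy) return false;          // forwarded headers are ignored
  const header = req.headers['x-forwarded-proto'] || '';
  // With chained proxies only the first (left-most) value is considered.
  return header.split(',')[0].trim().toLowerCase() === 'https';
}

// True if Set-Cookie would be sent for a newly created session.
function sendsSessionCookie(req, opts) {
  // A Secure cookie is silently withheld on a request that looks like plain HTTP,
  // so the login succeeds server-side but the browser never receives a session.
  return !(opts.cookieSecure && !isSecure(req, opts.trustProxy));
}

// The app always sees an unencrypted socket from nginx on localhost:3000.
const viaProxy = (headers) => ({ socketEncrypted: false, headers });

// Constructed scenarios mirroring the thread. nginx listens on port 80 only,
// so $scheme expands to "http" even when the browser used https upstream.
const scenarios = {
  httpWithInsecureCookie: { req: viaProxy({}), cookieSecure: false },
  httpsNoForwardedProto: { req: viaProxy({}), cookieSecure: true },
  httpsForwardedSchemeVar: { req: viaProxy({ 'x-forwarded-proto': 'http' }), cookieSecure: true },
  httpsForwardedHttps: { req: viaProxy({ 'x-forwarded-proto': 'https' }), cookieSecure: true },
};

function evaluate(trustProxy = true) {
  const out = {};
  for (const [name, s] of Object.entries(scenarios)) {
    out[name] = sendsSessionCookie(s.req, { cookieSecure: s.cookieSecure, trustProxy });
  }
  return out;
}

console.log(evaluate());
```

When TLS is terminated by a proxy in front of nginx, the header has to carry that proxy's view of the scheme and be accepted only from it, since a client-supplied X-Forwarded-Proto would otherwise decide whether the app treats a request as secure.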

Oh, I see. Then I don’t know how to solve it. I’ve never used it, but you may be right!
Sorry!

Never mind!
Still, thanks for your help!