This question about Configuration, Authentication or Authorisation: Answered

unsafe redirect as AdminUser (https site)

Wiki is configured and seems to work, but after having logged in as AdminUser, when attempting to access the topic 'AdminUser Main activities' I get the error message 'Rename completed but unsafe redirect to 'http://mydomain.name/Wiki/bin.... The requested host does not match https://mydomain.name, and is not in {PermittedRedirectHostUrls}'

i.e. an https is mapped to an http, and I haven't allowed the http site prefix for redirects. I am a little reluctant just to allow this; are there security implications for passwords and/or the upload/download of attachments? I don't need to mix https and http, I would like everything for the wiki to go through https. It is perhaps worth noting that I am on a shared host, so can only use .htaccess.

My problem has some similarity to http://foswiki.org/Support/Question1213 where the ScriptURL path was apparently expanded incorrectly, but it is not clear to me exactly what the problem there was, and as the solution involved changing the Apache virtualHost configuration I don't think it is possible for me.

-- JamesWhitby - 27 Dec 2012

Is there any chance that the web server is behind a SSL Accelerator appliance or a proxy of some sort?

There is a feature planned for 1.2, that will force Foswiki to use the DefaultUrlHost for all links, regardless of what URL is entered by the user. This issue comes about if the user's "https://" request is converted to "http://" by a proxy or accelerator appliance. Foswiki will use whatever URL it detects the user entered so that links are consistent with the user's request.

The patch on Foswiki.pm is rather simple: http://trac.foswiki.org/changeset/14907/trunk/core/lib/Foswiki.pm and also requires the addition of $Foswiki::cfg{ForceDefaultUrlHost} = 1; to the LocalSite.cfg file to enable the override.

The "fix" reported in Question1213 would be consistent with this type of configuration. Apache documents the ServerName parameter here: https://httpd.apache.org/docs/2.2/mod/core.html#servername and states:

"Sometimes, the server runs behind a device that processes SSL, such as a reverse proxy, load balancer or SSL offload appliance. When this is the case, specify the https:// scheme and the port number to which the clients connect in the ServerName directive to make sure that the server generates the correct self-referential URLs."

The 1.2 feature IntroduceForceDefaultUrlHostToggle serves the same purpose.

-- GeorgeClark - 27 Dec 2012
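To make the mechanics of the error concrete, here is an added illustration (not Foswiki's own code, and not from either poster) of the two pieces the answer above describes: the host-prefix check that produces "unsafe redirect" when a target does not match the default host or any entry in {PermittedRedirectHostUrls}, and the effect of a ForceDefaultUrlHost-style override when a proxy has turned an https request into plain http. The configuration values, the CGI environment dicts and the function names are constructed for the example; the detection logic is a simplification of what Foswiki does, not a copy of it.

```python
from urllib.parse import urlsplit

# Constructed configuration, mirroring the settings named in the thread.
# Values are illustrative, not the poster's real site.
DEFAULT_URL_HOST = "https://mydomain.name"
PERMITTED_REDIRECT_HOST_URLS = ["https://docs.mydomain.name"]


def host_prefix(url):
    """Normalise a URL to its scheme://host[:port] prefix for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def is_safe_redirect(target, default_url_host=DEFAULT_URL_HOST,
                     permitted=PERMITTED_REDIRECT_HOST_URLS):
    """Allow a redirect only if scheme AND host match the default host or a
    permitted one. A scheme change (https -> http) is a mismatch, which is
    exactly why the thread's http:// target is rejected."""
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return True  # relative URL: stays on the current origin by construction
    allowed = {host_prefix(default_url_host)} | {host_prefix(p) for p in permitted}
    return host_prefix(target) in allowed


def detected_url_host(cgi_env, default_url_host=DEFAULT_URL_HOST,
                      force_default=False):
    """Simplified (hypothetical) model of how the URL host is chosen:
    from the request's HTTPS/HTTP_HOST variables, unless the override
    forces the configured default. Behind an SSL offloader HTTPS is often
    absent, so the detected value silently becomes http://..."""
    if force_default:
        return default_url_host
    scheme = "https" if cgi_env.get("HTTPS", "").lower() == "on" else "http"
    return f"{scheme}://{cgi_env['HTTP_HOST']}"


def redirect_after_rename(cgi_env, path, force_default=False):
    """Build the post-rename redirect URL the way the thread describes and
    report whether the redirect check would accept it."""
    url = detected_url_host(cgi_env, force_default=force_default) + path
    return url, is_safe_redirect(url)


if __name__ == "__main__":
    # Constructed CGI environment as seen behind a TLS-terminating proxy:
    # the client spoke https, but HTTPS is not set for the backend.
    proxied_env = {"HTTP_HOST": "mydomain.name"}
    path = "/Wiki/bin/view/Main/AdminUser"
    print(redirect_after_rename(proxied_env, path))                     # http://..., False
    print(redirect_after_rename(proxied_env, path, force_default=True))  # https://..., True
```

Run as-is, the first call reproduces the thread's situation: the detected host is http://mydomain.name, so the self-redirect fails the check. With the override the redirect is built from the configured https host and passes without adding the http prefix to {PermittedRedirectHostUrls}, which is the point of the 1.2 feature: the mismatch is fixed at the source rather than by widening the redirect allow-list.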

Thanks. I didn't think that there was a proxy because Wordpress works fine (I seem to recall that there was a test for a proxy during installation, but that was admittedly before adding the SSL certificate). My hosting service is not very forthcoming with information. I don't think what the user enters matters here as the error was entirely generated by Foswiki (i.e. having started with an https prefix, some action of foswiki as described above caused a change to http). Actually, despite the apparent error, everything seems to work fine if I just choose 'OK' to continue. I'll try the ServerName in the top-level .htaccess file and see if that changes anything.

-- JamesWhitby - 27 Dec 2012

ServerName is not valid in .htaccess files. If you look at the Documentation link I provided above, the key information is "Context: server config, virtual host". It would say .htaccess if it was legal there.

I think your best bet is to patch the Foswiki.pm file.

-- GeorgeClark - 28 Dec 2012

QuestionForm

Subject Configuration, Authentication or Authorisation
Extension
Version Foswiki 1.1.6
Status Answered
Related Topics IntroduceForceDefaultUrlHostToggle
Topic revision: r4 - 28 Dec 2012, GeorgeClark