phpsaml
phpsaml copied to clipboard
derricksmith
Plugin doesn't work behind reverse proxy
Hello,
We encountered an issue where SAML responses were rejected with:
The response was received at http://domain:8080/plugins/phpsaml/front/acs.php instead of https://domain/plugins/phpsaml/front/acs.php
This is because the app is hosted on Kubernetes and thus behind a reverse proxy. The upstream php-saml lib has a few ways to work around that, c.f. its README; in our case it was enough to enable the setProxyVars parameter.
Ideally this parameters and/or other workarounds should be exposed in the settings UI; sorry that I don't have the time to create a proper patch and pull request for this.
Thanks, Arthur
Hello @alesuiss, I think I have a similar issue (redirect doesn't work because it tries to redirect to http instead of https). How can I enable this parameter? Which file do I need to edit?
Hello @Izanagi52
Here is my very crude patch:
diff --git a/lib/php-saml/src/Saml2/Utils.php b/lib/php-saml/src/Saml2/Utils.php
index c6e912c..75a92d1 100644
--- a/lib/php-saml/src/Saml2/Utils.php
+++ b/lib/php-saml/src/Saml2/Utils.php
@@ -39,7 +39,7 @@ class Utils
/**
* @var bool Control if the `Forwarded-For-*` headers are used
*/
- private static $_proxyVars = false;
+ private static $_proxyVars = true;
/**
* @var string|null
Thanks for the tips! (In my case, my problem must be somewhere else, the RelaySate url is still in http)
@Izanagi52 you may need to make sure your proxy actually does set the X-Forwarded-* headers. Example for nginx:
proxy_set_header X-Forwarded-For $remote_addr ;
proxy_set_header X-Forwarded-Host $host ;
proxy_set_header X-Forwarded-Proto $scheme ;
proxy_set_header X-Forwarded-Port $server_port ;
... or in the same Utils.php file there are other params to force these ($_host, $_protocol and $_port).
Thanks again, but it doesn't change anything for me...
X-Forwarded headers are set (I can see it in GLPI debug mode), and setting on line 52
private static $_protocol = "https";
or
private static $_protocol = "https://";
doesn't work...
I have GLPI 10.0.5 and phpsaml 1.2.1.
I run GLPI with apache (http) and Nging Proxy Manager as reverse proxy (https).
I don't really understand why, but I think it's not the same problem as you, maybe a problem with my apache config.
@Izanagi52 Something that helped me was changing this line to something like $returnTo = (((isset($_GET['redirect']) ? $_GET['redirect'] : isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) ? $_SERVER['HTTP_X_FORWARDED_PROTO'] : isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? "https" : "http" . "://" . $realhost . $_SERVER['REQUEST_URI']);
After I changed that and set $_proxyVars=true, my RelayState used https.
Adding to https://github.com/derricksmith/phpsaml/issues/120#issuecomment-1437592158 as it did not work for me.
This should be changed to:
$returnTo = ((((isset($_GET['redirect']) ? $_GET['redirect'] : isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) ? $_SERVER['HTTP_X_FORWARDED_PROTO'] : isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? "https" : "http") . "://" . $realhost . $_SERVER['REQUEST_URI']);
and additionally doing this solved the problem in my instance, which is Apache running behind nginx reverse proxy.
@Izanagi52 you may need to make sure your proxy actually does set the X-Forwarded-* headers. Example for nginx:
proxy_set_header X-Forwarded-For $remote_addr ; proxy_set_header X-Forwarded-Host $host ; proxy_set_header X-Forwarded-Proto $scheme ; proxy_set_header X-Forwarded-Port $server_port ;... or in the same Utils.php file there are other params to force these (
$_host,$_protocoland$_port).
For apache, the syntax is like that, if it helps:
<Location /glpi/>
Proxypass /glpi/ https://10.20.30.40/glpi/
ProxyPassReverse /glpi/ https://10.20.30.40/glpi/
ProxyPreserveHost On
RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
RequestHeader set X-Forwarded-Host %{HTTP_HOST}s
RequestHeader set X-Forwarded-Proto %{REQUEST_SCHEME}s
RequestHeader set X-Forwarded-Port %{SERVER_PORT}s
</Location>
