Booksonic-Air icon indicating copy to clipboard operation
Booksonic-Air copied to clipboard

Published 20 hours ago verified publisher icon popeen

Redirecting all HTTPS URL requests to HTTP

Open Jepod opened this issue 4 years ago • 5 comments

Problem description

BookSonic is redirecting all HTTPS requests to HTTP when accessed through an HTTPS reverse proxy.

I'm hosting this using a docker image behind a reverse proxy server. I am trying to keep it secure behind an HTTPS reverse proxy but if I go to the URL using HTTPS, it redirects it to HTTP. I'm using a subdomain that points to my reverse proxy. Lets assume I am using "audiobooks.example.com" as the subdomain. If I go to "https://audiobooks.example.com/", I get redirected to "http://audiobooks.example.com/". I would prefer it stay with https instead of http.

I couldn't get it to work at all until I created a 2nd reverse proxy for the HTTP request. Though now its almost exclusively using http, not https.

Steps to reproduce

This is done on a Synology DS918+ running DSM 6.2.3-25426 Update 3

  1. Create a docker of Booksonic, with port 9002 accessible via localhost
  2. Create reverse 2 proxies: a. HTTPS proxy: - Source Protocol: HTTPS - Source Hostname: audiobooks.example.com - Source Port: 443 - Source options: Enable HTTP/2 - Destination Protocol: HTTP - Destination Hostname: localhost - Destination Port: 9002 b. HTTP proxy: - Source Protocol: HTTP - Source Hostname: audiobooks.example.com - Source Port: 80 - Source options: Enable HTTP/2 - Destination Protocol: HTTP - Destination Hostname: localhost - Destination Port: 9002
  3. Attempt to browse to "https://audiobooks.example.com" and the browser is auto-redirected to "http://audiobooks.example.com"

System information

Booksonic Version: 1.2 - January 11, 2020 (I assume this is what is meant by 'Airsonic'?) About Booksonic - Server: jetty/9.4.24.v20191120, java 1.8.0_275, Linux (91.8 MB / 118.1 MB) Operating System: Synology DS918+ running DSM 6.2.3-25426 Update 3 Proxy Server: built-in reverse proxy system of Synology, I believe its nginx based. Client: Microsoft Edge - Chromium 87.0.664.75 Language: English

Additional notes

I don't necessarily need BookSonic to have its own SSL / HTTPS system built-in, I just don't want it to re-write / re-direct the URL to HTTP if its coming from HTTPS.

Jepod avatar Jan 14 '21 18:01 Jepod

This appears to be the root cause of https://github.com/popeen/Booksonic-Air/issues/28 . The interesting thing is that it only happens sometimes -- most of the links in the tab bar seem to work with an ordinary reverse proxy, only some of them change the link to HTTP. Unfortunately the "Home" link is one of those, so this is probably forcing your first access to http.

wtanksleyjr avatar Jan 14 '21 18:01 wtanksleyjr

I have semi worked around the issue using a variation on the HTTP proxy I described in my original post.

I made the HTTP reverse proxy point to a super basic virtual host that simply redirects any HTTP request back to HTTPS using an .htaccess file. There is an ever so tiny delay when you load pages on booksonic's website as it redirects to https but at least users are doing input into HTTPS pages from now on.

My HTTP to HTTPS redirect virtual host is hosted using Apache 2.4; I have no idea if nginx is the same or not. Here is the .htaccess for it: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Jepod avatar Jan 20 '21 22:01 Jepod

For me the SSL communication works as described above model a). as long as I do not call the settings or use the web player.

Setting: As soon as I call the settings it tries to reload parts via http: (Mixed Content: The page at 'https://audiobooks.example.com' was loaded over HTTPS, but requested an insecure resource 'http://audiobooks.example.com/musicFolderSettings'. This request has been blocked; the content must be served over HTTPS.)

Webplayer: Mixed Content: The page at 'https://audiobooks.example.com/playQueue.view?' was loaded over HTTPS, but requested an insecure element 'https://audiobooks.example.com/stream?player=2&id=51506'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html j @ mediaelement-and-player.min.js:12 m.mediaElement. @ mediaelement-and-player.min.js:12 onStart @ playQueue.view:383 onclick @ playQueue.view:97 playQueue.view:1 Mixed Content: The page at 'https://audiobooks.example.com' was loaded over HTTPS, but requested an insecure audio file 'https://audiobooks.example.com/stream?player=2&id=51506'. This content should also be served over HTTPS.

DS 918+ Docker

Maximilian85 avatar Jan 21 '21 16:01 Maximilian85

I struggled with this problem too, but found that the Airsonic media server have a setting for this according to their documentation https://airsonic.github.io/docs/proxy/prerequisites/#reverse-proxy-configuration. So I appended the airsonic.properties in config folder with "server.use-forward-headers=true" and specified my reversed proxy to forward X-Forwarded-Proto with "https". This made it possible to access Home and Settings tab through the web interface.

Karamba91 avatar Apr 10 '22 09:04 Karamba91

YES! THANK YOU. I was going crazy with nginx trying to use sub_filter to modify the content to change http over to https, I tried all sorts of headers on both the frontend and backend, etc. and I could not get around that Mixed Content error message in Chrome. @Karamba91 's suggestion of changing airsonic.properties and adding 'server.use-forward-headers=true' worked perfectly. Now I can click around all the various links and everything is https, everything works. Thank you.

glitchsys avatar Aug 25 '22 01:08 glitchsys