@courtens opened this Issue on June 3rd 2017

There are three issues I have, and they are all related to the proxy setup problem I am experiencing.

1) ======
On the login page located here https://www.mydomainname.com/piwik/ I get a broken logo image. The logo image is located on the server at http://192.168.1.1:8080/plugins/Morpheus/images/logo.svg. But somehow the proxy (or piwik) responds that the logo.svg file is located here: https://www.mydomainname.com/plugins/Morpheus/images/logo.svg which is wrong, where in fact it should be https://www.mydomainname.com/piwik/plugins/Morpheus/images/logo.svg. Somehow /piwik/ gets dropped.

2) ======
Immediately after logging in I get a redirect to a page that prompts: No input file specified. (or a redirect to https://www.mydomainname.com/ instead of https://www.mydomainname.com/piwik/) It is only after clicking back on the browser that I get redirected to the piwik website. Somehow the piwik code truncates the piwik folder during the redirect right after a successful login (back to the root folder.) This redirect brakes the page.

3) =====
The "All Websites" page is not working (not giving me any data), only the "Dashboard" page works. "Add a new website" goes to https://www.mydomainname.com/?module=SitesManager&action=index&showaddsite=1&period=range&date=previous30&idSite=1 but it should go to https://www.mydomainname.com/piwik/?module=SitesManager&action=index&showaddsite=1&period=range&date=previous30&idSite=1

Same issue as issue 1 and 2, a redirect dropping the working folder I am in.

=== my setup ============
I am running Ubuntu, hosting VM (VirtualBox) Win10 serving:
Piwik 3.0.4 (running on IIS)
Apache 2.4 listening to :80 and :443
Apache proxy from https://www.mydomainname.com/piwik/ to http://192.168.1.1:8080
IIS 10 is hosting Piwik on http://192.168.1.1:8080

relevant parts of my httpd-ssl.conf file

<IfModule mod_proxy.c>    
    ProxyRequests Off   
    ProxyPass       /           http://192.168.1.1:82/
    ProxyPassReverse    /           http://192.168.1.1:82/
    ProxyPass           /piwik/ http://192.168.1.1:8080/
    ProxyPassReverse    /piwik/     http://192.168.1.1:8080/
    RewriteRule ^(.+)$ https://www.mydomainname.com/$1 [P,L]        
</IfModule>
<Proxy "http://192.168.1.1:8080">
    SetOutputFilter proxy-html
    ProxyHTMLEnable  on
    ProxyHTMLExtended on
    ProxyHTMLURLMap  http://192.168.1.1:8080 https://www.mydomainname.com/piwik/
</Proxy>

my piwik global.ini.php file is set to:

force_ssl = 0
assume_secure_protocol = 0
;proxy_host_headers[] = HTTP_X_FORWARDED_HOST ; List of proxy headers for host IP addresses

[proxy]
host =  ; Proxy host
port =  ; Proxy port

I tried host = 192.168.1.1; port = 8080; -- but it did not fix the issue.

@halfer commented on June 16th 2017

I'm Dockerising my Piwik install presently, and am getting the same. I use Apache in the host and in the guest. Here's the Apache config in the host:

Listen 9998
Listen 9999

<VirtualHost *:9998>
        ServerName myserver.example.com

        ProxyPass / http://127.0.0.1:8082/
        ProxyPassReverse / http://127.0.0.1:8082/
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost *:9999>
        ServerName myserver.example.com

        ProxyPass / http://127.0.0.1:8082/
        ProxyPassReverse / http://127.0.0.1:8082/

        SSLCertificateFile /etc/letsencrypt/live/myserver.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/myserver.example.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
</IfModule>

This results in a broken logo URL of:

http://172.17.0.4/plugins/Morpheus/images/logo.svg

That IP address is the internal IP of the container, accessible only to the host. I expect I can write a mod_proxy rule to resolve it, but it feels better to fix it at the Piwik end, to make things more "plug and play". What do the core team think?

@halfer commented on June 16th 2017

Could be a duplicate of:

The last one says it is resolved by #9145, but that sounds like a different issue.

@halfer commented on June 16th 2017

I've managed to work around it, by enabling the proxy_html module. On Ubuntu:

a2enmod proxy_html

then add this config to the vhost:

SetOutputFilter proxy-html
ProxyHTMLURLMap http://172.17.0.4/ /
@courtens commented on June 17th 2017

halfer, have you tried calling it over a SSL connection? For me - that is what is breaking (not working). Over a non-SSL connection it works, but I would like to use SSL connection.

@halfer commented on June 18th 2017

@courtens: my configuration presently is: SSL on the host, proxying to the container via plaintext. After adding the two lines above, the logo.svg thing stops causing a mixed content error, and renders the logo fine.

However my work has paused there. My live instance is running v2.17.x but my Piwik Docker build (pointing to the same database) contains 3.x, and as a result I get the database upgrade screen. I think my next step is to do a manual upgrade on live, and then I can play around with the containerised version to see if there are any problems.

What specifically is still not working for you? I've seen reports of several things not working - logo, sparkline graphs, and some other things I think. I've only experienced the logo so far, and I think I've now fixed that.

@courtens commented on June 18th 2017

@halfer I picked to use the "logo not working" as post titles (issue 1 in the first post) because it was simple to document -- other things require more words, but they are all related (see issue 2 and 3 in first post for the other things that are not woring.) I have to note that if I proxy over a non secure connection (proxy server to the world) Piwik works just fine. Piwik is only acting up over a SSL connection (proxy server to the world over SSL) and internal (proxy server to server using port 8080.)

@halfer commented on June 19th 2017

(@courtens: It would be ideal to swap out your hash marks in your comment just now, they link to very old bugs of the same numbers).

@halfer commented on June 19th 2017

I've not been able to replicate item (2).

Item (3) is also a problem for me, it's a JavaScript crash:

"Error: [$compile:tplrt] http://errors.angularjs.org/1.4.10/$compile/tplrt?p0=piwikMultisitesSite&p1=plugins%2FMultiSites%2Fangularjs%2Fsite%2Fsite.directive.html%3Fcb%3D3c01fb1e6eb6de5ed53bf97c40a1bdef
L/<<a class='mention' href='https://github.com/https'>@https</a>://piwik.example.com:9999/index.php?module=Proxy&action=getCoreJs&cb=3c01fb1e6eb6de5ed53bf97c40a1bdef:125:417
Vf/<<a class='mention' href='https://github.com/https'>@https</a>://piwik.example.com:9999/index.php?module=Proxy&action=getCoreJs&cb=3c01fb1e6eb6de5ed53bf97c40a1bdef:187:470
f/<<a class='mention' href='https://github.com/https'>@https</a>://piwik.example.com:9999/index.php?module=Proxy&action=getCoreJs&cb=3c01fb1e6eb6de5ed53bf97c40a1bdef:239:425
$eval<a class='mention' href='https://github.com/https'>@https</a>://piwik.example.com:9999/index.php?module=Proxy&action=getCoreJs&cb=3c01fb1e6eb6de5ed53bf97c40a1bdef:254:132
$digest<a class='mention' href='https://github.com/https'>@https</a>://piwik.example.com:9999/index.php?module=Proxy&action=getCoreJs&cb=3c01fb1e6eb6de5ed53bf97c40a1bdef:251:210
$apply<a class='mention' href='https://github.com/https'>@https</a>://piwik.example.com:9999/index.php?module=Proxy&action=getCoreJs&cb=3c01fb1e6eb6de5ed53bf97c40a1bdef:254:428
g<a class='mention' href='https://github.com/https'>@https</a>://piwik.example.com:9999/index.php?module=Proxy&action=getCoreJs&cb=3c01fb1e6eb6de5ed53bf97c40a1bdef:207:329
S<a class='mention' href='https://github.com/https'>@https</a>://piwik.example.com:9999/index.php?module=Proxy&action=getCoreJs&cb=3c01fb1e6eb6de5ed53bf97c40a1bdef:211:448
ag/</t.onload<a class='mention' href='https://github.com/https'>@https</a>://piwik.example.com:9999/index.php?module=Proxy&action=getCoreJs&cb=3c01fb1e6eb6de5ed53bf97c40a1bdef:212:465
"

See if you get the same, in your browser console? Mine is from latest FF 54/Mint Linux.

Edit: I have removed SetOutputFilter proxy-html from my earlier vhost config, and the problem goes away. Strangely I now don't seem to need the ProxyHTMLURLMap from three days ago - I added some proxy config and SSL forcing to config/config.ini.php, I wonder if either of these fixed it?

For the record they are:

; Uncomment line below if you use a standard proxy
proxy_client_headers[] = HTTP_X_FORWARDED_FOR
proxy_host_headers[] = HTTP_X_FORWARDED_HOST

; Assume TLS
assume_secure_protocol=1
@courtens commented on June 19th 2017

I am getting a long list of JS errors

SyntaxError: test for equality (==) mistyped as assignment (=)?[Learn More]  index.php:4:6159
...

looking at the code it must be due to a /*! jQuery v2.2.3 | (c) jQuery Foundation | jquery.org/license */ library call.

I am still getting the logo error:

GET https://www.mydomain.com/plugins/Morpheus/images/logo.svg [HTTP/1.1 404 Not Found 524ms]

I have Piwik in a sub-directory, and somehow the code is dropping this. Is there a place in the config file where one can specify the sub-directory to prevent this?

My config.ini.php file is set to (and I made sure that global.ini.php is set to the same)

[General]
assume_secure_protocol = 1
proxy_client_headers[] = HTTP_X_FORWARDED_FOR
proxy_host_headers[] = HTTP_X_FORWARDED_HOST
@halfer commented on June 19th 2017

@courtens I don't have any answers over and above my existing detail, as I'm not using subdirs myself. However the detail we have now both supplied may be helpful to devs wanting to repro the problem.

In the meantime, consider using a subdomain instead of a subdir. I appreciate it is not ideal to have to make such a change, but it may get you started again in the short term.

@courtens commented on June 19th 2017

@halfer ..... the problem using sub-domains is that it requires a more expensive SSL certificate. Just using www cost less.

@halfer commented on June 20th 2017

@courtens: you can use Let's Encrypt to get as many certs as you need, free of charge, and automatically renewed, for as long as you want.

@mattab commented on September 14th 2017 Owner

Update regarding this issue: a new pull request was submitted by @user121216 in https://github.com/piwik/piwik/pull/12011 and addresses this issue by 1) requiring the web server to set the header X-Forwarded-Uri with the folder where Piwik resides, and 2) add a new Piwik config setting proxy_uri_header so the forwarded_uri header is used to construct logo URLs.

-> if you could test and leave a comment here or on the PR that would be great? (and maybe also share what the apache config looks like to set this header).

Powered by GitHub Issue Mirror