Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

Limesurvey behind reverse proxy

  • cadguru
  • cadguru's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
5 years 7 months ago #171979 by cadguru
Limesurvey behind reverse proxy was created by cadguru
Hi there,

as this is my first posting please be patient :-)

I ran limesurvey 3.6.2 behind a reverse proxy with ssl offload (haproxy). It ran for around 3 months (not really sure, the version would be a good indicator).
I had to modify the SSL certificate on the reverse proxy (I was not able to connect to the json api) and now the system stopped working. I had not touched the limesurvey installation at all as this was only related to the certificate.

Configuration as follows:
Client using SSL -> Router -> reverse proxy (haproxy) terminating the ssl connection and sending 301 to indicate that there is no http any more -> limesurvey server (without ssl)

I do not know why this happens right now but I think that the client connects the reverse proxy, is redirected to https and receives a redirect to http from limesurvey server -> endless loop

In my config.php I have (obscured domain name):
Code:
return array(
  'components' => array(
    'db' => ***,
 
    'log' => array(
      'routes' => array(
        'fileError' => array(
          'class' => 'CFileLogRoute',
          'levels' => 'warning, error',
          'except' => 'exception.CHttpException.404',
        ),
      ),
                ),
 
                // Enforce a certain URL base 
                'request' => array(
                    'hostInfo' => 'https://domain/'  
                ),
 
                // Uncomment the following line if you need table-based sessions
    // 'session' => array (
      // 'class' => 'application.core.web.DbHttpSession',
      // 'connectionID' => 'db',
      // 'sessionTableName' => '{{sessions}}',
    // ),
 
    'urlManager' => array(
      'urlFormat' => 'path',
      'rules' => array(
        // You can add your own rules here
      ),
      'showScriptName' => true,
    ),
 
  ),
  // For security issue : it's better to set runtimePath out of web access
  // Directory must be readable and writable by the webuser
  // 'runtimePath'=>'/var/limesurvey/runtime/'
 
 
  // Use the following config variable to set modified optional settings copied from config-defaults.php
  'config'=>array(
  // debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
  // then please check your error-logs - either in your hosting provider admin panel or in some /logs directory
  // on your webspace.
  // LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates
    'debug'=>0,
    'debugsql'=>0, // Set this to 1 to enanble sql logging, only active when debug = 2
    'enableLdap'=>true,
 
 
    // Update default LimeSurvey config here
    'sitename' => 'Our LimeSurvey',
    'RPCInterface' => 'json',
    //'publicurl' => 'https://domain/',
    //'homeurl' =>  'https://domain/admin',
 
 
  )
);

I found some issues about this but nothing had helped.

Any help is really appreciated

Kind regards

Sebastian
The topic has been locked.
More
5 years 7 months ago #171989 by jelo
Replied by jelo on topic Limesurvey behind reverse proxy
1. Can you access LimeSurvey via browser as a user/login and e.g. create a survey.
If not, what is the error message in the browser. Test a few.
2. What webserver is used?
3. What does "modify the certificate" means?

I still try to understand the purpose of the whole setup. You want to take load of the limesurvey server with putting TLS transport encryption on a reverse proxy.

4. Check LimeSurvey setting "Force HTTPS"
This is set by default to "Don't force on/off".
manual.limesurvey.org/Global_settings/de#Security
What setting is currently used?

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The topic has been locked.
  • cadguru
  • cadguru's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
5 years 7 months ago #171990 by cadguru
Replied by cadguru on topic Limesurvey behind reverse proxy
Hi jelo,

1. no , currently I cannot access LimeSurvey via browser. The message says: "Redirection error - The site redirects the request in a manner that cannot be finished" (translated from german).
2. Apache2 2.4
3. Everything worked with the reverse proxy and ssl but when I tried to access the remote api via the mentioned JSON RPC client I got several error messages which indicates that there is a problem with the certificates (return error value: 21 cannot check first certificate). To resolve the problem I had to integrate the intermediate certificate into the pem file on the reverse proxy. Before this I had a working LimeSurvey where the last modification was to enable the remote API.
The reason for this setup is that I have only one official IP but want to serve several sites and services (Moodle, Mahara, Nextcloud, QueXF, BigBlueButton, ...). Therefore I put them on different servers and set a reverse proxy in front to distribute the traffic. Additionally I can add a new server or service, add it to the reverse proxy and get a tested SSL implementation.
4. Because I cannot access the site at the moment I can only look into the config file and there I see 'neither'.

Thanks in advance

Sebastian
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
5 years 7 months ago #171991 by DenisChenu
Replied by DenisChenu on topic Limesurvey behind reverse proxy
Try to remove
Code:
'request' => array(
                    'hostInfo' => 'https://domain/'  
                ),

LS (Yii) get this hostinfo by current one.


Did you have access to DB ? Since some config are get from db.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The topic has been locked.
  • cadguru
  • cadguru's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
5 years 7 months ago #171993 by cadguru
Replied by cadguru on topic Limesurvey behind reverse proxy
Hi DenisChenu,

I just removed the 'request' entry but no difference and yes, I have access to DB.

Tia

Sebastian
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
5 years 7 months ago #172002 by DenisChenu
Replied by DenisChenu on topic Limesurvey behind reverse proxy
OK, search on DB force_ssl and set it to neither.

See if you can log in.

Maybe there are an issue about cookieParams : domain or secure only or something like this. But it's really difficult to help like this, because only the sysadmin know all of this.

Else :

The reason for this setup is that I have only one official IP but want to serve several sites and services (Moodle, Mahara, Nextcloud, QueXF, BigBlueButton, ...)

I have only one IP, and i really don't need proxy …
See en.wikipedia.org/wiki/Server_Name_Indication

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The topic has been locked.
  • cadguru
  • cadguru's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
5 years 7 months ago #172012 by cadguru
Replied by cadguru on topic Limesurvey behind reverse proxy
Hi DenisChenu,

I changed the setting from off to neither but no difference. I also looked for cookieParams but did not find any reference to it.

Which sysadmin do you mean?

I know about SNI but if you try to run Nextcloud, Limesurvey, Moodle, Mahara, ... for more than 100 users each on only one server you will not be very happy...

Tia

Sebastian
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
5 years 7 months ago #172024 by DenisChenu
Replied by DenisChenu on topic Limesurvey behind reverse proxy
sysadmin : you maybe ;)

About cookie param : manual.limesurvey.org/Optional_settings#Session_settings
But whole can be set for a specific system.

Here , i don't know what cookieParam you need to keep the session. Only sysadmin can answer to this.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The topic has been locked.
  • cadguru
  • cadguru's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
5 years 7 months ago #172026 by cadguru
Replied by cadguru on topic Limesurvey behind reverse proxy
Hi DenisChenu,

as I am the administrator of these servers I am afraid that I am the only one for this position :-)
I am not sure if the cookies are the problem at the moment. I have no tool to check the real communication but I think that LimeSurvey get the request as http, forces https, gets the "new" request once again as http...

It would be great if LimeSurvey could just answer the request without modifying the protocol...

tia

Sebastian
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
5 years 7 months ago #172031 by DenisChenu
Replied by DenisChenu on topic Limesurvey behind reverse proxy

cadguru wrote: It would be great if LimeSurvey could just answer the request without modifying the protocol...

This is the reason i ask you to set neither …

With neither : receive http, send http … receive https : send https.

Maybe your proxy update the protocol …

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The topic has been locked.
  • cadguru
  • cadguru's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
5 years 7 months ago #172034 by cadguru
Replied by cadguru on topic Limesurvey behind reverse proxy
Hi DenisChenu,

yes, my proxy updates the protocol (that is one of its duties). But LimeSurvey seems to update the protocol once again.

tia

Sebastian
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
5 years 7 months ago - 5 years 7 months ago #172040 by DenisChenu
Replied by DenisChenu on topic Limesurvey behind reverse proxy

cadguru wrote: But LimeSurvey seems to update the protocol once again.

With neither : LimeSurvey didn't update the protocol it receive.

BUT :
Mabe you call your proxie with https,
proxy call LS with http
LimeSurvey answer with http …

Maybe try
Code:
'session' => array (
            'sessionName' => "LimeSurveyByProxi",
            'cookieParams' => array(
                'secure' => true, // use SSL for cookies
                'httponly' => true // Cookies may not be used by other protocols - experimental
                'domain' => '.example.org',
            ),
        ),
        'request' => array(
            'hostInfo' => 'https://www.example.org/'  
        ),

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
Last edit: 5 years 7 months ago by DenisChenu.
The topic has been locked.

Lime-years ahead

Online-surveys for every purse and purpose