Limesurvey behind reverse proxy

Plus d'informations
il y a 2 mois 2 semaines #171979 par cadguru
cadguru a créé le sujet : Limesurvey behind reverse proxy
Hi there,

as this is my first posting please be patient :-)

I ran limesurvey 3.6.2 behind a reverse proxy with ssl offload (haproxy). It ran for around 3 months (not really sure, the version would be a good indicator).
I had to modify the SSL certificate on the reverse proxy (I was not able to connect to the json api) and now the system stopped working. I had not touched the limesurvey installation at all as this was only related to the certificate.

Configuration as follows:
Client using SSL -> Router -> reverse proxy (haproxy) terminating the ssl connection and sending 301 to indicate that there is no http any more -> limesurvey server (without ssl)

I do not know why this happens right now but I think that the client connects the reverse proxy, is redirected to https and receives a redirect to http from limesurvey server -> endless loop

In my config.php I have (obscured domain name):
return array(
	'components' => array(
		'db' => ***,
 
		'log' => array(
			'routes' => array(
				'fileError' => array(
					'class' => 'CFileLogRoute',
					'levels' => 'warning, error',
					'except' => 'exception.CHttpException.404',
				),
			),
                ),
 
                // Enforce a certain URL base 
                'request' => array(
                    'hostInfo' => 'https://domain/'  
                ),
 
                // Uncomment the following line if you need table-based sessions
		// 'session' => array (
			// 'class' => 'application.core.web.DbHttpSession',
			// 'connectionID' => 'db',
			// 'sessionTableName' => '{{sessions}}',
    // ),
 
    'urlManager' => array(
      'urlFormat' => 'path',
      'rules' => array(
        // You can add your own rules here
      ),
      'showScriptName' => true,
    ),
 
  ),
  // For security issue : it's better to set runtimePath out of web access
  // Directory must be readable and writable by the webuser
  // 'runtimePath'=>'/var/limesurvey/runtime/'
 
 
  // Use the following config variable to set modified optional settings copied from config-defaults.php
  'config'=>array(
  // debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
  // then please check your error-logs - either in your hosting provider admin panel or in some /logs directory
  // on your webspace.
  // LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates
    'debug'=>0,
    'debugsql'=>0, // Set this to 1 to enanble sql logging, only active when debug = 2
    'enableLdap'=>true,
 
 
    // Update default LimeSurvey config here
    'sitename' => 'Our LimeSurvey',
    'RPCInterface' => 'json',
    //'publicurl' => 'https://domain/',
    //'homeurl' =>  'https://domain/admin',
 
 
	)
);

I found some issues about this but nothing had helped.

Any help is really appreciated

Kind regards

Sebastian

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines #171989 par jelo
jelo a répondu au sujet : Limesurvey behind reverse proxy
1. Can you access LimeSurvey via browser as a user/login and e.g. create a survey.
If not, what is the error message in the browser. Test a few.
2. What webserver is used?
3. What does "modify the certificate" means?

I still try to understand the purpose of the whole setup. You want to take load of the limesurvey server with putting TLS transport encryption on a reverse proxy.

4. Check LimeSurvey setting "Force HTTPS"
This is set by default to "Don't force on/off".
manual.limesurvey.org/Global_settings/de#Security
What setting is currently used?

Are you a student conducting a survey? If yes, tell me why you use LimeSurvey?
www.limesurvey.org/forum/development/116...y-you-use-limesurvey

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines #171990 par cadguru
cadguru a répondu au sujet : Limesurvey behind reverse proxy
Hi jelo,

1. no , currently I cannot access LimeSurvey via browser. The message says: "Redirection error - The site redirects the request in a manner that cannot be finished" (translated from german).
2. Apache2 2.4
3. Everything worked with the reverse proxy and ssl but when I tried to access the remote api via the mentioned JSON RPC client I got several error messages which indicates that there is a problem with the certificates (return error value: 21 cannot check first certificate). To resolve the problem I had to integrate the intermediate certificate into the pem file on the reverse proxy. Before this I had a working LimeSurvey where the last modification was to enable the remote API.
The reason for this setup is that I have only one official IP but want to serve several sites and services (Moodle, Mahara, Nextcloud, QueXF, BigBlueButton, ...). Therefore I put them on different servers and set a reverse proxy in front to distribute the traffic. Additionally I can add a new server or service, add it to the reverse proxy and get a tested SSL implementation.
4. Because I cannot access the site at the moment I can only look into the config file and there I see 'neither'.

Thanks in advance

Sebastian

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines #171991 par DenisChenu
DenisChenu a répondu au sujet : Limesurvey behind reverse proxy
Try to remove
'request' => array(
                    'hostInfo' => 'https://domain/'  
                ),

LS (Yii) get this hostinfo by current one.


Did you have access to DB ? Since some config are get from db.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happen ? Before make a new topic : remind the Debug mode .

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines #171993 par cadguru
cadguru a répondu au sujet : Limesurvey behind reverse proxy
Hi DenisChenu,

I just removed the 'request' entry but no difference and yes, I have access to DB.

Tia

Sebastian

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines #172002 par DenisChenu
DenisChenu a répondu au sujet : Limesurvey behind reverse proxy
OK, search on DB force_ssl and set it to neither.

See if you can log in.

Maybe there are an issue about cookieParams : domain or secure only or something like this. But it's really difficult to help like this, because only the sysadmin know all of this.

Else :

The reason for this setup is that I have only one official IP but want to serve several sites and services (Moodle, Mahara, Nextcloud, QueXF, BigBlueButton, ...)

I have only one IP, and i really don't need proxy …
See en.wikipedia.org/wiki/Server_Name_Indication

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happen ? Before make a new topic : remind the Debug mode .

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines #172012 par cadguru
cadguru a répondu au sujet : Limesurvey behind reverse proxy
Hi DenisChenu,

I changed the setting from off to neither but no difference. I also looked for cookieParams but did not find any reference to it.

Which sysadmin do you mean?

I know about SNI but if you try to run Nextcloud, Limesurvey, Moodle, Mahara, ... for more than 100 users each on only one server you will not be very happy...

Tia

Sebastian

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines #172024 par DenisChenu
DenisChenu a répondu au sujet : Limesurvey behind reverse proxy
sysadmin : you maybe ;)

About cookie param : manual.limesurvey.org/Optional_settings#Session_settings
But whole can be set for a specific system.

Here , i don't know what cookieParam you need to keep the session. Only sysadmin can answer to this.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happen ? Before make a new topic : remind the Debug mode .

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines #172026 par cadguru
cadguru a répondu au sujet : Limesurvey behind reverse proxy
Hi DenisChenu,

as I am the administrator of these servers I am afraid that I am the only one for this position :-)
I am not sure if the cookies are the problem at the moment. I have no tool to check the real communication but I think that LimeSurvey get the request as http, forces https, gets the "new" request once again as http...

It would be great if LimeSurvey could just answer the request without modifying the protocol...

tia

Sebastian

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines #172031 par DenisChenu
DenisChenu a répondu au sujet : Limesurvey behind reverse proxy

cadguru écrit: It would be great if LimeSurvey could just answer the request without modifying the protocol...

This is the reason i ask you to set neither …

With neither : receive http, send http … receive https : send https.

Maybe your proxy update the protocol …

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happen ? Before make a new topic : remind the Debug mode .

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines #172034 par cadguru
cadguru a répondu au sujet : Limesurvey behind reverse proxy
Hi DenisChenu,

yes, my proxy updates the protocol (that is one of its duties). But LimeSurvey seems to update the protocol once again.

tia

Sebastian

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines - il y a 2 mois 2 semaines #172040 par DenisChenu
DenisChenu a répondu au sujet : Limesurvey behind reverse proxy

cadguru écrit: But LimeSurvey seems to update the protocol once again.

With neither : LimeSurvey didn't update the protocol it receive.

BUT :
Mabe you call your proxie with https,
proxy call LS with http
LimeSurvey answer with http …

Maybe try
'session' => array (
            'sessionName' => "LimeSurveyByProxi",
            'cookieParams' => array(
                'secure' => true, // use SSL for cookies
                'httponly' => true // Cookies may not be used by other protocols - experimental
                'domain' => '.example.org',
            ),
        ),
        'request' => array(
            'hostInfo' => 'https://www.example.org/'  
        ),

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happen ? Before make a new topic : remind the Debug mode .
Dernière édition: il y a 2 mois 2 semaines par DenisChenu.

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines - il y a 2 mois 2 semaines #172089 par cadguru
cadguru a répondu au sujet : Limesurvey behind reverse proxy
Hi DenisChenu,

I checked your suggestions but nothing changed. Now I switched off the protocol modification to check if the system is working at all. I found that LimeSurvey do not work at all.

If I open
http://survey.domain.org
I get a response from
https://survey.domain.org
and the response shows "400 Bad request".

Do you have any hints on debugging this?

Kind regards

Sebastian
Dernière édition: il y a 2 mois 2 semaines par cadguru.

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 2 semaines #172096 par DenisChenu
DenisChenu a répondu au sujet : Limesurvey behind reverse proxy
Remove the 'hostInfo' => ' www.example.org/ ' part
And all other specific config.

By default : LimeSurvey work out of the box , but your config need some specific settings.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happen ? Before make a new topic : remind the Debug mode .

Connexion ou Créer un compte pour participer à la conversation.

Plus d'informations
il y a 2 mois 1 semaine #172324 par cadguru
cadguru a répondu au sujet : Limesurvey behind reverse proxy
Hi DenisChenu,

I found that there was a problem with the config of the reverse proxy (which triggered the loop only on the reverse proxy). That was the reason why I did not find any hints in the LimeSurvey protocol.

Thanks for your support...

Sebastian

Connexion ou Créer un compte pour participer à la conversation.

Commencez dès maintenant !

Créez simplement un compte et commencez à utiliser LimeSurvey dès aujourd'hui.

Inscrivez-vous maintenant

Inscrivez-vous à notre Newsletter!