I got some time at work, so I was working on getting our dev instance of RT working on Nginx in stead of apache. So far it works fine and the performance also seems to be better, I just got one issue where I’m not able to track it down:
If I open the login page via https and login, I get redirected to the main RT page with http and port 443. If I correct this manually, everything afterwards seems to work fine again.
After doing a TCPDump between nginx and the fcgi-server I belive that the issue is the RT itself. here the interesting part:
I already checked the configuration table in the database, its empty. and for the RT_SiteConfig, I also noticed no error here. I have already tried around here a little (of course with clearing the cache and restarting the fcgi-server and nginx every time), but for now it wasnt working.
Even setting $WebPort to some nonsense like 4433 doesnt result in a change.
Any Ideas how to track the problem down?
/edit: fixed the formatting for the tcpdump snippet
Nginx listens on 443. Also if I manually fix the problem in the browser manually, I can continue working via https just fine.
The configuration shows port 4433 like set in the RT_SiteConfig.pm. I just changed the port from 443 to this for testing, but the returned port is the same.
/edit: of course RT_SiteConfig.pm in stead of RT_Site_Config.pm
Just checked again, RT_SiteConfig.pm. the Site_Config was just a typo.
/edit: Just noticed that the System Configuration has shown me WebURL as “http://rt-dev.marcant.loc:4433”, but since that was not what is delivered after login, it doesnt seem to be the issue. Also changing this via RT_SiteConfig.pm to “https://rt-dev.marcant.loc” made no difference.
I’ve done the tcpdump on localhost port 9000, so I only sniffed the communication between fcgi and nginx. Thats the reason why I was assuming that nginx isnt the problem here.
Hi, I believe we are seeing the same (or related at least) issue. We’re using RT 4.4.4 and this week ‘all of a sudden’ we are getting browser security errors when submitting any kind of form (comments/replies, advanced search, login), with the responses from RT after a POST pointing to http instead of https. The POSTs themselves appear to correctly be https, and it’s possible the error is a recent behavioral change in Chrome that didn’t exist prior to last week. My coworkers have confirmed they don’t get the security error using Firefox, however this behaviour from RT appears to be incorrect anyway if it’s trying to redirect to HTTP after a POST.
Our WebBaseURL is pointing to https.
Let me know if you need more info, or if you think I should submit this as a new separate issue.
Just tested with an older build of chromium and do not see the error there,
Version 83.0.4103.116 (Developer Build) built on Debian 10.4, running on Debian 10.6 (64-bit)
Hmm… If you have root access to the RT-Server, you could make a tcpdump in order to see what the RT sends to the browser.
Right now I see two possible problems here:
The new Chrome does something strange or has a bug
The RT gives out wrong data and the new Chrome version “just” lacks the auto correction for this in the new version.
Just tried. Sounds useful for https only, but sadly hasnt solved the problem.
If you want to test nginx on a new server, this is the tcpdump command I used to sniff the traffic between Nginx and FCGI, including the transmitted html commands: tcpdump -i lo -A 'port 9000'
I think it’s actually a third option, or at last a modification of the second - RT is returning the wrong data, sending a 301 to HTTP despite the base url being HTTPS and the current client protocol also being HTTPS, but this being an error is only a very recent behaviour change in Chrome, so they’re both causing this together but what Chrome is doing isn’t actually wrong. The correct fix would be to find out why RT is changing protocols contrary to explicit config and client request and change its behaviour so it uses the right protocol at all times.
Side note - getting the Chrome team to consider this a bug and backtrack on the change is going to be beyond impossible this is no doubt a very intentional and deliberate security hardening change
We’re using apache on the RT host and nginx to proxy to it, we are also passing the x-forwarded-for and x-forwarded-proto headers to apache+rt from nginx