Nginx erroneously redirecting to https

aris · October 4, 2012, 12:08pm

I am running nginx+php-fpm on localhost for testing some stuff sites
before
uploading to a live server (which I have done with nginx in the past),
and
have run into the first issue which Google can’t seem to help me with:

I have decided to try three different forum softwares. They are
installed
under separate subdirectories within my web root (e.g.
/srv/www/localhost/html/{forum1,forum2,forum3}). On two of the forums,
however, whenver I try to use anything that requires a password, it
switches
from http to https, and on one of the forums, attempts to continue using
port 80. On the forum that it attempts to use port 80, I get the
following
error message:

----------code snippet----------
Secure Connection Failed

      An error occurred during a connection to localhost:80.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

The page you are trying to view cannot be shown because the
authenticity
of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Alternatively, use the command found in the help menu to report this
broken
site.
----------end code snippet----------

I do not have https or ssl configured within nginx or the vhost, nor any
ssl
certs.

Here is the vhost config file:
----------code snippet----------
server {
server_name localhost;
listen 80;
root /srv/www/localhost/html;
index index.php index.html index.htm;
ssi on;

    location ~ \.php$ {
            include /etc/nginx/fastcgi_params;
            fastcgi_index index.php;
            fastcgi_pass 127.0.0.1:9000;
    }

}
----------end code snippet----------

This very same configuration has worked fine on a live (online) server
(save
for the fact that I had to use a different server_name and root, for
obvious
reasons), and has never before produced any issues with ssl or switching
to
https, and I have used it with several other forums without it producing
this strange behavior.

In case it matters, the two forum softwares I am having issues with are
punbb and usebb. Punbb is the one that attempts https on port 80 and
produces the error. Usebb doesn’t attempt port 80 (it allows the browser
to
attempt port 443 as is default for https), which causes my browser to
not be
able to connect to the server since it’s not even configured for port
443.

The third forum I have installed (Vanilla) doesn’t attempt to use 443.
However, since 2/3 of the forum softwares are doing this, I have to
assume
that the issue is nginx, but I am a bit too stupid in the area of
servers to
be able to troubleshoot the issue on my own, and Google seems to think
that
I’m trying to use https instead of trying to avoid https (the latter is
the
case).

I would much appreciate some help.

(I apologize for being a bit sloppy with posting the code snippets, but
it
seems that bbcode is disabled (at least the code tage is), which I guess
I
should’ve expect when this is joined with a mailing list)

Posted at Nginx Forum:

casper_the_ghost · October 4, 2012, 1:00pm

Just coming back to post more specific info on my config (I’m usually
much
better about that):

OS: Debian 6.0 “Squeeze” with dotdeb repository (http://www.dotdeb.org/)
nginx: 1.2.4
PHP & php-fpm: 5.4.7

nginx.conf:
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
worker_connections 768;
# multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json

application/x-javascript text/xml application/xml application/xml+rss
text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

}

php-fpm.conf:
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;

; All relative paths in this configuration file are relative to PHP’s
install
; prefix (/usr). This prefix can be dynamicaly changed by using the
; ‘-p’ argument from the command line.

; Include one or more files. If glob(3) exists, it is used to include a
bunch of
; files from a glob(3) pattern. This directive can be used everywhere in
the
; file.
; Relative path can also be used. They will be prefixed by:
; - the global prefix if it’s been set (-p arguement)
; - /usr otherwise
;include=/etc/php5/fpm/*.conf

;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;

[global]
; Pid file
; Note: the default prefix is /var
; Default Value: none
pid = /var/run/php5-fpm.pid

; Error log file
; If it’s set to “syslog”, log is sent to syslogd instead of being
written
; in a local file.
; Note: the default prefix is /var
; Default Value: log/php-fpm.log
error_log = /var/log/php5-fpm.log

; syslog_facility is used to specify what type of program is logging the
; message. This lets syslogd specify that messages from different
facilities
; will be handled differently.
; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
; Default Value: daemon
;syslog.facility = daemon

; syslog_ident is prepended to every message. If you have multiple FPM
; instances running on the same server, you can change the default value
; which must suit common needs.
; Default Value: php-fpm
;syslog.ident = php-fpm

; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
;log_level = notice

; If this number of child processes exit with SIGSEGV or SIGBUS within
the
time
; interval set by emergency_restart_interval then FPM will restart. A
value
; of ‘0’ means ‘Off’.
; Default Value: 0
;emergency_restart_threshold = 0

; Interval of time used by emergency_restart_interval to determine when
; a graceful restart will be initiated. This can be useful to work
around
; accidental corruptions in an accelerator’s shared memory.
; Available Units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;emergency_restart_interval = 0

; Time limit for child processes to wait for a reaction on signals from
master.
; Available units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;process_control_timeout = 0

; The maximum number of processes FPM will fork. This has been design to
control
; the global number of processes when using dynamic PM within a lot of
pools.
; Use it with caution.
; Note: A value of 0 indicates no limit
; Default Value: 0
process.max = 4

; Specify the nice(2) priority to apply to the master process (only if
set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as
root
; - The pool process will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19

; Send FPM to background. Set to ‘no’ to keep FPM in foreground for
debugging.
; Default Value: yes
daemonize = yes

; Set open file descriptor rlimit for the master process.
; Default Value: system defined value
;rlimit_files = 1024

; Set max core size rlimit for the master process.
; Possible Values: ‘unlimited’ or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0

; Specify the event mechanism FPM will use. The following is available:
; - select (any POSIX os)
; - poll (any POSIX os)
; - epoll (linux >= 2.5.44)
; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
; - /dev/poll (Solaris >= 7)
; - port (Solaris >= 10)
; Default Value: not set (auto detection)
; events.mechanism = epoll

;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;

; Multiple pools of child processes may be started with different
listening
; ports and different management options. The name of the pool will be
; used in logs and stats. There is no limitation on the number of pools
which
; FPM can handle. Your system will tell you anyway

; To configure the pools it is recommended to have one .conf file per
; pool in the following directory:
include=/etc/php5/fpm/pool.d/*.conf

Posted at Nginx Forum:

casper_the_ghost · December 21, 2012, 5:06pm

Hi,

Sorry I reactivated old topic.
I’m facing the same issue like you.

My CMS base URL us set to HTTPS by default. With Apache the base URL is
HTTP
not HTTPS.

I’ve been struggling for this several days.

Please kindly help me.
I’m using CMS Made Simple.

Thanks

Posted at Nginx Forum:

casper_the_ghost · October 7, 2012, 3:43pm

Piki Wrote:

continue using port 80. On the forum that it attempts to use port 80,

Here is the vhost config file:
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000;
}
}
----------end code snippet----------

This issue seems to have fixed itself after I added the “ssl off;”
directive
(without quotes) to the above server block. After I restarted nginx, I
cleared out and reinstalled the affected forum software, and the issue
hasn’t reappeared yet, not even after clearing my browser cache,
rebooting
the computer, then revisiting the forums.

I though “ssl off;” was supposed to be the default if the ssl setting
isn’t
specified?

Posted at Nginx Forum:

casper_the_ghost · December 22, 2012, 6:00pm

Hi,

Thank you for your response.

Here is my Nginx conf:
user www-data;
pid /var/run/nginx.pid;

events {
multi_accept on;
worker_connections 1024;
}

http {
access_log off;
default_type application/octet-stream;
server_names_hash_bucket_size 64;
server_tokens off;
}

server {
listen 80;
server_name domain.tld;
access_log off;
error_log /home/userdirectory/http/logs/beta.crunchy.tk.log;
index index.html index.php;
root /home/userdirectory/http/hosts/beta.crunchy.tk;
}

Here is the output of curl -i http://domain.tld:
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Sat, 22 Dec 2012 16:57:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: CMSSESSIDddd38826=ce5tkr97o1gm2vj7kkumuevur5; path=/
Expires: Sat, 22 Dec 2012 19:57:20 GMT
Cache-Control: public, max-age=10800
Last-Modified: Sat, 10 Nov 2012 16:14:56 GMT
Location: https://domain.tld

As you can see the location is using https already.

What can you see from these information?

Thank you

Posted at Nginx Forum:

casper_the_ghost · December 21, 2012, 8:21pm

On Fri, Dec 21, 2012 at 11:05:54AM -0500, Gulaholic wrote:

Hi there,

My CMS base URL us set to HTTPS by default. With Apache the base URL is HTTP
not HTTPS.

What is your nginx.conf, at least the location{} block that handles the
request that does not act as you wish?

What is the output of “curl -i” of that problem request?

What output do you want to have for that request?

I’ve been struggling for this several days.

There are possibly many parts involved. Answers to the above questions
may give a hint as to what should be changed to make everything work as
you wish.

f

Francis D. [email protected]

casper_the_ghost · December 22, 2012, 6:05pm

On Sun, Dec 23, 2012 at 12:00 AM, Gulaholic [email protected]
wrote:

    worker_connections 1024;
server {
HTTP/1.1 302 Moved Temporarily

As you can see the location is using https already.

What can you see from these information?

Your php application caused this. You can trick it into thinking it’s
https by sending relevant headers or just check the application.

And I think you cut too much information from your config.

casper_the_ghost · December 22, 2012, 10:44pm

Hello.

You may try:

    SetEnv HTTPS on
    SetEnv Port 443

somewhere in your httpd.conf, if you are using apache backend, or:

    fastcgi_param HTTPS $https if_not_empty;

for fastcgi.

2012/12/22 Gulaholic [email protected]

casper_the_ghost · December 23, 2012, 12:10pm

On Sat, Dec 22, 2012 at 12:00:10PM -0500, Gulaholic wrote:

Hi there,

Here is my Nginx conf:

This isn’t complete, but there’s nothing there that indicates that nginx
is creating the https redirect.

It looks like the application wants to use https for some requests,
and you do not want to use https at all.

The cleanest way to achieve that, once you understand that you are
breaking the application’s security model, is to configure the
application
never to use https.

How to do that is a question for the application documentation, but
something like setting config[root_url] and config[ssl_url] to the same
string which starts http:// might be worth investigating.

f

Francis D. [email protected]

casper_the_ghost · December 27, 2012, 5:28pm

I’m starting to figure these all out.
I think there are problems with these files: function.cms_stylesheet.php
and
function.metadata.php. They are probably conflict with Nginx
configuration.

Does it has something to do with these:

if ($showbase)
{
$base = $config[‘root_url’];
if (isset($_SERVER[‘HTTPS’]) && strtolower($_SERVER[‘HTTPS’]) != ‘off’)
{
$base = $config[‘ssl_url’];
}

$result .= “\n<base href="”.$base.“/" />\n”;
}

if( $auto_https ) {
if (isset($_SERVER[‘HTTPS’]) && strtolower($_SERVER[‘HTTPS’]) != ‘off’)
{
$use_https = 1;
}
}

Why the script thinks Nginx configuration ($_SERVER['HTTPS) is on?
This is my big curiosity.

Posted at Nginx Forum:

casper_the_ghost · December 27, 2012, 5:32pm

Hi,

Where should I put this line?
fastcgi_param HTTPS $https if_not_empty;

Thank you
G

Posted at Nginx Forum:

casper_the_ghost · December 29, 2012, 3:27pm

On Thu, Dec 27, 2012 at 11:27:43AM -0500, Gulaholic wrote:

Hi there,

I’m starting to figure these all out.
I think there are problems with these files: function.cms_stylesheet.php and
function.metadata.php. They are probably conflict with Nginx configuration.

There’s not much nginx-specific here. It is pretty much all down to the
application, and how you want to deploy it.

The application seems to be built assuming that some pages will only
be accessed over https. You seem to want to run it without using https
at all.

This apparent conflict must be resolved by you.

If you decide that you want to run with https, then you configure things
one way. If you decide that you want to run the application without
https,
then you configure things another way.

The main difference from the nginx side is when you choose to send
“HTTPS on” to the application – if you choose to run without https,
then you probably want to lie to the application and always say “HTTPS
on”. Otherwise, you only send “HTTPS on” when you actually have an
ssl-enabled connection to the browser.

(Note: lying to the application about this strongly suggests that any
security problems that arise are your fault, not the application’s.)

Why the script thinks Nginx configuration ($_SERVER['HTTPS) is on?

In this case, it doesn’t. You’ve not read the correct part of the
application code correctly.

If you can describe what you want nginx to do, someone here may be able
to help you with the nginx configuration.

f

Francis D. [email protected]

Piki Wrote:

f

f

Does it has something to do with these:

$result .= “\n<base href="”.$base.“/" />\n”; }

if( $auto_https ) { if (isset($_SERVER[‘HTTPS’]) && strtolower($_SERVER[‘HTTPS’]) != ‘off’) { $use_https = 1; } }

f

$result .= “\n<base href="”.$base.“/" />\n”;
}

if( $auto_https ) {
if (isset($_SERVER[‘HTTPS’]) && strtolower($_SERVER[‘HTTPS’]) != ‘off’)
{
$use_https = 1;
}
}