
Issue Varnish SSL Redirect Loops

Scott.Mc

New Pleskian
I was looking into a problem with redirect loops when using Varnish inside a Docker instance and enabling "Permanent SEO-safe 301 redirect from HTTP to HTTPS".

The problem is that, as Varnish cannot communicate over HTTPS, it routes back over the HTTP port (7080), which simply has redirect rules and nothing more. In an effort to fix this I created,

/usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.php

To remove the ${HTTPS} off lines and also the return; so it still generates the vhost, as there isn't really a need for this to be in Apache anyway given nginx also handles the SSL redirect, so it should never reach this. This works relatively well, with the only problem being it cannot detect when it's over SSL (as the SERVER_PORT isn't set). Our mod_rpaf fork (GitHub - gnif/mod_rpaf: reverse proxy add forward module for Apache), which is the official active one nowadays, contains several fixes for this and will convert the SERVER_PORT based on the X_FORWARDED_PORT, so it is a solution around this.

The problem is that when this is enabled, as Plesk auto-generates a config for mod_rpaf using the old config syntax (the original developer of mod_rpaf requested we use underscores in the config names to separate), this will cause Apache syntax errors. So I created,

/usr/local/psa/admin/conf/templates/custom/server/rpaf.php with the following setup,

Code:
<IfModule <?php echo $OPT['mod'] ?>>
    RPAF_Enable            On
    RPAF_SetHostName        On
    RPAF_SetHTTPS        On
    RPAF_SetPort        On
    RPAF_ForbidIfNotProxy    Off
<?php for ($ipAddresses = $VAR->server->ipAddresses->all, $ipAddress = reset($ipAddresses); $ipAddress; $ipAddress = next($ipAddresses)): ?>
    RPAF_ProxyIPs <?php echo $ipAddress->escapedAddress ?><?php for ($n = 1; $n < $VAR->server->webserver->apache->vhostIpCapacity && $ipAddress = next($ipAddresses); $n++) { echo " {$ipAddress->escapedAddress}"; } ?>

<?php endfor; ?>

</IfModule>

So all is good and working well. It will convert the port if X_FORWARDED_PORT is set and in turn detect HTTPS is available.

The final issue is with the Docker extension: this generates the entries in the nginx config where we can't seem to be able to set the following X-Forwarded-Port headers.

As far as I can see this is done in domain/nginxDomainVirtualHost.php with "$VAR->domain->physicalHosting->nginxExtensionsConfigs" which produces,

Code:
location ~ ^/.* {
        proxy_pass http://0.0.0.0:65280;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
    }

We need to add the following 2 headers,

Code:
proxy_set_header        X-Forwarded-Port   443;
proxy_set_header        X-Forwarded-Proto  https;


So my questions are,

1) Do you know where we can adjust the template for the Docker-generated line above that nginxExtensionsConfigs produces? As far as I can see it's going to be in /usr/local/psa/admin/plib/modules/docker/ but these are encoded. Do these use templates somewhere that could be created/modified?

If this isn't template-based and cannot be modified, any suggestions to hook this? Could preg_replace in the template, but this isn't really ideal as it will also match other extensions that add nginx configs (such as WP Toolkit).

2) In relation to mod_rpaf, creating the template is fine, but is there a way to make sure this version gets compiled/built on updates? Does Plesk simply use the OS package (RPM in this case)? If so, what is the package name, or does it compile/expect the admin to compile? Just want to make sure this version is not removed during upgrades.

2.1) Would it be possible to look into getting Plesk configs replaced to use the new mod_rpaf syntax, as the version I linked to is the new official one?

4) For the rpaf template it generates the IPs, however it doesn't add the IP of the docker0 interface (172.17.x.x). Is there a setting currently for this in the API (we have it hard-coded for testing just now), since it's not contained in server->ipAddresses->all? Ironically, when I was looking this up I actually saw an article on the plesk.com blog (Varnish HTTP Cache plugin for Wordpress in a Docker container) that mentions not to use the HTTPS redirect as it will redirect loop.
 
We have resorted to editing nginx.conf manually:

location / {
    proxy_pass https://78.129.161.190:7081;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    access_log off;
}

and

location ~ ^/.* {
    proxy_pass http://0.0.0.0:32768;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
}

and add

SetEnvIf X-Forwarded-Proto https HTTPS=on

to .htaccess.

You will then need to lock nginx.conf to stop Plesk from nuking it the next time anything is saved.

It is a real pain.

Now all we need to crack is forcing traffic to HTTPS rather than HTTP, as it still seems to serve traffic on both.
 
Why isn't this fixed already?? @IgorG please just add proxy_set_header X-Forwarded-Proto $scheme; to the nginx config that the docker extension generates! It would fix issues with a lot of docker hosted projects (GitLab, OpenProject etc.)


In the meantime, for anybody else that is struggling with this:
Copy
/opt/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
to
/opt/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

and change line 77 to: (the line breaks are important)
PHP:
<?php echo str_replace("}

#extension docker end",'proxy_set_header X-Forwarded-Proto $scheme; } #extension docker end', $VAR->domain->physicalHosting->nginxExtensionsConfigs); ?>

Yes, I know it's a dirty workaround and it can potentially break stuff if other extensions add nginx directives.
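
A narrower form of the workaround above, as an added example that is not part of the thread and not Plesk's own code: it edits only the Docker extension's segment and leaves the config untouched when the header is already set. The "#extension docker begin" marker and the second segment's name are assumptions; only the "end" marker appears in the thread.

```php
<?php
// Added example, not Plesk code.
// Assumption: the Docker extension's fragment sits between
// "#extension docker begin" and "#extension docker end".
// A closure is used instead of a named function so the template can be
// included once per domain without a redeclaration error.
$addForwardedProto = function (string $extConfigs): string {
    $header  = 'proxy_set_header X-Forwarded-Proto $scheme;';
    $segment = '/(#extension docker begin)(.*?)(#extension docker end)/s';

    $out = preg_replace_callback($segment, function (array $m) use ($header): string {
        // Idempotent: skip a segment that already sets the header.
        if (preg_match('/proxy_set_header\s+X-Forwarded-Proto\b/', $m[2])) {
            return $m[0];
        }
        // Add the header after each proxy_pass line, reusing its indentation.
        $body = preg_replace(
            '/^([ \t]*)proxy_pass\s[^;]*;[ \t]*$/m',
            '$0' . "\n" . '$1' . $header,
            $m[2]
        ) ?? $m[2];
        return $m[1] . $body . $m[3];
    }, $extConfigs);

    return $out ?? $extConfigs; // on a regex error, emit the config unchanged
};

// Constructed sample: a Docker segment plus another extension's segment
// (the second marker name is made up for the demo).
$sample = <<<'NGINX'
#extension docker begin
location ~ ^/.* {
    proxy_pass http://0.0.0.0:32768;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
}

#extension docker end
#extension other begin
location /other/ {
    proxy_pass http://127.0.0.1:9000;
}
#extension other end
NGINX;

$once = $addForwardedProto($sample);
echo $once, "\n";
// A second pass must not change the text, and "other" is never edited.
var_dump($addForwardedProto($once) === $once);
```

In the custom template, the closure would be defined above the existing echo, which then becomes `<?php echo $addForwardedProto($VAR->domain->physicalHosting->nginxExtensionsConfigs); ?>`.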
 
Why isn't this fixed already?? @IgorG please just add proxy_set_header X-Forwarded-Proto $scheme; to the nginx config that the docker extension generates! It would fix issues with a lot of docker hosted projects (GitLab, OpenProject etc.)
Please submit a detailed report here Reports and I will forward it to developers for investigation.
 
Thank you Very MUCH for sharing this @TobiasP !

Ubuntu


Copy

- /opt/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php

to

- /opt/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

CentOS

Copy

- /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php

to

- /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

and edit "~/custom/domain/nginxDomainVirtualHost.php" as explained above.

Please note the ~/conf/templates/custom/domain/ directory may not exist on your server. Then you will have to create the path. Files within this directory will override the default template files.

Eg -

~/conf/templates/default/domain/nginxDomainVirtualHost.php

Will be overridden by

~/conf/templates/custom/domain/nginxDomainVirtualHost.php

EDIT - If you are using Plesk "IP Address Banning" and "Web Application Firewall", add 172.17.0.1/16 as Trusted IPs in "IP Address Banning".
 
This customization may not be required anymore.

It seems the Plesk team has fixed this in,

Plesk Onyx 17.8.11 Update #58

Having this customization will take you back to 'Redirect Loops'.

In that case, please delete the file (Depending on your OS),

/opt/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

or

- /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

and reconfigure your domain.
 