isso: Admin login page does not honor `/isso/` in path during 302 redirect
Affected Versions / Setup
I am using Isso 0.12.2-2 on Debian 10 in the multi-site setup that it comes with. I am also using Sub-URI. Apache 2.4.38-3+deb10u3
Abstract
When entering the admin menu the `/isso/` part of the URL is not honored and isso redirects to a URL that does not exist, which yields an HTTP code 404.
Reproduce
- I visit https://mydomain.com/isso/blog/admin and I am prompted for the password.
  - This form correctly uses `<form method="POST" action="https://mydomain.com/isso/blog/login">` (note: `/isso/` is present)
- The POST is successful and is answered by a HTTP code 302 with `location: http://mydomain.com/blog/admin` (note: `/isso/` is missing from the path)
- my browser following the redirect gets HTTP code 404

So the redirect is `location: http://mydomain.com/blog/admin` but should be `location: http://mydomain.com/isso/blog/admin`
If I manually edit the URL in the browser address bar, I can see the admin menu and also use it. The URL remains “correct” AFAICS.
Configuration Files
/etc/isso.d/enabled/blog.cfg
```ini
[general]
dbpath = /var/lib/isso/blog.comments.db
name = blog
host =
    http://mydomain.com/
    https://mydomain.com/
notify = smtp

[server]
listen = http://localhost:8000/
public-endpoint = https://mydomain.com/isso/blog

[guard]
enabled = true
ratelimit = 2
direct-reply = 3

[smtp]
username = comments@mydomain.com
password = disbethemailpassword
host = mail.mymailserver.de
port = 587
security = starttls
to = me@mymailserver.de
from = comments@mydomain.com
timeout = 10

[admin]
enabled = true
password = disbeasecret
```
/etc/apache2/sites-enables/blog.conf:
```apache
<VirtualHost *:443>
    ServerName mydomain.com
    DocumentRoot /var/www/blog
    <Directory "/var/www/blog">
        AllowOverride none
        Options none
        SetHandler default-handler
    </Directory>
    <Location "/isso">
        ProxyPass "http://localhost:8000"
        ProxyPassReverse "http://localhost:8000"
    </Location>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=63072000"
    ErrorLog ${APACHE_LOG_DIR}/mydomain.com.log
    ErrorDocument 404 /404.html
</VirtualHost>
```
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 2
- Comments: 15 (6 by maintainers)
With this, I can reproduce the issue (redirect):
With this instead, the issue no longer pops up:
With `ProxyPreserveHost` turned off, the issue disappears.

Now for the Apache Docs:

So, by setting `ProxyPass /isso/` and then also setting `ProxyPreserveHost On`, you’re directly contradicting yourself.

Phew, that was an annoying one to track down!
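
An added illustration of the mismatch discussed in this thread (not code from Isso, Apache or any commenter): a simplified Python model of `ProxyPassReverse` prefix matching, plus a check that a redirect stays under the configured `public-endpoint`. The function names are hypothetical, the hostnames and paths are the ones quoted in the issue, and the backend is assumed to build its redirect from the `Host` header it receives.

```python
from urllib.parse import urlsplit

# Values taken from the configuration quoted in the issue.
PUBLIC_ENDPOINT = "https://mydomain.com/isso/blog"  # [server] public-endpoint
PUBLIC_ORIGIN = "https://mydomain.com"              # vhost on *:443
MOUNT = "/isso"                                     # <Location "/isso">
BACKEND = "http://localhost:8000"                   # ProxyPass / ProxyPassReverse target


def backend_redirect(host_header, path="/blog/admin"):
    # Assumption: the backend builds an absolute redirect from the Host
    # header it receives and knows nothing about the /isso mount point.
    return f"http://{host_header}{path}"


def proxy_pass_reverse(location):
    # Simplified model: the Location header is rewritten only when it
    # starts with the backend URL; anything else passes through untouched.
    if location.lower().startswith(BACKEND.lower()):
        return PUBLIC_ORIGIN + MOUNT + location[len(BACKEND):]
    return location


def location_sent_to_browser(preserve_host):
    # ProxyPreserveHost On forwards the client's Host header to the backend;
    # Off sends the backend's own host:port instead.
    host = "mydomain.com" if preserve_host else "localhost:8000"
    return proxy_pass_reverse(backend_redirect(host))


def under_public_endpoint(location):
    # Smoke-test check: same scheme, same host, path below the endpoint.
    want, got = urlsplit(PUBLIC_ENDPOINT), urlsplit(location)
    base = want.path.rstrip("/")
    same_origin = (got.scheme, got.netloc.lower()) == (want.scheme, want.netloc.lower())
    return same_origin and (got.path == base or got.path.startswith(base + "/"))


if __name__ == "__main__":
    for preserve in (True, False):
        loc = location_sent_to_browser(preserve)
        print(f"ProxyPreserveHost {'On' if preserve else 'Off'}: {loc} "
              f"ok={under_public_endpoint(loc)}")
```

Because the check compares the scheme as well as the path, it also flags the `http://` downgrade visible in the reported `location:` header.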