isso: Admin login page does not honor `/isso/` in path during 302 redirect

Affected Versions / Setup

I am using Isso 0.12.2-2 on Debian 10 in the multi-site setup that it comes with. I am also using Sub-URI. Apache 2.4.38-3+deb10u3.

Abstract

When entering the admin menu, the /isso/ part of the URL is not honored and Isso redirects to a URL that does not exist, which yields an HTTP 404.

Reproduce

  1. I visit https://mydomain.com/isso/blog/admin and am prompted for the password.
    • This form correctly uses <form method="POST" action="https://mydomain.com/isso/blog/login"> (note: /isso/ is present)
  2. The POST is successful and is answered with an HTTP 302 with location: http://mydomain.com/blog/admin (note: /isso/ is missing from the path)
  3. My browser, following the redirect, gets an HTTP 404.

So the redirect is location: http://mydomain.com/blog/admin
but should be location: http://mydomain.com/isso/blog/admin

If I manually edit the URL in the browser address bar, I can see the admin menu and also use it. The URL remains “correct” AFAICS.

Configuration Files

/etc/isso.d/enabled/blog.cfg

[general]
dbpath = /var/lib/isso/blog.comments.db
name = blog
host =
    http://mydomain.com/
    https://mydomain.com/
notify = smtp

[server]
listen = http://localhost:8000/
public-endpoint = https://mydomain.com/isso/blog

[guard]
enabled = true
ratelimit = 2
direct-reply = 3

[smtp]
username = comments@mydomain.com
password = disbethemailpassword
host = mail.mymailserver.de
port = 587
security = starttls
to = me@mymailserver.de
from = comments@mydomain.com
timeout = 10


[admin]
enabled = true
password = disbeasecret

/etc/apache2/sites-enabled/blog.conf:

<VirtualHost *:443>
    ServerName mydomain.com

    DocumentRoot /var/www/blog

    <Directory "/var/www/blog">
        AllowOverride none
        Options none
        SetHandler default-handler
    </Directory>

    <Location "/isso">
        ProxyPass "http://localhost:8000"
        ProxyPassReverse "http://localhost:8000"
    </Location>

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

    Protocols h2 http/1.1

    Header always set Strict-Transport-Security "max-age=63072000"

    ErrorLog  ${APACHE_LOG_DIR}/mydomain.com.log

    ErrorDocument 404 /404.html
</VirtualHost>

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 2
  • Comments: 15 (6 by maintainers)

Most upvoted comments

With this, I can reproduce the issue (redirect):

   ProxyPreserveHost On
   ProxyPass /isso/ http://localhost:8080/
   ProxyPassReverse /isso/ http://localhost:8080/

With this instead, the issue no longer pops up:

   <Location "/isso">
       ProxyPass "http://localhost:8080"
       ProxyPassReverse "http://localhost:8080"
   </Location>

With ProxyPreserveHost turned off, the issue disappears.

Now for the Apache Docs:

When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line. This option should normally be turned Off. It is mostly useful in special configurations like proxied mass name-based virtual hosting, where the original Host header needs to be evaluated by the backend server.

So, by setting ProxyPass /isso/ and then also setting ProxyPreserveHost On, you’re directly contradicting yourself.

Phew, that was an annoying one to track down!
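The mechanism behind the comment above, as an added example that is not part of the original thread and not code from Isso or Apache: a small Python model of the two moving parts, a backend that builds an absolute redirect from the Host header it received and the prefix-stripped path it sees, and Apache's ProxyPassReverse, which only rewrites a Location header whose value starts with the configured backend URL. The hostnames, the /isso/ prefix, the localhost:8080 backend and the observed Location value are taken from the thread; the function names and the assumption that the backend uses the received Host header verbatim are mine.

```python
"""Why ProxyPreserveHost On breaks ProxyPassReverse for a sub-URI proxy.

Simplified model (added example, not Isso or mod_proxy code) of:
  * a backend that answers a login POST with an absolute Location built from
    the Host: header it received and the path after the /isso/ prefix was
    stripped by ProxyPass /isso/ http://localhost:8080/;
  * ProxyPassReverse, which rewrites Location only when the value begins with
    the configured backend URL and otherwise passes it through untouched.
"""
from urllib.parse import urlsplit, urlunsplit


def backend_redirect(host_header: str, backend_path: str) -> str:
    """Absolute Location a backend emits after a successful login POST.

    backend_path is what the backend sees after the proxy stripped /isso/,
    e.g. /blog/login; the redirect target is the sibling /admin page. The
    backend listens on plain HTTP and reuses whatever Host: it was given
    (assumption, consistent with the header observed in the thread).
    """
    target = backend_path.rsplit("/", 1)[0] + "/admin"
    return f"http://{host_header}{target}"


def proxy_pass_reverse(location: str, real: str, fake: str,
                       request_scheme: str, request_host: str) -> str:
    """Model of `ProxyPassReverse <fake> <real>` applied to one Location value.

    Prefix match against <real> (case-insensitive), substitute <fake>; a
    relative result is made absolute with the client's scheme and host.
    No match means the header goes to the client exactly as the backend sent it.
    """
    if location[:len(real)].lower() != real.lower():
        return location
    rewritten = fake + location[len(real):]
    if rewritten.startswith("/"):
        return urlunsplit((request_scheme, request_host, rewritten, "", ""))
    return rewritten


def login_redirect(preserve_host: bool, public_prefix: str = "/isso/",
                   backend: str = "http://localhost:8080/") -> str:
    """Location the browser receives for POST https://mydomain.com/isso/blog/login."""
    client_host = "mydomain.com"
    request_path = "/isso/blog/login"
    # ProxyPass /isso/ http://localhost:8080/ strips the prefix on the way in.
    backend_path = "/" + request_path[len(public_prefix):]
    # ProxyPreserveHost On forwards the client's Host:; Off sends the backend's.
    host_seen_by_backend = client_host if preserve_host else urlsplit(backend).netloc
    raw = backend_redirect(host_seen_by_backend, backend_path)
    return proxy_pass_reverse(raw, backend, public_prefix, "https", client_host)


def served_by_isso(location: str, public_prefix: str = "/isso/") -> bool:
    """True when the redirect target lies under the proxied prefix."""
    return urlsplit(location).path.startswith(public_prefix)


if __name__ == "__main__":
    for preserve in (True, False):
        loc = login_redirect(preserve)
        outcome = "reaches Isso" if served_by_isso(loc) else "404 from DocumentRoot"
        print(f"ProxyPreserveHost {'On ' if preserve else 'Off'}: {loc}  ->  {outcome}")
```

With ProxyPreserveHost On the backend sees Host: mydomain.com and emits http://mydomain.com/blog/admin, which does not start with http://localhost:8080/, so ProxyPassReverse leaves it alone and the browser lands outside the proxied prefix (the 404 from the thread). With it Off the backend emits http://localhost:8080/blog/admin, which does match and is rewritten to https://mydomain.com/isso/blog/admin.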