EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #09568



Re: [EP-tech] Redirect loop


CAUTION: This e-mail originated outside the University of Southampton.

Hi again David,

 

I notice that I did not include the mailing list in my last reply, so I’m adding it back.

 

The whole motivation for moving to a docker container is that our security team detected http requests/responses in our eprints installation, and also apparently SSL requests that were not sufficiently secure. So we wanted to move to a platform where HTTP requests are not possible, and where the SSL proxying is managed in one place. Also, the docker swarm is our standard platform for deploying applications and putting them on their own snowflake VMs is deprecated.

 

I made a small change to the docker compose – where instead of the data volume containing all of /opt/eprints3, it just contains /opt/eprints3/archives, because in our case this is all that needs to persist on disk.

 

Anyway, I am really hoping to get eprints running on Docker so I hope I can figure out this redirect loop issue. It does not seem to be directly related to docker. And others (presumably not using docker) are having similar issues. Also I imagine that other people may want to provide their own SSL termination even if they are not running eprints in a container.

 

If you have any suggestions for troubleshooting this, I’ll appreciate it. Maybe I will try looking at the contents of the cookies as discussed in the Shibboleth thread.

 

Thanks again

Dan

 

From: David R Newman <drn@ecs.soton.ac.uk>
Date: Tuesday, January 23, 2024 at 2:12 PM
To: Tenenbaum, Dan <dtenenba@fredhutch.org>
Subject: Re: [EP-tech] Redirect loop

Hi Dan,

That could well be 3.4.5 if you have only just set this up. I would generally advise against using the Docker container unless you want to spin up a trial instance to demo/test, as modifying the configuration in the Docker container will be a lot trickier (than installing directly on Linux) because the Docker compose file was really only written with demoing/testing in mind. The Docker compose file could be improved to make post-install configuration more feasible but I suspect that would take quite a lot of effort.

I am not sufficiently knowledgeable about how Traefik proxy manages cookies, although I could believe the issue may be another change in 3.4.5 that only generates the eprints_session or secure_eprints_session cookie depending on whether the request is HTTP or HTTPS. I suspect that the proxy converting HTTPS requests to HTTP may create a problem with cookies. Therefore, a further test you could do is just to set up Traefik to be an HTTP to HTTP proxy rather than HTTPS to HTTP. If this fixes the error message you are seeing in Firefox, then unfortunately I cannot think of any straightforward way to get the Docker container working sat behind an HTTPS to HTTP Traefik proxy.

Regards

David Newman

On 23/01/2024 9:24 pm, Tenenbaum, Dan wrote:


Hi David,

 

Thank you for the helpful reply.

 

I downloaded the tarball from https://files.eprints.org/2454/ so I guess I am running 3.4.x. How do I find out the full version number?

 

My installation is a bit of a mishmash – my overall goal is to port an older installation (running on an Ubuntu VM) to a Docker container, as I mentioned, running in our swarm. So I am using a copy of an existing database and I moved config files over from the old installation. So this is not a vanilla installation and I probably introduced some problem given that I am new to eprints.

 

I did try your suggestion and I am running Eprints without the proxy. When I click on Login now, I get the login page without errors.

 

I am not using Shibboleth authentication. I did see that thread though and thought it could be valuable.

 

I should also mention that when I run inside the traefik proxy, Firefox gives this error:

 

“The page isn’t redirecting properly

 

An error occurred during a connection to xxxx.xxx.org.

 

    This problem can sometimes be caused by disabling or refusing to accept cookies.”

 

So this makes me wonder if something is going on with cookies. Do you have any suggestions for troubleshooting this?

 

I am pretty sure that all requests from Traefik come in as HTTP requests. We also have Traefik configured to redirect all HTTP requests to HTTPS requests so it’s not possible to make an HTTP request directly against any containerized app in the swarm. But as I said, the applications in the swarm see all incoming requests as HTTP requests.

 

Given this, do you have any advice on how I should set up my 10_core.pl file? I’ve tried various combinations according to https://wiki.eprints.org/w/Simplified_HTTPS_Configuration and that hasn’t helped.

 

 

Thanks again,

Dan

 

 

 

From: David R Newman <drn@ecs.soton.ac.uk>
Date: Tuesday, January 23, 2024 at 12:56 PM
To: eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk>, Tenenbaum, Dan <dtenenba@fredhutch.org>
Subject: Re: [EP-tech] Redirect loop


 

Hi Dan,

Are you talking about one of the Docker containers discussed in https://wiki.eprints.org/w/Installing_EPrints_using_Docker?

Looking at the Docker compose file, this is running Apache but only on HTTP. Therefore there should be no HTTP to HTTPS redirect loop issues. I would advise configuring your Traefik proxy to rewrite HTTPS requests to HTTP. If it does that it should all work, as all the requests sent through to the container should be HTTP and there is nothing in the container itself to redirect to HTTPS. However, I have not tested this, so I would advise testing the Docker container image without running it through a proxy and seeing that you do not get redirect loops with this. If you do, the issue will be something other than an HTTP to HTTPS redirect issue.

It would also be useful to know which version of EPrints you are running as there have been some recent changes to how cookies work (in EPrints 3.4.5+), which could be the reason behind your issue.  Although you are presumably not using Shibboleth authentication, this thread may be relevant to your redirect issues:

https://www.eprints.org/eptech/msg09544.html

Regards

David Newman

On 23/01/2024 7:24 pm, Tenenbaum, Dan wrote:


Hello,

 

I am having what sounds like the identical problem described here:

 

https://www.eprints.org/eptech/msg09475.html

 

And I see there is a solution proposed here:

 

https://www.eprints.org/eptech/msg09476.html

 

(I just subscribed to this list, otherwise I would reply to the relevant emails)

 

But I am not sure the above solution will work for me, as I am not using Apache to handle HTTPS/SSL. I am running Eprints in a Docker Container in a Docker Swarm, and using Traefik to terminate SSL connections for all apps in the swarm.

 

Any ideas on how I can resolve the seemingly endless redirects (a URL redirecting to itself with a 302 code) whenever I try and go to any URL that starts with /cgi/users? I can’t move forward with my deployment until this is resolved as users cannot log in.

 

Thanks!

 

Dan Tenenbaum

Cloud/HPC Systems Engineer

Scientific Computing / FHCC IT

Fred Hutchinson Cancer Center

Pronouns: He/him

 

 

*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/
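
One way to check the cookie hypothesis raised in this thread is to record the response headers of each hop and analyse them offline. The following is an added example, not code from the posts or from EPrints: the hostname, port and cookie values are constructed, and the rule that HTTPS requests get `secure_eprints_session` while HTTP requests get `eprints_session` is the thread's unconfirmed suspicion, treated here as an assumption.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed sample hops (request URL, status, response headers), as might be
# transcribed from `curl -sv` output. Host and cookie values are made up.
LOOPING = [
    ("https://repo.example.org/cgi/users/home", 302, [
        ("Location", "/cgi/users/home"),
        ("Set-Cookie", "eprints_session=0123abcd; path=/"),
    ]),
]
DIRECT = [("http://localhost:8080/cgi/users/home", 200, [])]


def analyse(hops):
    """Return (kind, detail) findings for a recorded chain of responses."""
    findings, visited = [], set()
    for url, status, headers in hops:
        visited.add(url)
        https = urlsplit(url).scheme == "https"
        for name, value in headers:
            if name.lower() == "location" and 300 <= status < 400:
                target = urljoin(url, value)  # resolve a relative Location
                if target == url:
                    findings.append(("self-redirect", f"{status} {url}"))
                elif target in visited:
                    findings.append(("redirect-cycle", target))
            elif name.lower() == "set-cookie" and https:
                jar = SimpleCookie()
                jar.load(value)
                for cname, morsel in jar.items():
                    # A cookie issued on an HTTPS hop should carry Secure.
                    if not morsel["secure"]:
                        findings.append(("cookie-missing-Secure", cname))
                    # Assumption from the thread: HTTPS requests should get
                    # secure_eprints_session, plain HTTP gets eprints_session.
                    if cname == "eprints_session":
                        findings.append(("http-cookie-on-https-hop", cname))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(LOOPING):
        print(f"{kind}: {detail}")
```

A plain `eprints_session` cookie on a hop the browser reached over HTTPS is consistent with the backend having seen the proxied request as HTTP.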