Problems setting up managed HTTPS on AWS


(Freddie Haddad) #1

From the admin area of Discourse, I enabled https. After I did that, I’m no longer able to log in. Is there a way to disable https again?

I tried to run ./discourse-setup and ./launcher rebuild app; neither one worked.


(Kane York) #2

To turn it off, you can do this:

./launcher enter app
rails c
SiteSetting.force_https = false

If you set up https correctly, it should just work without touching that setting.


(Freddie Haddad) #3

OMG, thank you!! That worked perfectly…

Now regarding this part… I’m hosting the site on AWS using an EC2 instance. I registered the domain name w/ Route 53 (Amazon), and am using CloudFront for HTTPS. It’s all working so long as I DON’T enable HTTPS inside the Discourse settings.

The reason I went down this path is because previews are not working when the user is creating a post.


(Joshua Rosenfeld) #4

Keep in mind that not forcing HTTPS in Discourse settings has been the cause of issues in the past. A quick search should find some of those discussions. I’d encourage you to dig into the issue (HTTPS failing if forced in Discourse) further to save yourself from potential issues later.


(Kane York) #5

Make sure the proxy is providing X-Forwarded-Proto: https so Discourse knows the site is supposed to be HTTPS.


(Freddie Haddad) #6

Would you mind elaborating on this? Is this a Discourse setting or something on AWS side?


(Kane York) #7

So I’m going to guess the problem with login is a redirect loop or similar due to mismatched ideas of what’s HTTPS.

Rails recognizes the header and takes it as a signal to generate https links to the site.

Check your ELB CloudFront? settings to see if you can have them add that header to the requests.


(Freddie Haddad) #8

Originally posted in Using Cloudflare for HTTPS, empty preview pane in edit page


@pokapow I’m having this problem also. Using

  • Amazon EC2 host
  • Domain registered with Route 53
  • CloudFront for HTTPS
    • Behavior set to: Redirect HTTP to HTTPS

Everything seems to be working using SSL so long as I don’t enable force https inside Discourse. Previews not working when typing messages.


(Freddie Haddad) #9

Thanks for the help so far, I went into CloudFront and added the following…

…but that didn’t work. I also tried adding Forwarded: proto=https per … and https://tools.ietf.org/html/rfc7239


(Kane York) #10

Can you post a link to your site?


(Freddie Haddad) #11

Sure: www.sunrisepoint.org. Happy to send you an invite if you would like to poke around.


(Kane York) #12

Do you have a devtools log of what happens when you try to log in with force_https enabled?


(Freddie Haddad) #13

I turned force https back on and opened a private Firefox browser session. When logging in, I see:

JavaScript console does not display any error messages. The only error message I see is the mixed active content one from the browser that’s blocking the markdown addon, and the URL shows http://www.sunrisepoint… instead of https.

In /var/discourse/shared/standalone/log/var-log/nginx/access.log:

...
[19/Sep/2017:00:10:22 +0000] "www.sunrisepoint.org" 205.251.202.70 "GET /assets/fontawesome-webfont-2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe.woff2?http://www.sunrisepoint.org&2&v=4.7.0 HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 77524 "https://www.sunrisepoint.org/login" - 0.000 "-"
[19/Sep/2017:00:10:22 +0000] "www.sunrisepoint.org" 205.251.202.70 "GET /login.html?_=1505779821749 HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "static/show" 200 667 "https://www.sunrisepoint.org/login" 0.018 0.018 "-"
[19/Sep/2017:00:10:22 +0000] "www.sunrisepoint.org" 205.251.202.70 "GET /uploads/default/original/1X/fe02fcc17ea5d559b5943be895025ae76ec12fe2.png HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 12106 "-" - 0.000 "-"
[19/Sep/2017:00:10:26 +0000] "www.sunrisepoint.org" 205.251.202.70 "POST /message-bus/a9b3e95e570044a888f4096f9bd5d502/poll HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 510 "https://www.sunrisepoint.org/admin/site_settings/category/security" 25.006 25.006 "-"
[19/Sep/2017:00:10:27 +0000] "www.sunrisepoint.org" 205.251.202.70 "GET /session/csrf?_=1505779821750 HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "session/csrf" 200 610 "https://www.sunrisepoint.org/login" 0.006 0.006 "-"
[19/Sep/2017:00:10:27 +0000] "www.sunrisepoint.org" 205.251.202.70 "POST /session HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 403 361 "https://www.sunrisepoint.org/login" 0.006 0.006 "-"
[19/Sep/2017:00:10:47 +0000] "www.sunrisepoint.org" 205.251.202.70 "POST /message-bus/2c3388849d96426f9c64dc33637d9ef7/poll HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 710 "https://www.sunrisepoint.org/login" 25.002 25.002 "-"
[19/Sep/2017:00:10:51 +0000] "www.sunrisepoint.org" 205.251.202.70 "POST /message-bus/a9b3e95e570044a888f4096f9bd5d502/poll HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 510 "https://www.sunrisepoint.org/admin/site_settings/category/security" 25.010 25.010 "-"
[19/Sep/2017:00:11:12 +0000] "www.sunrisepoint.org" 205.251.202.70 "POST /message-bus/2c3388849d96426f9c64dc33637d9ef7/poll HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 505 "https://www.sunrisepoint.org/login" 25.002 25.002 "-"
[19/Sep/2017:00:11:16 +0000] "www.sunrisepoint.org" 205.251.202.70 "POST /message-bus/a9b3e95e570044a888f4096f9bd5d502/poll HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 510 "https://www.sunrisepoint.org/admin/site_settings/category/security" 25.006 25.006 "-"
[19/Sep/2017:00:11:21 +0000] "www.sunrisepoint.org" 205.251.214.103 "POST /message-bus/68d0f6a5f7c94810bda5d2b19d85af2f/poll?dlp=t HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.18 Safari/537.36" "-" 200 484 "https://www.sunrisepoint.org/login" 0.002 0.002 "-"
[19/Sep/2017:00:11:38 +0000] "www.sunrisepoint.org" 205.251.202.70 "POST /message-bus/2c3388849d96426f9c64dc33637d9ef7/poll HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 505 "https://www.sunrisepoint.org/login" 25.002 25.002 "-"
[19/Sep/2017:00:12:03 +0000] "www.sunrisepoint.org" 205.251.202.70 "POST /message-bus/2c3388849d96426f9c64dc33637d9ef7/poll HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 505 "https://www.sunrisepoint.org/login" 25.002 25.002 "-"
[19/Sep/2017:00:12:07 +0000] "www.sunrisepoint.org" 205.251.202.70 "POST /message-bus/a9b3e95e570044a888f4096f9bd5d502/poll HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 510 "https://www.sunrisepoint.org/admin/site_settings/category/security" 25.017 25.017 "-"
[19/Sep/2017:00:12:22 +0000] "www.sunrisepoint.org" 205.251.214.103 "POST /message-bus/68d0f6a5f7c94810bda5d2b19d85af2f/poll?dlp=t HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.18 Safari/537.36" "-" 200 484 "https://www.sunrisepoint.org/login" 0.002 0.002 "-"
[19/Sep/2017:00:12:28 +0000] "www.sunrisepoint.org" 205.251.202.70 "POST /message-bus/2c3388849d96426f9c64dc33637d9ef7/poll HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 510 "https://www.sunrisepoint.org/login" 25.002 25.002 "-"
[19/Sep/2017:00:12:42 +0000] "www.sunrisepoint.org" 205.251.202.70 "POST /message-bus/a9b3e95e570044a888f4096f9bd5d502/poll?dlp=t HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 484 "https://www.sunrisepoint.org/admin/site_settings/category/security" 0.017 0.017 "-"
[19/Sep/2017:00:12:53 +0000] "www.sunrisepoint.org" 205.251.202.70 "POST /message-bus/2c3388849d96426f9c64dc33637d9ef7/poll HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" 200 505 "https://www.sunrisepoint.org/login" 25.002 25.002 "-"
...

(Kane York) #14

That’s odd - the POST /session replied to with a 403? When I input garbage (user ab pass cd) I got a 200 with {error: "Invalid username or password."}. The only 403s I see in the code are a SSO failure and CSRF failure.

But I wanted the browser Developer Tools, because that captures the response.

Edit: I’m still getting 200+error for garbage credentials. Are you sure the account’s allowed to log in?


(Freddie Haddad) #15

Yes, I was logged in w/ that account when I turned on force https.

I’m not sure if this is what you’re referring to:

reflow: 0.26ms function ie.event.fix, ember_jquery-a8dcbd325e04410f036f2a791d66d8316c48c5387acdd914de99a5dd6afb3cd3.js line 2
GET XHR Sunrise Point [HTTP/2.0 200 OK 79ms]
POST XHR Sunrise Point [HTTP/2.0 403 Forbidden 64ms] reflow: 0.27ms
POST XHR https://www.sunrisepoint.org/message-bus/2c3388849d96426f9c64dc33637d9ef7/poll [HTTP/2.0 200 OK]

This is the output after attempting to log in. I can expand the details, but it pastes really messy.


(Kane York) #16

Specifically, the headers and response body for the 403.


(Freddie Haddad) #17

With force https enabled and attempting to log in w/ the admin account, here is part of the 403. Not sure if there’s a cleaner way to provide that output.

I marked in bold two lines that stand out to me.

POST XHR Sunrise Point [HTTP/2.0 403 Forbidden 75ms]

Response Headers
Content-Type: text/plain; charset=utf-8
Date: Tue, 19 Sep 2017 00:34:24 GMT
Server: nginx
Via: 1.1 e07e2d5f2d026d31ffb267fe09e7913e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: moXXXXXXXXXXXrz-uhXXXXXXXXXX3w==
X-Cache: Error from cloudfront
X-Content-Type-Options: nosniff
X-Firefox-Spdy: h2
X-XSS-Protection: 1; mode=block
x-frame-options: SAMEORIGIN
x-request-id: 92b391ff-1294-4292-b34d-aaba221a7ed8
x-runtime: 0.005356

Request Headers
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 78
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: destination_url=http%3A%2F%2Fwww.sunrisepoint.org%2F
DNT: 1
Discourse-Visible: true
Host: www.sunrisepoint.org
Referer: Sunrise Point
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
X-CSRF-Token: XXXXXXXXXXXXXX==
X-Requested-With: XMLHttpRequest

Response (JSON)
0: "BAD CSRF"


(Kane York) #18

Okay, I’m stumped as to why setting force_https would cause a CSRF error. I’m going to need help from someone else solving this.
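The Ruby model below is an added example, not code from Discourse, Rails or Rack. It is here to make concrete what Kane means by "mismatched ideas of what's HTTPS" (#5 and #7) and to show one mechanism, consistent with the 403 capture in #17, by which that mismatch can surface as BAD CSRF rather than as a redirect loop. It assumes two simplified framework behaviours: the request scheme is taken from X-Forwarded-Proto when the proxy supplies it and from the raw socket otherwise, and a cookie flagged Secure is not written on a request the app believes arrived over plain HTTP. Note that the captured POST /session request carries only a destination_url cookie and no session cookie; if the session cookie (which is where the CSRF token lives) was flagged Secure because force_https was on, and CloudFront forwarded plain HTTP to the origin without X-Forwarded-Proto, the origin would never have set it, and every later XHR POST would fail the CSRF check. That reading is an inference from the capture, not something the thread confirms. The host name and the env hashes are constructed for the example.

```ruby
# Added example, not code from Discourse, Rails or Rack. Models how a Rack/Rails
# app behind a TLS-terminating proxy decides whether a request is HTTPS, and what
# that decision does to (a) the scheme of the links it generates and (b) a
# session cookie flagged Secure. Header precedence and the cookie rule are
# assumptions about framework behaviour, kept deliberately simple.

# env is a Rack-style hash describing the request as the origin server sees it.
def request_scheme(env)
  # TLS terminated on the app server itself.
  return "https" if env["HTTPS"] == "on"
  # Hint from an upstream proxy; the first value wins if several were appended.
  forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s
  return forwarded.split(",").first.strip.downcase unless forwarded.empty?
  # No hint at all: fall back to how the socket was actually reached.
  env.fetch("rack.url_scheme", "http")
end

def ssl?(env)
  request_scheme(env) == "https"
end

# Assumption (simplified from Rails): a cookie marked Secure is only written
# when the framework believes the request itself arrived over TLS.
def write_cookie?(env, secure:)
  ssl?(env) || !secure
end

# One request through the app. force_https stands in for Discourse's site
# setting in the sense that it marks the session cookie Secure; it does not
# change what the app sees on the wire.
def handle_request(env, force_https:)
  host = env.fetch("HTTP_HOST")
  seen = request_scheme(env)
  {
    scheme_seen: seen,
    # Links are generated from what the app believes the request scheme is;
    # "http" here is what produces the mixed-content warnings in the browser.
    base_url: "#{seen}://#{host}",
    # A session cookie that is never set means the CSRF token never persists,
    # so the next XHR POST cannot present a token the server can match.
    session_cookie_set: write_cookie?(env, secure: force_https),
  }
end

# Constructed request as a TLS-terminating proxy forwards it to the origin:
# plain HTTP on the wire, with or without the X-Forwarded-Proto hint.
def proxied_request(proxy_adds_header:)
  env = {
    "HTTP_HOST" => "forum.example",     # made-up host
    "PATH_INFO" => "/session",
    "rack.url_scheme" => "http",
  }
  env["HTTP_X_FORWARDED_PROTO"] = "https" if proxy_adds_header
  env
end

if __FILE__ == $0
  [false, true].each do |header|
    r = handle_request(proxied_request(proxy_adds_header: header), force_https: true)
    puts "X-Forwarded-Proto #{header ? 'present' : 'missing'}: " \
         "app sees #{r[:scheme_seen]}, links use #{r[:base_url]}, " \
         "session cookie set? #{r[:session_cookie_set]}"
  end
end
```

Running it prints both cases: without the header the app sees http, generates http links and never sets the Secure session cookie; with it, everything lines up. The check to make on the real deployment is the one Kane asked for: confirm at the origin that the header actually arrives (for example by adding $http_x_forwarded_proto to the nginx log_format and watching access.log during a login), then retest with force_https on. Trusting X-Forwarded-Proto only makes sense when the origin accepts traffic solely from the proxy; if the EC2 security group lets the world reach the container directly, anyone can send that header and have the app treat a plain-HTTP request as HTTPS.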


(Freddie Haddad) #19

HA! Imagine me. I had to look up CSRF. I understand what it is, but have no clue what’s causing that to take place. I’m almost wondering if it’s better to use Digital Ocean and just buy an SSL certificate.

Anyway, I learned a lot just walking through this process with you, so thank you for that! 🙂


(Rafael dos Santos Silva) #20

Why don’t you use the supported Let’s Encrypt setup, which is free?