Describe the bug
Navigate to Catalog > Product. When I edit a product or create one, I'm redirected to /index.php/security/compromised with an invalid token message.
To Reproduce
Steps to reproduce the behavior:
How to resolve
Seems that if I add the line below in admin/index.php it works:
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
}
I think Prestashop doesn't use the HTTP_X_FORWARDED_PROTO and uses only HTTPS, which isn't sent by nginx.
Screenshots

Additional information
PrestaShop version: 1.7.6.1
PHP version: 5.6.40
Nginx
SSL activated
Edited by Khouloud: Improvement
PS can use multiple systems to check if it's under https or not. 90% of modern setups use a proxy; maybe it is a small improvement that can better handle the compatibility of the next release.
Hi @GuimDotCom,
Did you use an example of the Nginx config file following this link: https://github.com/PrestaShop/PrestaShop/blob/develop/docs/server_config/nginx.conf.dist?
Thanks!
I have the same problem after updating from 1.7.3 to 1.7.6.
ONLY when I click on the edit product link in the BO do I get the security alert
https://drive.google.com/file/d/1T3B7oceBAtdHUQlWyZhfhN1XJGsd508X/view
BTW everything functions great; my config is simple:
nginx 80 > redirect https
nginx https > proxy apache in http
Both of these settings in the nginx config file make no difference
#proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Proto $scheme;
Hi @GuimDotCom, @matteolavaggi,
I did not manage to reproduce the issue with Ps1.7.6.1.
https://drive.google.com/file/d/1B6bkjW_zS3hpspVYm-_kIhvuJ_f_ub15/view
Here's my server configuration

Here's my default configuration
default.conf.txt
Thanks!
The server config you pasted is for 1750; maybe it is not the one you use for 1.7.6.1? It has the /1750/ path.
I don't think it is a server-related issue, because this only happens on product edit, and it started after the 1.7.6.1 update for me (there is no problem on 1.7.3 and 1.7.4).
This is the url link of product edit:
https://www.sixrace.it/admin638mhuhr8/index.php/sell/catalog/products/81807?_token=QNDcdHQ7r_JxGOQJRSyLwncXOq5kKYHTE8x71PQhgpo
And this is the one called:
https://www.sixrace.it/admin638mhuhr8/index.php/security/compromised?uri=http%253A%252F%252Fwww.sixrace.it%252Fadmin638mhuhr8%252Findex.php%252Fsell%252Fcatalog%252Fproducts%252F81807%253F&_token=YS3dBBWony7tcBbDmZhnV7hu9ZPWwBjOdGtImVDEdqg
Why uri=http instead of https?
@matteolavaggi, in your BO => Shop Parameters => General page, the "Enable SSL on all pages" option is enabled?

Thanks!
Yes the option is enabled, but the first switch is buggy on my installed version:
https://drive.google.com/file/d/1CEPkeTlZlljiwUwAqgolgPsBsu9F4gIm/view
btw web site is full https
@matteolavaggi, I need access to this screen recording.
Thanks!

Clicking on the test refreshes the page but the switches are not shown. BTW the site is full https, front and back
@GuimDotCom, so, in your case, in the BO => Shop Parameters => General => this option SSL is not enabled?
https://drive.google.com/file/d/1PNI1ev8Y36Y1pMEPpwtg_UGCi5pHo-jz/view
Thanks!
I think I've fixed the problem.
It is related to the way in which Prestashop and PHP check the connection type. I'm not an expert, but there are many ways to check this, many headers and many variables.
My nginx reverse proxy setup (nginx > apache) acts as an SSL proxy terminator and sets up a lot of variables to make everything work great, but they are not enough:

To enable the HTTPS variable I need to manually add it and force Apache to set it up in the .htaccess
SetEnvIf X-Forwarded-Proto "https" HTTPS=on
@matteolavaggi, Great!
Thanks for your feedback.
@GuimDotCom, any news?
Thanks!
This can also be done using mod_rpaf, but it seems that there is a bug in the last release that does not accept the config syntax.
@GuimDotCom, so, in your case, in the BO => Shop Parameters => General => this option SSL is not enabled?
https://drive.google.com/file/d/1PNI1ev8Y36Y1pMEPpwtg_UGCi5pHo-jz/view
Thanks!
The SSL option is enabled and there was no problem with https before the upgrade.
The conclusion of @matteolavaggi is what I said in my first post: it seems that since the last upgrade, Prestashop checks $_SERVER['https'] but nginx doesn't use/send this variable; nginx uses $_SERVER['HTTP_X_FORWARDED_PROTO'] instead.
@GuimDotCom, so it is a server issue.
In my case, I tried with PS1.7.6.1 & it is OK.
Thanks!
It is not a "server issue"; PS can use multiple systems to check if it's under https or not. 90% of modern setups use a proxy; maybe it is a small improvement that can better handle the compatibility of the next release.
@matteolavaggi, thanks for your feedback.
It is not a "server issue"; PS can use multiple systems to check if it's under https or not. 90% of modern setups use a proxy; maybe it is a small improvement that can better handle the compatibility of the next release.
Ping @PrestaShop/prestashop-product-team what do you think? Can we add this improvement?
Thanks!
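The two workarounds in this thread (the `admin/index.php` snippet and the `.htaccess` `SetEnvIf` line) both set HTTPS from X-Forwarded-Proto for every request. The sketch below is an added example, not PrestaShop code and not from any participant: it honours the header only when REMOTE_ADDR is the reverse proxy, so a header sent by any other peer is ignored. The function names, the proxy list and the sample requests are assumptions.

```php
<?php
// Added example, not PrestaShop code; PHP 5.6-compatible. All names are assumptions.
// ip_in_cidr(): true when $ip lies inside $cidr (IPv4/IPv6; bare address = exact match).
function ip_in_cidr($ip, $cidr)
{
    $parts  = explode('/', $cidr, 2);
    $addr   = @inet_pton($ip);
    $subnet = @inet_pton($parts[0]);
    if ($addr === false || $subnet === false || strlen($addr) !== strlen($subnet)) {
        return false; // unparsable address, or IPv4 compared with IPv6
    }
    $max = strlen($addr) * 8;
    if (isset($parts[1]) && (!ctype_digit($parts[1]) || (int) $parts[1] > $max)) {
        return false; // a malformed prefix length must never widen the match
    }
    $bits  = isset($parts[1]) ? (int) $parts[1] : $max;
    $bytes = $bits >> 3;
    $mask  = (0xFF << (8 - ($bits & 7))) & 0xFF; // mask for the partial byte, if any
    return substr($addr, 0, $bytes) === substr($subnet, 0, $bytes)
        && (($bits & 7) === 0 || (ord($addr[$bytes]) & $mask) === (ord($subnet[$bytes]) & $mask));
}

function request_is_https(array $server, array $trustedProxies)
{
    // TLS terminated by this web server: the SAPI sets HTTPS itself.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    foreach ($trustedProxies as $cidr) {
        // Honour the header only when the TCP peer is the trusted reverse proxy.
        if (ip_in_cidr($peer, $cidr) && isset($server['HTTP_X_FORWARDED_PROTO'])) {
            return strtolower(trim($server['HTTP_X_FORWARDED_PROTO'])) === 'https';
        }
    }
    return false;
}

// Constructed sample requests; 127.0.0.1 stands in for nginx on the same host.
$trusted = array('127.0.0.1', '10.0.0.0/8');
$cases = array(
    'trusted proxy, https' => array('REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'),
    'trusted proxy, http'  => array('REMOTE_ADDR' => '10.2.3.4', 'HTTP_X_FORWARDED_PROTO' => 'http'),
    'header, unknown peer' => array('REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'),
    'direct TLS'           => array('REMOTE_ADDR' => '203.0.113.9', 'HTTPS' => 'on'),
);
foreach ($cases as $label => $server) {
    printf("%-22s %s\n", $label, request_is_https($server, $trusted) ? 'https' : 'http');
}
```

The exact-match comparison assumes the proxy overwrites the header with a single value, as `proxy_set_header X-Forwarded-Proto $scheme;` does; a comma-separated chain from several proxies is treated as not HTTPS.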