After reading http://sourceforge.net/p/phpmyadmin/bugs/4120/, I can confirm that I am able to replicate this tracking the stable branch in Git. I'm using Nginx on HTTP only, with Pound providing HTTPS in front of Nginx. Pound sends the "X-Forwarded-For=https" header. I have Nginx sending HTTPS=on (as a fastcgi_param) to PHP-FPM when X-Forwarded-For=https is set. Despite this, upon logging in, I am redirected to https://hostname.domain.tld:80/subfolder/index.php?token=abcdef1234567890. If I turn off Pound and use SSL natively in Nginx, the problem does not occur.
Relevant Nginx config:
map $http_x_forwarded_proto $fastcgi_https {
    default $https;
    http    '';
    https   on;
}
...
location /dbadmin {
    if ($fastcgi_https != "on") {
        # This redirect will occur before auth_basic kicks in
        return 301 https://$host$request_uri;
    }
    auth_basic "Please enter your ID and password";
    auth_basic_user_file conf.d/htpasswd;
    alias /usr/local/share/phpMyAdmin;
    index index.php;
    location ~ /dbadmin/(.*\.php)$ {
        include fastcgi_params;
        fastcgi_pass php_www;
        # $document_root comes from "alias" above, $1 from the parenthesis above
        fastcgi_param SCRIPT_FILENAME $document_root/$1;
    }
}
My first thought was that I was logging in with https://domain.tld/dbadmin/ and not https://domain.tld/dbadmin/index.php and the fastcgi_param HTTPS $fastcgi_https if_not_empty; value from fastcgi_params was not being sent because of the URI not containing .php, but the problem persists if I log in with /index.php.
Here is the Pound config, sanitized for sharing:
User    "pound"
Group   "pound"
Control "/var/lib/pound/pound.cfg"

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pki/tls/certs/keyandallcerts.pem"
    HeadRemove "X-Forwarded-Proto"
    AddHeader  "X-Forwarded-Proto: https"

    # Apache/Nginx
    Service
        BackEnd
            Address 127.0.0.1
            Port    80
        End
    End
End
As you can see, all it's doing is adding X-Forwarded-Proto. Note that Pound, by default, also sends X-Forwarded-For and some other headers but it shouldn't necessarily be relevant here.
phpMyAdmin's config.inc.php is only modified to use an alternate socket path instead of 127.0.0.1:3306.
PHP definitely sees that HTTPS=on due to the Nginx logic adding it via fastcgi_params, but I suspect this is somehow due to how PMA detects the URL. This is resolved by setting $cfg['PmaAbsoluteUri'] to "https://domain.tld/dbadmin/", but it would be nice if phpMyAdmin could handle X-Forwarded-Proto as it's pretty common for scenarios where HTTPS can't be run on the web server.
For what it's worth, if I remove the ":80" from the post-login URL, I am able to log in just fine. The session initiates alright and everything, PMA just incorrectly guesses the wrong port number.
Perhaps some logic added to libraries/Config.class.php, applied if the X-Forwarded-Proto=https header/value is found, would take care of it; something like the following but for setting the port number?:
Last edit: alanthing 2014-12-05
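As an added illustration of the detection logic the report asks for (example code, not phpMyAdmin's own), this derives the scheme and public port used for the post-login redirect, honouring X-Forwarded-Proto only when the request arrived from a listed proxy such as the Pound instance above. The function names and $trustedProxies are hypothetical, and X-Forwarded-Port is assumed to be optional (Pound above does not send it).

```php
<?php
// Added example, not phpMyAdmin code: pick scheme and public port for the
// redirect. With the Nginx map above PHP already sees HTTPS=on, but
// SERVER_PORT is the backend's 80, which is what produces the ":80" URL.

function pma_detect_scheme_and_port(array $server, array $trustedProxies)
{
    $https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    $port  = isset($server['SERVER_PORT']) ? (int) $server['SERVER_PORT'] : 80;

    // Only believe the proxy header when the TCP peer is a proxy we configured
    // ($trustedProxies is a hypothetical setting); otherwise any client could
    // claim "https" and influence where the redirect points.
    $fromProxy = isset($server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true);

    if ($fromProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO']));
        if ($proto === 'https') {
            $https = true;
            // The backend port is the proxy's view, not the client's. Use the
            // public port if the proxy reports it, else the HTTPS default.
            $port = isset($server['HTTP_X_FORWARDED_PORT'])
                ? (int) $server['HTTP_X_FORWARDED_PORT']
                : 443;
        }
    }

    return array('scheme' => $https ? 'https' : 'http', 'port' => $port);
}

function pma_absolute_uri(array $server, array $trustedProxies, $path)
{
    $d = pma_detect_scheme_and_port($server, $trustedProxies);
    $host = preg_replace('/:\d+$/', '', $server['HTTP_HOST']); // drop any port
    $default = ($d['scheme'] === 'https') ? 443 : 80;
    $portPart = ($d['port'] === $default) ? '' : ':' . $d['port'];
    return $d['scheme'] . '://' . $host . $portPart . $path;
}

// Constructed request, shaped like what the Nginx config above hands to PHP-FPM.
$server = array(
    'HTTPS'                  => 'on',
    'SERVER_PORT'            => '80',
    'HTTP_HOST'              => 'hostname.domain.tld',
    'REMOTE_ADDR'            => '127.0.0.1',
    'HTTP_X_FORWARDED_PROTO' => 'https',
);
echo pma_absolute_uri($server, array('127.0.0.1'), '/dbadmin/index.php'), "\n";
```

Passing an empty $trustedProxies list makes the function ignore the header and fall back to SERVER_PORT, which reproduces the ":80" URL from the report.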