Redirect loop or SSL error

Babbles · July 26, 2018, 1:19am

If I enter all the URL address (http://mysite.com:8065) of my Mattermost site directly, I can use Mattermost normally. I want to make HTTPS connection but I can not use it.

First of all, I ignored Mattermost and confirmed the HTTPS connection at index.html on the site. Neither problem.
http://mysite.com/index.html -> OK
https://mysite.com/index.html -> OK
*Of course, redirect from http to https is also OK.

Next using Mattermost. Direct input URL.
https://mysite.com:8065

Firefox:

An error occurred while connecting to mysite.com:8065. SSL received a record that exceeded the maximum permissible length. error code: SSL_ERROR_RX_RECORD_TOO_LONG

Because we could not verify the authenticity of the received data, we could not display this page.
Please contact the website administrator for this issue.

Chrome:

ERR_SSL_PROTOCOL_ERROR

Next I set proxy_pass at the location of nginx.

location {
...
   proxy_pass http://localhost:8065;
}

In this case, it falls into a (redirect) loop.

location {
...
   proxy_pass https://localhost:8065;
}

In this case, the above SSL error.

I run ‘sudo -u mattermost /opt/mattermost/bin/mattermost’ and it seems that no errors are displayed even if I look at the situation.

my config.json:

“ServiceSettings”: {
“SiteURL”: “http://mysite:com”,
“WebsocketURL”: “”,
“LicenseFileLocation”: “”,
“ListenAddress”: “:8065”,
“ConnectionSecurity”: “”,
“TLSCertFile”: “”,
“TLSKeyFile”: “”,
“UseLetsEncrypt”: false,
“LetsEncryptCertificateCacheFile”: “./config/letsencrypt.cache”,
“Forward80To443”: false,
“ReadTimeout”: 300,
“WriteTimeout”: 300,
“MaximumLoginAttempts”: 10,
“GoroutineHealthThreshold”: -1,
“GoogleDeveloperKey”: “”,
“EnableOAuthServiceProvider”: false,
“EnableIncomingWebhooks”: true,
“EnableOutgoingWebhooks”: true,
“EnableCommands”: true,
“EnableOnlyAdminIntegrations”: true,
“EnablePostUsernameOverride”: false,
“EnablePostIconOverride”: false,
“EnableLinkPreviews”: false,
“EnableTesting”: false,
“EnableDeveloper”: false,
“EnableSecurityFixAlert”: true,
“EnableInsecureOutgoingConnections”: false,
“AllowedUntrustedInternalConnections”: “”,
“EnableMultifactorAuthentication”: false,
“EnforceMultifactorAuthentication”: false,
“EnableUserAccessTokens”: false,
“AllowCorsFrom”: “”,
“AllowCookiesForSubdomains”: false,
“SessionLengthWebInDays”: 30,
“SessionLengthMobileInDays”: 30,
“SessionLengthSSOInDays”: 30,
“SessionCacheInMinutes”: 10,
“SessionIdleTimeoutInMinutes”: 0,
“WebsocketSecurePort”: 443,
“WebsocketPort”: 80,
“WebserverMode”: “gzip”,
“EnableCustomEmoji”: false,
“EnableEmojiPicker”: true,
“EnableGifPicker”: false,
“GfycatApiKey”: “2_KtH_W5”,
“GfycatApiSecret”: “3wLVZPiswc3DnaiaFoLkDvB4X0IV6CpMkj4tf2inJRsBY6-FnkT08zGmppWFgeof”,
“RestrictCustomEmojiCreation”: “all”,
“RestrictPostDelete”: “all”,
“AllowEditPost”: “always”,
“PostEditTimeLimit”: -1,
“TimeBetweenUserTypingUpdatesMilliseconds”: 5000,
“EnablePostSearch”: true,
“EnableUserTypingMessages”: true,
“EnableChannelViewedMessages”: true,
“EnableUserStatuses”: true,
“ExperimentalEnableAuthenticationTransfer”: true,
“ClusterLogTimeoutMilliseconds”: 2000,
“CloseUnusedDirectMessages”: false,
“EnablePreviewFeatures”: true,
“EnableTutorial”: true,
“ExperimentalEnableDefaultChannelLeaveJoinMessages”: true,
“ExperimentalGroupUnreadChannels”: “disabled”,
“ImageProxyType”: “”,
“ImageProxyURL”: “”,
“ImageProxyOptions”: “”,
“EnableAPITeamDeletion”: false,
“ExperimentalEnableHardenedMode”: false,
“ExperimentalLimitClientConfig”: false,
“EnableEmailInvitations”: true }

I want to connect HTTPS by direct input at least. Please tell me how to make HTTPS connection with Mattermost.

Please help.

Mattermost: 5.1.0 / CentOS 7.5 / Nginx: 1.13.8 / PHP 7.1.20 / MariaDB 10.3.8

amy.blais · July 26, 2018, 12:53pm

Hi @Babbles!

Can you help take a look at this doc if the instructions there help: https://docs.mattermost.com/install/config-tls-mattermost.html.

Babbles · July 26, 2018, 2:49pm

When I set enable Let’s Encrypt, I get an error “should enable Forward80To443”.
Next, I also enable Forward80To443. “Cannot forward port 80 to port 443 while listening on port 8065: disable Forward80To443 if using a proxy server.” displayed.
These are the permanent loop states. This is the same even if Let’s Encrypt is disable, and Forward80To443 is enabled.

How can I escape from this permanent loop?

amy.blais · July 26, 2018, 11:21pm

Hi @Babbles Update: I have been doing research on this but at this point it looks like I will need to ping our devs to take a look at this.

jesse · July 27, 2018, 1:44pm

@Babbles, your SiteURL looks suspect:

“SiteURL”: “http://mysite:com”,

Was this a copy and paste error? It should be:

“SiteURL”: “https://mysite.com”,

If you have Nginx fronting Mattermost, you won’t need to configure SSL inside Mattermost at all. Your proxy_pass directive should point directly at the :8065 port over http.

Babbles · July 27, 2018, 4:33pm

I understood the cause. It seems that permission of the certificate has not been adapted. I set all Mattermost related files to root:root (not mattermost:mattermost). I can connect HTTPS by directly entering URL(https://mysite.com:8065).

There is one other problem I remain. It is a proxy_pass redirection loop problem.

	client_max_body_size 50M;

	proxy_buffers 256 16k;
	proxy_buffer_size 16k;
	proxy_read_timeout 600s;

	proxy_set_header Connection "";
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Host $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;
	proxy_set_header X-Frame-Options SAMEORIGIN;

	proxy_cache mattermost_cache;
	proxy_cache_revalidate on;
	proxy_cache_min_uses 2;
	proxy_cache_use_stale timeout;
	proxy_cache_lock on;
	proxy_http_version 1.1;
	proxy_pass https://backend;

upstream backend {
server MY-IP_ADDRESS:8065;
keepalive 32;
}

I change the above proxy_pass to http://backend, ERR_INVALID_RESPONSE error(The webpage may be temporarily suspended or may have moved to a new web address).

How to prevent multiple redirects?

Babbles · July 27, 2018, 4:40pm

Thank you for reply.

I seem to have “SiteURL” set to ‘https://mysite.com:8065’ only. If I solve the proxy_pass problem, I think I will be able to remove “:8065” from SiteURL.

Babbles · July 30, 2018, 5:43am

I managed to find a solution. Thank you to those who checked this post.