Subtle changes, bugs and feedback

  • Am I going to get this message each time I post?

    "Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

    Are you sure you want to continue sending this information?"

    Using Firefox

    You are accessing on https:// yet the page has some items (probably images, maybe video) that come from non-https:// sites.

    This is standard behaviour for a browser. Though some browsers can be configured to not display the warning. Google is your friend.

  • ^^ Will try that, been on the iPad all afternoon - the reappeared logins just started suddenly mid afternoon, nothing else changed in my browsing. (just been logged out again - 4th attempt to post!)

  • Nope, cleared cookies, still happening.

  • I had that logging out thing about an hour ago on Safari private browsing or whatever it's called. Also on my phone now and it just asked me if I wanted to continue to this page (was on page before) as the site may not be secure. Fuck, I've forgotten what it said. But I've never seen it before and do most forum-browsing on this phone.

  • "Website may not be trusted, do you want to continue?" I think that was it.

  • OK, I know what the problem is with people logging out.

    Looking at this map again:

    You can now directly connect to LFGSS from all of those cities (without going over the public internet).

    The issue is that vBulletin (which powers this site) uses the IP address of the connection as the hash for the session cookie.

    So if, as a result of network conditions, the route of the traffic somehow switches to another city... then the IP address will appear different and it will invalidate the session cookie, thereby logging you out.

    I'm investigating right now how to solve it.

  • Yep, getting binned out at every page refresh - IE8.

  • Me too.....every new page, or new action.

    Chrome on Vista.

    Ok, just realised that the site I was using was the https version, but it went to that for the first time ever, because the bookmark is for the regular http version. I changed the version back to normal, and am no longer being kicked off. Checked the bookmark, and it was definitely for the http version. Edited it and saved it again as the http version. No problems now.

  • I think I've got a fix on two of the web servers to deal with this... but I've still got 2 to do and I won't be able to test it until just after all of the servers have the fix.

  • It's a load of C code :)

    If in doubt... write an Apache module.

  • I've installed the fix on all of the web servers now.

    You may still be logged out, but once you've logged back in it should be fine.

    I am doing a little testing now to prove this.

  • A question to those being logged out.

    Does this only happen at the root of the site? i.e. on the homepage?

  • I truly believe that this is now fixed.

    And for my own future reference:
    [code]
    sudo wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
    sudo tar -xzf mod_rpaf-0.6.tar.gz
    cd mod_rpaf-0.6
    sudo apxs2 -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
    cd /etc/apache2
    sudo vim mods-available/rpaf.load

        LoadModule rpaf_module /usr/lib/apache2/modules/mod_rpaf-2.0.so
    

    sudo a2enmod rpaf
    sudo vim sites-enabled/lfgss.com

        RPAFenable On
        RPAFsethostname On
        RPAFproxy_ips 192.168.154.159 127.0.0.1 10.0.0.1
        RPAFheader X-Forwarded-For
    

    sudo service apache2 restart
    [/code]

  • So that's 1 custom module, and 1 old publicly available module... both to make Apache and vBulletin understand it's OK to be running behind a proxy.

    YOU MAY NEED TO LOGIN ONE LAST TIME FOR IT TO WORK.

  • Alright... I see it, there's still an issue.

    Sometimes, it thinks some of you are on 127.0.0.1, which you really aren't.

  • My guess would be that those people haven't got the new DNS yet, so they're going direct and don't have an X-Forwarded-For.

  • I'd accept that, except I'm seeing it too.

    In the access logs some accesses come from 127.0.0.1:
    [code]
    127.0.0.1 - - [22/Jul/2012:19:53:21 +0000] "GET /thread50817-67.html HTTP/1.0" 200 34183 "https://www.lfgss.com/usercp.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
    [/code]

    All other requests show the right IP address of the client.

    Something like 1 in 50 requests shows 127.0.0.1.

    There is no pattern about which requests... they seem random.

    The 127.0.0.1 address that Apache sees means that the session cookie is wrong, so PHP and vBulletin then think you're logged out.

  • Do the offending requests all have HTTPS referers?

  • Nope:
    [code]
    127.0.0.1 - - [22/Jul/2012:20:02:25 +0000] "GET /thread13962-225.html HTTP/1.0" 200 22472 "http://www.lfgss.com/subscription.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:12.0) Gecko/20100101 Firefox/12.0"
    [/code]

  • Astonishing... Apache is right.

    Varnish is seeing that address too:
    [code]
    12 SessionOpen c 127.0.0.1 58147 :80
    12 ReqStart c 127.0.0.1 58147 1324153307
    [/code]

    Now I'm deep into the WTF!?

  • At this point I would double check with something like "iptables -I INPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 80 -j LOG"

  • or tcpdump

  • I did nothing to my browser but now the messages are no longer showing in firefox or safari

    Did you change something?

  • I think I've fixed it Earthloop.

    The problem is the X-Forwarded-For header, there's an assumption somewhere in either vBulletin, PHP or one of the Apache modules that the client IP address is in that header.

    Not a bad assumption, but it assumes that the value is a single IP address and not a list. When it's a comma-delimited list the standard is that the first IP is the client and subsequent ones are proxies, but I believe that some piece of code is just truncating the list to the last value and using that.

    So the last value on the list is being used: the local proxy.

    I've switched a lot of my config to use http.X-Real-IP instead, and explicitly set that at the edge of the network.

    I believe... that it is now working.
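
The safe way to read a forwarded-for chain, as an added Python example (not the site's code, nor mod_rpaf's, nor vBulletin's): it covers both the RPAFproxy_ips setup earlier in the thread and the comma-list problem just described, walking the list from the right past the proxies named in that config line, and shows beside it the last-value shortcut the thread suspects, which hands back 127.0.0.1. The trusted-proxy set is taken from the RPAFproxy_ips line; the sample client addresses are constructed.

```python
import ipaddress

# Proxies we own, taken from the RPAFproxy_ips line quoted in the thread
# (the private edge hops plus the local Varnish on 127.0.0.1).
TRUSTED_PROXIES = {"192.168.154.159", "127.0.0.1", "10.0.0.1"}


def parse_xff(header):
    """Split an X-Forwarded-For value into address strings, left to right.
    Leftmost is the (claimed) client, each proxy appends itself on the right."""
    if not header:
        return []
    return [part.strip() for part in header.split(",") if part.strip()]


def last_value_client_ip(header, remote_addr):
    """The shortcut the thread suspects (assumed behaviour, not traced to a
    specific module): keep only the last entry, so a request that came through
    the local proxy is attributed to 127.0.0.1 and the session hash changes."""
    parts = parse_xff(header)
    return parts[-1] if parts else remote_addr


def client_ip(header, remote_addr, trusted=TRUSTED_PROXIES):
    """Walk the chain from the right, i.e. from the hop nearest us, dropping
    addresses that belong to our own proxies. The first address we did not add
    ourselves is the client. remote_addr is the TCP peer: it is the one value a
    sender cannot forge, so a direct connection (no proxy, forged or stale
    header) resolves to it regardless of what the header claims."""
    chain = parse_xff(header) + [remote_addr]
    for addr in reversed(chain):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return remote_addr  # garbage in the header: fall back to the peer
        if str(ip) not in trusted:
            return str(ip)
    # every hop was one of ours, e.g. an internal health check from Varnish
    return remote_addr


if __name__ == "__main__":
    # Constructed sample: client 203.0.113.7 behind the edge proxy and Varnish.
    hdr = "203.0.113.7, 10.0.0.1, 127.0.0.1"
    print("last value :", last_value_client_ip(hdr, "127.0.0.1"))
    print("chain walk :", client_ip(hdr, "127.0.0.1"))
```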

  • I still broked.

Posted by Velocio (@Velocio)
