any way to solve "redirect loop" problem on server side ?
qtwrk Member

Hi, recently I was reconfiguring something on the server, but for an unknown reason I got the "redirect loop" problem a few times.

The problem can easily be solved by clearing cookies, yes.

But I have very good reason to believe that my viewers know nothing about computers or browsers.

So instead of painfully teaching them how to clear cookies, is there any way I can solve this problem on the server side?

Maybe something in the HTTP headers? Something in .htaccess?

Comments

  • Could you elaborate? What software are you running?

  • WSS Member

    Yes. Rewrite your software to force all cookies to be removed for the next X days if they don't have a timestamp, abusing XmlHttpRequest() to try to do so.

    Or, you know, just invalidate everybody until August, and tell them it's due to new security implementation.

    Or admit that you fucked up after clearing their cookies.

  • qtwrk Member
    edited July 2017

    @doghouch said:
    Could you elaborate? What software are you running?

    Thanks for the reply.

    I use Nginx + Apache + PHP.

    After looking around, I guess it's something to do with the HTTP to HTTPS redirection.

    So I set up HSTS to force HTTPS now, and turned off the HTTP to HTTPS redirect.

    Right now the only redirect I have is from domain.com to www.domain.com, and I let HSTS handle HTTPS.

    I think it should work fine now, but time will tell whether it works out or not.

    But I was thinking, is there any way I can resolve this problem in case it is already happening?

  • qtwrk Member

    @WSS said:
    Yes. Rewrite your software to force all cookies removed for next X days, if it doesn't have a timestamp, abusing XmlHttpRequest() to try to do so.

    Or, you know, just invalidate everybody until August, and tell them it's due to new security implementation.

    Or admit that you fucked up after clearing their cookies.

    Yes, I admit, I fucked up something which I don't even have a clue about.

  • Usually this is an issue with your nginx config.

    If you are using wordpress try this: https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-nginx-on-ubuntu-14-04

  • qtwrk Member

    @AlyssaD said:
    Usually this is an issue with your nginx config.

    If you are using wordpress try this: https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-nginx-on-ubuntu-14-04

    Thanks for the help, but I ain't using WP.

    And I never thought WP could be installed in such ... complicated ways ....

  • @qtwrk Did you get everything to work? You're using HSTS headers to force SSL now it seems?

  • CConner Member, Host Rep

    Would be helpful if you were to post your Nginx config.

  • pbgben Member, Host Rep

    @CConner said:
    Would be helpful if you were to post your Nginx config.

    He could play rouLETte and post his user and ssh key

  • Clouvider Member, Patron Provider

    A redirect loop for only some sessions, unless caused by, well, a redirect in the server configuration or an .htaccess override (that would usually affect all visitors), would be caused by something code related, so usually not something you can fix server side without fixing your code.

    Can't say much more than that - there's not enough details.

  • qtwrk Member
    edited July 2017

    server {
        listen xxx.xxx.xxx.xxx:443 ssl http2;

        server_name domain.com;
        server_name www.domain.com;

        ssl_certificate             /cert;
        ssl_certificate_key         /cert;
        ssl_client_certificate      /cert;

        client_max_body_size 128m;

        proxy_read_timeout 120;

        root "/my-www-root";
        access_log "/my-www-root/proxy_access_ssl_log";
        error_log "/my-www-root/proxy_error_log";

        # www -> apex redirect done with if/rewrite inside the 443 block
        if ($host ~* ^www\.domain\.com$) {
            rewrite ^(.*)$ https://domain.com$1 permanent;
        }

        location / {
            proxy_pass https://xxx.xxx.xxx.xxx:xxxx;
            proxy_set_header Host             $host;
            proxy_set_header X-Real-IP        $remote_addr;
            proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header X-Accel-Internal /internal-nginx-static-location;
            access_log off;
        }
    }
    
  • qtwrk Member
    edited July 2017

    and the HTTP headers

        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy strict-origin-when-cross-origin;
        add_header Strict-Transport-Security "max-age=15552000;";
        add_header X-Content-Type-Options nosniff;

        add_header Content-Security-Policy "default-src 'self' data: https://www.google-analytics.com https://ajax.cloudflare.com https://cdnjs.cloudflare.com https://fonts.googleapis.com https://fonts.gstatic.com";

        add_header Public-Key-Pins 'pin-sha256="111"; pin-sha256="222"; pin-sha256="333"; max-age=2592000';
    
  • aboanas93 Member
    edited July 2017

    All I know is: if is evil (https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/)
    thus, use return instead of rewrite (https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/)

    edit: why do you put the redirect for HTTPS with listen 443? It should be with listen 80 in a different server block.

  • CConner Member, Host Rep

    pbgben said: He could play rouLETte and post his user and ssh key

    xd

  • doghouch Member
    edited July 2017

    @aboanas93 said:
    All I know is: if is evil (https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/)
    thus, use return instead of rewrite (https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/)

    edit: why do you put the redirect for HTTPS with listen 443? It should be with listen 80 in a different server block.

    Edit: listen to @aboanas93. You put the rewrite in the HTTP (port 80) block.

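To make the advice from aboanas93 and doghouch concrete, here is an added example of the layout they describe; it is not qtwrk's config and not from any project, and the certificate paths, upstream address and the X-Forwarded-Proto header are assumptions. Each hostname and scheme gets its own server block, every redirect is a plain return, and the canonical HTTPS block contains no redirect at all, so no request can bounce between blocks.

```nginx
# HTTP (port 80): its only job is to send everyone to HTTPS.
# A return is evaluated once per request; no if, no rewrite.
server {
    listen 80;
    server_name domain.com www.domain.com;
    return 301 https://domain.com$request_uri;
}

# HTTPS for the www host: this block replaces the if/rewrite that
# previously lived inside the main 443 block.
server {
    listen 443 ssl http2;
    server_name www.domain.com;
    ssl_certificate     /path/to/fullchain.pem;   # placeholder path
    ssl_certificate_key /path/to/privkey.pem;     # placeholder path
    return 301 https://domain.com$request_uri;
}

# HTTPS for the canonical host: serves the site and never redirects,
# so a request that lands here cannot be sent back to the blocks above.
server {
    listen 443 ssl http2;
    server_name domain.com;
    ssl_certificate     /path/to/fullchain.pem;   # placeholder path
    ssl_certificate_key /path/to/privkey.pem;     # placeholder path

    # HSTS only ever goes out on the HTTPS response of the canonical host;
    # "always" keeps it on error responses too.
    add_header Strict-Transport-Security "max-age=15552000" always;

    location / {
        proxy_pass https://backend.example:8443;   # placeholder upstream
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the Apache/PHP backend the client arrived over TLS, so an
        # application-side "force https" check does not redirect to
        # https:// again and restart the loop.
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Remember that add_header directives are not inherited into a block that declares its own add_header, so keep the security headers in one place (here the canonical 443 server block, not the location).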