Incorrect Port After Login and Logout

[0FiRE0]

When using custom ports (e.g. 5200, 6000, 10000 ...etc.).
The application works fine for all URL directions except during the following actions:

• Login: After filling the credentials and clicking on "Login" button
• Logout: After clicking on the "Logout" button

Then, the application redirect the user to a URL without keeping the custom port, and by default it will go to the default port (443 in HTTPS, and 80 in HTTP).
And the user will need to re-enter the port number again and refresh the page in order for them to access the system.

The issue was experienced in the Dockerized image with Nginx proxy server, I did not try it on the direct JAR installation.

Versions where the issue was experienced 7.45 and 7.46. I did not try it on different versions.

[vbarrier]

You need to configure the nginx proxy properly like shown here: https://www.icescrum.com/documentation/reverse-proxy/#proxy_2 (take a look at proxy_set_header lines)

[0FiRE0]

Thank you for your feedback, but Nginx Proxy Configuration is already been set as per the documentation, below are snapshots of the current configurations (Using upstreams in Nginx for multi-node setup) but currently only using one node.

I have even added the proxy_set_header X-Forwarded-Proto https; for the HTTPS support.

I would like to highlight that it is working fine all through the application, except for only the Login and Logout are redirecting to different ports.
Also discovered the same behavior when doing the following:

1. After disabling "Registering User" from the Configuration
2. In the "Login" page, if the pressed on "Register" and the error page appeared for him
3. If he pressed on "Go Home" button, it will also redirect him to the different ports.

Nginx Config:

1. Upstream
   

2. Proxy
   

[0FiRE0]

I discovered that it is related to the ending of the link.
If the link was like https://domain.com:port/icescrum it will do the incorrect behavior of redirecting to port 443 instead of the intended port (in my case 11002), unlike when the link has the forward slash / at the end like https://domain.com:port/icescrum/ where it will behave correctly.

The default application redirection was without the / at the end, for that reason it was not behaving correctly.

Although the config.groovy file was updated to include the / at the end, but still the application is redirecting to the URL without the /, so the problem still exists in Login, Logout and Go Home button in the "Registration Page".

[vbarrier]

Thank you for this detailed feedback. We will take a look ASAP based on your report

[vbarrier]

• Can you confirm that the public port on https is 11002 ?
• What is your root url for iceScrum / or /icescrum ?

[0FiRE0]

HTTPS Port (I am using different ports):
External Port 11002, but Docker is configured to do mapping to Nginx internal Port 443.

Although the following is not related, but just to be in the safe zone to eliminate any doubts if the issue was caused by Nginx. During my experimentation, I made both ports the same for external and Nginx to be 11002. So that Nginx is not listening to any ports other than 11002.
But still did not resolve the issue.

Root URL:
I am using /icescrum
In config.groovy file:
Tried once with /:
icescrum.serverURL="https://subdomain.mydomain.com:11002/icescrum/
Tried once without /:
icescrum.serverURL="https://subdomain.mydomain.com:11002/icescrum

In docker-compose.yml file:
environment:
ICESCRUM_HTTPS_PROXY: "true"
ICESCRUM_CONTEXT: "icescrum"

Also tried also putting:
ICESCRUM_CONTEXT: "icescrum/"

[0FiRE0]

I am wondering if this somehow could be related to the internal Apache Tomcat that is shipped with icescrum.

As I did not change any of its configurations yet.

[noullet]

Hi,

Thank you for all these insights. Sorry for the late reply, we have to prioritize customer support over community support, but we did not forget about you!

We managed to reproduce your issue, here are some observations:

• This issue is not related to Docker at all, as we managed to reproduce it with a standard icescrum.jar and NGINX installation.
• The icescrum.serverURL is not used for redirections, it is just there to provide the correct URL to iceScrum in external content such as emails.
• As you noticed, the problem is the redirection when the "/" is missing at the end of the URL. Thus, no need to login, logout etc., just leaving out the "/" is enough to trigger the issue.
• When the "/" is missing, Tomcat sends a 302 redirect response with a relative redirect URL in the Location header, e.g. /icescrum/. It seems that it is NGINX that rewrites the Location header to make it an absolute URL, e.g. https://myserver/icescrum/. It is this absolute URL that is missing the correct port, so it seems that the fault is not on the internal Tomcat shipped with iceScrum, but rather on NGINX.
• It seems that the Location header is missing the port only with a SSL connection. When using standard HTTP instead, the Location header contains the absolute URL with the correct port.

Thus, it seems that NGINX does the wrong thing when rewriting the Location header of a relative URL with a SSL configuration using a port other than 443. Is it a bug or a misconfiguration, we do not know. If you have the resources to further dig on the NGINX part, we would be glad to know what you find!

Anyway, there are several workaround:

• Use the 443 default port: probably not what you want as you specified another port in the first place.
• Manually rewrite the Location header: probably very error prone.
• Bypass the Tomcat redirect and do it in NGINX, which is probably the easiest and most correct workaround:

location = /icescrum {
     return 302 /icescrum/;
}

[noullet]

Hi,

After further investigations, it is Tomcat that is acting weirdly, as you suspected in the first place! Thus, I corrected my previous answer.

To solve that, we can add a new configuration parameter to docker (and the .jar) to specify the external port when using a https connexion.