Too many redirections with force https


#1

Hi,

Today I tried to force Piwik to use HTTPS, so after buying and installing a certificate, I tried this:


; Piwik setting from the post: with force_ssl=1 Piwik itself answers requests it
; sees as plain HTTP with a redirect to HTTPS.
; NOTE(review): the decision is made in PHP, so it presumably relies on the web
; server telling PHP the request scheme, and on no intermediate cache replaying
; the redirect to HTTPS clients. Confirm both for the nginx setup in front.
[General]
force_ssl=1

But after that, I am unable to connect to Piwik because of too many redirections.
Piwik works on both http and https; this only appears when force_ssl=1 is set.
What’s going on?

Here is my nginx config file :


## Single virtual host serving Piwik. The same server block answers plain HTTP
## (port 80) and HTTPS (port 443), so every location and cache rule below is
## shared by both schemes.
server {
        listen 80;
        listen 443 ssl;
        server_name sub.domain.fr;
        root  /var/www;
        index  index.php;
        ## Certificate and private key for the TLS listener.
        ## NOTE(review): no ssl_protocols / ssl_ciphers are set in this block, so
        ## whatever the http context or the nginx build defaults to applies.
        ## Confirm those are acceptable, and that the key file is readable only
        ## by the account that starts nginx.
        ssl_certificate /etc/ssl/ssl/monssl.crt;
        ssl_certificate_key /etc/ssl/makey.key;
        ## Block common exploits
        ## Each test below sets a flag when the query string matches a known
        ## attack pattern; the flag is turned into a 403 once all tests have run.
        ## NOTE(review): the patterns are matched case-sensitively (~) against
        ## the raw query string only. The request path, headers and body are not
        ## inspected, so this reduces noise but does not replace input
        ## validation in the application.
        set $block_common_exploits 0;
        ## <script> tags, literal or with URL-encoded angle brackets.
        if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
                set $block_common_exploits 1;
        }
        ## Attempts to set the PHP GLOBALS array.
        if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
                set $block_common_exploits 1;
        }
        ## Attempts to set the PHP _REQUEST array.
        if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
                set $block_common_exploits 1;
        }
        ## References to /proc/self/environ.
        if ($query_string ~ "proc/self/environ") {
                set $block_common_exploits 1;
        }
        ## mosConfig_* parameters.
        if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
                set $block_common_exploits 1;
        }
        ## base64_encode(...) / base64_decode(...) calls in the query string.
        if ($query_string ~ "base64_(en|de)code\(.*\)") {
                set $block_common_exploits 1;
        }
        if ($block_common_exploits = 1) {
                return 403;
        }
        fastcgi_buffer_size 8192;
        ## Try all locations and relay to index.php as a fallback.
        location / {
                ## Static assets: long client-side expiry, no access logging.
                ## The referer check that would restrict their use is commented
                ## out, so assets are served regardless of the referer.
                location ~* ^.+\.(?:css|gif|jpe?g|js|png|swf)$ {
                        ## Defining the valid referers.
                        #valid_referers none blocked *.mysite.com othersite.com;
                        #if ($invalid_referer) {
                        #    return 444;
                        #}
                        expires max;
                        access_log off;
                        log_not_found off;
                }
                ## Return 404 for the bundled licence / readme text files.
                location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
                    return 404;
                }
                ## Disallow access to several helper files.
                #location ~* \.(?:bat|html?|git|ini|sh|svn[^.]*|txt|tpl|xml)$ {
                #    return 404;
                #}
                ## html was removed from the pattern above because it caused a
                ## problem when loading the views; this is the variant in use.
                location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml)$ {
                    return 404;
                }
                ## Serve the file if it exists, otherwise hand the request to
                ## index.php with the original query string.
                try_files $uri /index.php?$query_string;
        }
        ## Support for favicon. Return a 1x1 transparent GIF if it doesn't
        ## exist.
        location = /favicon.ico {
                try_files /favicon.ico @empty;
        }
        location @empty {
                empty_gif;
        }
        ## Relay all index.php requests to fastcgi.
        location = /index.php {
                ## Responses are stored in the cache zone named "nginx", which is
                ## defined outside this block (not shown).
                ## NOTE(review): the cache key is host + URI only and has no
                ## $scheme, while 301 and 302 answers are cached for 5 and 3
                ## minutes. With force_ssl=1, a redirect-to-HTTPS produced for an
                ## HTTP request is stored under the same key that the HTTPS
                ## request for that URI uses, so the HTTPS client can be handed
                ## the cached redirect to itself. That would match a loop that
                ## appears after a while and clears a few minutes after
                ## force_ssl is turned off. Confirm by testing with $scheme in
                ## the key or with redirects left uncached.
                ## NOTE(review): the key also does not vary by cookie or session.
                ## nginx by default does not store responses that carry
                ## Set-Cookie or a private/no-cache Cache-Control header.
                ## Confirm Piwik sends such headers on every authenticated page,
                ## otherwise one visitor's page could be served to another.
                fastcgi_cache nginx;
                fastcgi_cache_key $host$request_uri;
                fastcgi_cache_valid 200 301 5m;
                fastcgi_cache_valid 302 3m;
                fastcgi_cache_valid 404 1m;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                ## NOTE(review): whether PHP learns that a request arrived over
                ## TLS depends on the contents of fastcgi_params (not shown).
                ## Verify that it passes the HTTPS parameter; if not, Piwik may
                ## keep treating HTTPS requests as HTTP.
                include fastcgi_params;
                ## Client address as seen by nginx, plus the lookup results of
                ## the geoip module (configured outside this block), handed to
                ## PHP as request parameters.
                fastcgi_param GEOIP_ADDR $remote_addr;
                fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
                fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
                fastcgi_param GEOIP_REGION $geoip_region;
                fastcgi_param GEOIP_REGION_NAME $geoip_region_name;
                fastcgi_param GEOIP_CITY $geoip_city;
                fastcgi_param GEOIP_AREA_CODE $geoip_area_code;
                fastcgi_param GEOIP_LATITUDE $geoip_latitude;
                fastcgi_param GEOIP_LONGITUDE $geoip_longitude;
                fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
        }
        ## Relay all piwik.php requests to fastcgi.
        location = /piwik.php {
                ## Same cache settings as index.php, so the same scheme-less key
                ## and cached redirects apply here.
                ## NOTE(review): a 200 answer is kept for 5 minutes per host +
                ## URI. Verify that a repeated identical request is not answered
                ## from the cache without reaching PHP; this depends on the
                ## response headers Piwik sends.
                fastcgi_cache nginx;
                fastcgi_cache_key $host$request_uri;
                fastcgi_cache_valid 200 301 5m;
                fastcgi_cache_valid 302 3m;
                fastcgi_cache_valid 404 1m;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                include fastcgi_params;

                ## Same client address and geoip parameters as for index.php.
                fastcgi_param GEOIP_ADDR $remote_addr;
                fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
                fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
                fastcgi_param GEOIP_REGION $geoip_region;
                fastcgi_param GEOIP_REGION_NAME $geoip_region_name;
                fastcgi_param GEOIP_CITY $geoip_city;
                fastcgi_param GEOIP_AREA_CODE $geoip_area_code;
                fastcgi_param GEOIP_LATITUDE $geoip_latitude;
                fastcgi_param GEOIP_LONGITUDE $geoip_longitude;
                fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
        }
        ## Any other attempt to access PHP files returns a 404.
        ## Only the two exact-match locations above ever reach the PHP backend.
        location ~* ^.+\.php$ {
                return 404;
        }
        ## No crawling of this site for bots that obey robots.txt.
        location = /robots.txt {
                return 200 "User-agent: *\nDisallow: /\n";
        }
} # server



(Matthieu Aubry) #2

Can you try reusing the Piwik nginx config from here, maybe? GitHub - perusio/piwik-nginx: Nginx configuration for running Piwik


#3

Hi matt,

Thanks for your answer.

I already use it. (If I remember well.) I just compacted what I need into one file.
I removed some cache, added some values for geoip, adapted it to my server and added some stuff. (So it is not really the same anymore 🙂)

Do you really think that changing the config file will correct the problem? Because it seems that this config file was not ready to use with https.
Moreover, my config file and these files are pretty similar (more or less, but the differences do not affect rewrite or redirect values).

And I forgot to mention something. The first time I forced SSL in Piwik, it worked well for about 10 or 30 minutes before the error appeared. (The page isn’t redirecting properly or too many redirections)

I also noticed that when I disable force SSL to come back to http, I need to wait 5 or 10 minutes before Piwik works again.

P.S.: Piwik cron is activated
P.S. 2: It’s maybe more “The page isn’t redirecting properly” than “Too many redirections”