Nuxeo Drive 4.x client tries to switch to https access which is not available

My nuxeo server is behind a reverse proxy and is accessed by http. When configuring the client to connect with http it works perfectly and uses http url.

But after restart the nuxeo drive client switches automatically to https: 2019-10-23 14:59:25 21200 5124 INFO nxdrive.engine.engine Updated server url to https://SERVER.eu.ngrok.io/nuxeo

The proxy server returns HTTP 404 code, the https access doesn't exists. Here is the client log message: 2019-10-23 14:59:33 21200 17720 INFO nxdrive.manager Status code for https://SERVER.eu.ngrok.io/nuxeo/drive_browser_login.jsp = 404

But the client keeps calling with https ang getting error: 2019-10-23 15:00:02 21200 18156 DEBUG nuxeo.client Calling 'https://SERVER.eu.ngrok.io/nuxeo/site/automation/NuxeoDrive.GetChangeSummary' 2019-10-23 15:00:03 21200 18156 WARNING nxdrive.engine.watcher.remote_watcher Network error:

It seems that the client misinterpretes the test call on https support, which in this case is not an ssl error, and switches to https instead of keeping http.

Also it's quite surprising and misleading to have a behavior change on the first client connection and after its' restart.

Could you have a look on this please?

Versions: Server - 10.10 HF11 Nuxeo Drive client 4.2.0

0 votes

1 answers

392 views

ANSWER

more logs when first connecting the account:

2019-10-23 14:58:10 19140 11724 DEBUG nxdrive.utils Testing URL 'https://SERVER.eu.ngrok.io/nuxeo' 2019-10-23 14:58:11 19140 11724 DEBUG nxdrive.utils Testing URL 'https://SERVER.eu.ngrok.io:443/nuxeo' 2019-10-23 14:58:12 19140 11724 DEBUG nxdrive.utils Testing URL 'https://SERVER.eu.ngrok.io/nuxeo' 2019-10-23 14:58:14 19140 11724 DEBUG nxdrive.utils Testing URL 'https://SERVER.eu.ngrok.io:443/nuxeo' 2019-10-23 14:58:15 19140 11724 DEBUG nxdrive.utils Testing URL 'https://SERVER.eu.ngrok.io/nuxeo' 2019-10-23 14:58:16 19140 11724 DEBUG nxdrive.utils Testing URL 'https://SERVER.eu.ngrok.io:443/nuxeo' 2019-10-23 14:58:17 19140 11724 DEBUG nxdrive.utils Testing URL 'https://SERVER.eu.ngrok.io' 2019-10-23 14:58:18 19140 11724 DEBUG nxdrive.utils Testing URL 'http://SERVER.eu.ngrok.io/nuxeo' 2019-10-23 14:58:19 19140 11724 DEBUG nxdrive.utils Found URL: http://SERVER.eu.ngrok.io/nuxeo 2019-10-23 14:58:19 19140 11724 INFO nxdrive.manager Proxy configuration for startup page connection: NoProxy<> 2019-10-23 14:58:19 19140 11724 INFO nxdrive.manager Status code for http://SERVER.eu.ngrok.io/nuxeo/drive_browser_login.jsp = 401 2019-10-23 14:58:19 19140 11724 INFO nxdrive.gui.api Web authentication is available on server http://SERVER.eu.ngrok.io/nuxeo

10/23/2019



The code that checks for SSL support is catching all errors, not just SSL ones. In your case, why the reverse proxy handles HTTPS (or seem to handle)? I think the proxy translates HTTPS traffic to HTTP and thus request errors, right?

FI the SSL check has been added with https://jira.nuxeo.com/browse/NXDRIVE-1647.

0 votes



the proxy try to anwer gently that the tunnel is not available for https. Nuxeo drive switch aggressively on https only with the fact that a https connection is succesfull no matter the content returned.

This patch is failing in many points : 1/ different behaviour just after adding the http only account (test https but stay in http because may be https answering 404) , and when nxdrive is restarted (nxdrive.engine.engine Updated server url to https) 2/ fail to differentiate a proxy message error with the nuxeo instance 3/ no way to manually deactivate this behaviour, once the url is changed to https, we cant change it. 4/ try to detect https support with a list of url instead of just detecting the redirect of a http call to https with the http redirect code 5/ goes against user in changing their settings

actually, i had to block 443 tcp to the proxy from the nuxeo drive host to prevent switching to https !

10/23/2019

this code doesnt not handle the content returned (or the 4xx code) and fail when http://url is a nuxeo instance but https://url is not

this code only keep http if tcp connexion fail, or if the server return 5xx code, not 4xx

try:

        url = self.server_url.replace(&quot;http://&quot;, &quot;https://&quot;)
        proxies = self.manager.proxy.settings(url=url)
        import requests

        requests.get(url, proxies=proxies)
        self.server_url = url
        self._dao.update_config(&quot;server_url&quot;, self.server_url)
        log.info(f&quot;Updated server url to {self.server_url}&quot;)
    except Exception:
        log.warning(
            f&quot;Server at {self.server_url} doesn&apos;t seem to handle HTTPS, keeping HTTP&quot;,
            exc_info=True,
        )

the only way to address the redirect case is to stay on http and check a redirect code, not brute forcing on https

10/23/2019

You are right, the check is not ideal. I will create a bugfix ticket and it will be fixed in 4.2.1. Thanks for the report :)
10/23/2019

great support !
10/23/2019

Hi Mickaël Schoentgen, has this modification been made?
04/09/2020

Not yet, but you can follow https://jira.nuxeo.com/browse/NXDRIVE-1917. It is not yet planned as we have other hot topics to tackle first. I will raise the priority thought.
04/09/2020

Ok, thanks
04/10/2020