Content

Self-hosted with subdirectory: Some pages redirect to domain URL

SETUP:
OS: Ubuntu 22.04 VM
Core version: OpenProject 14.5.1
PostgreSQL version: 13.16
with Apache backend (installed using the OpenProject build-in interactive setup script).
Nginx frontend that handles all the internal subdirectory redirections to multiple services plus SSL encryption.

PROBLEM:
I've got this subdirectory-based setup, in which some pages within the OpenProject environment incorrectly redirect to the main domain URL like "www.mydomain.com", while it should maintain the subdirectory path like "www.mydomain.com/openproject/".

One failure case in which this behaviour can be reproduced is the following:

Click 'Select a project' on the top left,
Click 'Project Lists',
Click the 5-point star to the left of one of the projects in order to add this one to the list of favorites ...
... and be redirected to 'https://www.mydomain.com/' which displays the Nginx frontend welcome screen.
Now go back one page, then refresh. And behold, the add-to-favorite action is indeed acknowledged anyway.

A quick search leads to this discussion that might point to either a OpenProject hostname misconfiguration, or the ProxyPreserveHost directive that is missing in the Apache vhost file:
https://community.openproject.org/topics/12008
but that directive has been there since the earliest deployment of this VM. And also, most pages function fine, so it is clearly not a system-wide misconfiguration, IMHO.

Found some more and similar topics, but the actual cause and solution still elude me:
https://community.openproject.org/topics/11140
https://community.openproject.org/projects/openproject/work_packages/4797/activity
https://community.openproject.org/topics/6709
https://community.openproject.org/topics/11798

The Apache log file at the OpenProject VM (/var/log/apache2/other_vhosts_access.log) at this point shows a 303 redirect:

[...]
www.mydomain.com:80 10.30.2.6 - - [01/Oct/2024:11:07:09 +0200] "POST /openproject/projects/2/favorite.html HTTP/1.0" 303 1087 "https://www.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
[...]

The (sanitized) relevant configs look like this.

/etc/openproject/installer.dat

postgres/autoinstall install
postgres/db_host 127.0.0.1
postgres/db_port 45432
postgres/db_name openproject
postgres/db_username openproject
postgres/db_password <secret>
server/autoinstall install
server/hostname www.mydomain.com
server/server_path_prefix /openproject
server/ssl no
repositories/api-key <secret>
repositories/svn-install install
repositories/apache-wrapper-token pzFQc...
repositories/svn-path /tank/openproject/svn
repositories/git-install install
repositories/git-path /tank/openproject/git
repositories/git-http-backend /usr/lib/git-core/git-http-backend/
smtp/autoinstall smtp
smtp/authentication login
smtp/host <secret>
smtp/port 587
smtp/username server@<secret>
smtp/password <secret>
smtp/domain www.mydomain.com
smtp/admin_email openproject@mydomain.com
memcached/autoinstall install
postgres/addon_version v1
openproject/edition default

server/variant apache2

/etc/apache2/sites-enabled/openproject.conf

Include /etc/openproject/addons/apache2/includes/server/*.conf
IncludeOptional /etc/openproject/addons/apache2/custom/server/*.conf

<VirtualHost *:80>
  ServerName www.mydomain.com
  DocumentRoot /opt/openproject/public

  ProxyRequests off
  ProxyPreserveHost On

  Include /etc/openproject/addons/apache2/includes/vhost/*.conf
  IncludeOptional /etc/openproject/addons/apache2/custom/vhost/*.conf

  # Can't use Location block since it would overshadow all the other proxypass directives on CentOS
  ProxyPass /openproject/ http://127.0.0.1:6000/openproject/ retry=0
  ProxyPassReverse /openproject/ http://127.0.0.1:6000/openproject/
</VirtualHost>

/etc/nginx/conf.d/example.com.conf

[...]
    upstream openproject {
        server 10.30.2.45:80;
        }

[...]

server {
    listen 80;
    server_name mydomain.com;
    # Permanent redirect to www:
    rewrite ^(.*) http://www.$server_name$1 permanent;
}

server {
    listen 80;
    server_name www.mydomain.com;
    # Enforce https:
    return 301 https://$server_name$request_uri;
}

server {
    ## NOTE: When running standalone, i.e. without 'sslh':
    listen 443 default ssl;
    ## NOTE: When running in conjunction with 'sslh':
    #listen localhost:443 default ssl;
    server_name  www.mydomain.com mydomain.com;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # Redirect blocked requests to a static banned page
    error_page 444 /banned.html;
    location = /banned.html {
        root   /usr/share/nginx/html;
        access_log /var/log/nginx/blocked.log blocked;
    }
    
    # Proxy, headers, etc
    proxy_redirect http:// https://;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $server_name;

    add_header Front-End-Https on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # includeSubDomains; preload;";
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

[...]

    location /openproject {
        access_log /var/log/nginx/openproject.access.log main;
        error_log /var/log/nginx/openproject.error.log;

        #NOTE: To prevent 'error 500' when serving OP behind a rev.proxy, set this ref-policy:
        add_header Referrer-Policy "origin" always;
        client_max_body_size 50M;
        proxy_redirect off;

        proxy_pass http://openproject/openproject;
    }

[...]

Also tried this, at the Nginx config, within the openproject location block specifically:
proxy_set_header X-Forwarded-Host $http_host;
to overrule/replace the domain wide:
proxy_set_header X-Forwarded-Host $host;

but this breaks even more. Even up to redirection to "openproject/openproject", which leads to an even deader end.

Any help or pointers on how to solve this glitch is very much appreciated!
Thanks a lot.

Top Menu

Side Menu

Content

Self-hosted with subdirectory: Some pages redirect to domain URL