Issue with darkstat_redirect.php since update.
-
So I updated darkstat to 3.1.3_2.
The darkstat webgui has been configured to bind to loopback interface and I've then NAT'ed port 666 to 127.0.0.1.
Before the update the link to "Access darkstat" was just pointing to http://IP:666. Since the update it now uses darkstat_redirect.php to check systemconfig and will redirect to HTTPS if it's enabled in pfSense:
($proto = $config['system']['webgui']['protocol'];)
However darkstat does not seem to listen on HTTPS.
TLDR; New darkstat_redirect.php will check for HTTPS when darkstat does not work with HTTPS requests.
Fix: change url variable in /usr/local/www/darkstat_redirect.php from:
$url = "{$proto}://{$baseurl}:{$port}";
to:
$url = "http://{$baseurl}:{$port}";
-
FFS, I swear this is the last time I've touched this stone-age behemoth. (It worked just fine here with HTTPS, well… because it's behind haproxy. Which would be my suggestion if you really need this package - and you can make it available on IPv6 this way as well).
https://github.com/pfsense/FreeBSD-ports/pull/285
-
Thanks for pushing the update.
As you said, probably best to run this behind HAProxy in any case. I will install HAProxy when I get some spare time.
-
So, thinking about it, I don't get what's the regression here. Was broken before, is same broken now. Nothing changed, except that you can configure a port.
You'll probably need to configure an alias (CNAME) for it or access it via IP if you have webGUI on HTTPS, namely due to https://redmine.pfsense.org/issues/6650 (that is no regression and nothing I could fix in the package, was exactly the same before the redirect hack, and pretty much the reason I did stick this behind haproxy.) As said above, sticking this behind haproxy is the preferred way to do things here.
-
Hmm.
I don't have access to any older installation now so I cannot check, but I'm pretty sure the earlier link to darkstat did not redirect to https.
I access my install via an A record, the same DNS name is configured under "Alternate Hostnames".
HTTP://hostname:666 works, whereas HTTPS://hostname:666 does not. HTTP://IP:666 works, HTTPS://IP:666 does not.
I don't want to argue, just stating my experience. Will set up HAProxy after coffee.
-
It did not redirect to https. But pfSense itself will redirect to HTTPS if you ever visited it by hostname, because the browser will save the HSTS header sent by nginx for that FQDN. HSTS does not give a damn about ports. (And yeah, IP works, browsers don't do HSTS on IPs. Not the point here really.)
Anyway, doesn't matter, will make the hostname configurable, see https://github.com/pfsense/FreeBSD-ports/pull/285.
That's really the only way around HSTS here.
-
Merged in 3.1.3_3. Use the LAN (or another darkstat interface) IP for the redirect if you don't want to be bothered with HSTS/DNS/reverse proxies.
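-
Added example, not part of the thread and not pfSense or darkstat code: a minimal Python model of the browser-side HSTS handling discussed above (RFC 6797), showing why http://hostname:666 is rewritten to HTTPS once the webGUI has been visited by hostname, while http://IP:666 is left alone. The hostname fw.example.test, the address 192.0.2.1 and the header value are constructed sample inputs.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class HstsStore:
    """Toy model of a browser's list of known HSTS hosts."""
    def __init__(self):
        self.hosts = {}  # hostname -> includeSubDomains flag

    def note_header(self, url, header):
        """Record a Strict-Transport-Security header seen on a response."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        # Headers received over plain HTTP or from IP-literal hosts are ignored.
        if parts.scheme != "https" or not host or is_ip_literal(host):
            return
        directives = [d.strip().lower() for d in header.split(";")]
        age = None
        for d in directives:
            name, _, value = d.partition("=")
            if name.strip() == "max-age":
                age = value.strip().strip('"')
        if age is None or not age.isdigit():
            return
        if int(age) == 0:
            self.hosts.pop(host, None)  # max-age=0 removes the entry
        else:
            self.hosts[host] = "includesubdomains" in directives

    def is_known(self, host):
        labels = host.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        return host in self.hosts or any(self.hosts.get(p) for p in parents)

    def rewrite(self, url):
        """Return the URL the browser actually loads. The policy is keyed on
        the hostname only, so a non-default port is kept and just the scheme
        changes."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or is_ip_literal(host) or not self.is_known(host):
            return url
        # An explicit port 80 becomes the HTTPS default; any other port is preserved.
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

After `note_header("https://fw.example.test/", "max-age=31536000")`, `rewrite("http://fw.example.test:666/")` returns `https://fw.example.test:666/`, a port where darkstat only speaks plain HTTP, while `rewrite("http://192.0.2.1:666/")` is returned unchanged.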