Problem:

GLPI is appending :80 to the callback URL for CAS authentication using Keycloak. After logging in successfully on Keycloak, the user gets redirected to the GLPI URL, which contains :80, and is faced with SSL_ERROR_RX_RECORD_TOO_LONG on Firefox and similar error pages on other browsers.

Details:

I have deployed GLPI 9.1.3 using docker with the following configurations:

Environment: AWS EC2 Instance (Ubuntu 18.04)
Reverse-Proxy: Nginx
GLPI mapped to port 6969

Here is my docker-compose.yaml file:

    version: "3.2"

    services:
    #Mysql Container
      mysql:
        image: mysql:5.7.23
        container_name: mysql
        hostname: mysql
        command: --default-authentication-plugin=mysql_native_password
        volumes:
          - ./mysql_data:/var/lib/mysql
        environment:
          - MYSQL_ROOT_PASSWORD=password
          - MYSQL_DATABASE=glpidb
          - MYSQL_USER=glpi_user
          - MYSQL_PASSWORD=glpi_password
        restart: always

    #GLPI Container
      glpi:
        build: .
        container_name: glpi
        hostname: glpi
        depends_on:
          - mysql
        ports:
          - 127.0.0.1:6969:80
        volumes:
          - /etc/timezone:/etc/timezone:ro
          - /etc/localtime:/etc/localtime:ro
          - ./html/glpi/:/var/www/html/glpi
          - ./plugins:/var/www/html/glpi/plugins
        environment:
          - TIMEZONE=Europe/Brussels
        restart: always
        links:
          - "mysql:mysql"

You might notice that this does not use the official GLPI image. Below is my Dockerfile to build the image:

    FROM diouxx/glpi

    RUN echo 'ServerName glpi.example.com' >> /etc/apache2/apache2.conf

Command for deploying the containers: docker-compose up --build

I also have a Keycloak service with CAS authentication enabled using github/jacekkow's project.

The GLPI service is running behind an Nginx proxy listening on port 80:

    server {
            listen 80;
            server_name glpi.example.com;
            location / {
                    proxy_pass http://localhost:6969;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection 'upgrade';
                    proxy_set_header Host $host;
                    proxy_cache_bypass $http_upgrade;
                    proxy_buffering off;
            }
    }
retr0

1 Answer

After searching a lot, I found this blog post and understood that the problem might be in the phpCAS module.

As mentioned in the post, I searched for this line in the plugin codebase:

    $server_port = $_SERVER['HTTP_X_FORWARDED_PORT'];

The phpCAS module was working out of Client.php at this path: $GLPI_ROOT_DIR/vendor/jasig/phpcas/source/CAS/Client.php

I commented out the logic where it was appending the port number at the end in the private function _getClientUrl():

        /* if (!strpos($server_url, ':')) {
            if (empty($_SERVER['HTTP_X_FORWARDED_PORT'])) {
                $server_port = $_SERVER['SERVER_PORT'];
            } else {
                $ports = explode(',', $_SERVER['HTTP_X_FORWARDED_PORT']);
                $server_port = $ports[0];
            }

            if ( ($this->_isHttps() && $server_port!=443)
                || (!$this->_isHttps() && $server_port!=80)
            ) {
                $server_url .= ':';
                $server_url .= $server_port;
            }
        } */

After saving the changes, GLPI was correctly setting the callback URL while redirecting to Keycloak.

retr0
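
The port decision quoted in the answer, reproduced as an added example that is not part of the original post or of phpCAS, so it can be run against different proxy headers. The function name `service_base_url()`, its `$isHttps` parameter (standing in for phpCAS's private `_isHttps()`, which the page does not show) and every `$_SERVER` value below are assumptions constructed for illustration.

```php
<?php
// Added illustration, not phpCAS source: the branch commented out in the answer,
// lifted into a stand-alone function. service_base_url() and $isHttps are
// hypothetical names; phpCAS derives the scheme in _isHttps().
function service_base_url(string $host, array $server, bool $isHttps): string
{
    $url = ($isHttps ? 'https://' : 'http://') . $host;

    // Same test as the quoted code: only consider a port when the host has none.
    if (!strpos($host, ':')) {
        if (empty($server['HTTP_X_FORWARDED_PORT'])) {
            // No header from the proxy: fall back to the backend's own port.
            $port = $server['SERVER_PORT'];
        } else {
            // A proxy chain may send a list; the first entry is used.
            // trim() is added here so "443, 80" style lists compare cleanly.
            $ports = explode(',', $server['HTTP_X_FORWARDED_PORT']);
            $port = trim($ports[0]);
        }
        // The port is appended only when it is not the default for the scheme.
        if (($isHttps && $port != 443) || (!$isHttps && $port != 80)) {
            $url .= ':' . $port;
        }
    }
    return $url;
}

// Constructed $_SERVER fragments, not captured from the deployment in the question.
// Each entry is [server values, scheme seen by the application].
$cases = [
    'https scheme, no port header' => [['SERVER_PORT' => '80'], true],
    'proxy forwards public port'   => [['SERVER_PORT' => '80', 'HTTP_X_FORWARDED_PORT' => '443'], true],
    'proxy chain, two ports'       => [['SERVER_PORT' => '80', 'HTTP_X_FORWARDED_PORT' => '443, 80'], true],
    'plain HTTP end to end'        => [['SERVER_PORT' => '80'], false],
];

foreach ($cases as $label => [$server, $isHttps]) {
    printf("%-30s %s\n", $label, service_base_url('glpi.example.com', $server, $isHttps));
}
```

When the proxy sends the public port in `X-Forwarded-Port`, the unmodified branch appends nothing, which avoids carrying a patch inside `vendor/` that a dependency update would overwrite. That header is only trustworthy if the backend is reachable solely through the proxy, as with the `127.0.0.1:6969` binding in the question's compose file.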