Basic Authentication popup in production #432

Open
insad opened this issue Sep 16, 2021 · 3 comments

insad commented Sep 16, 2021

The user forums seem not to exist anymore, so I'm asking this here.

Running in production mode (until now it never happened in dev mode), some menu items show a basic authentication popup. Strangely enough, it happens only with some back office menu items, and not with others.

I'm running the site with Apache 2.4.41 on Ubuntu 20.04 and PHP 7.4 (using PHP-FPM), but exactly the same happens running under PHP-CGI, with and without .htaccess (generated by symfony/apache-pack).

Correctly set for PHP-FPM:

        SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

and also when using PHP-CGI:

        # Sets the HTTP_AUTHORIZATION header removed by Apache
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} .+
        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0]

Does somebody have an idea what could be going wrong?

Relevant Apache2 site configuration:

        <VirtualHost *:80>
            ServerName videos.domain-redacted.com
            Redirect / https://videos.domain-redacted.com/
        </VirtualHost>
        <VirtualHost *:443>
            ServerName videos.domain-redacted.com

            DocumentRoot /srv/pumukit/public
            DirectoryIndex /index.php

            <Directory /srv/pumukit/public>
                # Sets the HTTP_AUTHORIZATION header removed by Apache
                RewriteEngine On
                RewriteCond %{HTTP:Authorization} .+
                RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0]

                # Allows .htaccess override
                #AllowOverride All
                #Require all granted

                FallbackResource /index.php
            </Directory>

            <Directory /srv/pumumkit/public/bundles>
                DirectoryIndex disabled
                FallbackResource disabled
            </Directory>

            ErrorLog /var/log/apache2/pumukit_error.log
            CustomLog /var/log/apache2/pumukit_access.log combined

            # Use PHP-FPM
            <FilesMatch \.php$>
                SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost"
            </FilesMatch>

            SSLEngine on
            Include /etc/letsencrypt/options-ssl-apache.conf
            SSLCertificateFile /etc/letsencrypt/live/domain-redacted.com/fullchain.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/domain-redacted.com/privkey.pem
        </VirtualHost>

pumukit

Contributor

Yurujai commented Sep 20, 2021

Hi @insad,

What values do you have in the .env file for these parameters: PUMUKIT_HOST, PUMUKIT_SCHEME?

The default value of PUMUKIT_HOST is wrong in your case; you should set your production environment host as the value.

Best regards!

Author

insad commented Sep 20, 2021

Hi Pablo,

Thanks for your reply, but still something must be wrong. Here are the relevant parts of my .env.local file:

        ###> symfony/framework-bundle ###
        APP_ENV=prod
        APP_SECRET=--redacted--
        TRUSTED_PROXIES=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
        #https://github.com/symfony/symfony/issues/29609
        TRUSTED_HOSTS=localhost|api|videos4.domain-redacted.com
        ###< symfony/framework-bundle ###

        ###> pumukit ###
        PUMUKIT_USER=admin
        PUMUKIT_PASS=--redacted--
        ....
        PUMUKIT_LOCALE=es
        PUMUKIT_SECRET=--redacted--
        ....
        PUMUKIT_LOCALES=es
        PUMUKIT_HOST=videos4.domain-redacted.com
        PUMUKIT_SCHEME=https
        ....

        ###> nelmio/cors-bundle ###
        #CORS_ALLOW_ORIGIN="^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$"
        CORS_ALLOW_ORIGIN="*"
        ###< nelmio/cors-bundle ###

I added my domain to the "TRUSTED_HOSTS" list, set it as the "PUMUKIT_HOST" parameter, and finally set "CORS_ALLOW_ORIGIN" to "*".
After that I cleaned the cache, but even so not much luck...

I'm running a fresh (yesterday) copy of the GitHub master (4.0.x-dev) with the paella player installed.

I will also search for a solution myself; I do a lot of PHP programming but, besides some libraries I use from Symfony, have no experience with the platform.

Thanks a lot again,

Albert

pumukit-auth

Author

insad commented Oct 26, 2021

I have found where the problem originates. E.g. in /admin/series, there is JavaScript code calling the URLs /api/keywords/mmobj and /api/keywords/series (window.mmobjkeywords.initialize() resp. window.serieskeywords.initialize()). These API calls cause the popup authentication window; if I click "Cancel" in this window, I get back a 401 error. Not sure how to solve this problem, maybe also your jQuery is very, very old (1.10.2)?
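
The mechanism behind the last comment, as an added example that is not part of the thread or of PuMuKIT's code: a browser opens its native login dialog when a response, including one to a background JavaScript request, is a 401 carrying a `WWW-Authenticate: Basic` challenge. The code parses that header and flags such responses; the function names and the sample headers are constructed here, since the thread does not show what the API actually returns.

```javascript
const TOKEN = "[A-Za-z0-9!#$%&'*+.^_`|~-]+";
const PARAM_RE = new RegExp("^(" + TOKEN + ")\\s*=\\s*(.*)$");
const SCHEME_RE = new RegExp("^(" + TOKEN + ")(?:\\s+(.*))?$");
const unquote = (v) => v.replace(/^"|"$/g, "");

// Split on commas that are not inside a quoted-string (escaped quotes are not handled).
function splitOutsideQuotes(value) {
  const parts = [];
  let current = "", inQuotes = false;
  for (const ch of value) {
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === "," && !inQuotes) { parts.push(current.trim()); current = ""; }
    else current += ch;
  }
  parts.push(current.trim());
  return parts.filter(Boolean);
}

// Parse a WWW-Authenticate value into [{ scheme, params }].
function parseChallenges(headerValue) {
  const challenges = [];
  for (const part of splitOutsideQuotes(headerValue || "")) {
    const param = part.match(PARAM_RE);
    if (param && challenges.length) { // parameter continuing the previous challenge
      challenges[challenges.length - 1].params[param[1].toLowerCase()] = unquote(param[2]);
      continue;
    }
    const m = part.match(SCHEME_RE);
    if (!m) continue;
    const challenge = { scheme: m[1].toLowerCase(), params: {} };
    const first = (m[2] || "").match(PARAM_RE);
    if (first) challenge.params[first[1].toLowerCase()] = unquote(first[2]);
    challenges.push(challenge);
  }
  return challenges;
}

// A browser shows its native login dialog for a 401 that carries a Basic challenge.
function triggersBasicPrompt(status, headers) {
  if (status !== 401) return false;
  const name = Object.keys(headers).find((k) => k.toLowerCase() === "www-authenticate");
  return Boolean(name) && parseChallenges(headers[name]).some((c) => c.scheme === "basic");
}
// Constructed responses for the URLs named in the thread (real headers are not on the page).
const samples = [
  { url: "/api/keywords/mmobj", status: 401, headers: { "WWW-Authenticate": 'Basic realm="Secured Area"' } },
  { url: "/api/keywords/series", status: 401, headers: { "www-authenticate": 'Bearer realm="api", error="invalid_token"' } },
  { url: "/admin/series", status: 200, headers: {} },
];
const promptingUrls = (list) => list.filter((r) => triggersBasicPrompt(r.status, r.headers)).map((r) => r.url);
console.log(promptingUrls(samples));
```

The status and response headers to feed in can be read from the browser's network panel for the two `/api/keywords/...` requests.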
