Wrong token using httpd and relayd on openbsd

[caywin25]

Hello

I find myself facing a problem.
I can't share an article with the "Shaare link" button

When I open the window and enter my credentials, I get the message Wrong token and I cannot share the link.

It seems to me that it is because of my reverse proxy.
My configuration is as follows:

• My reverse proxy listens on ports 443 and 80 and my web server on port 8080

Log on my webserver with Wrong token message :

<domain> 127.0.0.1 - - [24/Jan/2024:19:57:25 +0100] "POST /login?returnurl=%2Fadmin%2Fshaare%3Fpost%3Dhttps%253A%252F%252Fgithub.com%252Fshaarli%252FShaarli%252Fpulls%26title%3DPull%2520requests%2520%25C2%25B7%2520shaarli%252FShaarli%2520%25C2%25B7%2520GitHub%26description%3D%26source%3Dbookmarklet HTTP/1.1" 403 0 "https://domain.fr/login%3Freturnurl=%252Fadmin%252Fshaare%253Fpost%253Dhttps%25253A%25252F%25252Fgithub.com%25252Fshaarli%25252FShaarli%25252Fpulls%2526title%253DPull%252520requests%252520%2525C2%2525B7%252520shaarli%25252FShaarli%252520%2525C2%2525B7%252520GitHub%2526description%253D%2526source%253Dbookmarklet" "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0" <IP> -

I think that's where the problem comes from.
Could you please help me ?

[caywin25]

I just did new tests.
If I log in directly to my shaarli site and I want to share a link with the "Shaare link" window I get the error: Wrong token.

If I am not logged in on my shaarli site but I log in from the small window ¨Shaare link¨ I can share any links.

Finally if I log into the small "shaare link" window and on my shaarli site one of the will return the Wrong Token error and will be unusable

[nodiscc]

Hi,

It seems to me that it is because of my reverse proxy.

Please post

• your shaarli version and installation method used (releae zip, source+composer, docker...)
• the relevant virtualhost/server configuration of your reverse proxy/web server

[caywin25]

Hello

Thanks for your reply.
I'm using httpd ans relayd on openbsd and I installed shaarli with zip
I know is not standard :)

httpd.conf

server "perso.shaarli.org" {
        listen on 127.0.0.1 port 8080

        log style forwarded
        log {
                access "access.log"
                error "error.log"
        }

        location "/tpl/*" {
            root "/htdocs/shaarli"
        }

        location "*.php" {
            root "/htdocs/shaarli"
            fastcgi socket "/run/php-fpm.sock"
        }

        location "*index.php*" {
            root "/htdocs/shaarli"
            fastcgi socket "/run/php-fpm.sock"
        }

        location match "/(.*)" {
            request rewrite "/index.php/%1"
        }

        location "/*" {
            root "/htdocs/shaarli"
        }
        gzip-static
}

server "perso.shaarli.org" {
        listen on 127.0.0.1 port 8081
        block return 301 "https://$HTTP_HOST$REQUEST_URI"
}

relayd.conf

match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Real-IP" value "$REMOTE_ADDR"

Above are the headers that I pass to VHOST
The rest of the conf is just standard for the 443

Thank for your help

[nodiscc]

Does accessing /admin/token on your instance return a token?

Are there errors in the browser console or webserver logs?

[nodiscc]

Hi @caywin25 did you get a chance to check /admin/token on your instance, as requested above?

[caywin25]

Hello @nodiscc
Sorry for delay
Yes if I go to /admin/token I have my token

Thanks
Regards

[russsharek]

I ran into a very similar looking problem with my shaarli instance, which was also installed on OpenBSD using httpd and relayd. It turned out that the login session was failing because there was no tmp directory in the chroot of the web server.

Creating tmp in $webroot with appropriate permissions solved the problem for me.