Thread "Configuring ILIAS v7.28 for nginx and apache"

I would like some help.

We are using Ilias version 5, so far without any problems, but the time has come to upgrade the hardware and software. Therefore, we have been testing the latest versions of Ilias for almost a year now. But we have problems with every version of the Ilias.
We have concluded that we will use the 7.28 version - with which we have the least problems with when installing and configuring SAML.
For testing, we use OS Redhat Enterprise 8.9 with two versions of installed web services: apache 2.4 and nginx 1.14 - each version of the web service is causing different problems, so we test which version of the service can cause less problems or none.
I must also mention that we have SAML set up that works correctly with other SPs, while only ILIAS is causing problems.

Server OS: Red Hat Enterprise 8.9

Apache/2.4.37:
When using Apache, ILIAS 7.28 works visually correctly, except:
- when adding and editing individual groups, javascript does not work properly. An error appears in the console:
Fetch API cannot load http://ilias.url/ilias.php?ref_id=124&obj_id=14&cmd=invokeServer&cmdClass=ilpageeditorserveradaptergui&cmdNode=x0%3Aq4%3Axh%3Axg%3Asp%3Asq&baseClass=ilSAHSEditGUI&action_id=1&component=Page&action=ui.all. Request mode is "same-origin" but the URL's origin is not same as the request origin https://ilias.url.

- when sending a request to the IdP - ILIAS sends it via HTTP instead of HTTPS, which results in an error and a security breach when returning the response. True, response is correct, but the correct protocol is not correct (HTTP instead of HTTPS).


Apache configuration for virtual host:
PHP FPM 7.4 (same php.ini for Apache and nginx)
- all traffic from port 80 is permanently redirected to 443




nginx/1.14.1:
PHP FPM 7.4 (same php.ini for Apache and nginx)
- all traffic from port 80 is permanently redirected to 443
- adding and editing groups javascript unlike Apache works correctly
- when sending a request to the IdP - ILIAS sends it via secure HTTPS communication, but after receiving the response, ILIAS throws a log error that it has an error:
Whoops\Exception\ErrorException thrown with message "array_key_exists(): The first argument should be either a string or an integer"
If there is a need, I can attach the log files. (I did post question related to this issue in past here on forum, but no one helped to resolve issue)



- we tried with PHP8.x, but ilias reports several errors, mostly related to the array - regardless of what is added to the file:


client.ini.ini
[server]
preent_super_global_replacement = "1"


ilias.ini.php
[https]         
auto_https_detect_enabled     "0"     
auto_https_detect_header_name     ""     
auto_https_detect_header_value     ""

---
with entering enabled = "1", and header_name = "ILIAS_HTTPS_ENABLED" problem remains, so we reverted to above ini settings.

Please advise us on how to configure fresh Ilias installation to work with SAML, on any: apache or nginx.
Thanks!

you wrote:

preent_super_global_replacement

... was this just a typo in your post?  The keyname should be:     "prevent_super_global_replacemen"

Hey! Yeah if you wanted to pop in the log it could be some help. We're running Ilias 7.28 on Nginx 1.22.1 with SAML running for quite a few clients so might be able to glean some info from the logs.

Sorry I misstyped (retyping, not copy/paste)

Thank you for your interest in helping us.
It took us a little longer to organize users (learning administrators) to try and check where all the errors occur.
In short, I would conclude that we would prefer to enable everything to run on apache (not on nginx) because it seems to have a "simpler" bug related to CORS. I don't know exactly what the problem is and why ilias redirects to http - while everything is configured to https.

I'm sure if we fix this CORS problem, SAML would work as well.
I can provide additional configurations / logs if needed!

The following are images from Apache and nginx with console output, where errors or correct operation are visible.

---

Sample 1 - Apache Error:



Sample 1 - same page with nginx

---

Sample 2 - Apache error



Sample 2 - same page with nginx

---

Follows configuration of apache, and description of general problem:
------------------------------------------------------------------------------------

Apache 2.4.37

- editing learning modules (ILIAS, SCORM) - not enabled
- file upload (XLS) - enabled
- file download (the same XLS) - disabled
- preview of the PDF file, enabled in the browser


On NGINX 1.14.1

- editing of learning modules (ILIAS, SCORM) - enabled
- file upload (XLS) - not enabled
- file download (same XLS) - not disabled
- PDF file preview, we couldn't check it because the portal froze


------------------------------------------------------------------------------------
CONFIG:

Apache 
httpd-vhosts.conf

######################################
#
# ilias.url
#

<VirtualHost *:80>
    ServerName ilias.url
    Redirect permanent / https://ilias.url/
    # Redirect 301 / https://ilias.url/
</VirtualHost>

<VirtualHost *:443>
    ServerName ilias.url
    DocumentRoot "/var/www/html/ilias/ilias728"
    # DocumentRoot "/var/www/html/ilias/ilias84"
   
    # Protocols h2 http/1.1
    
    <If "%{HTTP_HOST} == 'http://ilias.url'">
        Redirect permanent / https://ilias.url/
    </If>

</VirtualHost>

httpd.conf

######################################
#
# Default apache comments removed to shorten the file
#


#
# This is the main Apache HTTP server configuration file.  
# ...

ServerRoot "/etc/httpd"

Listen 80

Include conf.modules.d/*.conf
Include conf_php/php74-php.conf
Include conf.d/ssl.conf

User apache
Group apache

ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied
</Directory>

# DocumentRoot "/var/www/html/ilias/ilias728"
DocumentRoot "/var/www/html/default/80"

<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"

LogLevel warn

<IfModule log_config_module>
    
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
        # You need to enable mod_logio.c to use %I and %O
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
   
    TypesConfig /etc/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

# Virtual hosts
Include "conf/extra/httpd-vhosts.conf"

Thanks for your help

I've posted the logs, so I'd appreciate it if you could take a look.
I didn't want to "clutter" with excessive text - so maybe I didn't include everything necessary right away.
Let me know if you think I should send additional logs or some configuration (I can include apache, nginx ilias config...).

auto_https_detect_enabled and other settings are only needed in Reverse-Proxy scenario where the webserver is not terminating https itself.

However for SAML client.ini.php setting is needed:
[server]
prevent_super_global_replacement = "1"
 
1. Check your ilias.ini.php for 
[...]
    http_path = "https://ilias.url"
[...]

2. If thats not correct adjust your setup.json - File for
[...]
"http" : {
                "path" : "https://ilias.url",
[...]
and re-run php setup/setup.php update -y setup.json

3. Verify that ILIAS knows its correct URL including "https://" in Administration - System Settings and Maintenance - General Settings - Tab server

4. Update to ILIAS 7.30 !