Hoping to either get some advice or report a fairly significant bug / unintuitive feature design.
The context is this: SavaPage is hosted in VLAN1 and our reverse proxy server is on VLAN2. Running a basic nginx configuration (https), the following behaviour is observed:
- https://123.456.789.10 successfully redirects to the /user route.
- https://savapage.domain.com redirects to /user and then enters an infinite refresh loop with a message stating “connection to server is lost” - notably, this behavior is only on Chromium browsers (Chrome and Edge tested). Firefox and Safari load fine.
Chromium seems like it might have stricter policies. Documentation on hosting SavaPage is quite limited, but I did find this:
- SavaPage server accepts SSL connections from local host only. When remote access to SavaPage is proxied, e.g. by Apache redirect, the remote address will be 127.0.0.1 in all cases. Therefore, requests from local loop-back address 127.0.0.1 are not accepted. The request origin must be a “real” IP address identical to the one of the SavaPage server.
- At the client, SSL host name verification is turned off. This allows a mismatch between the server host name and the SSL certificate CN.
I can barely wrap my head around this topic (it’s not my forte), but this seems like a very restrictive and non-standard practice? Am I missing something, or does this setup mean that any reverse proxy must be on the same machine?