Recent Topics

Using b2evolution behind a reverse proxy

started by on Aug 31, 2015 – Last touched: Sep 01, 2015

Aug 31, 2015 10:55    

I would like to operate the b2evolution behind a reverse proxy (web access manager)
This reverse proxy creates a portal, with all the authorized application for a user.
I uses an external url which is different from the url the application uses.

As an example if the 'internal' url of the installation is, the external url (viewed from a browser perspective) would be
When i try to add the b2evolution application a get to the home screen, but then I get the following message when clicking on whatever link :

Incorrect crumb received! [loginform]

Your request was stopped for security reasons.
Have you waited more than 120 minutes before submitting your request?
Please go back to the previous page and refresh it before submitting the form again.
Alternatively, you can try to resubmit your request with a refreshed crumb:

Aug 31, 2015 15:37

From the 2 URLs you show above, which one do you use as the $baseurl in the b2evolution configuration?

Does your reverse proxy translate all URLs in both directions or not?

The error you show contains [loginform] which is a very specific case. What if you try to navigate to other public pages of your blog? Can you make a test where the blog is set as public in b2evolution, not as private/require login. You want to isolate the problem of logging in from the problem of navigating the site.

Sep 01, 2015 08:54

Hi, you are right, the error message occurs after a login from behind the reverse proxy.
Pages without notification do work.
The reverse proxy translates urls in both direction, if the parser is able to recognise a url.
Sometimes, for instance in javascript, this is not possible, so extra rules must be defined to make a correct replacement

Sep 01, 2015 14:37

The login page has special javascript that tries to encrypt passwords before submitting the form. You may try to disable this. (It will be disabled by the LDAP plugin anyways because it needs clear passwords to check against the LDAP server). Disabling this in the core (user login settings) may reduce unneeded javascript loads and possible errors.

I'm not sure that's the issue though.

Can you also try posting a comment without being logged in?

Posting a comment should be using the same "crumb" system where it refuses to do an action if the client doesn't send back a crumb it previously got.

In this case I would say the problem is either:

  • the crumbs are modified or filtered by the reverse proxy
  • there is a cookie domain issue where cookies set by b2evolution don't get sent back to b2evolution (which would actually me my #1 suspect at this point)

Sep 01, 2015 15:29

The first problem happens when i want to look at a post.
The leave a comment form is not displayer. a sponge cursor with Form is loading.
The only anormal request I see in the logs of the WAM is a call to /browserconfig.xml.
So the url calling this file is not correctly translated.

Sep 01, 2015 15:47

sometimes, tools like this also use a control based on the referee page. for example if the site on a page receives a POST for which the referer is not the same, ex it rejects the POST.
I do not know if such a protection is used with b2evolution

Sep 01, 2015 16:57

b2evolution does not check the Referer, but it definitely requires a session cookie to be sent back.

/browserconfig.xml maight be an IE thing. It's not a b2evolution file.

There is an AJAX request to load the comment form indeed. In the case of an intranet (less spammers) you can disable this in the advanced settings of each collection.

You may however get the same issue again with AJAX features in the backoffice which may also need special handling for their URL to be translated.

Form is loading...

powered by open-source CMS software – This forum is powered by b2evolution CMS, a complete engine for your website.