[GH-ISSUE #127] Multi-domain setup

kerem commented

2026-02-25 21:34:11 +03:00

Owner

Originally created by @chlarsen on GitHub (Oct 2, 2016).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/127

Originally assigned to: @jasonmunro on GitHub.

Dear Jason,
Here is the situation: Cypht sits on a server that provides internal mail services to that LAN, domain: "organisation.lan". It is not desired to open this internal messaging system up to the outside world, because it is for internal use, only, and we don't want to deal with spam and friends, plus won't have the bandwidth to deal with it anyway.
However, the LAN is accessible from the outside via DMZ, a fixed IP by the internet provider (lucky us - otherwise DDNS would have to make do). This and a bit of Nginx reverse proxy magic allow access to the internal mail via webmal (Cypht), which is useful, while it does not force us to open the mail to the internet at large. Domain for access from the outside: "organisation.org"
Cypht has been configured to work nicely within "organisation.lan", the internal LAN. User log in via IMAP (using OpenLDAP). The Cypht webmail site is accessible from the outside (internet)l, too, via "organisation.org". Log in does not work from here.
I suspected, after our earlier debugging, a cookie issue, and have set

cookie_domain=                                                                                                                                                                                  
;cookie_domain=www.organisation.lan

because this is the domain PHP FastCGI and therefore Cypht have been assigned to.
I have also added

    proxy_cookie_domain                 off;
    proxy_cookie_domain                 cypht.organisation.lan www.organisation.lan;
    proxy_cookie_domain                 organisation.lan www.organisation.lan;
    proxy_cookie_domain                 organisation.com www.organisation.lan;
    proxy_cookie_domain                 www.organisation.com www.organisation.lan;

to the FastCGI Nginx settings to make sure, any incoming cookie names get adjusted to the domain the Cypht application is running on.
However, I still get:

  2 15:12:14 www_php php-fpm[90801]: Array (     [0] => Using Hm_PHP_Session with Hm_Auth_IMAP     [1] => Using DB user configuration     [2] => Using sapi: fpm-fcgi     [3] => Request type: HTTP     [4] => Request path: /cypht/     [5] => TLS request: 0     [6] => Mobile request: 0     [7] => Page ID: message_list     [8] =>  Debug Array (     [0] => Connecting to tcp://www_php.jail.vlan on port 143     [1] => Successfully opened port to the IMAP server     [CAPS] => * CAPABILITY IMAP4rev1 LITERAL+ LOGIN-REFERRALS ID ENABLE XIMAPPROXY     [2] => Log in for admin FAILED     [A1 CAPABILITY] => 0.10567092895508     [LOGIN] => 2.2075390815735 )  Response Array (     [0] => Array         (             [0] => * OK [ CAPABILITY IMAP4rev1 LITERAL+ LOGIN-REFERRALS ID ENABLE XIMAPPROXY ] Dovecot ready.             [1] => * CAPABILITY IMAP4rev1 LITERAL+ LOGIN-REFERRALS ID ENABLE XIMAPPROXY             [2] => A1 OK Completed         )      [1] => Array         (             [0] => A2 NO LOGIN failed         )  )      [9]
Oct  2 15:12:14 www_php php-fpm[90817]: Array (     [0] => Using Hm_PHP_Session with Hm_Auth_IMAP     [1] => Using DB user configuration     [2] => Using sapi: fpm-fcgi     [3] => Request type: HTTP     [4] => Request path: /cypht/     [5] => TLS request: 0     [6] => Mobile request: 0     [7] => Page ID: message_list     [8] => Unable to get session encryption key     [9] => Setting cookie: name: CYPHTID, lifetime: 1475406734, path: /cypht/, domain: www.organisation.lan, secure: , html_only 1     [10] => Setting cookie: name: hm_id, lifetime: 1475406734, path: /cypht/, domain: www.organisation.lan, secure: , html_only 1     [11] => Setting cookie: name: hm_reload_folders, lifetime: 0, path: , domain: , secure: , html_only      [12] => HTTP header fingerprint check failed     [13] => TRANSLATION NOT FOUND :MMC Webmail:     [14] => PHP version 5.6.26     [15] => Zend version 2.6.0     [16] => Peak Memory: 4352     [17] => PID: 90817     [18] => Included files: 55 )

How can we get around this issue? Thanks a lot, indeed!
Chris

kerem closed this issue

2026-02-25 21:34:11 +03:00

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@jasonmunro commented on GitHub (Oct 2, 2016):

default_email_domain is not used to force the cookie domain, it's to build default E-mail addresses for users who have not created a profile. I think you want to set cookie_domain in the ini file.

Also, in the debug output you posted, you are not being authenticated by the IMAP server

A2 NO LOGIN failed

It might be useful to capture the request HTTP headers so we can see exactly what Cypht is getting:
https://gist.github.com/jasonmunro/3ce8216ac94309c13a0d023b480edf49

@jasonmunro commented on GitHub (Oct 2, 2016): default_email_domain is not used to force the cookie domain, it's to build default E-mail addresses for users who have not created a profile. I think you want to set cookie_domain in the ini file. Also, in the debug output you posted, you are not being authenticated by the IMAP server > A2 NO LOGIN failed It might be useful to capture the request HTTP headers so we can see exactly what Cypht is getting: https://gist.github.com/jasonmunro/3ce8216ac94309c13a0d023b480edf49

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@chlarsen commented on GitHub (Oct 2, 2016):

Soory, I meant cookie_domain. Have corrected the initial message. Yes, I am not logged in indeed, because the ?cookie is not approved. Let me add the debugging bits you suggested.

@chlarsen commented on GitHub (Oct 2, 2016): Soory, I meant cookie_domain. Have corrected the initial message. Yes, I am not logged in indeed, because the ?cookie is not approved. Let me add the debugging bits you suggested.

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@chlarsen commented on GitHub (Oct 2, 2016):

Here is what I get:
Oct 2 20:29:57 www_php php-fpm[61351]: Array ( [HOME] => /nonexistent [USER] => cypht.mmc.lan [FCGI_ROLE] => RESPONDER [QUERY_STRING] => page=message_list&list_path=unread [REQUEST_METHOD] => POST [CONTENT_TYPE] => application/x-www-form-urlencoded [CONTENT_LENGTH] => 126 [SCRIPT_NAME] => /cypht/index.php [REQUEST_URI] => /cypht/?page=message_list&list_path=unread [DOCUMENT_URI] => /cypht/index.php [DOCUMENT_ROOT] => /home/www_php/mmc.lan [SERVER_PROTOCOL] => HTTP/1.0 [REQUEST_SCHEME] => http [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_SOFTWARE] => nginx/1.11.4 [REMOTE_ADDR] => 197.248.188.206 [REMOTE_PORT] => [SERVER_ADDR] => 127.0.1.106 [SERVER_PORT] => 10001 [SERVER_NAME] => www.mmc.lan [REDIRECT_STATUS] => 200 [SCRIPT_FILENAME] => /home/www_php/mmc.lan/cypht/index.php [HTTP_HOST] => www.mweamedicalcentre.com [HTTP_X_REAL_IP] => 197.248.188.206 [HTTP_X_FORWARDED_FOR] => 197.248.188.206 [HTTP_X_FORWARDED_PROTOCO
Oct 2 20:29:58 www_php php-fpm[61351]: Array ( [0] => Using Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user configuration [2] => ELOG called in /home/www_php/mmc.lan/cypht/lib/request.php at line 123 [3] => Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0 [8] => Page ID: message_list [9] => Setting cookie: name: hm_id, lifetime: 0, path: /cypht/, domain: www.mmc.lan, secure: , html_only 1 [10] => Connecting to dsn: pgsql:host=pgsql.jail.vlan;dbname=cypht [11] => Default SMTP server added [12] => Redirecting to ?page=message_list&list_path=unread [13] => PHP version 5.6.26 [14] => Zend version 2.6.0 [15] => Peak Memory: 3584 [16] => PID: 61351 [17] => Included files: 54 )
Mind you - logging in from the LAN works. So it is a domain (?cookie) issue.

@chlarsen commented on GitHub (Oct 2, 2016): Here is what I get: Oct 2 20:29:57 www_php php-fpm[61351]: Array ( [HOME] => /nonexistent [USER] => cypht.mmc.lan [FCGI_ROLE] => RESPONDER [QUERY_STRING] => page=message_list&list_path=unread [REQUEST_METHOD] => POST [CONTENT_TYPE] => application/x-www-form-urlencoded [CONTENT_LENGTH] => 126 [SCRIPT_NAME] => /cypht/index.php [REQUEST_URI] => /cypht/?page=message_list&list_path=unread [DOCUMENT_URI] => /cypht/index.php [DOCUMENT_ROOT] => /home/www_php/mmc.lan [SERVER_PROTOCOL] => HTTP/1.0 [REQUEST_SCHEME] => http [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_SOFTWARE] => nginx/1.11.4 [REMOTE_ADDR] => 197.248.188.206 [REMOTE_PORT] => [SERVER_ADDR] => 127.0.1.106 [SERVER_PORT] => 10001 [SERVER_NAME] => www.mmc.lan [REDIRECT_STATUS] => 200 [SCRIPT_FILENAME] => /home/www_php/mmc.lan/cypht/index.php [HTTP_HOST] => www.mweamedicalcentre.com [HTTP_X_REAL_IP] => 197.248.188.206 [HTTP_X_FORWARDED_FOR] => 197.248.188.206 [HTTP_X_FORWARDED_PROTOCO Oct 2 20:29:58 www_php php-fpm[61351]: Array ( [0] => Using Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user configuration [2] => ELOG called in /home/www_php/mmc.lan/cypht/lib/request.php at line 123 [3] => Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0 [8] => Page ID: message_list [9] => Setting cookie: name: hm_id, lifetime: 0, path: /cypht/, domain: www.mmc.lan, secure: , html_only 1 [10] => Connecting to dsn: pgsql:host=pgsql.jail.vlan;dbname=cypht [11] => Default SMTP server added [12] => Redirecting to ?page=message_list&list_path=unread [13] => PHP version 5.6.26 [14] => Zend version 2.6.0 [15] => Peak Memory: 3584 [16] => PID: 61351 [17] => Included files: 54 ) Mind you - logging in from the LAN works. So it is a domain (?cookie) issue.

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@chlarsen commented on GitHub (Oct 2, 2016):

In order to avoid running two separate instances (which sounds a bit silly), I have been trying to massage the FQDN into the LAN domain, as described in the above message.

@chlarsen commented on GitHub (Oct 2, 2016): In order to avoid running two separate instances (which sounds a bit silly), I have been trying to massage the FQDN into the LAN domain, as described in the above message.

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@jasonmunro commented on GitHub (Oct 2, 2016):

we should be able to get this working without separate instances, I would hate to resort to that. I think maybe you are doing the cookie translation backwards.

In order for the cookies to work, the domain set on the cookie must match the domain in the browser. None of the intermediate names matter, nor does the internal name. Browsers use this name (and path) to determine which cookies to include on a request. If the domain on the cookie does not match the address in the browser, the cookie won't be sent, and Cypht can't tell if you are logged in.

By default Cypht uses HTTP_HOST, which in this case is www.mweamedicalcentre.com, is this not the domain in the users browser? Sorry, I'm a bit confused by your config :) I added the cookie domain quickly, and it's just a simple check to override the HTTP_HOST header. We could expand this option to include a map similar to what nginx does. You could set a cookie domain to use based on the HTTP_HOST value, and set multiple for different contexts.

@jasonmunro commented on GitHub (Oct 2, 2016): we should be able to get this working without separate instances, I would hate to resort to that. I think maybe you are doing the cookie translation backwards. In order for the cookies to work, the domain set on the cookie must match the domain in the browser. None of the intermediate names matter, nor does the internal name. Browsers use this name (and path) to determine which cookies to include on a request. If the domain on the cookie does not match the address in the browser, the cookie won't be sent, and Cypht can't tell if you are logged in. By default Cypht uses HTTP_HOST, which in this case is www.mweamedicalcentre.com, is this not the domain in the users browser? Sorry, I'm a bit confused by your config :) I added the cookie domain quickly, and it's just a simple check to override the HTTP_HOST header. We could expand this option to include a map similar to what nginx does. You could set a cookie domain to use based on the HTTP_HOST value, and set multiple for different contexts.

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@jasonmunro commented on GitHub (Oct 4, 2016):

Just want to give you a heads up: I added some additional CSRF attack protection that might not play nice with your proxies. It's enabled by default, but you can disable it with:

disable_origin_check=true

in your hm3.ini file.

@jasonmunro commented on GitHub (Oct 4, 2016): Just want to give you a heads up: I added some additional CSRF attack protection that might not play nice with your proxies. It's enabled by default, but you can disable it with: disable_origin_check=true in your hm3.ini file.

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@chlarsen commented on GitHub (Oct 4, 2016):

Thanks a lot, Jason. Goodone. Will check it out asap. At Nairobi arport...

C.

On 04/10/16 19:33, Jason Munro wrote:

Just want to give you a heads up: I added some additional CSRF attack
protection that might not play nice with your proxies. It's enabled by
default, but you can disable it with:

disable_origin_check=true

in your hm3.ini file.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/jasonmunro/cypht/issues/127#issuecomment-251441098,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ACvwTdwlHzVT--la3dM5fyUjm-sWUnC1ks5qwn_dgaJpZM4KL_6J.

Dr Christoph H. Larsen
synaLinQ
296/33 Lương Định Của, Ngọc Hội 2, Vĩnh Ngọc
Nha Trang, Khánh Hòa, Việt Nam
Mobile: +84-98-9607357 (Vietnam)
+254-776-588224, +254-701-279511 (Kenya)
+256-778-121305 (Uganda)
+49-176-96456254 (Germany)
Fax: +49-231-292734790
E-mail: christoph.larsen@synalinq.com
Skype: christoph.larsen

@chlarsen commented on GitHub (Oct 4, 2016): Thanks a lot, Jason. Goodone. Will check it out asap. At Nairobi arport... C. On 04/10/16 19:33, Jason Munro wrote: > Just want to give you a heads up: I added some additional CSRF attack > protection that might not play nice with your proxies. It's enabled by > default, but you can disable it with: > > disable_origin_check=true > > in your hm3.ini file. > > — > You are receiving this because you authored the thread. > Reply to this email directly, view it on GitHub > https://github.com/jasonmunro/cypht/issues/127#issuecomment-251441098, > or mute the thread > https://github.com/notifications/unsubscribe-auth/ACvwTdwlHzVT--la3dM5fyUjm-sWUnC1ks5qwn_dgaJpZM4KL_6J. ## Dr Christoph H. Larsen synaLinQ 296/33 Lương Định Của, Ngọc Hội 2, Vĩnh Ngọc Nha Trang, Khánh Hòa, Việt Nam Mobile: +84-98-9607357 (Vietnam) +254-776-588224, +254-701-279511 (Kenya) +256-778-121305 (Uganda) +49-176-96456254 (Germany) Fax: +49-231-292734790 E-mail: christoph.larsen@synalinq.com Skype: christoph.larsen

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@chlarsen commented on GitHub (Oct 5, 2016):

Dear Jason,

This does not seem the make any difference. In both cases (with
"disable_origin_check=true" and with "disable_origin_check=false") I get:

Oct 5 11:13:19 www_php php-fpm[60403]: Array ( [HOME] =>
/nonexistent [USER] => cypht.mmc.lan [FCGI_ROLE] =>
RESPONDER [QUERY_STRING] => page=message_list&list_path=unread
[REQUEST_METHOD] => POST [CONTENT_TYPE] =>
application/x-www-form-urlencoded [CONTENT_LENGTH] => 126
[SCRIPT_NAME] => /cypht/index.php [REQUEST_URI] =>
/cypht/?page=message_list&list_path=unread [DOCUMENT_URI] =>
/cypht/index.php [DOCUMENT_ROOT] => /home/www_php/mmc.lan
[SERVER_PROTOCOL] => HTTP/1.0 [REQUEST_SCHEME] => http
[GATEWAY_INTERFACE] => CGI/1.1 [SERVER_SOFTWARE] => nginx/1.11.4
[REMOTE_ADDR] => 182.52.67.177 [REMOTE_PORT] => [SERVER_ADDR]
=> 127.0.1.106 [SERVER_PORT] => 10001 [SERVER_NAME] =>
www.mmc.lan [REDIRECT_STATUS] => 200 [SCRIPT_FILENAME] =>
/home/www_php/mmc.lan/cypht/index.php [HTTP_HOST] =>
www.mweamedicalcentre.com [HTTP_X_REAL_IP] => 182.52.67.177
[HTTP_X_FORWARDED_FOR] => 182.52.67.177 [HTTP_X_FORWARDED_PROTOCOL] =>
Oct 5 11:13:19 www_php php-fpm[60403]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php at line 123 [3] => Using
sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request path:
/cypht/ [6] => TLS request: 0 [7] => Mobile request: 0 [8] =>
Page ID: message_list [9] => Setting cookie: name: hm_id, lifetime:
0, path: /cypht/, domain: www.mmc.lan, secure: , html_only 1 [10] =>
Connecting to dsn: pgsql:host=pgsql.jail.vlan;dbname=cypht [11] =>
Default SMTP server added [12] => Redirecting to
?page=message_list&list_path=unread [13] => PHP version 5.6.26
[14] => Zend version 2.6.0 [15] => Peak Memory: 3584 [16] =>
PID: 60403 [17] => Included files: 54 )

I fail to see at present, where the fault may be...

C.

On 04/10/16 23:33, Jason Munro wrote:

Just want to give you a heads up: I added some additional CSRF attack
protection that might not play nice with your proxies. It's enabled by
default, but you can disable it with:

disable_origin_check=true

in your hm3.ini file.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/jasonmunro/cypht/issues/127#issuecomment-251441098,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ACvwTdwlHzVT--la3dM5fyUjm-sWUnC1ks5qwn_dgaJpZM4KL_6J.

Dr Christoph H. Larsen
synaLinQ
296/33 Lương Định Của, Ngọc Hội 2, Vĩnh Ngọc
Nha Trang, Khánh Hòa, Việt Nam
Mobile: +84-98-9607357 (Vietnam)
+254-776-588224, +254-701-279511 (Kenya)
+256-778-121305 (Uganda)
+49-176-96456254 (Germany)
Fax: +49-231-292734790
E-mail: christoph.larsen@synalinq.com
Skype: christoph.larsen

@chlarsen commented on GitHub (Oct 5, 2016): Dear Jason, This does not seem the make any difference. In both cases (with "disable_origin_check=true" and with "disable_origin_check=false") I get: Oct 5 11:13:19 www_php php-fpm[60403]: Array ( [HOME] => /nonexistent [USER] => cypht.mmc.lan [FCGI_ROLE] => RESPONDER [QUERY_STRING] => page=message_list&list_path=unread [REQUEST_METHOD] => POST [CONTENT_TYPE] => application/x-www-form-urlencoded [CONTENT_LENGTH] => 126 [SCRIPT_NAME] => /cypht/index.php [REQUEST_URI] => /cypht/?page=message_list&list_path=unread [DOCUMENT_URI] => /cypht/index.php [DOCUMENT_ROOT] => /home/www_php/mmc.lan [SERVER_PROTOCOL] => HTTP/1.0 [REQUEST_SCHEME] => http [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_SOFTWARE] => nginx/1.11.4 [REMOTE_ADDR] => 182.52.67.177 [REMOTE_PORT] => [SERVER_ADDR] => 127.0.1.106 [SERVER_PORT] => 10001 [SERVER_NAME] => www.mmc.lan [REDIRECT_STATUS] => 200 [SCRIPT_FILENAME] => /home/www_php/mmc.lan/cypht/index.php [HTTP_HOST] => www.mweamedicalcentre.com [HTTP_X_REAL_IP] => 182.52.67.177 [HTTP_X_FORWARDED_FOR] => 182.52.67.177 [HTTP_X_FORWARDED_PROTOCOL] => Oct 5 11:13:19 www_php php-fpm[60403]: Array ( [0] => Using Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user configuration [2] => ELOG called in /home/www_php/mmc.lan/cypht/lib/request.php at line 123 [3] => Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0 [8] => Page ID: message_list [9] => Setting cookie: name: hm_id, lifetime: 0, path: /cypht/, domain: www.mmc.lan, secure: , html_only 1 [10] => Connecting to dsn: pgsql:host=pgsql.jail.vlan;dbname=cypht [11] => Default SMTP server added [12] => Redirecting to ?page=message_list&list_path=unread [13] => PHP version 5.6.26 [14] => Zend version 2.6.0 [15] => Peak Memory: 3584 [16] => PID: 60403 [17] => Included files: 54 ) I fail to see at present, where the fault may be... C. On 04/10/16 23:33, Jason Munro wrote: > Just want to give you a heads up: I added some additional CSRF attack > protection that might not play nice with your proxies. It's enabled by > default, but you can disable it with: > > disable_origin_check=true > > in your hm3.ini file. > > — > You are receiving this because you authored the thread. > Reply to this email directly, view it on GitHub > https://github.com/jasonmunro/cypht/issues/127#issuecomment-251441098, > or mute the thread > https://github.com/notifications/unsubscribe-auth/ACvwTdwlHzVT--la3dM5fyUjm-sWUnC1ks5qwn_dgaJpZM4KL_6J. ## Dr Christoph H. Larsen synaLinQ 296/33 Lương Định Của, Ngọc Hội 2, Vĩnh Ngọc Nha Trang, Khánh Hòa, Việt Nam Mobile: +84-98-9607357 (Vietnam) +254-776-588224, +254-701-279511 (Kenya) +256-778-121305 (Uganda) +49-176-96456254 (Germany) Fax: +49-231-292734790 E-mail: christoph.larsen@synalinq.com Skype: christoph.larsen

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@chlarsen commented on GitHub (Oct 5, 2016):

Dear Jason,

Thanks a lot for reverting so quickly:

Imagine two avenues to access the hospital's server: One is via the
Intranet, domain: mmc.lan. The other is via the Internet, domain:
mweamedicalcentre.com.

There are historical and practical reasons for this: The (internal)
domain mmc.lan has ben created long before the FQDN
mweamedicalcentre.com has ever been registered. As for other facilities,
not all of them may be able to enjoy the luxury of a FQDN registration
for cost or policy reasons.

So, it is probably not a bad thing to continue this dichotomy between
internal and external domains - otherwise I would have gone for the
FQDN, only, and defined a subdomain to the FQDN for internal use.

Given the above situation, we have users logging in from
https://www.mmc.lan/cypht as well as
https://www.mweamedicalcentre.com/cypht, and somehow they should always
land at www_php.jail.vlan:10001, because this is the jail and port,
where Cypht is running. Luckily, we have all traffic channelled through
Ngnx sitting in secure.jail.vlan redirecting ordinary traffic arriving
at ports 80 and 443 to the appropriate jail and port, in accordance with
locations, such as /cypht.

Therefore it is a bit hard to decide, which domain the cookie_domain
setting to set to. May the setting could relate to the target domain
FastCGI is actually running on in my Nginx server, e.g. www.mmc.lan?

What would be the best strategy to go about it?

Thanks a lot for your thoughts!

Chris

On 03/10/16 04:26, Jason Munro wrote:

we should be able to get this working without separate instances, I
would hate to resort to that. I think maybe you are doing the cookie
translation backwards.

In order for the cookies to work, the domain set on the cookie must
match the domain in the browser. None of the intermediate names
matter, nor does the internal name. Browsers use this name (and path)
to determine which cookies to include on a request. If the domain on
the cookie does not match the address in the browser, the cookie won't
be sent, and Cypht can't tell if you are logged in.

By default Cypht uses HTTP_HOST, which in this case is
www.mweamedicalcentre.com http://www.mweamedicalcentre.com, is this
not the domain in the users browser? Sorry, I'm a bit confused by your
config :) I added the cookie domain quickly, and it's just a simple
check to override the HTTP_HOST header. We could expand this option to
include a map similar to what nginx does. You could set a cookie
domain to use based on the HTTP_HOST value, and set multiple for
different contexts.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/jasonmunro/cypht/issues/127#issuecomment-250997222,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ACvwTTRtgcY1uwX5odoR08fxL7hpRCFUks5qwCGRgaJpZM4KL_6J.

Dr Christoph H. Larsen
synaLinQ
296/33 Lương Định Của, Ngọc Hội 2, Vĩnh Ngọc
Nha Trang, Khánh Hòa, Việt Nam
Mobile: +84-98-9607357 (Vietnam)
+254-776-588224, +254-701-279511 (Kenya)
+256-778-121305 (Uganda)
+49-176-96456254 (Germany)
Fax: +49-231-292734790
E-mail: christoph.larsen@synalinq.com
Skype: christoph.larsen

@chlarsen commented on GitHub (Oct 5, 2016): Dear Jason, Thanks a lot for reverting so quickly: Imagine two avenues to access the hospital's server: One is via the Intranet, domain: mmc.lan. The other is via the Internet, domain: mweamedicalcentre.com. There are historical and practical reasons for this: The (internal) domain mmc.lan has ben created long before the FQDN mweamedicalcentre.com has ever been registered. As for other facilities, not all of them may be able to enjoy the luxury of a FQDN registration for cost or policy reasons. So, it is probably not a bad thing to continue this dichotomy between internal and external domains - otherwise I would have gone for the FQDN, only, and defined a subdomain to the FQDN for internal use. Given the above situation, we have users logging in from https://www.mmc.lan/cypht as well as https://www.mweamedicalcentre.com/cypht, and somehow they should always land at www_php.jail.vlan:10001, because this is the jail and port, where Cypht is running. Luckily, we have all traffic channelled through Ngnx sitting in secure.jail.vlan redirecting ordinary traffic arriving at ports 80 and 443 to the appropriate jail and port, in accordance with locations, such as /cypht. Therefore it is a bit hard to decide, which domain the cookie_domain setting to set to. May the setting could relate to the target domain FastCGI is actually running on in my Nginx server, e.g. www.mmc.lan? What would be the best strategy to go about it? Thanks a lot for your thoughts! Chris On 03/10/16 04:26, Jason Munro wrote: > we should be able to get this working without separate instances, I > would hate to resort to that. I think maybe you are doing the cookie > translation backwards. > > In order for the cookies to work, the domain set on the cookie must > match the domain in the browser. None of the intermediate names > matter, nor does the internal name. Browsers use this name (and path) > to determine which cookies to include on a request. If the domain on > the cookie does not match the address in the browser, the cookie won't > be sent, and Cypht can't tell if you are logged in. > > By default Cypht uses HTTP_HOST, which in this case is > www.mweamedicalcentre.com http://www.mweamedicalcentre.com, is this > not the domain in the users browser? Sorry, I'm a bit confused by your > config :) I added the cookie domain quickly, and it's just a simple > check to override the HTTP_HOST header. We could expand this option to > include a map similar to what nginx does. You could set a cookie > domain to use based on the HTTP_HOST value, and set multiple for > different contexts. > > — > You are receiving this because you authored the thread. > Reply to this email directly, view it on GitHub > https://github.com/jasonmunro/cypht/issues/127#issuecomment-250997222, > or mute the thread > https://github.com/notifications/unsubscribe-auth/ACvwTTRtgcY1uwX5odoR08fxL7hpRCFUks5qwCGRgaJpZM4KL_6J. ## Dr Christoph H. Larsen synaLinQ 296/33 Lương Định Của, Ngọc Hội 2, Vĩnh Ngọc Nha Trang, Khánh Hòa, Việt Nam Mobile: +84-98-9607357 (Vietnam) +254-776-588224, +254-701-279511 (Kenya) +256-778-121305 (Uganda) +49-176-96456254 (Germany) Fax: +49-231-292734790 E-mail: christoph.larsen@synalinq.com Skype: christoph.larsen

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@jasonmunro commented on GitHub (Oct 5, 2016):

Sorry for the late follow up. I think I found some issues in the code. Your debug output above is very helpful. I will update you when I have more info, but I think we can get this done without even using the cookie_domain option.

@jasonmunro commented on GitHub (Oct 5, 2016): Sorry for the late follow up. I think I found some issues in the code. Your debug output above is very helpful. I will update you when I have more info, but I think we can get this done without even using the cookie_domain option.

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@jasonmunro commented on GitHub (Oct 5, 2016):

Ok, I have an update I would like you to test if you could. Please do the following:

update your code to the latest in github
remove the cookie_domain setting in your hm3.ini file
rerun the config gen script
see if you can login from the 2 different contexts.

Thanks!

@jasonmunro commented on GitHub (Oct 5, 2016): Ok, I have an update I would like you to test if you could. Please do the following: - update your code to the latest in github - remove the cookie_domain setting in your hm3.ini file - rerun the config gen script - see if you can login from the 2 different contexts. Thanks!

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@chlarsen commented on GitHub (Oct 6, 2016):

Dear Jason,

I have been able to log in from the remote location! I have sent the
Kenyan team a request to login from within the LAN. Feedback to follow
asap.

More soonest, thanks a lot!

Chris

@chlarsen commented on GitHub (Oct 6, 2016): Dear Jason, I have been able to log in from the remote location! I have sent the Kenyan team a request to login from within the LAN. Feedback to follow asap. More soonest, thanks a lot! Chris

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@chlarsen commented on GitHub (Oct 6, 2016):

Dear Jason,
Yes, multi-domain logins work! Great! Thanks a lot!
Chris

@chlarsen commented on GitHub (Oct 6, 2016): Dear Jason, Yes, multi-domain logins work! Great! Thanks a lot! Chris

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@jasonmunro commented on GitHub (Oct 6, 2016):

Excellent! Thanks for the follow up. I'm going to close this issue then. As always, feel free to open a new one or re-open this one as needed.

@jasonmunro commented on GitHub (Oct 6, 2016): Excellent! Thanks for the follow up. I'm going to close this issue then. As always, feel free to open a new one or re-open this one as needed.

kerem commented

2026-02-25 21:34:11 +03:00

Author

Owner

@chlarsen commented on GitHub (Oct 6, 2016):

Hugely appreciated, Jason.

Chris

@chlarsen commented on GitHub (Oct 6, 2016): Hugely appreciated, Jason. Chris

Rows
Columns

[GH-ISSUE #127] Multi-domain setup #108