Hi,
I'm referring to the wikibase-release pipeline. My deployment is the docker compose setup and to enable and expose all services I use nginx (which redirects the public URLs to HTTPS and to the corresponding docker services). I have the following problem.
First when setting up quickstatements in the docker-compose.extra.yml there is:
WB_PUBLIC_SCHEME_HOST_AND_PORT=http://${WIKIBASE_HOST}:${WIKIBASE_PORT}
which means that there is a redirect not to https. This should be fixed.
If I ignore this and try to login via oauth to quickstatements, I will be redirected, I log in to the wikibase, I give the rights and when I'm back to quickstatements I'm NOT logged in. I can avoid this by unsetting in docker-compose.yml the following:
aliases:
- ${WIKIBASE_HOST}
- wikibase-docker.svc
Then quickstatements is working as expected. I really do not remember the reason for that. Arggg....
Anyway.
- If I take the configurations out of the box (with the adjustments above) quickstatements is working but the type as you search is not working. The reason is that APIs are called under http://my.host (so not httpS). In particular the type as you search is not working because the browser complains:
XMLHttpRequest cannot load http://my.host/w/api.php?action=wbsearchentities&search=test&format=json&errorformat=plaintext&language=en&uselang=en&type=item due to access control checks.
To fix this problem I set
$wgServer = 'https://my.host'
then the type as you search is working.
- If I enable $wgServer = 'https://my.host' then quickstatement is not working. The reason is connected to the OAuth extension. When logging in via quick statements I get then:
<br /> <b>Fatal error</b>: Uncaught Exception: Error retrieving token1: {&quot;error&quot;:&quot;mwoauth-oauth-exception&quot;,&quot;message&quot;:&quot;An error occurred in the OAuth protocol: Invalid signature&quot;,&quot;callback&quot;:&quot;https:\/\/quickstatements.wikibase.the-qa-company.com\/api.php&quot;} in /var/www/html/magnustools/public_html/php/oauth.php:289 Stack trace: #0 /var/www/html/quickstatements/public_html/api.php(123): MW_OAuth->doAuthorizationRedirect('https://quickst...') #1 {main} thrown in <b>/var/www/html/magnustools/public_html/php/oauth.php</b> on line <b>289</b><br />
basically the problem is "Invalid signature". This I think (60% sure) is due to the fact that the host knows it is 'https://my.host' but we are calling it over 'wikibase-docker.svc'. By comparing the signatures OAuth complains.
So I changed in docker-compose.extra.yml the quickstatement section to
WIKIBASE_SCHEME_AND_HOST=https://my.host
With this I'm redirected to the wikibase, I can login, give the rights but when coming back I get:
<br /> <b>Fatal error</b>: Uncaught Exception: Curl error: in /var/www/html/magnustools/public_html/php/oauth.php:164 Stack trace: #0 /var/www/html/magnustools/public_html/php/oauth.php(53): MW_OAuth->fetchAccessToken() #1 /var/www/html/quickstatements/public_html/quickstatements.php(110): MW_OAuth->__construct(Array) #2 /var/www/html/quickstatements/public_html/api.php(49): QuickStatements->getOA() #3 {main} thrown in <b>/var/www/html/magnustools/public_html/php/oauth.php</b> on line <b>164</b><br />
I checked in the code and there is an API call to:
https://my.host/w/index.php?title=Special:OAuth/token
Which looks fine, but this call is passing via nginx, then proxied to localhost:8080 and the Wikibase responds with 302 Found and redirects to the exact same URL. The reason (I guess) is that over the reverse proxy the call is going to localhost:8080 and so the OAuth says, try again over 'https://my.host'. But this is exactly what we are calling. I tried in nginx to set all these headers:
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto: https;
but it is not working either. The wikibase still replies 302 and points to the same redirect. Strangely this is only happening for 'https://my.host/w/index.php?title=Special:OAuth'. Other paths are fine.
Basically my question is: is there a way to properly set up quickstatements with the docker release pipeline over a public URL (using nginx)? I'm currently not able to make this work and I would really be grateful for help.
Thank you
D063520
PS: if it helps I can provide access to the above setup or show the things in a call
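
The "Invalid signature" hypothesis in the post rests on how OAuth 1.0a signs requests: per RFC 5849 the signature base string includes the scheme, host and port, so a client that signs for one base URL and a server that verifies against another cannot agree. The following is an added example, not part of the original post and not QuickStatements or MediaWiki code; the consumer secret, nonce, timestamp and the http scheme for wikibase-docker.svc are constructed assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlsplit, parse_qsl

def enc(s):
    # RFC 5849 section 3.6: only unreserved characters stay literal
    return quote(s, safe="-._~")

def base_string_uri(url):
    # RFC 5849 section 3.4.1.2: lowercase scheme/host, drop default port and query
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname.lower()
    if u.port and u.port != {"http": 80, "https": 443}[scheme]:
        host += f":{u.port}"
    return f"{scheme}://{host}{u.path or '/'}"

def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    # Merge query and OAuth parameters, sort the encoded pairs (section 3.4.1.3)
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += list(oauth_params.items())
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(base_string_uri(url)), enc(normalized)])
    # HMAC-SHA1 keyed with both secrets (section 3.4.2)
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def server_accepts(method, url_seen_by_server, oauth_params, client_sig, secret):
    # The server recomputes the signature over the URL it believes was requested
    expected = sign(method, url_seen_by_server, oauth_params, secret)
    return hmac.compare_digest(expected, client_sig)

# Constructed sample values, not taken from a real deployment
PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_nonce": "constructed-nonce",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000",
    "oauth_version": "1.0",
}
SECRET = "constructed-consumer-secret"
PATH = "/w/index.php?title=Special:OAuth/token"
INTERNAL = "http://wikibase-docker.svc" + PATH  # scheme is an assumption
PUBLIC = "https://my.host" + PATH               # what $wgServer advertises

if __name__ == "__main__":
    sig = sign("GET", INTERNAL, PARAMS, SECRET)
    print("verified against internal URL:", server_accepts("GET", INTERNAL, PARAMS, sig, SECRET))
    print("verified against public URL:  ", server_accepts("GET", PUBLIC, PARAMS, sig, SECRET))
```
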