User Sign-up Connection Reset Error When Behind Reverse Proxy

Great question!

In fact, I just did a complete re-install from scratch - just to make sure I had a complete understanding and documented process. I've pasted that below as well. Note this is on Fedora 35 using PHP 8.1.3 from Remi's RPMs. This is more than a core CB install, but there are no 3rd party extensions installed. They are all CB extensions that were auto-installed with CB Quickstart. I'm happy to quickly re-install it again with just CB core if that will help. Since I have the entire process documented, I can re-produce it in roughly an hour now.

Even after the re-install I just did, everything works behind the reverse proxy except for the user signup. That's the only piece that's failing. I'll see if I can pull together some PHP logs as well. In the meantime, here are my installation notes. There should be enough here for you to reproduce my Joomla build. I've also included a sample HAProxy.config file (host names redacted - you can include your own though).

Note that, because I'm building a Web Server farm, my database server is remote. I'm running the current version of MariaDB. That should not make a difference with this part, but that is the case with my configuration.

Installation Notes:

Install Remi’s RPMs Repo and PHP 8.1 using wizard generated commands: rpms.remirepo.net/wizard/

Command to install everything else, including php extensions, for Joomla Server prereqs:

sudo dnf install nano httpd mariadb php-cli php-fpm php-curl php-mysqlnd php-gd php-opcache php-zip php-intl php-common php-bcmath php-imagick php-xmlrpc php-json php-readline php-memcached php-redis php-mbstring php-apcu php-xml php-dom php-redis php-memcached php-memcache

Complete Selinux Required Settings (Commands from Automation Script):
Note: While these setting should include all known requirements, changing Selinux to Permissive mode during Joomla install is strongly recommended.
sudo semanage boolean -m --on httpd_can_network_connect
sudo semanage boolean -m --on httpd_can_network_connect_db
sudo semanage boolean -m --on httpd_can_network_relay
sudo semanage boolean -m --on httpd_can_sendmail
sudo semanage boolean -m --on httpd_graceful_shutdown
sudo semanage boolean -m --on httpd_unified
sudo semanage boolean -m --on nis_enabled
sudo semanage fcontext -D
sudo semanage fcontext -a -f a -t httpd_sys_rw_content_t -r 's0' 'html'

Site Custom PHP Settings:
memory_limit = 512M
post_max_size = 2096M
upload_max_filesize = 2048M
output_buffering = off (This is normally the default, but you must comment out)
max_execution_time = 300
max_input_time = 300

You Can Install Joomla Server After The Above Is Complete...
Note: Install and configure everything from inside the reverse proxy using the local host name (FQDN)
Install and Configure Joomla
Install Community Builder and subscribed plugins using CB Quickstart

More information - I reloaded with a backward level of PHP (version 8.0.15) so see if that might be the issue. I also only loaded the core version of Community Builder with no extensions. The problem is still there. And, again, it appears to only be happening with the sign-up page. I can login with accounts already created and navigate with zero issues.

Why would a load balancer / reverse proxy work with everything except for one page specific form submission? It doesn't make sense to me that the problem would be the reverse proxy. If it were, we would see the error consistently with other forms as well. We simply don't.

Pulling my hair out on this one now...

If you're able to provide access to this install then please PM backend super login credentials and will try some debug builds to see if I can figure out where in the registration process it's stopping. I'm at a complete loss as well at this point as I can't see any obvious reasons for this and is very strange it only impacts that 1 location.

Happy to send you credentials via PM.

...In the meantime, I've been pounding on this all day. I may have found the problem. Actually several of them. They included configuration on teh server, the reverse proxy, and one I never expected: As it turns out, my ISP appears to have additional security controls that were actually killing the connection. I didn't even know those controls were there!

On the last one, I never saw it until I decided to try a different reverse proxy. I switched from HAProxy to Nginx. HAProxy never passed on that the connection was being killed by my ISP's security controls. Nginx was at least willing to intervene and throw back the security page from my ISP instead of just dropping the session altogether. I had to add an exception for my server proxy to the controls to allow it to respond to me in the way it was.

I'm still testing, but it looks like it's now working. At least I'm getting through the initial sign-up page that was being thrown back as killed before.

Apologies for the run-around! As I mentioned, I had absolutely no idea at all that what could have been killing the sessions was neither Joomla/CB nor my proxy server, but some unknown security features in my ISP. But it is currently looking like that was indeed the case.

Awesome! Glad you were able to find the issue. Thank you for your detailed responses. Given we couldn't find any hints around the web this topic will undoubtedly be of use for others with similar problems.

Thanks. I'm just glad I got this figured out for now. I'm still seeing a little weirdness with trying to run the CB Quickstart plug-in, but I can also just do manual install/configuration for that if needed as a work-around for now.

I've uploaded a sample Nginx configuration file for posterity's sake. You will need to rename it as your nginx.conf file if you are running Fedora 35 or similar. Otherwise you can copy/paste as needed. This one is hopefully commented enough that people can customize it to their needs. It will allow you to configure a Nginx reverse proxy/load balancer with OUTSIDE and INSIDE network interfaces to one or more Joomla servers in a backend webserver farm. It also should enable you to optionally do SSL termination (SSL on the proxy and unencrypted on a private network to the back). You need to un-comment those bits and customize everything to your specific IP addresses.

Hopefully this will also help others over time.

I appreciate the assist! I think we can also mark this one as SOLVED at this point.