Description
!! Please fill in this template, DO NOT ignore or delete it. !!
I tried basic troubleshooting first
- Updated both SignTools and the builder (SignTools-CI or SignTools-Builder) to the latest version
- Read through the FAQ page
Describe the bug
I just spent the last few days shifting my setup for SignTools from using the trial Cloudflare Tunnel with GitHub Actions to self-hosting the SignTools service and SignTools-Builder on my internal network.
There was a lot of trial and error getting everything to work, and I am almost all of the way there, but am running into a strange issue where the correctly signed IPA is not able to be installed using the web portal when connected via the reverse proxy.
When I attempt to install a signed app, it prompts me to open in "iTunes" as it normally does, but immediately fails with "Unable To Install *.ipa".
If I switch to connecting to the SignTools web portal directly over HTTP instead of through the reverse proxy over HTTPS, it seems to work as intended. The application is installed correctly. Additionally, I can download the signed app and verify it has been signed appropriately. The app can be installed manually through the ideviceinstaller -i app.ipa command.
The issue is purely in the OTA installation procedure.
Logs
SignTools output for when connecting directly:
Mar 17 22:16:24 azim SignTools[390828]: 10:16PM INF bytes_in=0 bytes_out=49961 host=10.0.0.6:7895 latency=2.904642 latency_human=2.904642ms method=GET referer= remote_ip=10.0.2.4 status=200 uri=/ user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1"
Mar 17 22:18:19 azim SignTools[390828]: 10:18PM WRN using OTA manifest proxy, installation may not work base_url=http://10.0.0.6:7895
Mar 17 22:18:19 azim SignTools[390828]: 10:18PM INF bytes_in=0 bytes_out=1388 host=10.0.0.6:7895 latency=0.321805 latency_human="321.805µs" method=GET referer=http://10.0.0.6:7895/ remote_ip=10.0.2.4 status=200 uri=/apps/d50afb8b-569b-4cfc-86cb-2ec90f5fe6f6/install user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1"
Mar 17 22:18:23 azim SignTools[390828]: 10:18PM INF bytes_in=0 bytes_out=0 host=10.0.0.6:7895 latency=0.122165 latency_human="122.165µs" method=HEAD referer= remote_ip=10.0.2.4 status=200 uri=/apps/d50afb8b-569b-4cfc-86cb-2ec90f5fe6f6/signed user_agent="com.apple.appstored/1.0 iOS/17.4 model/iPhone16,2 hwp/t8130 build/21E219 (6; dt:311) AMS/1"
Mar 17 22:18:23 azim SignTools[390828]: 10:18PM INF bytes_in=0 bytes_out=3260512 host=10.0.0.6:7895 latency=48.224842 latency_human=48.224842ms method=GET referer= remote_ip=10.0.2.4 status=200 uri=/apps/d50afb8b-569b-4cfc-86cb-2ec90f5fe6f6/signed user_agent="com.apple.appstored/1.0 iOS/17.4 model/iPhone16,2 hwp/t8130 build/21E219 (6; dt:311) AMS/1"
SignTools output for when connecting via reverse proxy:
Mar 17 22:16:28 azim SignTools[390828]: 10:16PM INF bytes_in=0 bytes_out=49961 host=signtools.ryuu latency=2.465585 latency_human=2.465585ms method=GET referer= remote_ip=10.0.2.4 status=200 uri=/ user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1"
Mar 17 22:17:31 azim SignTools[390828]: 10:17PM INF bytes_in=0 bytes_out=1274 host=signtools.ryuu latency=0.237079 latency_human="237.079µs" method=GET referer=https://signtools.ryuu/ remote_ip=10.0.2.4 status=200 uri=/apps/d50afb8b-569b-4cfc-86cb-2ec90f5fe6f6/install user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1"
Mar 17 22:17:32 azim SignTools[390828]: 10:17PM INF bytes_in=0 bytes_out=1118 host=signtools.ryuu latency=0.189832 latency_human="189.832µs" method=GET referer= remote_ip=10.0.2.4 status=200 uri=/apps/d50afb8b-569b-4cfc-86cb-2ec90f5fe6f6/manifest user_agent="com.apple.appstored/1.0 iOS/17.4 model/iPhone16,2 hwp/t8130 build/21E219 (6; dt:311) AMS/1"
SignTools does not make any more logs after getting a 200 on the manifest endpoint.
System configuration
- SignTools version: 3.0.1
- Installation type: personal server; lighttpd for reverse proxy
- Operating System: Linux
- Builder type: SignTools-Builder
- Builder version: 1.1.12; 13250eb
Additional context
I believe I should have the correct declarations for reverse proxying in lighttpd, but perhaps there is something I am not understanding about reverse proxying when doing the OTA procedure.
$SERVER["socket"] == "10.0.0.6:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ryuu.pem"
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
    $HTTP["host"] == "signtools.ryuu" {
        proxy.server = ( "" => ( ( "host" => "10.0.0.6", "port" => "7895" ) ) )
        proxy.forwarded = ( "host" => 1, "proto" => 1, "for" => 1, "remote_user" => 1 )
        proxy.header = ( "upgrade" => "enable" )
    }
}
# All connections to http should redirect to https
$SERVER["socket"] == "10.0.0.6:80" {
    $HTTP["scheme"] == "http" {
        $HTTP["host"] == "signtools.ryuu" {
            url.redirect := (".*" => "https://%0$0")
        }
    }
}
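
A small triage helper for access logs like the ones in this issue, as an added example that is not part of the original report or of the SignTools project: it groups the OTA requests by host and app, and flags installs where the manifest was served but the signed IPA was never requested. The sample lines are constructed (shortened from the log format above, with a placeholder app id), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, shortened from the key=value log format in the issue.
SAMPLE = """\
10:18PM INF host=10.0.0.6:7895 method=GET referer=http://10.0.0.6:7895/ status=200 uri=/apps/example-app-id/install
10:18PM INF host=10.0.0.6:7895 method=HEAD referer= status=200 uri=/apps/example-app-id/signed
10:18PM INF host=10.0.0.6:7895 method=GET referer= status=200 uri=/apps/example-app-id/signed
10:17PM INF host=signtools.ryuu method=GET referer=https://signtools.ryuu/ status=200 uri=/apps/example-app-id/install
10:17PM INF host=signtools.ryuu method=GET referer= status=200 uri=/apps/example-app-id/manifest
""".splitlines()

# key=value pairs; a value is either quoted (may contain spaces) or a bare token,
# and may be empty (as in "referer= ").
FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')
APP_URI = re.compile(r'^/apps/([^/]+)/(install|manifest|signed)$')


def parse_fields(line):
    """Split one log line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def ota_steps(lines):
    """Map (host, app id) -> ordered list of OTA requests answered with 200."""
    steps = defaultdict(list)
    for line in lines:
        f = parse_fields(line)
        m = APP_URI.match(f.get("uri", ""))
        if m and f.get("status") == "200":
            key = (f.get("host", "?"), m.group(1))
            steps[key].append(f"{f.get('method', '?')} {m.group(2)}")
    return dict(steps)


def stalled_after_manifest(steps):
    """Keys where the manifest was fetched but the IPA download never followed."""
    return [key for key, seen in steps.items()
            if "GET manifest" in seen and "GET signed" not in seen]


if __name__ == "__main__":
    result = ota_steps(SAMPLE)
    for key, seen in result.items():
        print(key, "->", ", ".join(seen))
    print("stalled after manifest:", stalled_after_manifest(result))
```
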