Project

General

Profile

Actions

Bug #1499

closed

HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set.

Added by Anonymous about 16 years ago. Updated almost 8 years ago.

Status:
Fixed
Priority:
Normal
Category:
mod_extforward
Target version:
ASK QUESTIONS IN Forums:

Description

mod_extforward should parse the "X-Forwarded-Proto" header. If it is equal to "https", this should be stored in the connection variable somewhere (i.e. the is_ssl variable should be set to 1). However, simply setting is_ssl to 1 breaks the server, so there should be another way to make mod_fastcgi set the HTTPS environment variable.

-- Thomas Steinacher <tom


Files

extforward-proto.patch (1.99 KB) extforward-proto.patch Here is an incomplete and ugly patch which solves the problem for fastcgi by introducing an is_proxy_ssl variable. -- Thomas Steinacher <tom Anonymous, 2007-12-31 19:48
Actions #1

Updated by glen about 16 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

Committed revision r2052

Actions #2

Updated by transacid almost 9 years ago

  • Status changed from Fixed to Reopened
  • Target version deleted (1.4.19)

this is not fixed (I'm on 1.4.31-4+deb7u3)

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: _pk_id.2.9fb9=cd6f3dc8e22665d5.1427806151.5.1432309044.1432303252.; _pk_ses.2.9fb9=*
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
X-Forwarded-Proto: https
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
X-SSL-cipher: TLSv1.2/ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES Mac=SHA1
X-Forwarded-For: X.X.X.X

2015-05-22 17:49:11: (response.c.241) run condition
2015-05-22 17:49:11: (configfile-glue.c.583) === start of condition block ===
2015-05-22 17:49:11: (configfile-glue.c.273) 10 global/HTTPscheme==https nej
8<--------
2015-05-22 17:49:11: (configfile-glue.c.471) HTTP["scheme"] ( http ) compare to https
2015-05-22 17:49:11: (configfile-glue.c.534) 1 (uncached) result: false
2015-05-22 17:49:11: (configfile-glue.c.583) === start of condition block ===
2015-05-22 17:49:11: (configfile-glue.c.235) go parent global/HTTPscheme==https
2015-05-22 17:49:11: (configfile-glue.c.541) 1 (cached) result: false
2015-05-22 17:49:11: (configfile-glue.c.534) 2 (uncached) result: false
2015-05-22 17:49:11: (configfile-glue.c.583) === start of condition block ===
2015-05-22 17:49:11: (configfile-glue.c.471) HTTP["scheme"] ( http ) compare to http
2015-05-22 17:49:11: (configfile-glue.c.534) 3 (uncached) result: true
8<--------

Actions #3

Updated by stbuehler over 8 years ago

  • Description updated (diff)
  • Category deleted (mod_extforward)
  • Target version set to 1.4.x
Actions #4

Updated by gstrauss almost 8 years ago

  • Target version changed from 1.4.x to 1.4.40

Partially fixed. Another follow-up patch is further below.

commit 05858f6cf2d93f49c8995aed05e79b7bc68538b3
Author: Stefan Bühler <stbuehler@web.de>
Date:   Wed Jul 31 20:23:21 2013 +0000

    [ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes #2501)

    con->conf.is_ssl got removed and replaced by:
     * con->conf.ssl_enabled for the config var "ssl.engine" - it is only
       used to determine which server-sockets should use ssl. (usually not
       needed as it is mandatory and enough to set ssl.pemfile anyway)
     * con->srv_socket->is_ssl to detect the actual ssl status of the
       bound socket, which is the same as the ssl status of the connection
     * con->uri.scheme for the actual $HTTP["scheme"] value, also used for
       the CGI "HTTPS=ON" variable. This defaults to "https" if the
       connection uses ssl, but can be changed for example by mod_extforward
       if X-Forwarded-Proto: is set to either "http" or "https" (other values
       are ignored right now)

    Also removed the broken srv_socket->is_proxy_ssl as it was a connection
    value in a server_socket struct...

    git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2887 152afb58-edef-0310-8abb-c4023f1b3aa9

Looks like mod_extforward.c also needs to reset the condition cache when the scheme is changed. This additional patch should address that:

diff --git a/src/mod_extforward.c b/src/mod_extforward.c
index fdb3c11..4a56f55 100644
--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
@@ -352,6 +352,7 @@ static void ipstr_to_sockaddr(server *srv, const char *host, sock_addr *sock) {

 static void clean_cond_cache(server *srv, connection *con) {
        config_cond_cache_reset_item(srv, con, COMP_HTTP_REMOTE_IP);
+       config_cond_cache_reset_item(srv, con, COMP_HTTP_SCHEME);
 }

 URIHANDLER_FUNC(mod_extforward_uri_handler) {

Actions #5

Updated by gstrauss almost 8 years ago

  • Status changed from Reopened to Patch Pending
Actions #6

Updated by gstrauss almost 8 years ago

  • Category set to mod_extforward
  • Status changed from Patch Pending to Fixed

updated in e5e5548b

Actions

Also available in: Atom