Posted to users@httpd.apache.org by Andrei <la...@gmail.com> on 2017/03/16 15:33:10 UTC

[users@httpd] Spoofing SERVER_PORT/HTTPS env?

Hello everyone,

I have a setup with Varnish/Hitch in front of Apache, where Hitch proxies
the SSL traffic to Varnish via HTTP, and Apache receives the request via
HTTP while the client request was done via https. This local downgrade is
due to Varnish not supporting SSL. Since there are quite a few platforms
out there that rely on HTTPS/SERVER_PORT checks to force https redirects
for example, I've been toying with mod_rpaf which can spoof the environment
variables based on X headers from a defined list of IPs, but it's not
consistent and requires disabling keepalive due to a long-standing bug -
https://github.com/gnif/mod_rpaf/issues/42. That being said, I'm trying to
ditch mod_rpaf and spoof the variables using SetEnvIf based on a custom
X-Header instead, which will be set by Varnish. The only problem I'm
running into is overriding SERVER_PORT. For example, if I have:

SetEnvIf X-HTTPS "on" HTTPS=on
SetEnvIf X-HTTPS "on" REQUEST_SCHEME=https
SetEnvIf X-HTTPS "on" SERVER_PORT=443

The above results in:

root@avi [~]# curl -sH"X-HTTPS: on" http://domain.com/headers.php|egrep -i 'https|r_port'
$_SERVER[HTTPS]; => on
$_SERVER[HTTP_X_HTTPS]; => on
$_SERVER[REQUEST_SCHEME]; => https
$_SERVER[SERVER_PORT]; => 80
root@avi [~]#


While I would expect them to be:

$_SERVER[HTTPS]; => on
$_SERVER[HTTP_X_HTTPS]; => on
$_SERVER[REQUEST_SCHEME]; => https
$_SERVER[SERVER_PORT]; => 443

If anyone knows of a different method, or module to use, I'm more than open
to ideas. Thanks in advance!

Re: [users@httpd] Re: Spoofing SERVER_PORT/HTTPS env?

Posted by Andrei <la...@gmail.com>.
So there's a restriction on $_SERVER[SERVER_PORT]? Is it compiled in?

On Mar 23, 2017 14:37, "Rainer Canavan" <ra...@sevenval.com> wrote:

[...]
>> SetEnvIf X-HTTPS "on" SERVER_PORT=443
>>
>> The above results in:

[...]

>> $_SERVER[SERVER_PORT]; => 80

We had the same problem a few years ago, and went with a
workaround in the end. We're simply setting and evaluating a
different variable instead of SERVER_PORT, e.g.
OVERRIDE_SERVER_PORT,  if it is set.

rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org





Re: [users@httpd] Re: Spoofing SERVER_PORT/HTTPS env?

Posted by Rainer Canavan <ra...@sevenval.com>.
[...]
>> SetEnvIf X-HTTPS "on" SERVER_PORT=443
>>
>> The above results in:

[...]

>> $_SERVER[SERVER_PORT]; => 80

We had the same problem a few years ago, and went with a
workaround in the end. We're simply setting and evaluating a
different variable instead of SERVER_PORT, e.g.
OVERRIDE_SERVER_PORT,  if it is set.

rainer
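
An added configuration sketch (not from any poster in this thread) combining the workaround above with a source-address gate, so the header is honoured only when the connection comes from the proxy. It assumes Apache 2.4 (for SetEnvIfExpr), Varnish connecting from 127.0.0.1, and no module rewriting the client address.

```apache
# Added example, not code from the thread.
# Assumptions: Apache 2.4, Varnish connects from 127.0.0.1, and nothing
# (mod_rpaf, mod_remoteip) rewrites the client address, so REMOTE_ADDR
# is the proxy's address.

# Form from the original post: matches any client that sends the header,
# including a direct request like the curl test shown there.
#SetEnvIf X-HTTPS "on" HTTPS=on
#SetEnvIf X-HTTPS "on" REQUEST_SCHEME=https

# Gated form: honour X-HTTPS only when the TCP peer is the local proxy.
# -R is an IP match against REMOTE_ADDR; req() reads a request header.
SetEnvIfExpr "-R '127.0.0.1' && req('X-HTTPS') == 'on'" HTTPS=on REQUEST_SCHEME=https OVERRIDE_SERVER_PORT=443

# SERVER_PORT is left alone (the thread shows SetEnvIf does not change it);
# the application reads OVERRIDE_SERVER_PORT when it is set, as described
# in the reply above.
#
# The gate is only meaningful if Varnish sets or removes X-HTTPS itself on
# every request it forwards, so a client-supplied copy never reaches Apache.
```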



[users@httpd] Re: Spoofing SERVER_PORT/HTTPS env?

Posted by Andrei <la...@gmail.com>.
bump

On Thu, Mar 16, 2017 at 5:33 PM, Andrei <la...@gmail.com> wrote:

> Hello everyone,
>
> I have a setup with Varnish/Hitch in front of Apache, where Hitch proxies
> the SSL traffic to Varnish via HTTP, and Apache receives the request via
> HTTP while the client request was done via https. This local downgrade is
> due to Varnish not supporting SSL. Since there are quite a few platforms
> out there that rely on HTTPS/SERVER_PORT checks to force https redirects
> for example, I've been toying with mod_rpaf which can spoof the environment
> variables based on X headers from a defined list of IPs, but it's not
> consistent and requires disabling keepalive due to a long standing bug -
> https://github.com/gnif/mod_rpaf/issues/42. That being said, I'm trying
> to ditch mod_rpaf and spoof the variables using SetEnvIf based on a custom
> X-Header instead, which will be set by Varnish. The only problem I'm
> running in to is overriding SERVER_PORT. For example, if I have:
>
> SetEnvIf X-HTTPS "on" HTTPS=on
> SetEnvIf X-HTTPS "on" REQUEST_SCHEME=https
> SetEnvIf X-HTTPS "on" SERVER_PORT=443
>
> The above results in:
>
> root@avi [~]# curl -sH"X-HTTPS: on" http://domain.com/headers.php|egrep
> -i 'https|r_port'
> $_SERVER[HTTPS]; => on
> $_SERVER[HTTP_X_HTTPS]; => on
> $_SERVER[REQUEST_SCHEME]; => https
> $_SERVER[SERVER_PORT]; => 80
> root@avi [~]#
>
>
> While I would expect them to be:
>
> $_SERVER[HTTPS]; => on
> $_SERVER[HTTP_X_HTTPS]; => on
> $_SERVER[REQUEST_SCHEME]; => https
> $_SERVER[SERVER_PORT]; => 443
>
> If anyone knows of a different method, or module to use, I'm more than
> open to ideas. Thanks in advance!
>
>
>