Posted to dev@httpd.apache.org by David Sklar <da...@gmail.com> on 2008/01/09 00:10:31 UTC

mod_dav patch to force scheme/port on https->http proxying

I am having a similar problem to what's mentioned at
http://svn.haxx.se/users/archive-2005-03/1424.shtml -- namely when
exposing an HTTPS server that proxies DAV requests to a server running
mod_dav over HTTP, copy/move requests fail because the destination
sent by the client for the copy/move uses the external URL (with
https). When mod_dav compares that to the source URL in
dav_lookup_uri(), the scheme and port don't match and a 502 is
returned.

The attached patch attempts to remedy the problem by adding two
configuration directives, "DAVForcedScheme" and "DAVForcedPort". If
"DAVForcedScheme" is set then the uri that dav_lookup_uri() is asked
to lookup is modified to explicitly use the supplied scheme. Similar
deal w/r/t port if "DAVForcedPort" is set.

Setting "DAVForcedScheme http" and "DAVForcedPort 80" solves my problem
in a test setup with mod_proxy+mod_ssl running on port 443
reverse-proxying DAV requests over to mod_dav running (on a different
machine) on port 80.

Any comments on the patch would be appreciated -- it's wonderful, it's
a good solution but could be improved, it's a ridiculous way to solve
this problem, etc.

Thanks,
David

Re: mod_dav patch to force scheme/port on https->http proxying

Posted by David Sklar <da...@gmail.com>.
On Jan 9, 2008 2:00 AM, Sander Temme <sc...@apache.org> wrote:
>
> On Jan 8, 2008, at 3:10 PM, David Sklar wrote:
>
> > Any comments on the patch would be appreciated -- it's wonderful, it's
> > a good solution but could be improved, it's a ridiculous way to solve
> > this problem, etc.
>
> Doesn't setting the global directive:
>
> ServerName https://foo.bar:443
>
> already do what you need?

Indeed it does! Thanks for the tip.

David
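
The mismatch described in the first message and the effect of the `ServerName` suggestion, as an added example that is not part of the thread and is not mod_dav's code. It is a simplified Python model of a scheme/port comparison; `check_destination`, the sample path and the handling of relative or malformed Destinations are assumptions of this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def check_destination(destination, server_scheme, server_port):
    """Simplified model of the scheme/port comparison described above.

    Returns None when the Destination is accepted, otherwise a
    (status, reason) tuple. Not mod_dav's actual code.
    """
    parts = urlsplit(destination)
    if not parts.scheme:
        # Choice made for this example: only absolute Destinations are modelled.
        return 400, "Destination is not an absolute URI"
    scheme = parts.scheme.lower()
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return 400, "malformed port in Destination"
    if port is None:
        # No explicit port: fall back to the scheme's default.
        port = DEFAULT_PORTS.get(scheme)
    if scheme != server_scheme or port != server_port:
        return 502, f"Destination is {scheme}:{port}, server is {server_scheme}:{server_port}"
    return None


# Constructed sample: the client addresses the HTTPS front end.
DEST = "https://foo.bar/dav/renamed.txt"


def backend_as_listening():
    # Back end sees itself as plain HTTP on port 80, as in the test setup.
    return check_destination(DEST, "http", 80)


def backend_with_servername():
    # Back end told "ServerName https://foo.bar:443", so its own view is https/443.
    return check_destination(DEST, "https", 443)


if __name__ == "__main__":
    print("default view:   ", backend_as_listening())
    print("with ServerName:", backend_with_servername())
```
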

Re: mod_dav patch to force scheme/port on https->http proxying

Posted by Plüm, Rüdiger, VF-Group <ru...@vodafone.com>.

> -----Original Message-----
> From: Sander Temme
> Sent: Wednesday, 9 January 2008 08:01
> To: dev@httpd.apache.org
> Subject: Re: mod_dav patch to force scheme/port on https->http proxying
> 
> 
> 
> On Jan 8, 2008, at 3:10 PM, David Sklar wrote:
> 
> > Any comments on the patch would be appreciated -- it's wonderful, it's
> > a good solution but could be improved, it's a ridiculous way to solve
> > this problem, etc.
> 
> Doesn't setting the global directive:
> 
> ServerName https://foo.bar:443
> 
> already do what you need?
> 
> I'd rather see a solution in terms of that directive (where mod_dav
> picks up the setting in core which is there specifically for the
> scenario you describe and is available through the ap_hook_http_scheme
> hook), or an extension to the ProxyPassReverse case which rewrites
> this particular response part in addition to any Location: header it
> encounters.

I agree that a general solution is preferred. Changing headers like the
Location header of incoming requests is already possible via mod_headers,
but what makes things really nasty with WebDAV is the fact that you also
need to modify the body of the request. For responses you could use
mod_substitute to do this, but mod_substitute is only an output filter
not an input filter.

Regards

Rüdiger


Re: mod_dav patch to force scheme/port on https->http proxying

Posted by Sander Temme <sc...@apache.org>.
On Jan 8, 2008, at 3:10 PM, David Sklar wrote:

> Any comments on the patch would be appreciated -- it's wonderful, it's
> a good solution but could be improved, it's a ridiculous way to solve
> this problem, etc.

Doesn't setting the global directive:

ServerName https://foo.bar:443

already do what you need?

I'd rather see a solution in terms of that directive (where mod_dav  
picks up the setting in core which is there specifically for the  
scenario you describe and is available through the ap_hook_http_scheme  
hook), or an extension to the ProxyPassReverse case which rewrites  
this particular response part in addition to any Location: header it  
encounters.

S.

-- 
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF




Re: mod_dav patch to force scheme/port on https->http proxying

Posted by Paul Querna <ch...@force-elite.com>.
Henrik Nordström wrote:
> On Tue 2008-01-08 at 18:10 -0500, David Sklar wrote:
> 
>> The attached patch attempts to remedy the problem by adding two
>> configuration directives, "DAVForcedScheme" and "DAVForcedPort". If
>> "DAVForcedScheme" is set then the uri that dav_lookup_uri() is asked
>> to lookup is modified to explicitly use the supplied scheme. Similar
>> deal w/r/t port if "DAVForcedPort" is set.
> 
> Shouldn't these really be global and changing the internal view of the
> request rather than overriding things within mod_dav? The same problem
> applies to PHP, CGI, internally generated redirects, etc, etc.

+1, I would like something like this too.

-Paul

Re: mod_dav patch to force scheme/port on https->http proxying

Posted by Henrik Nordström <he...@henriknordstrom.net>.
On Tue 2008-01-08 at 18:10 -0500, David Sklar wrote:

> The attached patch attempts to remedy the problem by adding two
> configuration directives, "DAVForcedScheme" and "DAVForcedPort". If
> "DAVForcedScheme" is set then the uri that dav_lookup_uri() is asked
> to lookup is modified to explicitly use the supplied scheme. Similar
> deal w/r/t port if "DAVForcedPort" is set.

Shouldn't these really be global and changing the internal view of the
request rather than overriding things within mod_dav? The same problem
applies to PHP, CGI, internally generated redirects, etc, etc.

Regards
Henrik