Posted to users@httpd.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2017/01/23 22:07:13 UTC
[users@httpd] Configuring redirects httpd behind a TLS-terminating proxy
All,
I've got an EC2 instance behind a load balancer where TLS is being
terminated. I've arranged for two separate httpd (2.4.25)
VirtualHosts: one for the secure connections (proxied from the lb) and
another for the non-secure connections.
I have a Redirect directive that isn't behaving as I'd like it to behave:
RedirectMatch permanent ^/$ /site/
I have the same redirect in both VirtualHosts. The redirect itself
works, but it doesn't preserve the secure-protocol when I'm using the
secure VirtualHost.
I have these directives to attempt to set the HTTPS environment variable:
# Handle ELB requests; maintain client information
SetEnvIf X-Forwarded-Proto "https" HTTPS=On
SetEnvIf X-Forwarded-Port "(.*)" JK_LOCAL_PORT=$1
I can confirm that ELB is in fact sending the "X-Forwarded-Proto:
https" header to my httpd instance.
I can also see that the HTTPS environment variable is in fact being
set to "On" when I make a request.
I'm expecting httpd to redirect a request from
"https://www.example.com/" to "https://www.example.com/site/" but
instead I'm getting redirected to "http://www.example.com/site/".
Can anyone see anything wrong with my configuration? Or do I have a
misunderstanding of how RedirectMatch will build its relative URLs?
I'd expect the redirects to be protocol-relative, but even though
HTTPS=On, the request from the LB is actually using HTTP and not
HTTPS. Am I not able to override the protocol by setting the HTTPS
environment variable?
Do I have to build an absolute redirect using other environment variables?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] Configuring redirects httpd behind a TLS-terminating proxy
Posted by Alexandru Duzsardi <al...@pitechnologies.ro>.
Try this in your non-ssl virtualhost
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
More about mod_ssl variables http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Tuesday, January 24, 2017 12:07 AM
To: users@httpd.apache.org
Subject: [users@httpd] Configuring redirects httpd behind a TLS-terminating proxy
All,
I've got an EC2 instance behind a load balancer where TLS is being terminated. I've arranged for two separate httpd (2.4.25)
VirtualHosts: one for the secure connections (proxied from the lb) and another for the non-secure connections.
I have a Redirect directive that isn't behaving as I'd like it to behave:
RedirectMatch permanent ^/$ /site/
I have the same redirect in both VirtualHosts. The redirect itself works, but it doesn't preserve the secure-protocol when I'm using the secure VirtualHost.
I have these directives to attempt to set the HTTPS environment variable:
# Handle ELB requests; maintain client information
SetEnvIf X-Forwarded-Proto "https" HTTPS=On
SetEnvIf X-Forwarded-Port "(.*)" JK_LOCAL_PORT=$1
I can confirm that ELB is in fact sending the "X-Forwarded-Proto:
https" header to my httpd instance.
I can also see that the HTTPS environment variable is in fact being set to "On" when I make a request.
I'm expecting httpd to redirect a request from "https://www.example.com/" to "https://www.example.com/site/" but instead I'm getting redirected to "http://www.example.com/site/".
Can anyone see anything wrong with my configuration? Or do I have a misunderstanding of how RedirectMatch will build its relative URLs?
I'd expect the redirects to be protocol-relative, but even though HTTPS=On, the request from the LB is actually using HTTP and not HTTPS. Am I not able to override the protocol by setting the HTTPS environment variable?
Do I have to build an absolute redirect using other environment variables?
-chris
Re: [users@httpd] Configuring redirects httpd behind a TLS-terminating proxy
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Konstantin,
On 1/24/17 3:53 AM, Konstantin Kolinko wrote:
> 2017-01-24 1:07 GMT+03:00 Christopher Schultz
> <ch...@christopherschultz.net>:
>>
>> I've got an EC2 instance behind a load balancer where TLS is
>> being terminated. I've arranged for two separate httpd (2.4.25)
>> VirtualHosts: one for the secure connections (proxied from the
>> lb) and another for the non-secure connections.
>>
>> I have a Redirect directive that isn't behaving as I'd like it to
>> behave:
>>
>> RedirectMatch permanent ^/$ /site/
>>
>> I have the same redirect in both VirtualHosts. The redirect
>> itself works, but it doesn't preserve the secure-protocol when
>> I'm using the secure VirtualHost.
>>
> [....]
>>
>> I'm expecting httpd to redirect a request from
>> "https://www.example.com/" to "https://www.example.com/site/"
>> but instead I'm getting redirected to
>> "http://www.example.com/site/".
>>
>> Can anyone see anything wrong with my configuration? Or do I have
>> a misunderstanding of how RedirectMatch will build its relative
>> URLs?
>
> If that VirtualHost is accessed only by your lb, you should look
> at ServerName directive. It can include a scheme.
Interesting. It looks like that's exactly what I'm looking for. I just
did a quick test and it looks like that will solve my problem quite well.
Alexandru, I was hoping to avoid using mod_proxy unless necessary, but
thanks for the suggestion.
-chris
Re: [users@httpd] Configuring redirects httpd behind a TLS-terminating proxy
Posted by Konstantin Kolinko <kn...@gmail.com>.
2017-01-24 1:07 GMT+03:00 Christopher Schultz <ch...@christopherschultz.net>:
>
> I've got an EC2 instance behind a load balancer where TLS is being
> terminated. I've arranged for two separate httpd (2.4.25)
> VirtualHosts: one for the secure connections (proxied from the lb) and
> another for the non-secure connections.
>
> I have a Redirect directive that isn't behaving as I'd like it to behave:
>
> RedirectMatch permanent ^/$ /site/
>
> I have the same redirect in both VirtualHosts. The redirect itself
> works, but it doesn't preserve the secure-protocol when I'm using the
> secure VirtualHost.
>
[....]
>
> I'm expecting httpd to redirect a request from
> "https://www.example.com/" to "https://www.example.com/site/" but
> instead I'm getting redirected to "http://www.example.com/site/".
>
> Can anyone see anything wrong with my configuration? Or do I have a
> misunderstanding of how RedirectMatch will build its relative URLs?
If that VirtualHost is accessed only by your lb, you should look at
ServerName directive. It can include a scheme.
http://httpd.apache.org/docs/2.4/mod/core.html#servername
[quote]
Sometimes, the server runs behind a device that processes SSL, such as
a reverse proxy, load balancer or SSL offload appliance. When this is
the case, specify the https:// scheme and the port number to which the
clients connect in the ServerName directive to make sure that the
server generates the correct self-referential URLs.
[/quote]
(Source code:
mod_alias.c/int fixup_redir(request_rec *r)
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/mappers/mod_alias.c?view=markup#l679
-> calls ap_construct_url(), declared in include/http_core.h, implemented in
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?revision=1772678&view=markup#l1194
-> calls ap_http_scheme(r), declared in include/httpd.h as
#define ap_http_scheme(r) ap_run_http_scheme(r)
-> It is a hook API, a method that can be implemented in a module.
http://marc.info/?t=131165065300001&r=1&w=2
-> Implementation:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http/http_core.c?revision=1757669&view=markup#l113
-> Calls
r->server->server_scheme
)
Best regards,
Konstantin Kolinko
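
The configuration this thread arrives at, written out as an added example (not posted by any participant in the thread). The listener ports 8080 and 8443 and the two-VirtualHost layout on those ports are assumptions; the page does not say which ports the load balancer forwards to.

```apache
# Added example. Ports 8080/8443 are assumed, not taken from the thread.
Listen 8080
Listen 8443

# Target of the load balancer's plain-HTTP listener.
<VirtualHost *:8080>
    ServerName www.example.com

    RedirectMatch permanent ^/$ /site/
    # Request with Host: www.example.com yields
    #   Location: http://www.example.com/site/
</VirtualHost>

# Target of the load balancer's HTTPS listener. TLS ends at the load
# balancer, so httpd itself only ever sees plain HTTP on this port.
<VirtualHost *:8443>
    # Scheme and client-facing port, as the quoted ServerName documentation
    # describes. This is what sets r->server->server_scheme, which the
    # source trace above shows ap_construct_url() ends up reading.
    ServerName https://www.example.com:443

    # From the original post. These set environment variables for
    # applications and connectors, but the redirect code path traced above
    # does not read them, so on their own the Location header stays http://.
    SetEnvIf X-Forwarded-Proto "https" HTTPS=On
    SetEnvIf X-Forwarded-Port "(.*)" JK_LOCAL_PORT=$1

    RedirectMatch permanent ^/$ /site/
    # Request with Host: www.example.com now yields
    #   Location: https://www.example.com/site/
    # (443 is the default port for https, so it is omitted from the URL.)
</VirtualHost>
```

As the reply above notes, this fits only when the VirtualHost is reached solely through the load balancer, because every self-referential URL it generates will claim https. A request for / sent to each port, followed by a look at the Location header, confirms the scheme.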