You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/02/15 22:55:08 UTC
DO NOT REPLY [Bug 38665] New: - ProxyPassReverse sticks to http on redirect to https
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38665>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38665
Summary: ProxyPassReverse sticks to http on redirect to https
Product: Apache httpd-2
Version: 2.2.0
Platform: PC
URL: http://mail-archives.apache.org/mod_mbox/httpd-
users/200602.mbox/ajax/%3c20060212205845.3889.qmail@web5
4608.mail.yahoo.com%3e
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy
AssignedTo: bugs@httpd.apache.org
ReportedBy: kpeharda@yahoo.com
In a case where ProxyPassReverse receives 302 - Found, and a method is changed
from http to https the Proxy always sticks to http. As a consequence, browser
ends up in a loop always querying the same location. Illustrated bellow.
Browser--------------------------Proxy(fe)------------------------Backend
|-------http:/fe/b-end/----------->|
|-------http://be/----------->|
|<--(302)--http://be/Login/---|
|<--(302)--http://fe/b-end/Login/--|
|-----http://fe/b-end/Login/------>|
|-----http://be/Login/------->|
|<--(302)-https://be/Login/---|
|<--(302)--http://fe/b-end/Login/--|
|-----http://fe/b-end/Login/------>| ... and so on, and so on...
There are no error messages in logs that are worth mentioning.
Not sure if this is wanted behaviour or a bug, but without a proxy in between
everything works like a charm.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 38665] - ProxyPassReverse sticks to http on redirect to https
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38665>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38665
wrowe@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
------- Additional Comments From wrowe@apache.org 2006-03-21 09:52 -------
Because this is a reverse proxy, it's -your- responsibility to proxy the
appropriate locations to an https: auth on the backend (or, perhaps proxy
all requests to this backend server as https:)
There's no way for Apache to know this, proxy backend connections are not
stateful, the redirect is propogated to the client, and the server cannot
tell the client to perform such a connection across to the backend.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 38665] - ProxyPassReverse sticks to http on redirect to https
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38665>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38665
------- Additional Comments From kpeharda@yahoo.com 2006-03-21 20:12 -------
> There's no way for Apache to know this, proxy backend connections are not
> stateful, the redirect is propogated to the client, and the server cannot
> tell the client to perform such a connection across to the backend.
I don't see why would a state be needed here. The reverse proxy receives the
location update from the backend, which states that the next request should be
https and not http.
If apache would not rewrite the "http(s)://" portion of the URL (change method
on behalf of browser), everything would work like a charm. I believe this might
be in collision with note in the section 10.3.3 of the RFC 2616:
"Note: RFC 1945 and RFC 2068 specify that the client is not allowed
to change the method on the redirected request. However, most
existing user agent implementations treat 302 as if it were a 303
response, performing a GET on the Location field-value regardless
of the original request method. The status codes 303 and 307 have
been added for servers that wish to make unambiguously clear which
kind of reaction is expected of the client."
But, it appears to me that even the RFC is considering the behaviour as common
practice, so I don't see why should a proxy insist on the rule to be strictly
followed, especially if it tends to break an application.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org