Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2003/12/19 17:04:15 UTC

UseCanonicalName Off *surprise*

In both Apache 1.3 and 2.0 the UseCanonicalName doesn't work quite as it's
documented.  The question would be, do we fix it or document it...

When requesting a document that results in a redirection (directory not
decorated by a trailing backslash, etc) the redirected server name doesn't
actually conform to the Host header provided by the client...

UseCanonicalName On
-or-
UseCanonicalName Off, but the Host: header was missing (e.g. HTTP/1.0)

  In 1.3 - the host's {ServerName}:{Port} is returned.
  In 2.0 - the host {ServerName} is returned (must include port suffix).

there were no surprises there.

UseCanonicalName Off, Host: header provided (HTTP/1.1)

  The host name header *excluding the host header port suffix* of the request
  is concatenated to httpd 1.3's Port directive setting or the real port number
  in httpd 2.0.  

Now this might appear to be a moot issue, but if a proxy that doesn't mangle
headers bounces requests from port 80 to another server's port 8080 attempting
to impersonate the front end proxy, everything should work, in theory, with
UseCanonicalName Off.  As it turns out, UseCanonicalName must be turned
on to avoid the port :8080 suffix from being appended to the redirects.

Host headers (from my usual clients) do appear in the form 
Host: localhost:8080 
when the request http://localhost:8080/ is sent.  UseCanonicalName Off docs
state outright that we use the Host: header provided by the client.  The example
above shows that we do not.  But if we correct the behavior, instead of the docs,
then perhaps users will commonly end up with broken configs.

So I'm wondering what the consensus is - fix the docs, or the behavior?

Bill
 


Re: UseCanonicalName Off *surprise*

Posted by Brian Akins <ba...@web.turner.com>.
William A. Rowe, Jr. wrote:

> UseCanonicalName Off
> Listen 8080
> Port 80
> 
> an inbound request with a Host header of foo:80 would respond with
> the redirection http://foo:80/
> 
> It does not.  The Listen port again applies until you turn UseCanonicalName On.

We had something similar.  What we did that works is:

UseCanonicalName On
Listen 80
Listen 8080
ServerName www.domain.com:80


So redirects, no matter what port they came in on, get redirected to
port 80.  This was our desired effect.


-- 
Brian Akins
Senior Systems Engineer
CNN Internet Technologies


Re: UseCanonicalName Off *surprise*

Posted by Jim Jagielski <ji...@jagunet.com>.
On Dec 19, 2003, at 1:35 PM, William A. Rowe, Jr. wrote:
>
> Let me be clear (on the 1.3 side)...
>
> one expects that given;
>
> UseCanonicalName Off
> Listen 8080
> Port 80
>
> an inbound request with a Host header of foo:80 would respond with
> the redirection http://foo:80/
>
> It does not.  The Listen port again applies until you turn 
> UseCanonicalName On.
>

That is not the case with 1.3.29-dev. We now honor the port # as sent
by the client, no matter what Port says. If the client doesn't
send the port # in the Host header, we grab the port number via
the actual socket.


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Re: UseCanonicalName Off *surprise*

Posted by "William A. Rowe, Jr." <wr...@apache.org>.
At 11:16 AM 12/19/2003, Tony Finch wrote:
>On Fri, Dec 19, 2003 at 10:04:15AM -0600, William A. Rowe, Jr. wrote:
>>
>> UseCanonicalName Off, Host: header provided (HTTP/1.1)
>> 
>>   The host name header *excluding the host header port suffix* of the request
>>   is concatenated to httpd 1.3's Port directive setting or the real port number
>>   in httpd 2.0.  
>
>The Port directive has some muddled ServerName/UseCanonicalName semantics
>which is what distinguishes it from the Listen directive. I think the
>behaviour you describe is intended.
>
>> Now this might appear to be a moot issue, but if a proxy that doesn't mangle
>> headers bounces requests from port 80 to another server's port 8080 attempting
>> to impersonate the front end proxy, everything should work, in theory, with
>> UseCanonicalName Off.  As it turns out, UseCanonicalName must be turned
>> on to avoid the port :8080 suffix from being appended to the redirects.
>
>In this situation you should be using Listen rather than Port. Is 2.0 different?

Let me be clear (on the 1.3 side)...

one expects that given;

UseCanonicalName Off
Listen 8080
Port 80

an inbound request with a Host header of foo:80 would respond with
the redirection http://foo:80/

It does not.  The Listen port again applies until you turn UseCanonicalName On.

Bill


Re: UseCanonicalName Off *surprise*

Posted by Jim Jagielski <ji...@jagunet.com>.
1.3.29-dev actually changes the determination of the port value
with UCN off in effect.

The big question is if the client does NOT send a Host
header, and UCN is Off, should the port be the port
number used in the connection socket OR should we use
whatever Port is set to... The current implementation,
which I think is correct, is to use the physical port
number... The intent of UCN Off is to say, basically,
"trust whatever the client sends you, as far as
hostname and port number..." and with that in mind,
I think we should trust what port the client is talking
to in absence of Host (since that is closer to the
goal of Apache's concept of host:port not being the
final or high priority authority).

Also note that what 2.0 and what 2.1 do as far as
ap_get_server_port() with a non-existent Host header
are different... 1.3.29-dev follows the 2.1 logic.

On Dec 19, 2003, at 11:04 AM, William A. Rowe, Jr. wrote:
>
> UseCanonicalName On
> -or-
> UseCanonicalName Off, but the Host: header was missing (e.g. HTTP/1.0)
>
>   In 1.3 - the host's {ServerName}:{Port} is returned.
>   In 2.0 - the host {ServerName} is returned (must include port suffix).
>
> there were no surprises there.
>
> UseCanonicalName Off, Host: header provided (HTTP/1.1)
>
>   The host name header *excluding the host header port suffix* of the request
>   is concatenated to httpd 1.3's Port directive setting or the real port number
>   in httpd 2.0.
>
> Now this might appear to be a moot issue, but if a proxy that doesn't mangle
> headers bounces requests from port 80 to another server's port 8080 attempting
> to impersonate the front end proxy, everything should work, in theory, with
> UseCanonicalName Off.  As it turns out, UseCanonicalName must be turned
> on to avoid the port :8080 suffix from being appended to the redirects.
>
> Host headers (from my usual clients) do appear in the form
> Host: localhost:8080
> when the request http://localhost:8080/ is sent.  UseCanonicalName Off docs
> state outright that we use the Host: header provided by the client.  The example
> above shows that we do not.  But if we correct the behavior, instead of the docs,
> then perhaps users will commonly end up with broken configs.
>
> So I'm wondering what the consensus is - fix the docs, or the behavior?
>
> Bill



Re: UseCanonicalName Off *surprise*

Posted by Tony Finch <do...@dotat.at>.
On Fri, Dec 19, 2003 at 10:04:15AM -0600, William A. Rowe, Jr. wrote:
>
> UseCanonicalName Off, Host: header provided (HTTP/1.1)
> 
>   The host name header *excluding the host header port suffix* of the request
>   is concatenated to httpd 1.3's Port directive setting or the real port number
>   in httpd 2.0.  

The Port directive has some muddled ServerName/UseCanonicalName semantics
which is what distinguishes it from the Listen directive. I think the
behaviour you describe is intended.

> Now this might appear to be a moot issue, but if a proxy that doesn't mangle
> headers bounces requests from port 80 to another server's port 8080 attempting
> to impersonate the front end proxy, everything should work, in theory, with
> UseCanonicalName Off.  As it turns out, UseCanonicalName must be turned
> on to avoid the port :8080 suffix from being appended to the redirects.

In this situation you should be using Listen rather than Port. Is 2.0 different?

Tony.
-- 
f.a.n.finch  <do...@dotat.at>  http://dotat.at/
SHETLAND ISLES: NORTHWEST 4, EASING VARIABLE 2. LATER INCREASING EAST THEN
NORTHEAST 5 OR 6. MAINLY FAIR, ISOLATED SHOWERS. GOOD. MODERATE.
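
The following is an added example, not part of the thread and not Apache httpd source: a small Python model of which host:port ends up in a self-referential redirect under the behaviour reported for 2.0 in the first post and the behaviour described for 1.3.29-dev in the replies. The function names, mode names and the www.example.com backend are assumptions made for illustration; the port is always printed so the chosen value is visible.

```python
# Added illustration: models the behaviour described in this thread.
# It is not Apache httpd source; function and mode names are hypothetical.
from typing import Optional, Tuple

def split_host(host_header: str) -> Tuple[str, Optional[int]]:
    """Split a Host header into (name, port); IPv6 literals are not handled."""
    name, sep, port = host_header.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return host_header, None

def redirect_authority(mode: str, ucn_on: bool, server_name: str,
                       server_port: int, socket_port: int,
                       host_header: Optional[str] = None) -> str:
    """host:port placed in a self-referential redirect.

    mode 'observed'   -> behaviour reported for httpd 2.0 in the first post
    mode '1.3.29-dev' -> behaviour described in the replies for 1.3.29-dev
    """
    if mode not in ("observed", "1.3.29-dev"):
        raise ValueError(f"unknown mode: {mode}")
    if ucn_on:
        # Canonical name: nothing from the client reaches the redirect.
        return f"{server_name}:{server_port}"
    if host_header is None:
        # 1.3.29-dev falls back to the physical port; keeping ServerName
        # as the host part here is an assumption of this model.
        port = socket_port if mode == "1.3.29-dev" else server_port
        return f"{server_name}:{port}"
    name, client_port = split_host(host_header)
    if mode == "observed" or client_port is None:
        # Port suffix from the client is dropped (or absent): socket port wins.
        return f"{name}:{socket_port}"
    return f"{name}:{client_port}"  # client-supplied name and port are honoured

# Constructed scenario: proxy on port 80 forwards unmodified headers to a
# backend listening on 8080 whose ServerName is www.example.com:80.
BACKEND = dict(server_name="www.example.com", server_port=80, socket_port=8080)

def compare(ucn_on: bool, host_header: Optional[str]) -> dict:
    """Redirect authority under both modelled behaviours for one request."""
    return {m: redirect_authority(m, ucn_on, host_header=host_header, **BACKEND)
            for m in ("observed", "1.3.29-dev")}
```

With UseCanonicalName On the result is the same for every Host value, which is why the configuration posted earlier in the thread keeps redirects on port 80.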
