You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Alan Post <ap...@interwoven.com> on 2001/05/15 12:10:11 UTC

ap_get_server_port

Dear Sirs,

  In 2.0.16 (as in 1.3.X) it seems that ap_get_server_port, when
  UseCanonicalName is off, returns the local port the connection is bound to.

  I feel that httpd should pick up the port from the Host header, if one is
  present.  The documentation of UseCanonicalName, as I read it, indicates this
  behavior.

  It is very straightforward to see the behavior I speak of:
  
    (1) generic 2.0.16 build
    (2) set UseCanonicalName to Off
    (3) send httpd:

      GET /manual HTTP/1.1
      Host: bogus:6666

    (4) see the response redirecting us to bogus:<listen port>, instead of
        bogus:6666

  The HTTP/1.1 spec includes the following sentences:

    An HTTP/1.1 proxy MUST ensure that any request message it forwards does
    contain an appropriate Host header field that identifies the service being
    requested by the proxy.
      (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23)

    For 3xx responses, the location SHOULD indicate the server's preferred URI
    for automatic redirection to the resource.
      (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30)

  which I would interpret as allowing either behavior.

  The current behavior seems like a bug to me.  For instance, a client
  contacting httpd (listening on port 80) via an SSH tunnel might generate the
  request:

    GET /manual HTTP/1.1
    Host: localhost:12777

  only to get redirected to

    http://localhost/manual/

  which points to a different server.  It seems to me that making
  UseCanonicalName match its documentation would fix this problem without
  causing others.

  Is there something I am missing?

  Thanks for all the hard work.  Overall, I've been very happy with httpd, and
  I'm excited about the direction you folks are taking it.


      Alan Post

Re: ap_get_server_port

Posted by "Roy T. Fielding" <fi...@ebuilt.com>.

>   I feel that httpd should pick up the port from the Host header, if one is
>   present.  The documentation of UseCanonicalName, as I read it, indicates this
>   behavior.

No.  The reason we do not do this is because the security context depends
on the physical incoming port, and allowing the client request data to
override it would aloow the client to defeat the context.

....Roy