Solved

https redirection problem with X-Forwarded-Proto

Posted on 2013-01-18
Last Modified: 2013-12-11
Hi,

We are building a new server with:
Pound -> Varnish -> Apache -> CentOS.

Since Varnish doesn't work with SSL, we are setting "X-Forwarded-Proto" to "https" in Pound, and that is how we detect whether we are in https.

It's working when we access a URL like https://example.com directly, but not when we do a redirection from "http" to "https" with "htaccess" or "PHP". It seems like the X-Forwarded-Proto isn't forwarded with the redirection, so we get stuck in an infinite redirection loop.

We have found a way to perform the redirection with JavaScript, but we would prefer to have a server-side solution.

So we are wondering whether there is a setting to change in Apache, Pound, Varnish, etc.?



We have tried a lot of solutions like:

////////////////
// htaccess
////////////////////
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule (.*) https://example.com [L,R]


///////////////////
// php
//////////////////
// Map the proxy's forwarded scheme onto the flag Apache would set for direct TLS.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Not https: redirect to the same host and path over https, then stop.
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
    header('Location: ' . 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit; // without this the script keeps running and sends the page body after the redirect
}






Our Pound config looks like:

//////////////////
// pound
///////////////
ListenHTTPS

      Address 0.0.0.0 # all interfaces
      Port 443
      AddHeader "X-Forwarded-Proto: https"
      HeadRemove "X-Forwarded-Proto"
      HeadRemove "X-Forwarded-For"
      Cert "/path/to/certificate.pem"

      Service
            BackEnd
                  Address 10.0.0.1
                  Port 80
                  Priority 1
            End

      End
End

We have spent a lot of time on this problem; thanks for helping us!
Question by:Provost
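The detection and redirect described in the question, as an added example that is not the asker's code: it honours X-Forwarded-Proto only when the request arrived from a known proxy hop (Pound's HeadRemove already strips a client-supplied copy, but the application should not depend on that alone), refuses to echo an arbitrary Host header into Location, preserves the path and query, and stops the script after sending the redirect. The trusted-hop addresses, the allowed host names and PHP 7 syntax are assumptions.

```php
<?php
// Added example for this thread, not the asker's code. Assumptions: PHP 7+,
// and the proxy addresses / domain below (borrowed from the thread's examples).

// Only these hops may set X-Forwarded-Proto (Varnish and Pound in the thread).
const TRUSTED_PROXIES = ['100.100.100.83', '100.100.100.81'];
// Host names we are willing to place into a Location header.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

function request_is_https(array $server, array $trusted_proxies): bool
{
    // TLS terminated on this host: Apache sets HTTPS itself.
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    // Behind the proxies: trust the forwarded scheme only from a known hop,
    // because any client connecting directly can send the header too.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true)) {
        return false;
    }
    // The header may carry one value per hop ("https, http"); the first
    // entry is the scheme the outermost proxy saw.
    $proto = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    $first = strtolower(trim(explode(',', $proto)[0]));
    return $first === 'https';
}

function https_redirect_target(array $server, array $allowed_hosts): string
{
    // Never copy an arbitrary Host header into Location; fall back to the
    // canonical name so a forged Host cannot send users elsewhere.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowed_hosts, true)) {
        $host = $allowed_hosts[0];
    }
    // Keep the path and query string so the user lands on the same page.
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return 'https://' . $host . $uri;
}

if (!request_is_https($_SERVER, TRUSTED_PROXIES)) {
    header('Location: ' . https_redirect_target($_SERVER, ALLOWED_HOSTS), true, 301);
    exit; // stop here, otherwise the page body is still generated and sent
}
```

The trusted-hop check is the application-side half of what Pound's HeadRemove lines do at the edge; with both in place a forged X-Forwarded-Proto from a client cannot make the application believe it is on https. Note that the application can only set the Location header; whether the proxy in front leaves it alone is a separate matter, which is where this thread's RewriteLocation finding comes in.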
15 Comments
 

Accepted Solution

by:
giltjr earned 500 total points
ID: 38796542
Have you done a packet capture to see what is being passed back and forth?

If not, I would suggest using something like Wireshark on each server to see what is being done at each level.

Although I have found an example of the POUND parameters like you have them, I personally would code the HeadRemove's before the AddHeader.

Do you have POUND listening on port 80?  If so, can you post its config?
Author Comment

by:Provost
ID: 38801212
Hi,
Thanks for your answer. It's hard to find good resources on this topic.

Wireshark
We have tried Wireshark on the client side.
But we should definitely check on the server side too.

Pound

We have the HeadRemove before, as you suggest.

//////////////
// Our real pound config (except for IP and path):
//////////
User "pound"
Group "pound"
Control "/path/to/pound.cfg"


ListenHTTP
    Address 0.0.0.0
    Port 80
      HeadRemove "X-Forwarded-Proto"
      HeadRemove "X-Forwarded-For"
      AddHeader "X-Forwarded-Proto: http"
      RewriteLocation 2
End

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/path/to/pound.pem"
      HeadRemove "X-Forwarded-Proto"
      HeadRemove "X-Forwarded-For"
      AddHeader "X-Forwarded-Proto: https"
End

Service
    BackEnd
            Address 0.0.0.0
        Port    80
    End
   
End
Author Comment

by:Provost
ID: 38807144
In PHP I set  

header("Location: https://example.com")

and in the response header I see

HTTP/1.1 302 Found
Server: Apache
X-Powered-By: PHP/5.3.14 ZendServer/5.0
Location: http://example.com
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Accept-Ranges: bytes
Date: Wed, 23 Jan 2013 04:58:22 GMT
X-Varnish: 1294094576
Age: 0
Via: 1.1 varnish
Connection: keep-alive

Expert Comment

by:giltjr
ID: 38809916
So you went to http://example.com and this is what you got back?

Could there be something stripping out the X-Forwarded for headers on the way back to you?

Is it possible to do a packet capture on everything in/out of POUND to see what it is doing?
Author Comment

by:Provost
ID: 38828567
I'm doing a redirection to https and yes, this is what I got back.
Yeah that's a possibility.
We've just installed Wireshark. We will test it tomorrow.
Author Comment

by:Provost
ID: 38845239
We've installed Wireshark and have looked at the packets.

We can see the redirection (Location: https://example.com) is lost at the end, just before the server answers.


First, some more info about the config:
At the top there is a virtual IP: 100.100.100.89
2nd. Pound on a VM, IP: 100.100.100.81
3rd. Varnish on a VM, IP: 100.100.100.83
4th. Apache on a VM, IP: 100.100.100.87

Steps working correctly:
100.100.100.89: the virtual IP receives the request
100.100.100.81: Pound receives the request
100.100.100.83: Varnish receives the request
100.100.100.87: Apache receives the request and makes the redirection
100.100.100.83: Varnish passes the redirection
100.100.100.81: Pound passes the redirection

Steps where the problem occurs:
1. There is a call to the DNS server by 100.100.100.89
2. The answer is sent by 100.100.100.89 to the client and the "s" has disappeared from https. (Location: http://example.com)

Expert Comment

by:giltjr
ID: 38845686
What task/service/product controls 100.100.100.89?
Author Comment

by:Provost
ID: 38851063
That's ha-linux (heartbeat), which we use for high availability. It is responsible for checking whether the load balancers are running.

Expert Comment

by:giltjr
ID: 38851108
O.K., let me ask the question another way.  What service/task is responsible for sending out the HTTP request/response that went out from 100.100.100.89?
Author Comment

by:Provost
ID: 38852003
If I understand your question well it would be Pound.

Expert Comment

by:giltjr
ID: 38852258
So Pound is receiving something from the server that "says" redirect to location="https://example.com" but is forwarding out location="http://example.com".

Not sure, but what happens if you change "RewriteLocation 2" to either 1 or 0 on the ListenHTTP?
Author Comment

by:Provost
ID: 38861412
I have tested the different options (0, 1, 2) in ListenHTTP and ListenHTTPS and it didn't work. I will check soon in Wireshark whether there are any differences.

I've seen this post: http://www.apsis.ch/pound/pound_list/archive/2010/2010-12/1291695902000 where people have the same problem, and it seems that it could be a DNS problem.

To clarify our setup: [attachment: network]
Author Comment

by:Provost
ID: 38939026
We've finally fixed our problem.
We had to put "RewriteLocation 0" in the "ListenHTTP" and to fix a domain name issue in the config.

Expert Comment

by:giltjr
ID: 38939124
I had suggested trying RewriteLocation 0 and 1 and you had said you already tested this.  What was different this time when you did it?

What was the domain name issue and which config?  I don't remember seeing a domain name in the Pound config.
Author Comment

by:Provost
ID: 38939456
Yes, but setting 0, 1 or 2 didn't work at the time. I tried all the possibilities in ListenHTTP and ListenHTTPS.
We had to fix the DNS configuration first, as said in that thread.

After that I tried 0, 1 and 2 again, and only the "0" setting was working.

Thanks for your help.
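The listener configuration the thread converged on, written out as an added example rather than the asker's final file: HeadRemove placed before AddHeader on both listeners (giltjr's ordering point, so a client-supplied X-Forwarded-Proto is dropped before Pound sets its own), and RewriteLocation 0 so Pound passes the back-end's Location header through unchanged instead of rewriting it to the listener's own scheme. Addresses, the certificate path and the back-end layout are assumptions taken from the thread's examples.

```pound
# Added example config, not the thread's own. Assumptions: Pound forwards to
# Varnish at 100.100.100.83:80, certificate at /path/to/pound.pem.
User  "pound"
Group "pound"

ListenHTTP
    Address 0.0.0.0
    Port    80
    # Remove any forwarded headers the client sent, THEN add ours, so the
    # back-end only ever sees the value Pound chose.
    HeadRemove "X-Forwarded-Proto"
    HeadRemove "X-Forwarded-For"
    AddHeader  "X-Forwarded-Proto: http"
    # 0: leave the back-end's Location header alone. With 1 or 2, Pound
    # rewrites a Location that points at its own host/back-end to match this
    # listener, which is consistent with the https -> http change seen in the
    # Wireshark capture above.
    RewriteLocation 0

    Service
        BackEnd
            Address 100.100.100.83   # Varnish, assumed address
            Port    80
        End
    End
End

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/path/to/pound.pem"
    HeadRemove "X-Forwarded-Proto"
    HeadRemove "X-Forwarded-For"
    AddHeader  "X-Forwarded-Proto: https"
    RewriteLocation 0

    Service
        BackEnd
            Address 100.100.100.83   # same Varnish hop, assumed address
            Port    80
        End
    End
End
```

The application behind this still needs its own redirect (the PHP in the question) and should resolve the same host name Pound does, since the thread's remaining failure was a DNS/domain mismatch that RewriteLocation alone did not cure. As an alternative on the plain-HTTP listener, Pound can answer the http-to-https redirect itself with a Service containing a Redirect directive, so no back-end ever has to generate a Location header that the proxy might rewrite.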