Solved

https redirection problem with X-Forwarded-Proto

Posted on 2013-01-18
15
1,813 Views
Last Modified: 2013-12-11
Hi,

We are building a new server with:
Pound -> Varnish -> Apache -> CentOS.

Since Varnish doesn't work in SSL we are setting "X-Forwarded-Proto" to "https" in Pound and we are detecting that way if we are in https.

It's working when we access a URL directly, like https://example.com, but not when we do a redirection from "http" to "https" with "htaccess" or "PHP". It seems like the X-Forwarded-Proto isn't forwarded with the redirection. So we get stuck in an infinite redirection loop.

We have found a way to perform the redirection with JavaScript but we would prefer to have a server-side solution.


So we are wondering if there is a setting to change in Apache, Pound, Varnish, etc.?



We have tried a lot of solutions like:

////////////////
// htaccess
////////////////
  RewriteEngine On
  # Redirect only when the proxy says the client did not arrive over https
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule (.*) https://example.com [L,R]


////////////////
// php
////////////////
<?php
// Trust the proxy's X-Forwarded-Proto header to know whether the client used https
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Otherwise redirect to the same URL over https and stop processing the request
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
}






Our Pound config looks like:

//////////////////
// pound
///////////////
ListenHTTPS
      Address 0.0.0.0 # all interfaces
      Port 443
      AddHeader "X-Forwarded-Proto: https"
      HeadRemove "X-Forwarded-Proto"
      HeadRemove "X-Forwarded-For"
      Cert "/path/to/certificate.pem"

      Service
            BackEnd
                  Address 10.0.0.1
                  Port 80
                  Priority 1
            End
      End
End

We have spent a lot of time on that problem, thanks for helping us!
0
Question by:Provost
15 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 38796542
Have you done a packet capture to see what is being passed back and forth?

If not, I would suggest using something like Wireshark on each server to see what is being done at each level.

Although I have found an example of the POUND parameters like you have them, I personally would code the HeadRemoves before the AddHeader.

Do you have POUND listening on port 80?  If so, can you post its config?
0
 

Author Comment

by:Provost
ID: 38801212
Hi,
Thanks for your answer. It's hard to find good resources on this topic.

Wireshark
We have tried Wireshark on the client side.
But effectively we should definitely check on server side too.

Pound

We have the HeadRemove before, as you suggest.

//////////////
// Our real pound config (except for IPs and paths)
//////////////
User "pound"
Group "pound"
Control "/path/to/pound.cfg"


ListenHTTP
    Address 0.0.0.0
    Port 80
    HeadRemove "X-Forwarded-Proto"
    HeadRemove "X-Forwarded-For"
    AddHeader "X-Forwarded-Proto: http"
    RewriteLocation 2
End

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/path/to/pound.pem"
    HeadRemove "X-Forwarded-Proto"
    HeadRemove "X-Forwarded-For"
    AddHeader "X-Forwarded-Proto: https"
End

Service
    BackEnd
        Address 0.0.0.0
        Port    80
    End
End
0
 

Author Comment

by:Provost
ID: 38807144
In PHP I set

header("Location: https://example.com")

and in the response header I see

HTTP/1.1 302 Found
Server: Apache
X-Powered-By: PHP/5.3.14 ZendServer/5.0
Location: http://example.com
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Accept-Ranges: bytes
Date: Wed, 23 Jan 2013 04:58:22 GMT
X-Varnish: 1294094576
Age: 0
Via: 1.1 varnish
Connection: keep-alive
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38809916
So you went to http://example.com and this is what you got back?

Could there be something stripping out the X-Forwarded for headers on the way back to you?

Is it possible to do a packet capture on everything in/out of POUND to see what it is doing?
0
 

Author Comment

by:Provost
ID: 38828567
I'm doing a redirection to https and yes, this is what I got back.
Yeah, that's a possibility.
We've just installed Wireshark. We will test it tomorrow.
0
 

Author Comment

by:Provost
ID: 38845239
We've installed Wireshark and have looked at the packets.

We can see the redirection ( Location: https://example.com ) is lost at the end, just before the server answer.


First, some more info about the config:
At the top there is a virtual IP: 100.100.100.89
2nd. Pound on a VM, IP: 100.100.100.81
3rd. Varnish on a VM, IP: 100.100.100.83
4th. Apache on a VM, IP: 100.100.100.87

Steps working correctly:
100.100.100.89 : virtual IP receives the request
100.100.100.81 : Pound receives the request
100.100.100.83 : Varnish receives the request
100.100.100.87 : Apache receives the request and makes the redirection
100.100.100.83 : Varnish passes the redirection
100.100.100.81 : Pound passes the redirection

Steps where the problem occurs:
1. there is a call to the DNS server by 100.100.100.89
2. the answer is sent by (100.100.100.89) to the client and the "s" has disappeared from https. ( Location: http://example.com )
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38845686
What task/service/product controls 100.100.100.89?
0
 

Author Comment

by:Provost
ID: 38851063
That's ha-linux (heartbeat), which we use for high availability. It's responsible for checking if the load balancers are running.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38851108
O.K., let me ask the question another way.  What service/task is responsible for sending out the HTTP request/response that went out from 100.100.100.89?
0
 

Author Comment

by:Provost
ID: 38852003
If I understand your question well it would be Pound.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38852258
So pound is receiving something from the server that "says" redirect to location="https://example.com" but is forwarding out location="http://example.com".

Not sure, but what happens if you change "RewriteLocation 2" to either 1 or 0 on the ListenHTTP?
0
 

Author Comment

by:Provost
ID: 38861412
I have tested the different options (0,1,2) in ListenHTTP and ListenHTTPS and it didn't work. I will check soon in Wireshark if there are any differences.

I've seen this post: http://www.apsis.ch/pound/pound_list/archive/2010/2010-12/1291695902000 where people have the same problem. And it seems that it could be a DNS problem.

To clarify our setup:
[network diagram attachment]
0
 

Author Comment

by:Provost
ID: 38939026
We've finally fixed our problem.
We had to put "RewriteLocation 0" in the "ListenHTTP" and to fix a domain name issue in the config.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38939124
I had suggested trying RewriteLocation 0 and 1 and you had said you already tested this.  What was different this time when you did it?

What was the domain name issue and which config?  I don't remember seeing a domain name in the Pound config.
0
 

Author Comment

by:Provost
ID: 38939456
Yes, but setting 0, 1 or 2 didn't work at the time. I tried all the possibilities in ListenHTTP and ListenHTTPS.
We had to fix the DNS configuration first, as said in this thread.

After that I tried 0, 1, 2 again and only the "0" setting was working.

Thanks for your help.
0
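The two halves of this thread, the redirect loop described in the question and the RewriteLocation 0 fix in the last comments, can be put together in one small runnable model. This is an added example, not code from the question, from Pound, Varnish or Apache: it models Pound stripping and setting X-Forwarded-Proto as in the posted config, the PHP-style redirect decision on the backend, and a simplified stand-in for Pound's RewriteLocation (an assumption: when enabled, a Location pointing at the listener's own host with a different scheme is rewritten to the listener's scheme). Varnish is treated as a transparent pass-through, and the request, host and header values are constructed.

```python
# Added example (not code from the question, Pound, Varnish or Apache):
# a simplified model of the Pound -> Varnish -> Apache chain in this thread,
# showing why the http -> https redirect loops and why RewriteLocation 0 on
# ListenHTTP stops it. Varnish is treated as a transparent pass-through.
from dataclasses import dataclass, field


@dataclass
class Request:
    scheme: str                      # scheme the client really used
    host: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def pound_inbound(req: Request) -> Request:
    """Pound listener, inbound: HeadRemove any client-supplied X-Forwarded-*
    headers, then AddHeader the scheme this listener actually terminated.
    Stripping first is what stops a plain-HTTP client from claiming https."""
    clean = {k: v for k, v in req.headers.items()
             if k.lower() not in ("x-forwarded-proto", "x-forwarded-for")}
    clean["X-Forwarded-Proto"] = req.scheme
    return Request(req.scheme, req.host, req.path, clean)


def app(req: Request) -> Response:
    """Apache/PHP backend: the decision the PHP snippet in the question makes."""
    if req.headers.get("X-Forwarded-Proto") == "https":
        return Response(200)
    return Response(302, {"Location": f"https://{req.host}{req.path}"})


def pound_outbound(resp: Response, listener_scheme: str, host: str,
                   rewrite_location: int) -> Response:
    """Pound listener, outbound. Simplified stand-in (an assumption, not
    Pound's exact rule) for RewriteLocation: when enabled, a Location that
    points at this listener's own host with a different scheme is rewritten
    to the listener's scheme. On the HTTP listener that turns
    'https://example.com/' back into 'http://example.com/'."""
    loc = resp.headers.get("Location")
    if not rewrite_location or not loc:
        return resp
    scheme, _, rest = loc.partition("://")
    if rest.split("/", 1)[0] == host and scheme != listener_scheme:
        new_headers = dict(resp.headers, Location=f"{listener_scheme}://{rest}")
        return Response(resp.status, new_headers)
    return resp


def follow(req: Request, rewrite_location: int, max_hops: int = 5):
    """Client following redirects through the chain. Returns the URLs
    requested and 'ok' when a non-redirect arrives, or 'loop' when the hop
    limit is hit (what a browser reports as a redirect loop)."""
    visited = []
    for _ in range(max_hops):
        visited.append(f"{req.scheme}://{req.host}{req.path}")
        resp = pound_outbound(app(pound_inbound(req)), req.scheme, req.host,
                              rewrite_location)
        if resp.status != 302:
            return visited, "ok"
        scheme, _, rest = resp.headers["Location"].partition("://")
        host, _, path = rest.partition("/")
        # a browser sends no X-Forwarded-* headers of its own on the next hop
        req = Request(scheme, host, "/" + path)
    return visited, "loop"


if __name__ == "__main__":
    for setting in (2, 0):
        urls, outcome = follow(Request("http", "example.com", "/"), setting)
        print(f"RewriteLocation {setting}: {outcome} via {' -> '.join(urls)}")
```

Running it shows the loop with RewriteLocation left on for the HTTP listener (the backend's https Location is rewritten to http, so the client asks for http again) and the clean two-hop redirect with it set to 0. The same model also shows why the HeadRemove lines matter: a request over plain HTTP carrying its own "X-Forwarded-Proto: https" is still redirected, because the listener replaces that header before the backend ever sees it.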
