Solved

https redirection problem with X-Forwarded-Proto

Posted on 2013-01-18
Last Modified: 2013-12-11
Hi,

We are building a new server  with :
Pound -> Varnish -> Apache -> CentOS.

Since Varnish doesn't work in SSL we are setting "X-Forwarded-Proto" to "https" in Pound and we are detecting that way if we are in https.

It's working when we access a URL like https://example.com directly, but not when we do a redirection from "http" to "https" with "htaccess" or "PHP". It seems like the X-Forwarded-Proto isn't forwarded with the redirection, so we get stuck in an infinite redirection loop.

We have found a way to perform the redirection with javascript but we would prefer to have a server side solution.


So we're wondering if there is a setting to change in apache, pound, varnish, etc.?



We have tried a lot of solutions like:

////////////////
// htaccess
////////////////////
  RewriteEngine On
  # Redirect only when the proxy did not mark the request as https
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  # Keep the requested path ($1 has no leading slash in .htaccess context)
  RewriteRule ^(.*)$ https://example.com/$1 [L,R]


///////////////////
// php
//////////////////
// Map the proxy's scheme hint onto the variable mod_ssl would normally set
if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){
	$_SERVER['HTTPS']='on';
}

// Redirect to https when the request did not arrive over TLS
if(!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on'){
	header('Location: '. 'https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
	exit; // stop here, otherwise the page body is still generated after the redirect
}






Our pound config look like:

//////////////////
// pound
///////////////
ListenHTTPS

      Address 0.0.0.0 # all interfaces
      Port 443
      AddHeader "X-Forwarded-Proto: https"
      HeadRemove "X-Forwarded-Proto"
      HeadRemove "X-Forwarded-For"
      Cert "/path/to/certificate.pem"

      Service
            BackEnd
                  Address 10.0.0.1
                  Port 80
                  Priority 1
            End

      End
End

We have spent a lot of time on that problem, thanks for helping us!
Question by:Provost
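A server-side version of the redirect that does not loop and only trusts the scheme hint when it comes from the proxy, as an added example (it is not the poster's code and not part of Pound, Varnish or Apache). It assumes the addresses of the proxies in front of Apache (the Pound and Varnish VM addresses given later in the thread are used here as placeholders) and that the proxy strips any client-supplied X-Forwarded-Proto before adding its own, as the HeadRemove lines in the Pound config above do.

```php
<?php
// Added example: derive the request scheme behind a TLS-terminating proxy
// and redirect to https only when the request did not arrive over TLS.

function request_is_https(array $server, array $trustedProxies): bool
{
    // Direct TLS to Apache: mod_ssl sets HTTPS=on itself.
    if (isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on') {
        return true;
    }
    // Honour X-Forwarded-Proto only when the immediate peer is a known proxy;
    // otherwise any client could claim "https" and skip the redirect.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    // Some proxies send a comma-separated list; the first entry is the
    // scheme the client actually used.
    $first = trim(explode(',', $proto)[0]);
    return $first === 'https';
}

// Returns the https URL to redirect to, or null when no redirect is needed.
function https_redirect_target(array $server, array $trustedProxies): ?string
{
    if (request_is_https($server, $trustedProxies)) {
        return null; // already on https: no redirect, so no loop
    }
    $host = $server['HTTP_HOST'] ?? 'example.com';
    $uri  = $server['REQUEST_URI'] ?? '/';
    return 'https://' . $host . $uri;
}

// Usage at the top of the front controller, before any output.
// Placeholder addresses (assumption): the proxies that may talk to Apache.
$trustedProxies = ['100.100.100.81', '100.100.100.83'];
$target = https_redirect_target($_SERVER, $trustedProxies);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit; // stop here; PHP otherwise keeps generating the page after the Location header
}
```

Two points are worth keeping in mind when adapting this: the Host header is client-supplied, so using a fixed canonical hostname instead of HTTP_HOST avoids redirecting to a host the client chose; and the explicit exit after header() matters, because without it the rest of the script still runs.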
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 38796542
Have you done a packet capture to see what is being passed back and forth?

If not, I would suggest using something like Wireshark on each server to see what is being done at each level.

Although I have found an example of the POUND parameters like you have them, I personally would code the HeadRemove's before the AddHeader.

Do you have POUND listening on port 80?  If so can you post it's config?
 

Author Comment

by:Provost
ID: 38801212
Hi,
Thanks for your answer. It's hard to find good resources on this topic.

Wireshark
We have tried Wireshark on the client side.
But effectively we should definitely check on server side too.

Pound

We have the HeadRemove before like you suggest.

//////////////
// Our real pound config: (except for ip and path)
//////////
User "pound"
Group "pound"
Control "/path/to/pound.cfg"


ListenHTTP
    Address 0.0.0.0
    Port 80
      HeadRemove "X-Forwarded-Proto"
      HeadRemove "X-Forwarded-For"
      AddHeader "X-Forwarded-Proto: http"
      RewriteLocation 2
End

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/path/to/pound.pem"
      HeadRemove "X-Forwarded-Proto"
      HeadRemove "X-Forwarded-For"
      AddHeader "X-Forwarded-Proto: https"
End

Service
    BackEnd
            Address 0.0.0.0
        Port    80
    End
   
End
 

Author Comment

by:Provost
ID: 38807144
In PHP I set  

header("Location: https://example.com")

and in the response header I see

HTTP/1.1 302 Found
Server: Apache
X-Powered-By: PHP/5.3.14 ZendServer/5.0
Location: http://example.com
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Accept-Ranges: bytes
Date: Wed, 23 Jan 2013 04:58:22 GMT
X-Varnish: 1294094576
Age: 0
Via: 1.1 varnish
Connection: keep-alive
 
LVL 57

Expert Comment

by:giltjr
ID: 38809916
So you went to http://example.com and this is what you got back?

Could there be something stripping out the X-Forwarded for headers on the way back to you?

Is it possible to do a packet capture on everything in/out of POUND to see what it is doing?
 

Author Comment

by:Provost
ID: 38828567
I'm doing a redirection to https and yes, this is what I got back.
Yeah that's a possibility.
We've just installed Wireshark. We will test it tomorrow.
 

Author Comment

by:Provost
ID: 38845239
We've installed Wireshark and have looked at the packets.

We can see the redirection ( Location: https://example.com ) is lost at the end, just before the server answers.


First, some more info about the config:
At the top there is a virtual IP: 100.100.100.89
2nd. Pound on a VM  IP: 100.100.100.81
3rd. Varnish on a VM IP: 100.100.100.83
4th. Apache on a VM IP: 100.100.100.87

Steps working correctly:
100.100.100.89 : virtual IP receives the request
100.100.100.81 : pound receives the request
100.100.100.83 : varnish receives the request
100.100.100.87 : apache receives the request and makes the redirection
100.100.100.83 : varnish passes the redirection
100.100.100.81 : pound passes the redirection

Steps where the problem occurs:
1. there is a call to the dns server by 100.100.100.89
2. the answer is sent by (100.100.100.89) to the client and the "s" has disappeared from https.   ( Location: http://example.com )
 
LVL 57

Expert Comment

by:giltjr
ID: 38845686
What task/service/product controls 100.100.100.89?

 

Author Comment

by:Provost
ID: 38851063
That's ha-linux (heartbeat), that we use for high availability. It's responsible for checking if the load balancers are running.
 
LVL 57

Expert Comment

by:giltjr
ID: 38851108
O.K., let me ask the question another way.  What service/task is responsible for sending out the HTTP request/response that went out from 100.100.100.89?
 

Author Comment

by:Provost
ID: 38852003
If I understand your question well it would be Pound.
 
LVL 57

Expert Comment

by:giltjr
ID: 38852258
So pound is receiving something from the server that "says" redirect to location="https://example.com" but is forwarding out location="http://example.com".

Not sure, but what happens if you change "RewriteLocation 2" to either 1 or 0 on the ListenHTTP?
 

Author Comment

by:Provost
ID: 38861412
I have tested the different options (0,1,2) in ListenHTTP and ListenHTTPS and it didn't work. I will check soon in Wireshark if there are any differences.

I've seen this post: http://www.apsis.ch/pound/pound_list/archive/2010/2010-12/1291695902000 where people have the same problem. And it seems that it could be a DNS problem.

To clarify our setup:
(image: network diagram)
 

Author Comment

by:Provost
ID: 38939026
We've finally fixed our problem.
We had to put "RewriteLocation 0" in the "ListenHTTP" and to fix a domain name issue in the config.
 
LVL 57

Expert Comment

by:giltjr
ID: 38939124
I had suggested trying RewriteLocation 0 and 1 and you had said you already tested this.  What was different this time when you did it?

What was the domain name issue and which config?  I don't remember seeing a domain name in the Pound config.
 

Author Comment

by:Provost
ID: 38939456
Yes, but setting 0, 1 or 2 didn't work at the time. I've tried all the possibilities in ListenHTTP and ListenHTTPS.
We had to fix the DNS configuration first, like said in this thread.

After that I tried 0, 1 and 2 again and only the "0" setting was working.

Thanks for your help.