HTTPS redirection problem with X-Forwarded-Proto

Hi,

We are building a new server with:
Pound -> Varnish -> Apache -> CentOS.

Since Varnish doesn't work in SSL we are setting "X-Forwarded-Proto" to "https" in Pound and we are detecting that way if we are in https.

It's working when we directly access a URL like https://example.com but not when we do a redirection from "http" to "https" with ".htaccess" or "PHP". It seems like the X-Forwarded-Proto isn't forwarded with the redirection. So we get stuck in an infinite redirection loop.

We have found a way to perform the redirection with javascript but we would prefer to have a server side solution.


So we are wondering if there is a setting to change in Apache, Pound, Varnish, etc.?



We have tried a lot of solutions like:

////////////////
// .htaccess
////////////////
# Redirect to HTTPS when the edge proxy reports that the request arrived over plain HTTP
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
# Keep the requested path (the query string is appended automatically) instead of always sending the client to the site root
RewriteRule ^(.*)$ https://example.com%{REQUEST_URI} [L,R]


////////////////
// php
////////////////
// Honour the proxy's X-Forwarded-Proto so the application sees the request as HTTPS
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Otherwise redirect to the same host and URI over HTTPS
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit; // stop here so the rest of the page is not generated after the redirect
}






Our Pound config looks like:

//////////////////
// pound
///////////////
ListenHTTPS

      Address 0.0.0.0 # all interfaces
      Port 443
      AddHeader "X-Forwarded-Proto: https"
      HeadRemove "X-Forwarded-Proto"
      HeadRemove "X-Forwarded-For"
      Cert "/path/to/certificate.pem"

      Service
            BackEnd
                  Address 10.0.0.1
                  Port 80
                  Priority 1
            End

      End
End

We have spent a lot of time on that problem; thanks for helping us!
ProvostAsked:
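Added example (not from this thread, nor from Pound, Varnish or Apache): a small Python model of the two things this question turns on. The backend decides the effective scheme from X-Forwarded-Proto, but honours the header only when the immediate peer is a trusted proxy (the edge's HeadRemove strips client-supplied copies; the application should not trust the header from anywhere else). A second function is a deliberately simplified model of the behaviour the thread later reports, namely a non-zero RewriteLocation on the HTTP listener turning a `Location: https://host/...` into `http://host/...`, and a replay loop shows how that produces the infinite redirect and why RewriteLocation 0 stops it. The proxy range 10.0.0.0/24, the peer address 10.0.0.2 and the hostnames are constructed values.

```python
"""Scheme detection and redirect-loop model for an app behind a TLS-terminating proxy.

Constructed assumptions (not from the thread):
- 10.0.0.0/24 holds the proxy hops (Pound/Varnish) that may set X-Forwarded-Proto;
- edge_rewrite_location() is a simplified stand-in for the Location rewriting that
  the thread attributes to a non-zero RewriteLocation on Pound's HTTP listener.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Only these peers are allowed to assert the original scheme (constructed range).
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


def effective_scheme(headers: Dict[str, str], remote_addr: str) -> str:
    """Return 'https' if the request reached the edge over TLS, else 'http'.

    X-Forwarded-Proto is honoured only when the immediate peer is a trusted proxy;
    a copy injected by an untrusted client is ignored.
    """
    peer = ip_address(remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        proto = headers.get("x-forwarded-proto", "").lower()
        if proto in ("http", "https"):
            return proto
    return "http"  # the backend itself only listens on plain HTTP


def redirect_to_https(headers: Dict[str, str], remote_addr: str,
                      request_uri: str) -> Optional[str]:
    """Return the Location value for an upgrade redirect, or None if already HTTPS."""
    if effective_scheme(headers, remote_addr) == "https":
        return None
    return f"https://{headers['host']}{request_uri}"


def edge_rewrite_location(location: str, listener_scheme: str, host: str,
                          rewrite_location: int) -> str:
    """Model of the reported Pound behaviour (hypothetical simplification).

    With RewriteLocation != 0, a Location pointing at the listener's own virtual
    host but with the 'wrong' scheme is rewritten to the listener's scheme.
    With RewriteLocation 0 the Location passes through untouched.
    """
    if rewrite_location == 0:
        return location
    for scheme in ("http", "https"):
        prefix = f"{scheme}://{host}"
        if location.startswith(prefix) and scheme != listener_scheme:
            return f"{listener_scheme}://{host}" + location[len(prefix):]
    return location


def simulate(client_scheme: str, host: str, path: str,
             rewrite_location: int, max_hops: int = 5) -> Tuple[str, int, bool]:
    """Replay client -> edge -> backend round trips.

    Returns (scheme the client ends on, redirects followed, looped?).
    The edge sets X-Forwarded-Proto from the listener that accepted the request and
    the backend sees Varnish (10.0.0.2) as its peer.
    """
    scheme = client_scheme
    for hop in range(max_hops):
        headers = {"host": host, "x-forwarded-proto": scheme}
        loc = redirect_to_https(headers, "10.0.0.2", path)
        if loc is None:
            return scheme, hop, False
        loc = edge_rewrite_location(loc, scheme, host, rewrite_location)
        scheme = loc.split("://", 1)[0]  # the client follows the redirect
    return scheme, max_hops, True


if __name__ == "__main__":
    for setting in (1, 0):
        print(f"RewriteLocation {setting}:", simulate("http", "example.com", "/", setting))
    print("client-injected header ignored:",
          effective_scheme({"x-forwarded-proto": "https"}, "203.0.113.5"))
```

Running the block prints a looping result for RewriteLocation 1 (the client is bounced back to http every time) and a clean single redirect for RewriteLocation 0. The trusted-proxy check is the part to keep even once the loop is fixed: without it, anyone who can reach the backend directly, or a hop that forgets to strip the header, can make the application believe a plaintext request was HTTPS.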
giltjrCommented:
Have you done a packet capture to see what is being passed back and forth?

If not, I would suggest using something like Wireshark on each server to see what is being done at each level.

Although I have found an example of the POUND parameters like you have them, I personally would code the HeadRemove lines before the AddHeader.

Do you have POUND listening on port 80?  If so, can you post its config?
ProvostAuthor Commented:
Hi,
Thanks for your answer. It's hard to find good resources on this topic.

Wireshark
We have tried Wireshark on the client side.
But effectively we should definitely check on server side too.

Pound

We have the HeadRemove before, like you suggest.

//////////////
// Our real Pound config (except for IP and path):
//////////
User "pound"
Group "pound"
Control "/path/to/pound.cfg"


ListenHTTP
    Address 0.0.0.0
    Port 80
      HeadRemove "X-Forwarded-Proto"
      HeadRemove "X-Forwarded-For"
      AddHeader "X-Forwarded-Proto: http"
      RewriteLocation 2
End

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/path/to/pound.pem"
      HeadRemove "X-Forwarded-Proto"
      HeadRemove "X-Forwarded-For"
      AddHeader "X-Forwarded-Proto: https"
End

Service
    BackEnd
            Address 0.0.0.0
        Port    80
    End
   
End
ProvostAuthor Commented:
In PHP I set

header("Location: https://example.com")

and in the response header I see

HTTP/1.1 302 Found
Server: Apache
X-Powered-By: PHP/5.3.14 ZendServer/5.0
Location: http://example.com
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Accept-Ranges: bytes
Date: Wed, 23 Jan 2013 04:58:22 GMT
X-Varnish: 1294094576
Age: 0
Via: 1.1 varnish
Connection: keep-alive
giltjrCommented:
So you went to http://example.com and this is what you got back?

Could there be something stripping out the X-Forwarded for headers on the way back to you?

Is it possible to do a packet capture on everything in/out of POUND to see what it is doing?
ProvostAuthor Commented:
I'm doing a redirection to https and yes, this is what I got back.
Yeah that's a possibility.
We've just installed Wireshark. We will test it tomorrow.
ProvostAuthor Commented:
We've installed Wireshark and have looked at the packets.

We can see the redirection ( Location: https://example.com ) is lost at the end, just before the server answers.


First, some more info about the config:
At the top there is a virtual IP: 100.100.100.89
2nd. Pound on a VM, IP: 100.100.100.81
3rd. Varnish on a VM, IP: 100.100.100.83
4th. Apache on a VM, IP: 100.100.100.87

Steps working correctly:
100.100.100.89 : virtual IP receives the request
100.100.100.81 : Pound receives the request
100.100.100.83 : Varnish receives the request
100.100.100.87 : Apache receives the request and makes the redirection
100.100.100.83 : Varnish passes the redirection
100.100.100.81 : Pound passes the redirection

Steps where the problem occurs:
1. There is a call to the DNS server by 100.100.100.89
2. The answer is sent by 100.100.100.89 to the client and the "s" has disappeared from https. ( Location: http://example.com )
giltjrCommented:
What task/service/product controls 100.100.100.89?
ProvostAuthor Commented:
That's ha-linux (heartbeat), which we use for high availability. It's responsible for checking if the load balancers are running.
giltjrCommented:
O.K., let me ask the question another way.  What service/task is responsible for sending out the HTTP request/response that went out from 100.100.100.89?
ProvostAuthor Commented:
If I understand your question well it would be Pound.
giltjrCommented:
So Pound is receiving something from the server that "says" redirect to location="https://example.com" but is forwarding out location="http://example.com".

Not sure, but what happens if you change "RewriteLocation 2" to either 1 or 0 on the ListenHTTP?
ProvostAuthor Commented:
I have tested the different options (0, 1, 2) in ListenHTTP and ListenHTTPS and it didn't work. I will check soon in Wireshark if there are any differences.

I've seen this post: http://www.apsis.ch/pound/pound_list/archive/2010/2010-12/1291695902000 where people have the same problem. And it seems that it could be a DNS problem.

To clarify our setup: [network diagram]
ProvostAuthor Commented:
We've finally fixed our problem.
We had to put "RewriteLocation 0" in the "ListenHTTP" and to fix a domain name issue in the config.
giltjrCommented:
I had suggested trying RewriteLocation 0 and 1 and you had said you already tested this.  What was different this time when you did it?

What was the domain name issue and which config?  I don't remember seeing a domain name in the Pound config.
ProvostAuthor Commented:
Yes, but setting 0, 1 or 2 didn't work at the time. I've tried all the possibilities in ListenHTTP and ListenHTTPS.
We had to fix the DNS configuration first, as said in this thread.

After that I tried 0, 1 and 2 again and only the "0" setting was working.

Thanks for your help.