Bug 44628 - (4.2) force_https makes apache redirect traffic for localhost
(4.2) force_https makes apache redirect traffic for localhost
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Apache
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-0-errata
Assigned To: Florian Best
Daniel Tröder
:
Depends on: 43603
Blocks:
  Show dependency treegraph
 
Reported: 2017-05-18 08:54 CEST by Daniel Tröder
Modified: 2017-05-24 10:48 CEST (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Tröder univentionstaff 2017-05-18 08:54:54 CEST
+++ This bug was initially created as a clone of Bug #43603 +++

As with Bug #40121 force_https also makes Apache redirect HTTP connections for localhost. This breaks OX: http://forum.univention.de/viewtopic.php?t=6505&p=24980#p24980 and probably other proxied software.

The following rule seems to fix that:
---
RewriteCond %{HTTP_HOST} != localhost
---
(Is a rule for 127.0.0.1 also needed?)
Comment 1 Florian Best univentionstaff 2017-05-19 11:31:13 CEST
univention-apache (9.0.5-10):
r79441 | Bug #44628: make excludes for force_https configurable

univention-apache.yaml:
r79444 | YAML Bug #44628
Comment 2 Daniel Tröder univentionstaff 2017-05-21 11:59:02 CEST
* YAML: being forcing -> being forced
* Apache doesn't start anymore:

root@dc2000:~# ucr set apache2/force_https=true

root@dc2000:~# ucr search force_https
apache2/force_https/exclude/(request_uri|http_host|remote_addr|server_name)/.*: <empty>
apache2/force_https/exclude/http_host/localhost: localhost
apache2/force_https/exclude/request_uri/mod-status: /server-status
apache2/force_https: true

root@dc2000:~# systemctl restart apache2.service 
Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details.

root@dc2000:~# systemctl status apache2.service
● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2)
   Active: failed (Result: exit-code) since So 2017-05-21 11:53:19 CEST; 4s ago
  Process: 17635 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
  Process: 17663 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)

Mai 21 11:53:19 dc2000 systemd[1]: Starting LSB: Apache2 web server...
Mai 21 11:53:19 dc2000 apache2[17663]: Starting web server: apache2 failed!
Mai 21 11:53:19 dc2000 apache2[17663]: The apache2 configtest failed. ... (warning).
Mai 21 11:53:19 dc2000 apache2[17663]: Output of config test was:
Mai 21 11:53:19 dc2000 apache2[17663]: AH00526: Syntax error on line 80 of /etc/apache2/mods-enabled/ssl.conf:
Mai 21 11:53:19 dc2000 apache2[17663]: RewriteCond: bad flag delimiters
Mai 21 11:53:19 dc2000 apache2[17663]: Action 'configtest' failed.
Mai 21 11:53:19 dc2000 apache2[17663]: The Apache error log may have more information.
Mai 21 11:53:19 dc2000 systemd[1]: apache2.service: control process exited, code=exited status=1
Mai 21 11:53:19 dc2000 systemd[1]: Failed to start LSB: Apache2 web server.
Mai 21 11:53:19 dc2000 systemd[1]: Unit apache2.service entered failed state.

root@dc2000:~# grep -n Rewrite /etc/apache2/mods-enabled/ssl.conf
78:RewriteEngine on
79:RewriteCond %{HTTPS} off
80:RewriteCond %{REQUEST_URI} != /server-status
81:RewriteCond %{HTTP_HOST} != localhost
82:RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
Comment 3 Florian Best univentionstaff 2017-05-22 15:09:36 CEST
univention-apache (9.0.5-11):
r79505 | Bug #44628: fix syntax error
Comment 4 Daniel Tröder univentionstaff 2017-05-22 18:22:45 CEST
OK: manual test
r79522: updated advisory
Comment 5 Janek Walkenhorst univentionstaff 2017-05-24 10:48:07 CEST
<http://errata.software-univention.de/ucs/4.2/20.html>