Bug 45449 - Apache force_https exclude does not support patterns
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Apache
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-2-errata
Assigned To: Florian Best
QA Contact: Daniel Tröder
Depends on:
Blocks:
Reported: 2017-09-25 12:11 CEST by Florian Best
Modified: 2017-09-28 15:56 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.137
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2017092221000363
Bug group (optional): Error handling, External feedback
Max CVSS v3 score:


Description Florian Best univentionstaff 2017-09-25 12:11:38 CEST
Since Bug #44628 we support UCR variables to make exceptions for the "force https" rule.

The exceptions currently compare the URL for lexicographical inequality.
We should change this so that a regex pattern is accepted.

We need this e.g. for the letsencrypt app, which needs to allow ^/.well-known/acme-challenge/.*.
Comment 1 Florian Best univentionstaff 2017-09-25 12:17:21 CEST
univention-apache (9.0.5-13):
dd653b05077d | Bug #45449: use regex patterns for force https exclusion rules

univention-apache.yaml:
1b7a972c1caa | YAML Bug #45449
Comment 4 Daniel Tröder univentionstaff 2017-09-26 13:42:53 CEST
OK: code
OK: advisory (improved wording: a0bccdc..6b51f7c)
OK: manual test:
ucr set apache2/force_https=yes apache2/force_https/exclude/request_uri/test1="/test1/a" apache2/force_https/exclude/request_uri/test2="/test1/b/$"

/test1 doesn't exist, so 404 will happen. But if not excluded, requests will first be redirected (301).

wget --no-check-certificate http://10.200.3.52/test1/ -> 301
wget --no-check-certificate http://10.200.3.52/test1/abc/ -> 404
wget --no-check-certificate http://10.200.3.52/test1/b/ -> 404
wget --no-check-certificate http://10.200.3.52/test1/bc -> 301
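
Added example (not part of the original bug comments and not Univention's code): a Python model of the exclusion check that reproduces the four results of the manual test above and lists URIs an exclusion pattern exempts from the HTTPS redirect beyond the intended prefix. It assumes patterns are matched unanchored against the request URI, as Apache does for regex conditions; the function names and the extra sample URIs are constructed for illustration.

```python
import re

# Patterns from the manual test in comment 4 (values of the two UCR variables).
EXCLUDES = ["/test1/a", "/test1/b/$"]


def is_excluded(request_uri, patterns):
    """True if any pattern matches anywhere in the URI (unanchored search, assumed)."""
    return any(re.search(p, request_uri) for p in patterns)


def http_status(request_uri, patterns, existing_paths=()):
    """Status for a plain-HTTP request: 301 when forced to HTTPS, else 200 or 404."""
    if not is_excluded(request_uri, patterns):
        return 301
    return 200 if request_uri in existing_paths else 404


def overbroad_matches(pattern, intended_prefix, candidates):
    """Candidate URIs the pattern exempts although they lie outside intended_prefix."""
    rx = re.compile(pattern)
    return [u for u in candidates
            if rx.search(u) and not u.startswith(intended_prefix)]


if __name__ == "__main__":
    for uri in ["/test1/", "/test1/abc/", "/test1/b/", "/test1/bc"]:
        print(uri, "->", http_status(uri, EXCLUDES))

    # Constructed sample URIs: an unanchored pattern also exempts deeper paths.
    print(overbroad_matches("/test1/a", "/test1/a",
                            ["/test1/a", "/other/test1/a", "/test1/b"]))

    # The pattern quoted in the description has an unescaped dot, which
    # matches any character; escaping it limits the exemption to the real path.
    probes = ["/.well-known/acme-challenge/tok", "/Xwell-known/acme-challenge/tok"]
    print(overbroad_matches(r"^/.well-known/acme-challenge/.*",
                            "/.well-known/acme-challenge/", probes))
    print(overbroad_matches(r"^/\.well-known/acme-challenge/",
                            "/.well-known/acme-challenge/", probes))
```

Every URI an exclusion matches stays reachable over plain HTTP, so anchoring patterns with ^ and escaping literal dots keeps the exemption as narrow as intended.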
Comment 5 Philipp Hahn univentionstaff 2017-09-28 15:56:45 CEST
<http://errata.software-univention.de/ucs/4.2/187.html>