Bug 37518 - incompatible setting of X-Forwarded-Proto in /etc/apache2/sites-available/univention-management-console
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-0-errata
Assigned To: Florian Best
QA Contact: Dirk Wiesenthal

Reported: 2015-01-12 12:01 CET by Dirk Ahrnke
Modified: 2015-02-04 15:57 CET (History)
best: Patch_Available+


Attachments
tested patch (1.26 KB, patch)
2015-01-12 12:58 CET, Florian Best
Description Dirk Ahrnke 2015-01-12 12:01:10 CET
The current site definition of the UMC has:

"RequestHeader set X-Forwarded-Proto %{HTTPS}s"

This results in "off" when accessing the server with http and "on" with https.

Most applications will expect the protocol ("https" or "http") to be returned.

One of the affected applications is ownCloud 7. The incompatible usage will cause a fallback to http when the application was accessed successfully with https. When https is forced in ownCloud with the default setting, a redirect loop occurs.

The problem was reported twice in the forum:
http://forum.univention.de/viewtopic.php?f=67&t=3644
http://forum.univention.de/viewtopic.php?f=67&t=3690
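
The behaviour described in this report, as an added example that is not part of the original report and is not ownCloud or UCS code: a constructed model of a reverse proxy that sends either the "on"/"off" value or the protocol name, and a backend that only recognises "https". The host name cloud.example and all function names are hypothetical.

```python
# Added example: constructed model, not ownCloud or UCS code.
MAX_REDIRECTS = 5

def proxy_header(client_scheme, style):
    """Value the reverse proxy puts in X-Forwarded-Proto."""
    tls = client_scheme == "https"
    if style == "https-flag":          # RequestHeader set X-Forwarded-Proto %{HTTPS}s
        return "on" if tls else "off"
    return "https" if tls else "http"  # protocol name, as most applications expect

def backend_scheme(headers):
    """Hypothetical backend: treats the request as TLS only if the header says 'https'."""
    value = headers.get("X-Forwarded-Proto", "").lower()
    return "https" if value == "https" else "http"

def backend_respond(headers, path, force_https):
    """Return (status, url): a redirect target or the base URL used for generated links."""
    scheme = backend_scheme(headers)
    if force_https and scheme != "https":
        return 301, "https://cloud.example" + path
    return 200, scheme + "://cloud.example" + path

def fetch(url, style, force_https):
    """Follow redirects like a browser; return (outcome, hops, final URL)."""
    for hop in range(MAX_REDIRECTS + 1):
        scheme, _, rest = url.partition("://")
        path = "/" + rest.partition("/")[2]
        headers = {"X-Forwarded-Proto": proxy_header(scheme, style)}
        status, target = backend_respond(headers, path, force_https)
        if status == 200:
            return "ok", hop, target
        url = target                   # 301: retry at the redirect target
    return "redirect-loop", MAX_REDIRECTS, url

if __name__ == "__main__":
    start = "https://cloud.example/index.php"
    for style in ("https-flag", "scheme"):
        for force in (False, True):
            print(style, "force_https=%s" % force, fetch(start, style, force))
```

With the "on"/"off" value the backend builds http links for a request that arrived over https, and with https forced it redirects to the same URL until the client gives up.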
Comment 1 Florian Best univentionstaff 2015-01-12 12:31:45 CET
This was introduced by Bug #36617 in UCS 4.0-0.

Currently the settings in the Apache site configuration "univention-management-console" set global Apache configurations instead of only for UMC-related services.
We should use a Location directive or a virtual host.
Comment 2 Florian Best univentionstaff 2015-01-12 12:39:53 CET
diff --git a/ucs-4.0-0/management/univention-management-console-frontend/conffiles/etc/apache2/sites-available/univention-management-console b/ucs-4.0-0/management/univention-management-console-frontend/conffiles/etc/apache2/sites-availab
index c5906cf..efc97a9 100644
--- a/ucs-4.0-0/management/univention-management-console-frontend/conffiles/etc/apache2/sites-available/univention-management-console
+++ b/ucs-4.0-0/management/univention-management-console-frontend/conffiles/etc/apache2/sites-available/univention-management-console
@@ -2,2 +2,3 @@
 
+<LocationMatch "^/(umcp|umc|univention-management-console)/">
 ProxyPreserveHost on
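Review bot: The pattern on the added LocationMatch line ends in a slash after the alternation, so a request for a bare prefix (for example /umc with no trailing slash) falls outside the block and will not get ProxyPreserveHost or any other setting moved inside it. If that is intended, a short comment above the opening tag saying that the block exists to keep these settings from applying to other applications served by the same Apache would help the next person editing this conffile. Everything between this line and the closing tag also moves from server context to per-location context, so each enclosed directive needs to be checked for being allowed there.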
@@ -41,2 +42,3 @@ RewriteRule ^(/univention-management-console/js)_[^/]*/(.*) $1/$2 [R=301]
 SetEnv proxy-nokeepalive 1
+</LocationMatch>
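Review bot: The hunk header shows a RewriteRule whose pattern starts with ^(/univention-management-console/js) just above this point, which appears to put it inside the region now closed by </LocationMatch>. Inside a Location-type container mod_rewrite runs in per-directory context, where the pattern is matched against a path without the leading slash, so that rule would stop matching. Either drop the leading slash from the pattern or keep the rewrite rules outside the block and wrap only the directives that need to be limited to the UMC paths.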
Comment 3 Florian Best univentionstaff 2015-01-12 12:58:40 CET
Created attachment 6592
tested patch

The patch from the comment contains 2 mistakes: the leading slash must be removed, and the ProxyPass directives aren't allowed underneath LocationMatch.
Comment 4 Dirk Ahrnke 2015-01-22 11:31:29 CET
I can confirm that the "LocationMatch" directive avoids the fallback to http for ownCloud 7.
It would be nice if the change could be provided to the customers.
Comment 5 Florian Best univentionstaff 2015-01-30 10:54:12 CET
UMCP-specific configurations have been put into a LocationMatch directive.
Fix: svn r57681
Package: univention-management-console-frontend
Version: 4.1.106-11.993.201501301040
YAML: 2015-01-30-univention-management-console-frontend.yaml
Comment 6 Dirk Wiesenthal univentionstaff 2015-02-03 16:57:31 CET
Okay, works fine
Comment 7 Janek Walkenhorst univentionstaff 2015-02-04 15:57:49 CET
<http://errata.univention.de/ucs/4.0/76.html>