Bug 43603 - (4.1) force_https makes apache redirect traffic for localhost
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Apache
UCS 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Florian Best
Daniel Tröder
Duplicates: 42695 43609
Depends on:
Blocks: 44628
Reported: 2017-02-22 08:04 CET by Daniel Tröder
Modified: 2017-05-24 11:10 CEST (History)
See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
best: Patch_Available+
Description Daniel Tröder univentionstaff 2017-02-22 08:04:08 CET
As with Bug #40121 force_https also makes Apache redirect HTTP connections for localhost. This breaks OX: http://forum.univention.de/viewtopic.php?t=6505&p=24980#p24980 and probably other proxied software.

The following rule seems to fix that:
---
RewriteCond %{HTTP_HOST} !=localhost
---
(Is a rule for 127.0.0.1 also needed?)
Comment 1 Florian Best univentionstaff 2017-02-22 13:49:07 CET
*** Bug 43609 has been marked as a duplicate of this bug. ***
Comment 2 Thomas Siedentopf 2017-02-22 13:53:32 CET
maybe it would be a good idea to exclude every possible entry for localhost to catch every localhost for sure:

RewriteCond %{HTTP_HOST} !=localhost
RewriteCond %{REMOTE_ADDR} !=127.0.0.1
RewriteCond %{REMOTE_ADDR} !=::1
Comment 3 Florian Best univentionstaff 2017-02-22 13:58:31 CET
Note: REMOTE_ADDR is the IP of the client not of the requested server/host.
Comment 4 Daniel Tröder univentionstaff 2017-05-15 15:34:45 CEST
Another customer ran into this.

Possible solution in forum: https://help.univention.com/t/univention-oxappsuite-synchronisiert-nicht-mit-iphone/4987/8
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2017-05-17 22:11:21 CEST
We should discuss on how to fix this. With OX we have a service that connects to localhost and is unable to use SSL-encrypted connections.
Ideas:
a) do not use force_https for localhost
b) use a UCRV with exceptions (FQDN:PORT, ...)
c) <insert your idea here>
Comment 6 Michael Grandjean univentionstaff 2017-05-17 22:34:21 CEST
I'd vote for configurable exceptions. See also Bug #42695
Comment 7 Florian Best univentionstaff 2017-05-18 17:38:00 CEST
What do you think about the following UCR scheme:

apache2/force_https/exclude/request_uri//server-status=true
apache2/force_https/exclude/http_host/localhost=true
apache2/force_https/exclude/remote_addr/127.0.0.1=true

resulting in:
RewriteCond %{REQUEST_URI} !=/server-status
RewriteCond %{HTTP_HOST} !=localhost
RewriteCond %{REMOTE_ADDR} !=127.0.0.1

For URIs I could always prepend a leading slash, so that the variable looks nicer?!

Do we need more complex rules, like "=" as condition pattern?
Maybe we can use "=" if the variable is false and "!=" if the variable is true? Or let the condition string be specified by the value?:
apache2/force_https/exclude/request_uri//server-status=!=
→ looks ugly

I prefer the simplest solution which isn't 100% powerful.
Comment 8 Daniel Tröder univentionstaff 2017-05-19 09:55:45 CEST
(In reply to Florian Best from comment #7)
> What do you think about the following UCR scheme:
> 
> apache2/force_https/exclude/request_uri//server-status=true
> apache2/force_https/exclude/http_host/localhost=true
> apache2/force_https/exclude/remote_addr/127.0.0.1=true
> 
> resulting in:
> RewriteCond %{REQUEST_URI} !=/server-status
> RewriteCond %{HTTP_HOST} !=localhost
> RewriteCond %{REMOTE_ADDR} !=127.0.0.1
Will this be used only for "force_https" and those 3 rules, or as a general pattern apache2/force_https/exclude/<var.upper()>/<RHS>=<comparison> ?
If it is only for force_https -> OK, if all kind of rules can be created:

RewriteCond <var.upper()> <comparison> <RHS>

then I'd prefer something to reflect that, like apache2/RewriteCond/<var>/<RHS>=<comparison>.

> For URIs I could always prepend a leading slash, so that the variable looks
> nicer?!
Yes.
Everything behind apache2/force_https/exclude/ until "=" should be used as right-hand-side, allowing URLs with multiple levels, like "aa/bb/cc".

> Do we need more complex rules, like "=" as condition pattern?
> Maybe we can use "=" if the variable is false and "!=" if the variable is
> true? Or let the condition string be specified by the value?:
> apache2/force_https/exclude/request_uri//server-status=!=
> → looks ugly
Indeed :)

> I prefer the simplest solution which isn't 100% powerful.
Me too.

Let's make this here about force_https only, and create a separate Bug, if a complete generator for RewriteCond rules is desired.
Comment 9 Florian Best univentionstaff 2017-05-19 10:33:51 CEST
(In reply to Daniel Tröder from comment #8)
> Let's make this here about force_https only, and create a separate Bug, if a
> complete generator for RewriteCond rules is desired.
My comment was already specific to the force-https RewriteRule. Every RewriteCond is bound to a RewriteRule. We don't need any generic implementation.
Comment 10 Florian Best univentionstaff 2017-05-19 11:34:25 CEST
I changed my idea of the UCR scheme a little bit to:
 apache2/force_https/exclude/request_uri/mod-status?/server-status
 apache2/force_https/exclude/http_host/localhost?localhost

[apache2/force_https/exclude/(request_uri|http_host|remote_addr|server_name)/.*]
Description[en]=Configures conditions which exclude certain requests from being forced to use an encrypted connection. The condition type can check one of the request URI, HTTP Host request header, IP address (remote_addr) of the client or server name. If the request matches the set value it is not forced to use an encrypted connection. The wildcard can be anything to name the rule.

Description[de]=Konfiguriert Bedinungen, um keine verschlüsselte Verbindung für bestimmte Anfragen zu erzwingen. Der Bedingungstyp kann die Anfrage-URL (request_uri), HTTP Host Anfrage-Header (http_host), IP-Adresse des Clients (remote_addr) oder der Server-Name (server_name) sein. Wenn die Anfrage dem gesetzten Wert entspricht wird keine verschlüsselte Verbindung erzwungen. Ein beliebiger Platzhalter kann als Name für die Regel gewählt werden.


univention-apache (8.0.1-8):
r79442 | Bug #43603: make excludes for force_https configurable

univention-apache.yaml:
r79443 | YAML Bug #43603
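The UCR scheme from comment 10, worked through as an added example (this is not univention-apache's own template code): the script below reads exclude variables of the form apache2/force_https/exclude/<type>/<name>=<value>, renders the matching RewriteCond lines, and evaluates them against two constructed requests, one arriving from the local OX proxy hop and one from a LAN browser. The RewriteRule target, the `%{HTTPS} off` guard, the helper names and the sample requests are assumptions made for this illustration; only the UCR key layout and the four condition types come from the bug discussion. It also shows why the CondPattern must be written as one token (`!=localhost`): with a space after `!=`, mod_rewrite reads the value as the flags argument.

```python
"""Added example, not Univention's code: render force_https exclude rules
from UCR-style variables and evaluate them against sample requests."""
import re

# Condition types allowed by the UCR scheme, mapped to the mod_rewrite variable they test
COND_TYPES = {
    "request_uri": "REQUEST_URI",
    "http_host": "HTTP_HOST",
    "remote_addr": "REMOTE_ADDR",
    "server_name": "SERVER_NAME",
}

KEY_RE = re.compile(r"^apache2/force_https/exclude/(?P<type>[a-z_]+)/(?P<name>[^=]+)$")

# Constructed sample UCR contents: comment 10's entries, an IPv6 loopback entry,
# and one entry with an unknown type that the generator must ignore
SAMPLE_UCR = {
    "apache2/force_https": "true",
    "apache2/force_https/exclude/request_uri/mod-status": "server-status",
    "apache2/force_https/exclude/http_host/localhost": "localhost",
    "apache2/force_https/exclude/remote_addr/loopback6": "::1",
    "apache2/force_https/exclude/bogus_type/x": "y",
}


def parse_excludes(ucr):
    """Return (mod_rewrite variable, value) pairs for every well-formed exclude entry."""
    excludes = []
    for key, value in sorted(ucr.items()):
        m = KEY_RE.match(key)
        if not m or m.group("type") not in COND_TYPES:
            continue  # not an exclude entry, or an unsupported condition type
        value = value.strip()
        if m.group("type") == "request_uri" and not value.startswith("/"):
            value = "/" + value  # comment 7: always prepend a leading slash to URIs
        excludes.append((COND_TYPES[m.group("type")], value))
    return excludes


def cond_pattern(value):
    """Build the CondPattern as a single token; quote it if the value has whitespace.
    'RewriteCond %{HTTP_HOST} != localhost' (with a space) is a syntax error because
    Apache would parse 'localhost' as the flags argument."""
    return '"!=%s"' % value if re.search(r"\s", value) else "!=" + value


def render_rewrite_block(ucr):
    """Render the assumed force_https block: guard, one RewriteCond per exclude, redirect."""
    if ucr.get("apache2/force_https", "false").lower() != "true":
        return ""
    lines = ["RewriteEngine On", "RewriteCond %{HTTPS} off"]  # assumed guard condition
    for var, value in parse_excludes(ucr):
        lines.append("RewriteCond %%{%s} %s" % (var, cond_pattern(value)))
    lines.append("RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]")  # assumed target
    return "\n".join(lines) + "\n"


def is_forced_to_https(ucr, request):
    """Evaluate the rendered conditions for one request: every RewriteCond must hold
    for the redirect to fire, so a single matching exclude disables it."""
    if request.get("HTTPS") == "on":
        return False
    if ucr.get("apache2/force_https", "false").lower() != "true":
        return False
    for var, value in parse_excludes(ucr):
        if request.get(var, "") == value:
            return False  # the '!=' condition fails, request is excluded
    return True


# Constructed requests. REMOTE_ADDR is the client's address (comment 3), so the
# proxy hop from OX on the same host shows up with HTTP_HOST=localhost and a
# loopback REMOTE_ADDR, while a LAN browser carries the server's FQDN as Host.
LOCAL_REQ = {"HTTPS": "off", "HTTP_HOST": "localhost", "REMOTE_ADDR": "127.0.0.1",
             "REQUEST_URI": "/appsuite/api/", "SERVER_NAME": "ucs.example.test"}
LAN_REQ = {"HTTPS": "off", "HTTP_HOST": "ucs.example.test", "REMOTE_ADDR": "10.0.0.23",
           "REQUEST_URI": "/ucs-overview/", "SERVER_NAME": "ucs.example.test"}

if __name__ == "__main__":
    print(render_rewrite_block(SAMPLE_UCR))
    print("local OX hop redirected:", is_forced_to_https(SAMPLE_UCR, LOCAL_REQ))
    print("LAN browser redirected: ", is_forced_to_https(SAMPLE_UCR, LAN_REQ))
```

Note that an exclude on remote_addr alone would not cover the OX case if the proxy connected through a non-loopback interface; matching on HTTP_HOST as well, as the scheme allows, keeps the exemption tied to what the local service actually sends.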
Comment 11 Florian Best univentionstaff 2017-05-19 13:42:52 CEST
*** Bug 42695 has been marked as a duplicate of this bug. ***
Comment 12 Daniel Tröder univentionstaff 2017-05-22 09:44:59 CEST
see Bug #44628
Comment 13 Florian Best univentionstaff 2017-05-22 15:01:29 CEST
Thank you. Fixed in:
univention-apache (8.0.1-9):
r79511 | Bug #43603: fix syntax error
Comment 14 Daniel Tröder univentionstaff 2017-05-22 18:31:35 CEST
OK: manual test:

# dpkg -l univention-apache
ii  univention-apache       8.0.1-7.258.2016 all

# ucr set apache2/force_https=true
# /etc/init.d/apache2 restart

# wget http://localhost/
--2017-05-19 21:01:17--  http://localhost/
Auflösen des Hostnamen »localhost (localhost)«... ::1, 127.0.0.1
Verbindungsaufbau zu localhost (localhost)|::1|:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 301 Moved Permanently
Platz: https://localhost/[folge]
--2017-05-19 21:01:17--  https://localhost/
Verbindungsaufbau zu localhost (localhost)|::1|:443... verbunden.
GnuTLS: A TLS warning alert has been received.
Es ist nicht möglich, eine SSL-Verbindung herzustellen.

# univention-upgrade --ignoreterm --ignoressh
# dpkg -l univention-apache
ii  univention-apache       8.0.1-9.260.2017 all

# wget http://localhost/
--2017-05-19 21:04:46--  http://localhost/
Auflösen des Hostnamen »localhost (localhost)«... ::1, 127.0.0.1
Verbindungsaufbau zu localhost (localhost)|::1|:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 302 Found
Platz: http://localhost/ucs-overview/[folge]
--2017-05-19 21:04:46--  http://localhost/ucs-overview/
Wiederverwendung der bestehenden Verbindung zu localhost:80.
HTTP-Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 3286 (3,2K) [text/html]
In »»index.html«« speichern.

100%[==========================================================================>] 3.286       --.-K/s   in 0s      

2017-05-19 21:04:46 (253 MB/s) - »»index.html«« gespeichert [3286/3286]

r79522: update advisory
Comment 15 Janek Walkenhorst univentionstaff 2017-05-24 11:10:26 CEST
<http://errata.software-univention.de/ucs/4.1/424.html>