Bug 44921 - Apache does not pass HTTPS in the request header when mod_proxy proxies to HTTP
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Apache
UCS 4.3
Other Linux
: P5 normal
: UCS 4.3-0-errata
Assigned To: Dirk Wiesenthal
Felix Botner
:
Depends on:
Blocks: 47071
Reported: 2017-07-02 13:13 CEST by Dirk Wiesenthal
Modified: 2018-05-24 15:33 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.206
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?: Yes
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Dirk Wiesenthal univentionstaff 2017-07-02 13:13:04 CEST
The App Center allows passing HTTPS requests to the container. Apache may use HTTP for that proxy connection.

In this case the information that the connection once was HTTPS is not passed through. This may lead to redirects that explicitly tell the browser to use HTTP.

We should use
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

in our sites.
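
How a backend behind the proxy can consume the two headers proposed above, as an added example that is not part of the original report or of univention-apache: without the headers the redirect falls back to http, with them it stays on https, and forwarded headers from any peer other than the proxy are ignored. The proxy address, host name, and function and constant names are assumptions.

```python
import ipaddress

# Assumptions (constructed values, not taken from the bug report):
TRUSTED_PROXIES = [ipaddress.ip_network("172.17.42.1/32")]  # the Apache proxy
PUBLIC_HOST = "ucs.example.test"                            # fixed, not from Host:


def effective_scheme(environ):
    """Scheme the browser used, as far as a WSGI backend can tell."""
    scheme = environ.get("wsgi.url_scheme", "http")
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return scheme
    # Only the proxy may assert the original scheme. "RequestHeader set"
    # overwrites client-supplied values there; a direct peer could send anything.
    if not any(peer in net for net in TRUSTED_PROXIES):
        return scheme
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    if proto in ("http", "https"):
        return proto
    # X-Forwarded-SSL carries %{HTTPS}, i.e. "on" or "off".
    if environ.get("HTTP_X_FORWARDED_SSL", "").strip().lower() == "on":
        return "https"
    return scheme


def redirect_location(environ, path):
    """Absolute redirect target that keeps the browser on its original scheme."""
    return f"{effective_scheme(environ)}://{PUBLIC_HOST}{path}"


# Constructed WSGI environments: the proxied hop itself is plain HTTP in all of them.
BEFORE_FIX = {"REMOTE_ADDR": "172.17.42.1", "wsgi.url_scheme": "http"}
AFTER_FIX = dict(BEFORE_FIX, HTTP_X_FORWARDED_PROTO="https",
                 HTTP_X_FORWARDED_SSL="on")
SPOOFED = {"REMOTE_ADDR": "198.51.100.7", "wsgi.url_scheme": "http",
           "HTTP_X_FORWARDED_PROTO": "https"}

if __name__ == "__main__":
    for name, env in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX),
                      ("untrusted peer", SPOOFED)):
        print(f"{name:15} -> {redirect_location(env, '/app/login')}")
```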
Comment 1 Felix Botner univentionstaff 2018-05-02 16:51:03 CEST
Please also add SSLProxyCheckPeerExpire Off (we already have SSLProxyCheckPeerCN off, etc.)
Comment 2 Dirk Wiesenthal univentionstaff 2018-05-02 16:54:33 CEST
We will need a backport
Comment 3 Dirk Wiesenthal univentionstaff 2018-05-02 20:40:41 CEST
Fixed in
  univention-apache 10.0.2-2A~4.3.0.201805021835
Comment 4 Felix Botner univentionstaff 2018-05-04 11:14:33 CEST
OK - univention-apache (X-Forwarded-Proto is https and X-Forwarded-SSL on for https and http and off for http)
OK - UMC, multiple apps

OK - yaml
Comment 5 Quality Assurance univentionstaff 2018-05-04 16:43:09 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/univention-apache_10.0.2-1A~4.3.0.201803060647.dsc
+++ apt/ucs_4.3-0-errata4.3-0/source/univention-apache_10.0.2-2A~4.3.0.201805021835.dsc
@@ -1,6 +1,10 @@
-10.0.2-1A~4.3.0.201803060647 [Tue, 06 Mar 2018 06:47:56 +0100] Univention builddaemon <buildd@univention.de>:
+10.0.2-2A~4.3.0.201805021835 [Wed, 02 May 2018 18:35:38 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+10.0.2-2 [Wed, 02 May 2018 18:34:04 +0200] Dirk Wiesenthal <wiesenthal@univention.de>:
+
+  * Bug #44921: Use X-Forwarded-Proto
 
 10.0.2-1 [Tue, 06 Mar 2018 06:44:56 +0100] Stefan Gohmann <gohmann@univention.de>:
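Review bot: The new 10.0.2-2 changelog line ("Bug #44921: Use X-Forwarded-Proto") records only one header, while the bug description also proposes X-Forwarded-SSL and Comment 1 asks for SSLProxyCheckPeerExpire Off. If this build includes those, name them in the entry; a relaxed proxy certificate check in particular should be discoverable from the changelog by anyone auditing the package.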
Comment 6 Arvid Requate univentionstaff 2018-05-09 14:21:09 CEST
<http://errata.software-univention.de/ucs/4.3/29.html>