JPR

Reputation: 31

https redirection loop even with X-Forwarded-Proto

We are building a new server with: Pound -> Varnish -> Apache -> CentOS.

Since Varnish doesn't work in SSL we are setting "X-Forwarded-Proto" to "https" in Pound and we are detecting that way if we are in https.

It's working when we directly access a URL like https://example.com but not when we do a redirection from "http" to "https" with "htaccess" or "PHP". It seems like the X-Forwarded-Proto isn't forwarded with the redirection. So we get stuck in an infinite redirection loop.

We have found a way to perform the redirection with javascript but we would prefer to have a server side solution.

So we are wondering if there is a setting to change in Apache, Pound, Varnish, etc.?

We have tried a lot of solutions like:

////////////////
// htaccess
////////////////////
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule (.*) https://example.com [L,R]


///////////////////
// php 
//////////////////
if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){
    $_SERVER['HTTPS']='on'; 
}

if(!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on'){
    header('Location: '. 'https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
    exit; // stop here so the rest of the page is not sent along with the redirect
}

Our Pound config looks like:

//////////////////
// pound
///////////////
ListenHTTPS

      Address 0.0.0.0 # all interfaces
      Port 443
      AddHeader "X-Forwarded-Proto: https"
      HeadRemove "X-Forwarded-Proto"
      HeadRemove "X-Forwarded-For"
      Cert "/path/to/certificate.pem"

      Service
            BackEnd
                  Address 10.0.0.1
                  Port 80
                  Priority 1
            End

      End
End

We have spent a lot of time on this problem; thanks for helping us!

Upvotes: 3

Views: 5610

Answers (2)

Paul Sweatte

Reputation: 24627

As noted above:

We had to:

  • Put RewriteLocation 0 in the ListenHTTPS
  • Fix a domain name issue in the config

ListenHTTPS

  ReWriteLocation 0

Upvotes: 3

Fabian Schmengler

Reputation: 24576

In my case, Varnish was configured to normalize URLs and removed scheme and domain:

set req.url = regsub(req.url, "^http[s]?://[^/]+", "");

So that the redirect response for http://example.com to https://example.com would be cached and the request to https://example.com would return this cached response.

Removing this normalization or adding

hash_data(req.http.Https);

to sub vcl_hash helped.

Upvotes: 0
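
The caching behaviour described in the answer above, as an added Python model that is not part of the original posts and is not Varnish code. `origin`, `Cache` and `follow` are hypothetical names and the requests are constructed; the model shows why a cache key without the forwarded protocol replays the http-to-https redirect, and why hashing the protocol ends the loop.

```python
from urllib.parse import urlsplit

def origin(host, path, proto):
    """Backend rule from the question: redirect unless X-Forwarded-Proto is https."""
    if proto != "https":
        return 302, "https://" + host + path
    return 200, None

class Cache:
    """Toy stand-in for Varnish; hash_proto=True mimics hash_data() on the proto header."""
    def __init__(self, hash_proto):
        self.hash_proto = hash_proto
        self.store = {}

    def fetch(self, host, path, proto):
        key = (host, path, proto) if self.hash_proto else (host, path)
        if key not in self.store:  # miss: ask the backend and cache its answer
            self.store[key] = origin(host, path, proto)
        return self.store[key]

def follow(cache, url, max_hops=5):
    """Act as the browser: follow Location headers, return (outcome, hops)."""
    for hop in range(max_hops):
        parts = urlsplit(url)
        # The TLS terminator derives the header from the listener, never from the client.
        proto = "https" if parts.scheme == "https" else None
        status, location = cache.fetch(parts.netloc, parts.path or "/", proto)
        if status == 200:
            return "ok", hop
        url = location
    return "loop", max_hops

if __name__ == "__main__":
    # Key without protocol: the cached 302 is replayed to the https request.
    print(follow(Cache(hash_proto=False), "http://example.com/"))
    # Key with protocol: the https request misses the cache and reaches the backend.
    print(follow(Cache(hash_proto=True), "http://example.com/"))
    # Reverse case: a cached https page is served to plain http with no redirect.
    warm = Cache(hash_proto=False)
    follow(warm, "https://example.com/")
    print(follow(warm, "http://example.com/"))
```

The third case is the one to watch for when reviewing a cache in front of an HTTPS-only site: with a shared key, whichever scheme arrives first decides what both schemes receive.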
