Internal Apache port leaks when using proxy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | Medium | Unassigned |
2.12 | Fix Released | Medium | Unassigned |
Bug Description
Evergreen circa 2.11, affects all versions.
Related to OpenSRF bugs #1638651 and #1648188.
When Apache is configured to use nonstandard ports (e.g. 7080 vs. 80, 7443 vs 443) for use in combination with a proxy server (see opensrf bugs above), Apache will in some cases leak the internal port number to the client, causing the browser to side-step the proxy and attempt to talk directly to the internal Apache port.
So far, I've only seen this in one type of scenario, using RedirectMatch:
RedirectMatch 301 ^/$ /eg/opac/home
This will redirect a browser from http://
One solution is to replace the RedirectMatch instances with something like this:
RewriteRule ^/$ %{REQUEST_
Other suggestions welcome, of course.
Changed in evergreen:
milestone: 2.12-rc → 2.12.0
tags: added: signedoff
Changed in evergreen:
milestone: 2.12.1 → 2.12.2
tags: added: signedoff
Changed in evergreen:
assignee: nobody → Galen Charlton (gmc)
Changed in evergreen:
status: Fix Committed → Fix Released
Config updates pushed here:
http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/berick/lp1648234-apache-proxy-leaks-port
1. As written, these changes further bake into the configuration the assumption that the browser will be requesting standard 80/443 ports. However, these are not the only configuration bits that assume this. And it's still possible to use non-standard ports on the client side, but it would require additional Apache config changes.
2. There are a number of JSPAC => TPAC redirects that I did not address in this patch. Are we planning to keep these in the stock configuration indefinitely?
From the commit:
Paths affected by this patch:
/
/eg/staff
/opac/extras/slimpac/start.html
/opac/extras/slimpac/advanced.html
/opac/extras/slimpac/.*?locale=.*
To test:
1. Configure Apache to use non-standard ports for port 80/443 (e.g. 7080 and 70443).
2. Confirm the issue by navigating to http://HOST/
3. This should redirect the browser to http://HOST:7080/eg/opac/home
4. Apply the Apache config changes and reload/restart Apache.
5. Clear the browser cache to reset any redirects.
6. Navigate to http://HOST/
7. Confirm it redirects the browser to http://HOST/eg/opac/home
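
The manual test above can be automated by comparing each redirect's Location header with the port the client actually used. The following is an added example, not part of the bug report or the Evergreen code base; the host opac.example.org, the function names and the sample redirects are constructed for illustration, with 7080 and 7443 taken from the report's example ports.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def effective_port(url):
    """Port a client would connect to for an absolute http(s) URL."""
    parts = urlsplit(url)
    return parts.port or DEFAULT_PORTS.get(parts.scheme)

def leaked_port(request_url, location):
    """Return the unexpected port in a redirect target, or None if clean."""
    # A relative Location resolves against the request URL and cannot leak.
    target = urljoin(request_url, location)
    req, tgt = urlsplit(request_url), urlsplit(target)
    if tgt.hostname != req.hostname:
        return None  # cross-host redirects are out of scope for this check
    # Same scheme: the port must match the one the client used. Scheme change
    # (http -> https): only the new scheme's default port is acceptable.
    if tgt.scheme == req.scheme:
        expected = effective_port(request_url)
    else:
        expected = DEFAULT_PORTS.get(tgt.scheme)
    actual = effective_port(target)
    return actual if actual != expected else None

# Constructed samples: (URL requested through the proxy, Location header).
# opac.example.org is a placeholder; 7080/7443 are the report's example ports.
SAMPLES = [
    ("http://opac.example.org/", "http://opac.example.org:7080/eg/opac/home"),
    ("http://opac.example.org/", "http://opac.example.org/eg/opac/home"),
    ("http://opac.example.org/", "/eg/opac/home"),
    ("http://opac.example.org/eg/staff", "https://opac.example.org/eg/staff/"),
    ("https://opac.example.org/", "https://opac.example.org:7443/eg/opac/home"),
]

def audit(samples):
    """Return (request_url, location, port) for every leaking redirect."""
    return [(u, loc, p) for u, loc in samples
            if (p := leaked_port(u, loc)) is not None]

if __name__ == "__main__":
    for url, loc, port in audit(SAMPLES):
        print(f"LEAK port {port}: {url} -> {loc}")
```

A client that deliberately reaches the proxy on a non-standard port is not flagged, because the expected port is taken from the request URL rather than assumed to be 80 or 443.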