httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject Re: mood_remoteip ProxyProtocol addition
Date Tue, 07 Feb 2017 20:33:15 GMT
On Tue, Feb 7, 2017 at 7:03 PM, Jordan Gigov <coladict@gmail.com> wrote:
> On 7 February 2017 at 18:08, Sander Hoentjen <sander@hoentjen.eu> wrote:
>>
>> I am trying to have haproxy added in front of our Apache servers, for
>> SSL termination. This is not hard to do, and especially with the recent
>> addition of ProxyProtocol support to mod_remoteip it works almost as we
>> need it.
>> Unfortunately we have a lot of users that use things like:
>> RewriteCond %{HTTPS} !on
>> in their .htaccess, and stuff like:
>> if $_SERVER['HTTPS']
>> in their PHP code.
>>
>> [1] https://github.com/AntagonistHQ/httpd/tree/remote-ssl
>
> I submitted an issue and a patch for that some time ago.
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59829

I'm a bit reluctant with these patches, and probably need to be
convinced this isn't an application issue in the first place (why not
use X-Forwarded-Proto or alike to achieve the same? i.e. generate
https links...), or an SSL endpoint issue (why not rewrite URLs or
alike there?).

My point is that we are not changing/masquarading something which is
remote here (like the client IP address), we are making so that the
applications and httpd itself think they are locally talking SSL/TLS.
Thus they will send things like "; Secure" cookies in "clear" on the
wire, or anything which is expected to not be eavesdrop-able.

I'd like others from the community to give their opinions here, for
now I find this quite opposite to TLS principles/expectations...


Regards,
Yann.

Mime
View raw message