Item14181: Bootstrap detects incorrect hostname, and may mis-detect https when behind a proxy.

pencil
Priority: Enhancement
Current State: Closed
Released In: 2.1.3
Target Release: patch
Applies To: Extension
Component: ConfigureBootstrap
Branches: Item14180 Release02x01 master
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
When Foswiki is behind a proxy, the HTTP_HOST env variable is the URL used by the proxy to connect to Foswiki, not the URL that the user sees.

  http://mywiki.com -> [Proxy Server] -> http://192.168.1.1/

Bootstrap will use the 192.168 URL and not the mywiki.com that is seen by the user. The Headers are somewhat non-standard but X_FORWARDED_HOST is typically used to identify the forwarded hostname.

Note that the initial fix will work for a single proxy. When a cascade of proxy servers is used, the X_FORWARDED_HOST is set to a list of servers.

Also I don't know how to detect the case where the user uses https:// which is proxied through an SSL Accelerator to http://

-- GeorgeClark - 09 Sep 2016

Marking this fixed - but there are the above mentioned limitations. Also need further investigation for effect of proxy on logging (client IP addr, etc).

-- GeorgeClark - 01 Nov 2016

Reopening this. Bootstrap gets it right, but then configure complains about the mismatch. Also, we could helpfully warn that forceDefaultUrlHost should be enabled. Or bootstrap could just set it.

-- GeorgeClark - 15 Dec 2016

I think I've also figured out how to detect https from the proxy, so will try to get that checked in as well. The Browser seems to set HTTP_UPGRADE_INSECURE_REQUESTS for the original view request. It is not set for the jsonrpc requests though, but those have a referer of https:... so that can be used as well.

-- GeorgeClark - 15 Dec 2016

And that doesn't work. Browsers seem to set UPGRADE flag even on HTTP requests. Added a SSL=1 "hint" that will take care of SSL behind a proxy.

-- GeorgeClark - 15 Dec 2016
 
Topic revision: r9 - 18 Feb 2017, GeorgeClark - This page was cached on 23 Sep 2017 - 16:45.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License