HTTPS forwarding even with X-Forwarded-Proto
We are creating a new server with: Pound -> Varnish -> Apache -> CentOS.
Since Varnish does not work with SSL, we set "X-Forwarded-Proto" to "https" in Pound, and we use this to detect whether we are on HTTPS.
It works when we request a direct URL like https://example.com, but not when we redirect from "http" to "https" with "htaccess" or "PHP". It looks like X-Forwarded-Proto is not being forwarded with a redirect. Thus, we are stuck in an endless loop of redirection.
We found a way to accomplish the redirect using JavaScript, but we'd rather have a server-side solution.
So we wonder if there is a setting to change in Apache, Pound, Varnish, etc.?
We have tried many solutions such as:
////////////////
// htaccess
////////////////////
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) https://example.com [L,R]
///////////////////
// php
//////////////////
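// Treat the request as HTTPS when the proxy says the client used HTTPS
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
}
// Otherwise redirect to the HTTPS URL and stop processing the request
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
    header('Location: ' . 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
}
Our Pound config looks like: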
//////////////////
// pound
///////////////
ListenHTTPS
    Address 0.0.0.0 # all interfaces
    Port 443
    AddHeader "X-Forwarded-Proto: https"
    HeadRemove "X-Forwarded-Proto"
    HeadRemove "X-Forwarded-For"
    Cert "/path/to/certificate.pem"
    Service
        BackEnd
            Address 10.0.0.1
            Port 80
            Priority 1
        End
    End
End
We have spent a lot of time on this problem; please help us!
In my case, Varnish had been configured to normalize URLs and remove the scheme and domain:
set req.url = regsub(req.url, "^http[s]?://[^/]+", "");
So, the redirect response for http://example.com to https://example.com will be cached and requesting https://example.com will return this cached response.
Removing this normalization or adding
hash_data(req.http.Https);
to sub vcl_hash.
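As an added illustration (not code from either post), this Python toy model shows why a cache key that omits the scheme turns the cached redirect into a loop, and why adding the scheme to the hash ends it. It assumes Varnish caches the 302 as the answer describes and that the scheme reaches Varnish in X-Forwarded-Proto; the function and class names are made up for the example.

```python
# Added illustration: a toy model of Pound -> Varnish -> Apache, not real VCL.
HOST = "example.com"  # constructed sample host

def origin(headers):
    """Apache rule from the question: redirect unless X-Forwarded-Proto is https."""
    if headers.get("X-Forwarded-Proto") != "https":
        return (302, "https://" + HOST + headers["url"])
    return (200, "page body")

class Cache:
    """Varnish stand-in; vary_on_proto=True mimics adding the scheme to vcl_hash."""
    def __init__(self, vary_on_proto):
        self.vary_on_proto = vary_on_proto
        self.store = {}

    def fetch(self, headers):
        # The URL is already stripped of scheme and domain, as in the answer's regsub.
        key = (HOST, headers["url"])
        if self.vary_on_proto:
            key += (headers.get("X-Forwarded-Proto", ""),)
        if key not in self.store:          # miss: ask the backend and cache it
            self.store[key] = origin(headers)
        return self.store[key]

def pound(scheme, url):
    """Pound: only the HTTPS listener adds X-Forwarded-Proto: https."""
    headers = {"url": url}
    if scheme == "https":
        headers["X-Forwarded-Proto"] = "https"
    return headers

def browse(cache, start="http://example.com/", max_hops=5):
    """Follow redirects like a browser; return (final_status, hops_used)."""
    target = start
    for hop in range(max_hops):
        scheme, rest = target.split("://", 1)
        url = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
        status, payload = cache.fetch(pound(scheme, url))
        if status != 302:
            return status, hop
        target = payload                   # follow the Location header
    return 302, max_hops                   # still redirecting: a loop

if __name__ == "__main__":
    print("scheme not in hash:", browse(Cache(vary_on_proto=False)))
    print("scheme in hash:    ", browse(Cache(vary_on_proto=True)))
```

The same shared key also works the other way round: if the HTTPS page is cached first, plain HTTP clients receive it without ever being redirected.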