rack-devel archive mirror (unofficial) https://groups.google.com/group/rack-devel
* Problem with redirects where a Rack app sits behind a proxy
@ 2010-11-28 14:21 Jon Leighton
  2010-11-28 14:46 ` Lee Hambley
  0 siblings, 1 reply; 3+ messages in thread
From: Jon Leighton @ 2010-11-28 14:21 UTC (permalink / raw)
  To: Rack Development

Hi there,

I have encountered a problem with redirects with Sinatra proxied by
Apache. Basically, the port number of the backend application server
(Mongrel or whatever) will appear in the Location header.

I've done a fairly extensive investigation here: https://github.com/jonleighton/redirect_test

If you read README.md it basically explains everything in detail, but
what it boils down to is this: Rack::Request#port is incorrect, in
that it uses SERVER_PORT when no explicit port is given by
host_with_port.

Rails is not affected, since it implements its own
ActionDispatch::Request#port method. I believe the Rails
implementation is correct and should be implemented in Rack.

If people agree with this analysis then I'm happy to produce a patch
against Rack.

Cheers,
Jon

--
http://jonathanleighton.com/
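The port mix-up described above, as an added Ruby example that is not code from the thread, from Rack or from Rails: it puts the SERVER_PORT fallback next to the scheme-default fallback and builds the resulting Location header from a constructed proxied env. The env hash, the helper names and the Apache-on-80/Mongrel-on-3000 layout are assumptions made for the example.

```ruby
# Host as the proxy's client saw it: last X-Forwarded-Host entry, then Host,
# then the backend's own SERVER_NAME:SERVER_PORT (the order Rack looks in).
def host_with_port(env)
  if (fwd = env['HTTP_X_FORWARDED_HOST'])
    fwd.split(/,\s?/).last
  elsif env['HTTP_HOST']
    env['HTTP_HOST']
  else
    "#{env['SERVER_NAME']}:#{env['SERVER_PORT']}"
  end
end

# Port written explicitly into the host string, or nil if there is none.
def explicit_port(env)
  m = host_with_port(env).match(/:(\d+)\z/)
  m && m[1].to_i
end

# Behaviour the thread complains about: no ":port" in the forwarded host is
# taken to mean SERVER_PORT, which is the backend's (Mongrel's) port.
def port_server_port_fallback(env)
  explicit_port(env) || env['SERVER_PORT'].to_i
end

# Behaviour the thread proposes (and Rails implements): no ":port" means the
# scheme's default port, since the proxy would have passed a non-default one.
def port_default_fallback(env)
  explicit_port(env) || (env['rack.url_scheme'] == 'https' ? 443 : 80)
end

# Absolute Location header built with either port rule.
def location_for(env, path, port_rule)
  scheme  = env['rack.url_scheme']
  host    = host_with_port(env).sub(/:\d+\z/, '')
  port    = send(port_rule, env)
  default = scheme == 'https' ? 443 : 80
  authority = port == default ? host : "#{host}:#{port}"
  "#{scheme}://#{authority}#{path}"
end

# Constructed env (assumption): Apache on :80 proxying to Mongrel on :3000, so
# X-Forwarded-Host carries no port because the client used the default one.
PROXIED_ENV = {
  'rack.url_scheme'       => 'http',
  'SERVER_NAME'           => '127.0.0.1', 'SERVER_PORT' => '3000',
  'HTTP_HOST'             => '127.0.0.1:3000',
  'HTTP_X_FORWARDED_HOST' => 'example.com',
}.freeze
```

With the SERVER_PORT rule the redirect leaks the backend port (`http://example.com:3000/login`); with the scheme-default rule it comes out as `http://example.com/login`, while an explicit `example.com:8443` in X-Forwarded-Host is honoured by both.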


* Re: Problem with redirects where a Rack app sits behind a proxy
  2010-11-28 14:21 Problem with redirects where a Rack app sits behind a proxy Jon Leighton
@ 2010-11-28 14:46 ` Lee Hambley
  2010-11-28 15:22   ` Jon Leighton
  0 siblings, 1 reply; 3+ messages in thread
From: Lee Hambley @ 2010-11-28 14:46 UTC (permalink / raw)
  To: rack-devel


Jon, it's the responsibility of your proxy to set X-Forwarded-For, and of
the Application to check :port if it cares about the real port, or the
X-Forwarded-For list in the case that you acknowledge the request might be
proxied.

Often XFF can be used to trick sites that use it for some `security` (not
your case) as the client can spoof it.

In case you use Nginx, at least you can specify to proxy transparently
(completely) - so your app wouldn't be any wiser.

Some proxies (Akamai) will also set a True-Client-IP header to the value set
last in XFF.

 • http://en.wikipedia.org/wiki/X-Forwarded-For

Hope that makes sense, Jon (it would be nice to have a standard Ruby way to look
at the proxies & original client info from the `smart` places, as it comes
up for a lot of people). Here's a snippet of an nginx backend configuration
that solved this in the easiest way for me:
https://gist.github.com/46cc2ba95794f5c92693

- Lee

On 28 November 2010 15:21, Jon Leighton <j@jonathanleighton.com> wrote:

> Hi there,
>
> I have encountered a problem with redirects with Sinatra proxied by
> Apache. Basically, the port number of the backend application server
> (Mongrel or whatever) will appear in the Location header.
>
> I've done a fairly extensive investigation here:
> https://github.com/jonleighton/redirect_test
>
> If you read README.md it basically explains everything in detail, but
> what it boils down to is this: Rack::Request#port is incorrect, in
> that it uses SERVER_PORT when no explicit port is given by
> host_with_port.
>
> Rails is not affected, since it implements its own
> ActionDispatch::Request#port method. I believe the Rails
> implementation is correct and should be implemented in Rack.
>
> If people agree with this analysis then I'm happy to produce a patch
> against Rack.
>
> Cheers,
> Jon
>
> --
> http://jonathanleighton.com/



* Re: Problem with redirects where a Rack app sits behind a proxy
  2010-11-28 14:46 ` Lee Hambley
@ 2010-11-28 15:22   ` Jon Leighton
  0 siblings, 0 replies; 3+ messages in thread
From: Jon Leighton @ 2010-11-28 15:22 UTC (permalink / raw)
  To: rack-devel


Hi Lee,

Thanks for your reply. I'm not entirely following though, so I wonder if
there is some confusion.

For a start, this issue doesn't relate to X-Forwarded-For, but to
X-Forwarded-Host and the SERVER_NAME and SERVER_PORT env variables set
by the app servers.

My basic complaint is that Rack is taking the absence of a ":port"
section in X-Forwarded-For to mean "fall back to SERVER_PORT", when in
fact I think it should be interpreted as "fall back to port 80 (or
443)". (Which is what Rails does.)

See https://github.com/jonleighton/redirect_test/blob/master/README.md
for more detail.

Hope this makes sense.

Cheers,
Jon

On Sun, 2010-11-28 at 15:46 +0100, Lee Hambley wrote:
> Jon, it's the responsibility of your proxy to set X-Forwarded-For, and
> of the Application to check :port if it cares about the real port, or
> the X-Forwarded-For list in the case that you acknowledge the request
> might be proxied.
> 
> 
> Often XFF can be used to trick sites that use it for some `security`
> (not your case) as the client can spoof it.
> 
> 
> In case you use NGinx, at least you can specify to proxy transparently
> (completely) - so your app wouldn't be any wiser.
> 
> 
> Some proxies (Akamai) will also set a True-Client-IP header to the
> value set last in XFF.
> 
> 
>  • http://en.wikipedia.org/wiki/X-Forwarded-For
> 
> Hope that makes sense Jon (would be nice to have a standard Ruby way
> to look at the proxies & original client info from the `smart` places,
> as it comes up for a lot of people. Here's a snippet of a nginx
> backend configuration that solved this in the easiest way for me.
> https://gist.github.com/46cc2ba95794f5c92693
> 
> 
> - Lee  
> 
> On 28 November 2010 15:21, Jon Leighton <j@jonathanleighton.com>
> wrote:
>         Hi there,
>         
>         I have encountered a problem with redirects with Sinatra
>         proxied by
>         Apache. Basically, the port number of the backend application
>         server
>         (Mongrel or whatever) will appear in the Location header.
>         
>         I've done a fairly extensive investigation here:
>         https://github.com/jonleighton/redirect_test
>         
>         If you read README.md it basically explains everything in
>         detail, but
>         what it boils down to is this: Rack::Request#port is
>         incorrect, in
>         that it uses SERVER_PORT when no explicit port is given by
>         host_with_port.
>         
>         Rails is not affected, since it implements its own
>         ActionDispatch::Request#port method. I believe the Rails
>         implementation is correct and should be implemented in Rack.
>         
>         If people agree with this analysis then I'm happy to produce a
>         patch
>         against Rack.
>         
>         Cheers,
>         Jon
>         
>         --
>         http://jonathanleighton.com/
> 
> 

-- 
http://jonathanleighton.com/

