On Tue, Feb 7, 2017 at 7:03 PM, Jordan Gigov <colad...@gmail.com> wrote:
> On 7 February 2017 at 18:08, Sander Hoentjen <san...@hoentjen.eu> wrote:
>>
>> I am trying to have haproxy added in front of our Apache servers, for
>> SSL termination. This is not hard to do, and especially with the recent
>> addition of ProxyProtocol support to mod_remoteip it works almost as we
>> need it.
>> Unfortunately we have a lot of users that use things like:
>> RewriteCond %{HTTPS} !on
>> in their .htaccess, and stuff like:
>> if $_SERVER['HTTPS']
>> in their PHP code.
>>
>> [1] https://github.com/AntagonistHQ/httpd/tree/remote-ssl
>
> I submitted an issue and a patch for that some time ago.
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59829

I'm a bit reluctant about these patches, and probably need to be
convinced this isn't an application issue in the first place (why not
use X-Forwarded-Proto or the like to achieve the same? i.e. generate
https links...), or an SSL endpoint issue (why not rewrite URLs or
the like there?).

My point is that we are not changing/masquerading something which is
remote here (like the client IP address), we are making it so that the
applications and httpd itself think they are locally talking SSL/TLS.
Thus they will send things like "; Secure" cookies in "clear" on the
wire, or anything which is expected to not be eavesdroppable.

I'd like others from the community to give their opinions here, for
now I find this quite opposite to TLS principles/expectations...


Regards,
Yann.

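For readers weighing the X-Forwarded-Proto route Yann suggests against the patch, the following httpd configuration is an added illustration and is not from the thread, the patch, or the httpd project. It assumes haproxy terminates TLS, speaks PROXY protocol to a vhost on 127.0.0.1:8080, and always overwrites the request's X-Forwarded-Proto with the scheme it saw (in haproxy terms, something like `http-request set-header X-Forwarded-Proto https if { ssl_fc }` and the `http` counterpart for plain listeners); the hostname and port are placeholders.

```apache
# Added example, not code from the thread or from httpd. Assumes haproxy
# terminates TLS, speaks PROXY protocol to this vhost, and unconditionally
# sets X-Forwarded-Proto to "https" or "http" on every request it forwards.
# Nothing below checks who set that header, so this listener must only be
# reachable from haproxy (loopback here; a firewall rule on a private
# interface works the same way).
Listen 127.0.0.1:8080

LoadModule remoteip_module modules/mod_remoteip.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule rewrite_module  modules/mod_rewrite.so

<VirtualHost 127.0.0.1:8080>
    ServerName www.example.com

    # Recover the real client address from haproxy's PROXY protocol header.
    # Note that after this, Remote_Addr is the end user's address, not
    # haproxy's, so it cannot be used to decide whether to trust the header.
    RemoteIPProxyProtocol On

    # Export the scheme haproxy reported as an environment variable. With
    # mod_php the Apache environment is copied into $_SERVER, so existing
    # "if ($_SERVER['HTTPS'])" checks keep working. Only the exact value
    # "https" qualifies; anything else leaves HTTPS unset.
    SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on

    # mod_rewrite's %{HTTPS} reflects the real connection, which is still
    # plaintext here, so "RewriteCond %{HTTPS} !on" rules in .htaccess must
    # be rewritten to test the header (or %{ENV:HTTPS}) instead:
    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Two caveats follow directly from Yann's objection. First, this only changes what the application believes; the hop from haproxy to httpd is still cleartext, so a cookie set with `Secure` by the application crosses that hop unencrypted exactly as it would with the patch, and the network between the two must be treated accordingly. Second, the rewrite rule is the application-side version of the fix; the "SSL endpoint" version Yann mentions is to redirect at haproxy itself (`redirect scheme https if !{ ssl_fc }`) so httpd never sees plain-HTTP requests that need redirecting.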