Send modauthtkt-users mailing list submissions to modauthtkt-users@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
    modauthtkt-users-requ...@lists.sourceforge.net

You can reach the person managing the list at
    modauthtkt-users-ow...@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."

Today's Topics:

   1. Re: x_forwarded_host & redirects (Christian Folini)
   2. Re: x_forwarded_host & redirects (Gavin Carr)
   3. Re: x_forwarded_host & redirects (Charles Colbourn)
   4. Re: x_forwarded_host & redirects (Gavin Carr)
   5. Re: x_forwarded_host & redirects (Charles Colbourn)
   6. Re: x_forwarded_host & redirects (Gavin Carr)
   7. Re: x_forwarded_host & redirects (Charles Colbourn)

----------------------------------------------------------------------

Message: 1
Date: Thu, 25 Mar 2010 11:17:17 +0100
From: Christian Folini <christian.fol...@time-machine.ch>
Subject: Re: [modauthtkt-users] x_forwarded_host & redirects
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20100325101717.ga1...@localhost>
Content-Type: text/plain; charset=utf-8

On Thu, Mar 25, 2010 at 10:01:41AM +0000, Charles Colbourn wrote:
> We're using Apache 1.3, partly because we've previously been unable to
> get mod_authtkt working on Apache2 (apparently - before my time), and
> mod_headers in Apache 1.x doesn't seem to support the 'RequestHeader'.
> I hoped to get mod_rewrite to do it, but so far I've had no success
> finding a syntax to unset request headers.

You can't do that in 1.3 AFAIK. Move on to Apache 2.2.
Mod_auth_tkt works as a bliss and Apache 1.3 is out of support.

Regs,

Christian

--
I will live in the Past, the Present, and the Future. The Spirits of all
Three shall strive within me. I will not shut out the lessons that they teach.
--- Charles Dickens

------------------------------

Message: 2
Date: Thu, 25 Mar 2010 13:09:39 +0000
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] x_forwarded_host & redirects
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20100325130937.ga6...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

Hi Charles,

On Wed, Mar 24, 2010 at 04:29:52PM +0000, Charles Colbourn wrote:
> we've been having problems with invalid URL's in redirects coming back
> from mod_authtkt. On delving around in the code it appears that
> mod_authtkt treats X_FORWARDED_HOST as the webservers hostname for
> building the redirect URL ('appears' - I'm not too handy with C so
> apologies if I'm missing some processing here). Trouble is, our
> requests have been through a proxy and contain a comma separated list
> of hostnames.

That doesn't sound right - are you sure you're not looking at
X-Forwarded-For, which can be a list:

  X-Forwarded-For: client1, proxy1, proxy2

X-Forwarded-Host is supposed to be the original Host header requested
by the client, so the server can tell what it's called as far as the
proxy is concerned. See the apache mod_proxy docs:

  http://httpd.apache.org/docs/2.1/mod/mod_proxy.html

Of course, it could be weird proxy behaviour, as these are all
non-RFC headers. What is the proxy?

Cheers,
Gavin

------------------------------

Message: 3
Date: Thu, 25 Mar 2010 13:50:49 +0000
From: Charles Colbourn <charles.colbo...@googlemail.com>
Subject: Re: [modauthtkt-users] x_forwarded_host & redirects
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <3e3448551003250650v234fdd00t7dbedfdfe070...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi Gavin,

From the Apache mod_proxy documentation:

"X-Forwarded-For
    The IP address of the client.
X-Forwarded-Host
    The original host requested by the client in the Host HTTP request header.
X-Forwarded-Server
    The hostname of the proxy server.

Be careful when using ***these*** headers on the origin server, since
they will contain more than one (comma-separated) value if the
original request already contained one of these headers. For example,
you can use %{X-Forwarded-For}i in the log format string of the origin
server to log the original clients IP address, but you may get more
than one address if the request passes through several proxies."

(My *** emphasis).

My initial thought was the same - it should be the original host the
ultimate downstream client requested. It looks like some
vendors/developers have interpreted this as meaning that
X-Forwarded-Host should, at each proxy, have the host requested by the
last client (real client or proxy) added to the list.

So if the request goes through 2 proxies, the first will set the
header to the host requested by the original client, and the second
will add on the host requested by the first proxy (whether that's the
same or not).

I'm guessing this behaviour is a troubleshooting feature. Some of our
proxies write it, others don't, resulting in intermittent behaviour
depending on the path the client follows.

------------------------------

Message: 4
Date: Thu, 25 Mar 2010 15:58:15 +0000
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] x_forwarded_host & redirects
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20100325155813.gb6...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

Hi Charles,

On Thu, Mar 25, 2010 at 01:50:49PM +0000, Charles Colbourn wrote:
> From the Apache mod_proxy documentation:
>
> "X-Forwarded-For
>     The IP address of the client.
> X-Forwarded-Host
>     The original host requested by the client in the Host HTTP request header.
> X-Forwarded-Server
>     The hostname of the proxy server.
>
> Be careful when using ***these*** headers on the origin server, since
> they will contain more than one (comma-separated) value if the
> original request already contained one of these headers.
> For example, you can use %{X-Forwarded-For}i in the log format string
> of the origin server to log the original clients IP address, but you
> may get more than one address if the request passes through several
> proxies."
>
> (My *** emphasis).
>
> My initial thought was the same - it should be the original host the
> ultimate downstream client requested. It looks like some
> vendors/developers have interpreted this as meaning that
> X-Forwarded-Host should, at each proxy, have the host requested by the
> last client (real client or proxy) added to the list.
>
> So if the request goes through 2 proxies, the first will set the
> header to the host requested by the original client, and the second
> will add on the host requested by the first proxy (whether that's the
> same or not).

Ah lovely. :-/

So if we strip off everything from the first comma, that should do what
you need? I suppose that's reasonable, although I dislike having to rely
on non-standard headers at all.

Cheers,
Gavin

------------------------------

Message: 5
Date: Thu, 25 Mar 2010 16:21:08 +0000
From: Charles Colbourn <charles.colbo...@googlemail.com>
Subject: Re: [modauthtkt-users] x_forwarded_host & redirects
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <3e3448551003250921h39b61177v97e37f77b2dba...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Probably - the header I'm looking at just has the same hostname twice,
separated by commas. Personally I'd be just as happy to use HTTP_HOST
instead of X-FORWARDED-HOST. I'm curious, what's the reasoning behind
preferring to populate the hostname from the latter?

thanks,
Charles.

------------------------------

Message: 6
Date: Thu, 25 Mar 2010 17:06:10 +0000
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] x_forwarded_host & redirects
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20100325170608.gc6...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

On Thu, Mar 25, 2010 at 04:21:08PM +0000, Charles Colbourn wrote:
> Probably - the header I'm looking at just has the same hostname twice,
> separated by commas. Personally I'd be just as happy to use HTTP_HOST
> instead of X-FORWARDED-HOST. I'm curious, what's the reasoning behind
> preferring to populate the hostname from the latter?

It's that in a proxy situation, the HTTP_HOST should be the host (and port)
as seen by the proxy, which may be quite different from the host and port
you present outside. Are yours the same?

Cheers,
Gavin

------------------------------

Message: 7
Date: Thu, 25 Mar 2010 21:03:46 +0000
From: Charles Colbourn <charles.colbo...@googlemail.com>
Subject: Re: [modauthtkt-users] x_forwarded_host & redirects
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <3e3448551003251403g4c5c7ae8xeb5921e3eb02e...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Silly of me, I should have realised. Ours are very probably set up
that way, there are effectively 2 proxies between the servers and the
outside, and the internal hostnames will differ from the externally
facing ones.

I don't know what order the hostnames are added into the
x-forwarded-host header in - whether they're tagged on the end or
prepended. I'd guess they'd be added, so the first in the list should
be the external name the client is asking for.

cheers,
Charles.
------------------------------

End of modauthtkt-users Digest, Vol 25, Issue 2
***********************************************
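
The "strip off everything from the first comma" idea from the thread, as an added example in C: this is not mod_auth_tkt's code and not code from any poster. The function names are hypothetical, and the extra steps (rejecting anything that is not a plain host[:port], falling back to the Host header) are assumptions of this sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy the first comma-separated element of an
 * X-Forwarded-Host value into out, trimmed. Returns 0 on success, -1 if the
 * element is empty, too long, or not a plain host[:port] (no IPv6 literals). */
int first_forwarded_host(const char *hdr, char *out, size_t outlen)
{
    if (hdr == NULL || out == NULL || outlen == 0)
        return -1;
    while (*hdr == ' ' || *hdr == '\t')      /* skip leading whitespace */
        hdr++;
    size_t len = strcspn(hdr, ",");          /* stop at the first comma */
    while (len > 0 && (hdr[len - 1] == ' ' || hdr[len - 1] == '\t'))
        len--;                               /* trim trailing whitespace */
    if (len == 0 || len >= outlen)
        return -1;
    int in_port = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)hdr[i];
        if (c == ':' && !in_port && i > 0 && i + 1 < len)
            in_port = 1;                     /* single host:port separator */
        else if (in_port ? !isdigit(c) : !(isalnum(c) || c == '-' || c == '.'))
            return -1;                       /* rejects CR/LF, '/', spaces, ... */
    }
    memcpy(out, hdr, len);
    out[len] = '\0';
    return 0;
}

/* Hypothetical helper: host to use in a redirect URL. Prefers the first
 * X-Forwarded-Host element, otherwise the Host header; -1 if neither is usable. */
int pick_redirect_host(const char *xfh, const char *host, char *out, size_t outlen)
{
    if (xfh != NULL && first_forwarded_host(xfh, out, outlen) == 0)
        return 0;
    return first_forwarded_host(host, out, outlen);
}

int main(void)
{
    char buf[64];
    /* Constructed sample: the same hostname twice, as described in the thread. */
    if (pick_redirect_host("www.example.com, www.example.com", "backend.internal", buf, sizeof buf) == 0)
        printf("redirect host: %s\n", buf);
    return 0;
}
```

Taking the first element assumes each proxy appends to the header, which the thread leaves as a guess; the header is also client-supplied unless the outermost proxy overwrites it, so the validation step matters when the value ends up in a Location header.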