Project

General

Profile

Actions

Bug #37467

closed

Change in class.t3lib_div.php may break things for HTTPS via reverse proxy

Added by Sybille Peters over 12 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2012-05-24
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.5
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The change introduced in TYPO3 4.5.16 as fix for bug #36004 makes working in backend impossible for some HTTPS reverse-proxy configurations.

It may be a misconfiguration on our end, but as far as I can see, since the change HTTPS will only work with reverse proxy, if X-Forwarded-For contains local and proxy IP and

 $['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue' = "last";

Login to backend works, but then a network connections error is displayed ("Verbindungsproblem Bei dem Versuch eine Verbindung zum Server herzustellen ist ein Fehler aufgetreten. Bitte überprüfen Sie Ihre Netzwerkverbindung.")

Analyzing this shows that the changed line 4151 in class.t3lib_div.php has caused this problem:

older version:

if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {

newer version:

if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {


Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #29693: Respect HTTP_X_FORWARDED_PROTO in SSL checkRejectedMichael Stucki2011-09-12

Actions
Actions #1

Updated by Sybille Peters over 12 years ago

Further debugging:

$_SERVER['REMOTE_ADDR'] : reverse-proxy ip
$_SERVER['HTTP_X_FORWARDED_FOR'] : client ip
$_SERVER['HTTPS'] : off (because revere-proxy uses normal HTTP session between reverse-proxy and server)
$_SERVER['SSL_SESSION_ID] : empty

Due to this, in the code, because value of self::getIndpEnv('REMOTE_ADDR') is different from proxy, the else branch is executed and $retVal is set to FALSE.

---------------------------------------------------
case 'TYPO3_SSL':
$proxySSL = trim($GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL']);
if ($proxySSL == '*') {
$proxySSL = $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'];
}
if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {
$retVal = TRUE;
} else {
$retVal = $_SERVER['SSL_SESSION_ID'] || !strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1') ? TRUE : FALSE; // see http://bugs.typo3.org/view.php?id=3909
}
break;
-------------------------------------------------------

Actions #2

Updated by Sybille Peters over 12 years ago

Same problem with TYPO3 4.6.9

Actions #3

Updated by Sybille Peters over 12 years ago

Workaround: Issue can be resolved by changing configuration on server:

1) Append IP of reverse-proxy to "X-Forwarded-For" header

2) change typo3conf/localconf.php:

$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'last';

Actions #4

Updated by Christian Opitz about 12 years ago

Sybille Peters wrote:

Workaround: Issue can be resolved by changing configuration on server:

1) Append IP of reverse-proxy to "X-Forwarded-For" header

2) change typo3conf/localconf.php:

$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'last';

That would result in a wrong t3lib_div::getIndpEnv('REMOTE_ADDR') which is not very helpful - another (also awkward) workarround would be:

$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'first';
$TYPO3_CONF_VARS['SYS']['reverseProxySSL'] = array_shift(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 1));
$TYPO3_CONF_VARS['SYS']['reverseProxyIP'] = '10.1.1.10';

Anyway, to me it's obvious that comparing the $_SERVER['REMOTE_ADDR'] instead of self::getIndpEnv('REMOTE_ADDR') with $proxyIp would be the way to go.

Actions #5

Updated by Xavier Perseguers about 12 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
Actions #6

Updated by Sybille Peters almost 12 years ago

Issue still persists in 4.5.22

Both proposed work-arounds are crude and not to be recommendended in the long run (in my opinion).

Actions #7

Updated by Xavier Perseguers almost 12 years ago

  • Status changed from Resolved to Needs Feedback
  • % Done changed from 100 to 0

Don't know why I set it to resolved

Actions #8

Updated by Sybille Peters almost 12 years ago

What feedback?

Actions #9

Updated by Alexander Opitz over 11 years ago

Hi,

this issue is very old, does it still exists with newer versions of TYPO3 CMS (4.5 or 6.1)?

Actions #10

Updated by kelsaka no-lastname-given over 11 years ago

For Typo3 4.5.27 the issue still exists.

Actions #11

Updated by Sybille Peters over 11 years ago

Reproduced with TYPO3 CMS 4.7.12 and 4.5.27.

For now, we found a configuration that works. For the future, I would not recommend using a reverse proxy with TYPO3.

Actions #12

Updated by Alexander Opitz over 11 years ago

  • Status changed from Needs Feedback to New
Actions #13

Updated by Christian Ludwig over 11 years ago

This bug exists in all versions of TYPO3 (4.7.12 and 6.1.1 checked).

if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {

should be changed to
if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {

as it is used in case 'TYPO3_REV_PROXY':

/t3lib/class.t3lib_div.php (v4.7.12 on line 3651)
/typo3/sysext/core/Classes/Utility/GeneralUtility.php (v6.1.1 on line 3311)

Issues #29693 fixes it and respects HTTP_X_FORWARDED_PROTO.

Actions #14

Updated by Jan-Erik Revsbech over 10 years ago

I can confirm that this is indeed a problem. I seem to have other problems when solving this, so I will dig a little further into this problem, but otherwise I will submit a patchet that fixes this.

Actions #15

Updated by Gerrit Code Review over 10 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581

Actions #16

Updated by Gerrit Code Review over 10 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581

Actions #17

Updated by Gerrit Code Review over 10 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581

Actions #18

Updated by Gerrit Code Review over 10 years ago

Patch set 1 for branch TYPO3_6-1 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30604

Actions #19

Updated by Jan-Erik Revsbech over 10 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #20

Updated by Sybille Peters almost 7 years ago

  • Description updated (diff)
Actions #21

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF