Bug #37467
Change in class.t3lib_div.php may break things for HTTPS via reverse proxy
100%
Description
The change introduced in TYPO3 4.5.16 as fix for bug #36004 makes working in backend impossible for some HTTPS reverse-proxy configurations.
It may be a misconfiguration on our end, but as far as I can see, since the change HTTPS will only work with reverse proxy, if X-Forwarded-For contains local and proxy IP and
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue'] = "last";
Login to backend works, but then a network connection error is displayed ("Verbindungsproblem Bei dem Versuch eine Verbindung zum Server herzustellen ist ein Fehler aufgetreten. Bitte überprüfen Sie Ihre Netzwerkverbindung.")
Analyzing this shows that the changed line 4151 in class.t3lib_div.php has caused this problem:
older version:
if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {
newer version:
if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {
Related issues
Associated revisions
[BUGFIX] getIndpEnv('TYPO3_SSL') fails to detect reverseProxyIp
When running TYPO3 behind a reverse proxy, which also handles SSL,
the setting reverseProxySSL should check if the site is requested
from one of the reverse proxies in order to determine whether
the site is using SSL.
It incorrectly does this check via getIndpEnv('REMOTE_ADDR') which has
already translated the proxy IP to the end-user's IP, thus always
returning FALSE.
Resolves: #37467
Release: 6.2, 6.1
Change-Id: I95615b0fea94e0ef0222e958e4e0bba5e6e9f60a
Reviewed-on: https://review.typo3.org/30581
Reviewed-by: Wouter Wolters
Reviewed-by: Mattias Nilsson
Tested-by: Mattias Nilsson
Reviewed-by: Jan-Erik Revsbech
Tested-by: Jan-Erik Revsbech
Reviewed-by: Markus Klein
Tested-by: Markus Klein
[BUGFIX] getIndpEnv('TYPO3_SSL') fails to detect reverseProxyIp
When running TYPO3 behind a reverse proxy, which also handles SSL,
the setting reverseProxySSL should check if the site is requested
from one of the reverse proxies in order to determine whether
the site is using SSL.
It incorrectly does this check via getIndpEnv('REMOTE_ADDR') which has
already translated the proxy IP to the end-user's IP, thus always
returning FALSE.
Resolves: #37467
Releases: 6.2, 6.1
Change-Id: I95615b0fea94e0ef0222e958e4e0bba5e6e9f60a
Reviewed-on: https://review.typo3.org/30604
Reviewed-by: Markus Klein
Tested-by: Markus Klein
History
#1
Updated by Sybille Peters over 7 years ago
Further debugging:
$_SERVER['REMOTE_ADDR'] : reverse-proxy ip
$_SERVER['HTTP_X_FORWARDED_FOR'] : client ip
$_SERVER['HTTPS'] : off (because reverse-proxy uses normal HTTP session between reverse-proxy and server)
$_SERVER['SSL_SESSION_ID'] : empty
Due to this, in the code, because value of self::getIndpEnv('REMOTE_ADDR') is different from proxy, the else branch is executed and $retVal is set to FALSE.
---------------------------------------------------
case 'TYPO3_SSL':
    $proxySSL = trim($GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL']);
    if ($proxySSL == '*') {
        $proxySSL = $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'];
    }
    if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {
        $retVal = TRUE;
    } else {
        $retVal = $_SERVER['SSL_SESSION_ID'] || !strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1') ? TRUE : FALSE; // see http://bugs.typo3.org/view.php?id=3909
    }
    break;
-------------------------------------------------------
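The failure traced in the comment above, as an added example that is not part of the original thread and not TYPO3 source: a simplified model of the `TYPO3_SSL` check, comparing the translated client address with the socket peer address. The function names, the exact-match IP comparison (TYPO3 uses `cmpIP`) and all addresses are assumptions made for the illustration.

```php
<?php
// Added illustration, not TYPO3 source. Function names, exact-match IP
// comparison and all addresses are assumptions made for this example.

// Simplified model of getIndpEnv('REMOTE_ADDR'): behind the configured proxy,
// the client address is taken from X-Forwarded-For.
function effectiveRemoteAddr(array $server, array $conf): string
{
    $peer = $server['REMOTE_ADDR'];
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($peer !== $conf['reverseProxyIP'] || $xff === '') {
        return $peer; // header from a non-proxy peer is ignored
    }
    $ips = array_map('trim', explode(',', $xff));
    return $conf['reverseProxyHeaderMultiValue'] === 'last' ? end($ips) : reset($ips);
}

// SSL terminated on the web server itself.
function directSsl(array $server): bool
{
    $https = $server['HTTPS'] ?? '';
    return !empty($server['SSL_SESSION_ID']) || strcasecmp($https, 'on') === 0 || $https === '1';
}

// $useSocketPeer = false: compare the translated address (behaviour in the ticket).
// $useSocketPeer = true: compare $_SERVER['REMOTE_ADDR'] (change proposed in the ticket).
function detectSsl(array $server, array $conf, bool $useSocketPeer): bool
{
    $proxySSL = $conf['reverseProxySSL'] === '*' ? $conf['reverseProxyIP'] : $conf['reverseProxySSL'];
    $addr = $useSocketPeer ? $server['REMOTE_ADDR'] : effectiveRemoteAddr($server, $conf);
    return $addr === $proxySSL || directSsl($server);
}

// Constructed requests: proxy 10.1.1.10 speaks plain HTTP to the backend.
$conf = ['reverseProxyIP' => '10.1.1.10', 'reverseProxySSL' => '*', 'reverseProxyHeaderMultiValue' => 'first'];
$cases = [
    'via proxy, XFF = client' => [['REMOTE_ADDR' => '10.1.1.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7', 'HTTPS' => 'off'], $conf],
    'via proxy, XFF = client + proxy, "last"' => [['REMOTE_ADDR' => '10.1.1.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.1.1.10', 'HTTPS' => 'off'], ['reverseProxyHeaderMultiValue' => 'last'] + $conf],
    'direct peer sending its own XFF' => [['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '10.1.1.10', 'HTTPS' => 'off'], $conf],
];
foreach ($cases as $label => [$server, $c]) {
    printf("%-42s client=%-13s translated=%-5s socket-peer=%s\n", $label,
        effectiveRemoteAddr($server, $c),
        var_export(detectSsl($server, $c, false), true),
        var_export(detectSsl($server, $c, true), true));
}
```

The second row models the "last" workaround: SSL is detected, but the reported client address becomes the proxy's own IP.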
#2
Updated by Sybille Peters over 7 years ago
Same problem with TYPO3 4.6.9
#3
Updated by Sybille Peters over 7 years ago
Workaround: Issue can be resolved by changing configuration on server:
1) Append IP of reverse-proxy to "X-Forwarded-For" header
2) change typo3conf/localconf.php:
$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'last';
#4
Updated by Christian Opitz about 7 years ago
Sybille Peters wrote:
> Workaround: Issue can be resolved by changing configuration on server:
> 1) Append IP of reverse-proxy to "X-Forwarded-For" header
> 2) change typo3conf/localconf.php:
> $TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'last';
That would result in a wrong t3lib_div::getIndpEnv('REMOTE_ADDR')
which is not very helpful - another (also awkward) workaround would be:
$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'first';
$TYPO3_CONF_VARS['SYS']['reverseProxySSL'] = array_shift(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 1));
$TYPO3_CONF_VARS['SYS']['reverseProxyIP'] = '10.1.1.10';
Anyway, to me it's obvious that comparing the $_SERVER['REMOTE_ADDR'] instead of self::getIndpEnv('REMOTE_ADDR') with $proxyIp would be the way to go.
#5
Updated by Xavier Perseguers about 7 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
#6
Updated by Sybille Peters about 7 years ago
Issue still persists in 4.5.22
Both proposed work-arounds are crude and not to be recommended in the long run (in my opinion).
#7
Updated by Xavier Perseguers about 7 years ago
- Status changed from Resolved to Needs Feedback
- % Done changed from 100 to 0
Don't know why I set it to resolved
#8
Updated by Sybille Peters about 7 years ago
What feedback?
#9
Updated by Alexander Opitz over 6 years ago
Hi,
this issue is very old, does it still exist with newer versions of TYPO3 CMS (4.5 or 6.1)?
#10
Updated by kelsaka no-lastname-given over 6 years ago
For Typo3 4.5.27 the issue still exists.
#11
Updated by Sybille Peters over 6 years ago
Reproduced with TYPO3 CMS 4.7.12 and 4.5.27.
For now, we found a configuration that works. For the future, I would not recommend using a reverse proxy with TYPO3.
#12
Updated by Alexander Opitz over 6 years ago
- Status changed from Needs Feedback to New
#13
Updated by Christian Ludwig over 6 years ago
This bug exists in all versions of TYPO3 (4.7.12 and 6.1.1 checked).
if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {
should be changed to
if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {
as it is used in case 'TYPO3_REV_PROXY':
/t3lib/class.t3lib_div.php (v4.7.12 on line 3651)
/typo3/sysext/core/Classes/Utility/GeneralUtility.php (v6.1.1 on line 3311)
Issue #29693 fixes it and respects HTTP_X_FORWARDED_PROTO.
#14
Updated by Jan-Erik Revsbech over 5 years ago
I can confirm that this is indeed a problem. I seem to have other problems when solving this, so I will dig a little further into this problem, but otherwise I will submit a patchset that fixes this.
#15
Updated by Gerrit Code Review over 5 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581
#16
Updated by Gerrit Code Review over 5 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581
#17
Updated by Gerrit Code Review over 5 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581
#18
Updated by Gerrit Code Review over 5 years ago
Patch set 1 for branch TYPO3_6-1 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30604
#19
Updated by Jan-Erik Revsbech over 5 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 0f9bd665fba2fa0240c5bba38bdfbbf6214cad47.
#20
Updated by Sybille Peters about 2 years ago
- Description updated (diff)
#21
Updated by Benni Mack about 1 year ago
- Status changed from Resolved to Closed