Bug #37467

Change in class.t3lib_div.php may break things for HTTPS via reverse proxy

Added by Sybille Peters over 7 years ago. Updated about 1 year ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2012-05-24
Due date:
% Done: 100%
TYPO3 Version: 4.5
PHP Version: 5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The change introduced in TYPO3 4.5.16 as fix for bug #36004 makes working in backend impossible for some HTTPS reverse-proxy configurations.

It may be a misconfiguration on our end, but as far as I can see, since the change HTTPS will only work with reverse proxy, if X-Forwarded-For contains local and proxy IP and

 $TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = "last";

Login to backend works, but then a network connection error is displayed ("Verbindungsproblem Bei dem Versuch eine Verbindung zum Server herzustellen ist ein Fehler aufgetreten. Bitte überprüfen Sie Ihre Netzwerkverbindung.")

Analyzing this shows that the changed line 4151 in class.t3lib_div.php has caused this problem:

older version:

if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {

newer version:

if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {


Related issues

Related to TYPO3 Core - Bug #29693: Respect HTTP_X_FORWARDED_PROTO in SSL check Rejected 2011-09-12

Associated revisions

Revision b9cb4518 (diff)
Added by Jan-Erik Revsbech over 5 years ago

[BUGFIX] getIndpEnv('TYPO3_SSL') fails to detect reverseProxyIp

When running TYPO3 behind a reverse proxy, which also handles SSL,
the setting reverseProxySSL should check if the site is requested
from one of the reverse proxies in order to determine whether
the site is using SSL.

It incorrectly does this check via getIndpEnv('REMOTE_ADDR') which has
already translated the proxy IP to the end-users IP, thus always
returning FALSE.

Resolves: #37467
Release: 6.2, 6.1
Change-Id: I95615b0fea94e0ef0222e958e4e0bba5e6e9f60a
Reviewed-on: https://review.typo3.org/30581
Reviewed-by: Wouter Wolters
Reviewed-by: Mattias Nilsson
Tested-by: Mattias Nilsson
Reviewed-by: Jan-Erik Revsbech
Tested-by: Jan-Erik Revsbech
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Revision 0f9bd665 (diff)
Added by Jan-Erik Revsbech over 5 years ago

[BUGFIX] getIndpEnv('TYPO3_SSL') fails to detect reverseProxyIp

When running TYPO3 behind a reverse proxy, which also handles SSL,
the setting reverseProxySSL should check if the site is requested
from one of the reverse proxies in order to determine whether
the site is using SSL.

It incorrectly does this check via getIndpEnv('REMOTE_ADDR') which has
already translated the proxy IP to the end-users IP, thus always
returning FALSE.

Resolves: #37467
Releases: 6.2, 6.1
Change-Id: I95615b0fea94e0ef0222e958e4e0bba5e6e9f60a
Reviewed-on: https://review.typo3.org/30604
Reviewed-by: Markus Klein
Tested-by: Markus Klein

History

#1 Updated by Sybille Peters over 7 years ago

Further debugging:

$_SERVER['REMOTE_ADDR'] : reverse-proxy ip
$_SERVER['HTTP_X_FORWARDED_FOR'] : client ip
$_SERVER['HTTPS'] : off (because reverse-proxy uses normal HTTP session between reverse-proxy and server)
$_SERVER['SSL_SESSION_ID'] : empty

Due to this, in the code, because value of self::getIndpEnv('REMOTE_ADDR') is different from proxy, the else branch is executed and $retVal is set to FALSE.

---------------------------------------------------
case 'TYPO3_SSL':
    $proxySSL = trim($GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL']);
    if ($proxySSL == '*') {
        $proxySSL = $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'];
    }
    if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {
        $retVal = TRUE;
    } else {
        $retVal = $_SERVER['SSL_SESSION_ID'] || !strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1') ? TRUE : FALSE; // see http://bugs.typo3.org/view.php?id=3909
    }
    break;
-------------------------------------------------------

#2 Updated by Sybille Peters over 7 years ago

Same problem with TYPO3 4.6.9

#3 Updated by Sybille Peters over 7 years ago

Workaround: Issue can be resolved by changing configuration on server:

1) Append IP of reverse-proxy to "X-Forwarded-For" header

2) change typo3conf/localconf.php:

$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'last';

#4 Updated by Christian Opitz about 7 years ago

Sybille Peters wrote:

Workaround: Issue can be resolved by changing configuration on server:

1) Append IP of reverse-proxy to "X-Forwarded-For" header

2) change typo3conf/localconf.php:

$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'last';

That would result in a wrong t3lib_div::getIndpEnv('REMOTE_ADDR') which is not very helpful - another (also awkward) workaround would be:

$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'first';
$TYPO3_CONF_VARS['SYS']['reverseProxySSL'] = array_shift(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 1));
$TYPO3_CONF_VARS['SYS']['reverseProxyIP'] = '10.1.1.10';

Anyway, to me it's obvious that comparing the $_SERVER['REMOTE_ADDR'] instead of self::getIndpEnv('REMOTE_ADDR') with $proxyIp would be the way to go.
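
The behaviour discussed in comments #1 to #4, as an added example that is not part of the original thread and is not TYPO3 source code: a simplified model of the two comparisons, run against the request values from the "Further debugging" comment and then against the workaround from comment #3. The function names and the sample IP addresses are constructed, and exact matching stands in for cmpIP(). With the proxy terminating TLS, the header-derived address never matches the proxy list, while the TCP peer address does; the workaround makes the check pass only by making the resolved REMOTE_ADDR the proxy's own address.

```php
<?php
// Added illustration, not TYPO3 source. Function names and IPs are constructed;
// exact-match in_array() stands in for cmpIP(), which also accepts wildcards.

// Direct TLS detection, equivalent to the else branch quoted in comment #1.
function directHttps(array $s): bool
{
    return !empty($s['SSL_SESSION_ID']) || in_array(strtolower($s['HTTPS'] ?? ''), ['on', '1'], true);
}

// Simplified getIndpEnv('REMOTE_ADDR'): if the TCP peer is a trusted proxy,
// return the address picked from X-Forwarded-For ('first' or 'last' entry).
function resolvedRemoteAddr(array $s, array $conf): string
{
    $xff = array_filter(array_map('trim', explode(',', $s['HTTP_X_FORWARDED_FOR'] ?? '')));
    if (!in_array($s['REMOTE_ADDR'], $conf['reverseProxyIP'], true) || !$xff) {
        return $s['REMOTE_ADDR'];
    }
    return $conf['reverseProxyHeaderMultiValue'] === 'last' ? end($xff) : reset($xff);
}

// "newer version": compares the already-translated address with the proxy list.
function sslNewer(array $s, array $conf): bool
{
    return in_array(resolvedRemoteAddr($s, $conf), $conf['reverseProxySSL'], true) || directHttps($s);
}

// "older version": compares the TCP peer address with the proxy list.
function sslPeerBased(array $s, array $conf): bool
{
    return in_array($s['REMOTE_ADDR'], $conf['reverseProxySSL'], true) || directHttps($s);
}

$proxy  = '192.0.2.10';  // constructed sample address
$client = '203.0.113.7'; // constructed sample address
$conf = ['reverseProxyIP' => [$proxy], 'reverseProxySSL' => [$proxy], 'reverseProxyHeaderMultiValue' => 'first'];

// Request as seen by PHP when the proxy terminates TLS and forwards plain HTTP.
$request = ['REMOTE_ADDR' => $proxy, 'HTTP_X_FORWARDED_FOR' => $client, 'HTTPS' => 'off'];
var_dump(sslNewer($request, $conf));     // header-derived comparison
var_dump(sslPeerBased($request, $conf)); // peer-address comparison

// Workaround from comment #3: proxy appends its own IP, config switches to 'last'.
$conf['reverseProxyHeaderMultiValue'] = 'last';
$request['HTTP_X_FORWARDED_FOR'] = "$client, $proxy";
var_dump(sslNewer($request, $conf));           // SSL check with the workaround
var_dump(resolvedRemoteAddr($request, $conf)); // address the application now sees
```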

#5 Updated by Xavier Perseguers about 7 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#6 Updated by Sybille Peters almost 7 years ago

Issue still persists in 4.5.22

Both proposed work-arounds are crude and not to be recommended in the long run (in my opinion).

#7 Updated by Xavier Perseguers almost 7 years ago

  • Status changed from Resolved to Needs Feedback
  • % Done changed from 100 to 0

Don't know why I set it to resolved

#8 Updated by Sybille Peters almost 7 years ago

What feedback?

#9 Updated by Alexander Opitz over 6 years ago

Hi,

this issue is very old, does it still exist with newer versions of TYPO3 CMS (4.5 or 6.1)?

#10 Updated by kelsaka no-lastname-given over 6 years ago

For Typo3 4.5.27 the issue still exists.

#11 Updated by Sybille Peters over 6 years ago

Reproduced with TYPO3 CMS 4.7.12 and 4.5.27.

For now, we found a configuration that works. For the future, I would not recommend using a reverse proxy with TYPO3.

#12 Updated by Alexander Opitz over 6 years ago

  • Status changed from Needs Feedback to New

#13 Updated by Christian Ludwig over 6 years ago

This bug exists in all versions of TYPO3 (4.7.12 and 6.1.1 checked).

if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {

should be changed to
if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {

as it is used in case 'TYPO3_REV_PROXY':

/t3lib/class.t3lib_div.php (v4.7.12 on line 3651)
/typo3/sysext/core/Classes/Utility/GeneralUtility.php (v6.1.1 on line 3311)

Issue #29693 fixes it and respects HTTP_X_FORWARDED_PROTO.

#14 Updated by Jan-Erik Revsbech over 5 years ago

I can confirm that this is indeed a problem. I seem to have other problems when solving this, so I will dig a little further into this problem, but otherwise I will submit a patchset that fixes this.

#15 Updated by Gerrit Code Review over 5 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581

#16 Updated by Gerrit Code Review over 5 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581

#17 Updated by Gerrit Code Review over 5 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581

#18 Updated by Gerrit Code Review over 5 years ago

Patch set 1 for branch TYPO3_6-1 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30604

#19 Updated by Jan-Erik Revsbech over 5 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#20 Updated by Sybille Peters almost 2 years ago

  • Description updated (diff)

#21 Updated by Benni Mack about 1 year ago

  • Status changed from Resolved to Closed
