Bug #37467
Change in class.t3lib_div.php may break things for HTTPS via reverse proxy
100%
Description
The change introduced in TYPO3 4.5.16 as fix for bug #36004 makes working in backend impossible for some HTTPS reverse-proxy configurations.
It may be a misconfiguration on our end, but as far as I can see, since the change HTTPS will only work with reverse proxy, if X-Forwarded-For contains local and proxy IP and
$['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue' = "last";
Login to backend works, but then a network connections error is displayed ("Verbindungsproblem Bei dem Versuch eine Verbindung zum Server herzustellen ist ein Fehler aufgetreten. Bitte überprüfen Sie Ihre Netzwerkverbindung.")
Analyzing this shows that the changed line 4151 in class.t3lib_div.php has caused this problem:
older version:
if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {
newer version:
if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {
Related issues
Updated by Sybille Peters almost 9 years ago
Further debugging:
$_SERVER['REMOTE_ADDR'] : reverse-proxy ip
$_SERVER['HTTP_X_FORWARDED_FOR'] : client ip
$_SERVER['HTTPS'] : off (because revere-proxy uses normal HTTP session between reverse-proxy and server)
$_SERVER['SSL_SESSION_ID] : empty
Due to this, in the code, because value of self::getIndpEnv('REMOTE_ADDR') is different from proxy, the else branch is executed and $retVal is set to FALSE.
---------------------------------------------------
case 'TYPO3_SSL':
$proxySSL = trim($GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL']);
if ($proxySSL == '*') {
$proxySSL = $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'];
}
if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {
$retVal = TRUE;
} else {
$retVal = $_SERVER['SSL_SESSION_ID'] || !strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1') ? TRUE : FALSE; // see http://bugs.typo3.org/view.php?id=3909
}
break;
-------------------------------------------------------
Updated by Sybille Peters almost 9 years ago
Workaround: Issue can be resolved by changing configuration on server:
1) Append IP of reverse-proxy to "X-Forwarded-For" header
2) change typo3conf/localconf.php:
$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'last';
Updated by Christian Opitz over 8 years ago
Sybille Peters wrote:
Workaround: Issue can be resolved by changing configuration on server:
1) Append IP of reverse-proxy to "X-Forwarded-For" header
2) change typo3conf/localconf.php:
$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'last';
That would result in a wrong t3lib_div::getIndpEnv('REMOTE_ADDR') which is not very helpful - another (also awkward) workarround would be:
$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'first'; $TYPO3_CONF_VARS['SYS']['reverseProxySSL'] = array_shift(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 1)); $TYPO3_CONF_VARS['SYS']['reverseProxyIP'] = '10.1.1.10';
Anyway, to me it's obvious that comparing the $_SERVER['REMOTE_ADDR'] instead of self::getIndpEnv('REMOTE_ADDR') with $proxyIp would be the way to go.
Updated by Xavier Perseguers over 8 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Updated by Sybille Peters over 8 years ago
Issue still persists in 4.5.22
Both proposed work-arounds are crude and not to be recommendended in the long run (in my opinion).
Updated by Xavier Perseguers over 8 years ago
- Status changed from Resolved to Needs Feedback
- % Done changed from 100 to 0
Don't know why I set it to resolved
Updated by Alexander Opitz almost 8 years ago
Hi,
this issue is very old, does it still exists with newer versions of TYPO3 CMS (4.5 or 6.1)?
Updated by kelsaka no-lastname-given almost 8 years ago
For Typo3 4.5.27 the issue still exists.
Updated by Sybille Peters almost 8 years ago
Reproduced with TYPO3 CMS 4.7.12 and 4.5.27.
For now, we found a configuration that works. For the future, I would not recommend using a reverse proxy with TYPO3.
Updated by Christian Ludwig almost 8 years ago
This bug exists in all versions of TYPO3 (4.7.12 and 6.1.1 checked).
if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {
should be changed to
if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {
as it is used in case 'TYPO3_REV_PROXY':
/t3lib/class.t3lib_div.php (v4.7.12 on line 3651)
/typo3/sysext/core/Classes/Utility/GeneralUtility.php (v6.1.1 on line 3311)
Issues #29693 fixes it and respects HTTP_X_FORWARDED_PROTO.
Updated by Jan-Erik Revsbech almost 7 years ago
I can confirm that this is indeed a problem. I seem to have other problems when solving this, so I will dig a little further into this problem, but otherwise I will submit a patchet that fixes this.
Updated by Gerrit Code Review almost 7 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581
Updated by Gerrit Code Review almost 7 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581
Updated by Gerrit Code Review almost 7 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581
Updated by Gerrit Code Review almost 7 years ago
Patch set 1 for branch TYPO3_6-1 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30604
Updated by Jan-Erik Revsbech almost 7 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 0f9bd665fba2fa0240c5bba38bdfbbf6214cad47.
Updated by