TYPO3 Core

Further debugging:

$_SERVER['REMOTE_ADDR'] : reverse-proxy ip
$_SERVER['HTTP_X_FORWARDED_FOR'] : client ip
$_SERVER['HTTPS'] : off (because revere-proxy uses normal HTTP session between reverse-proxy and server)
$_SERVER['SSL_SESSION_ID] : empty

Due to this, in the code, because value of self::getIndpEnv('REMOTE_ADDR') is different from proxy, the else branch is executed and $retVal is set to FALSE.

---------------------------------------------------
case 'TYPO3_SSL':
$proxySSL = trim($GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL']);
if ($proxySSL == '*') {
$proxySSL = $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'];
}
if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {
$retVal = TRUE;
} else {
$retVal = $_SERVER['SSL_SESSION_ID'] || !strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1') ? TRUE : FALSE; // see http://bugs.typo3.org/view.php?id=3909
}
break;
-------------------------------------------------------

Same problem with TYPO3 4.6.9

Workaround: Issue can be resolved by changing configuration on server:

1) Append IP of reverse-proxy to "X-Forwarded-For" header

2) change typo3conf/localconf.php:

$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'last';

Sybille Peters wrote:

Workaround: Issue can be resolved by changing configuration on server:

1) Append IP of reverse-proxy to "X-Forwarded-For" header

2) change typo3conf/localconf.php:

$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'last';

That would result in a wrong t3lib_div::getIndpEnv('REMOTE_ADDR') which is not very helpful - another (also awkward) workarround would be:

$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'first';
$TYPO3_CONF_VARS['SYS']['reverseProxySSL'] = array_shift(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 1));
$TYPO3_CONF_VARS['SYS']['reverseProxyIP'] = '10.1.1.10';

Anyway, to me it's obvious that comparing the $_SERVER['REMOTE_ADDR'] instead of self::getIndpEnv('REMOTE_ADDR') with $proxyIp would be the way to go.

Issue still persists in 4.5.22

Both proposed work-arounds are crude and not to be recommendended in the long run (in my opinion).

What feedback?

Hi,

this issue is very old, does it still exists with newer versions of TYPO3 CMS (4.5 or 6.1)?

For Typo3 4.5.27 the issue still exists.

Reproduced with TYPO3 CMS 4.7.12 and 4.5.27.

For now, we found a configuration that works. For the future, I would not recommend using a reverse proxy with TYPO3.

This bug exists in all versions of TYPO3 (4.7.12 and 6.1.1 checked).

if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {

if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {

/t3lib/class.t3lib_div.php (v4.7.12 on line 3651)
/typo3/sysext/core/Classes/Utility/GeneralUtility.php (v6.1.1 on line 3311)

Issues #29693 fixes it and respects HTTP_X_FORWARDED_PROTO.

I can confirm that this is indeed a problem. I seem to have other problems when solving this, so I will dig a little further into this problem, but otherwise I will submit a patchet that fixes this.

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581

Patch set 1 for branch TYPO3_6-1 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30604