Bug #37467

Change in class.t3lib_div.php may break things for HTTPS via reverse proxy

Added by Sybille Peters about 9 years ago. Updated over 2 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2012-05-24
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 4.5
PHP Version: 5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The change introduced in TYPO3 4.5.16 as fix for bug #36004 makes working in backend impossible for some HTTPS reverse-proxy configurations.

It may be a misconfiguration on our end, but as far as I can see, since the change HTTPS will only work with reverse proxy, if X-Forwarded-For contains local and proxy IP and

 $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue'] = "last";

Login to backend works, but then a network connection error is displayed ("Verbindungsproblem Bei dem Versuch eine Verbindung zum Server herzustellen ist ein Fehler aufgetreten. Bitte überprüfen Sie Ihre Netzwerkverbindung.")

Analyzing this shows that the changed line 4151 in class.t3lib_div.php has caused this problem:

older version:

if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {

newer version:

if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {


Related issues

Related to TYPO3 Core - Bug #29693: Respect HTTP_X_FORWARDED_PROTO in SSL check | Rejected | Michael Stucki | 2011-09-12

#1

Updated by Sybille Peters about 9 years ago

Further debugging:

$_SERVER['REMOTE_ADDR'] : reverse-proxy ip
$_SERVER['HTTP_X_FORWARDED_FOR'] : client ip
$_SERVER['HTTPS'] : off (because reverse-proxy uses normal HTTP session between reverse-proxy and server)
$_SERVER['SSL_SESSION_ID'] : empty

Due to this, in the code, because value of self::getIndpEnv('REMOTE_ADDR') is different from proxy, the else branch is executed and $retVal is set to FALSE.

---------------------------------------------------
case 'TYPO3_SSL':
    $proxySSL = trim($GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL']);
    if ($proxySSL == '*') {
        $proxySSL = $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'];
    }
    if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {
        $retVal = TRUE;
    } else {
        $retVal = $_SERVER['SSL_SESSION_ID'] || !strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1') ? TRUE : FALSE; // see http://bugs.typo3.org/view.php?id=3909
    }
    break;
-------------------------------------------------------

#2

Updated by Sybille Peters about 9 years ago

Same problem with TYPO3 4.6.9

#3

Updated by Sybille Peters about 9 years ago

Workaround: Issue can be resolved by changing configuration on server:

1) Append IP of reverse-proxy to "X-Forwarded-For" header

2) change typo3conf/localconf.php:

$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'last';

#4

Updated by Christian Opitz over 8 years ago

Sybille Peters wrote:

Workaround: Issue can be resolved by changing configuration on server:

1) Append IP of reverse-proxy to "X-Forwarded-For" header

2) change typo3conf/localconf.php:

$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'last';

That would result in a wrong t3lib_div::getIndpEnv('REMOTE_ADDR') which is not very helpful - another (also awkward) workaround would be:

$TYPO3_CONF_VARS['SYS']['reverseProxyHeaderMultiValue'] = 'first';
$TYPO3_CONF_VARS['SYS']['reverseProxySSL'] = array_shift(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 1));
$TYPO3_CONF_VARS['SYS']['reverseProxyIP'] = '10.1.1.10';

Anyway, to me it's obvious that comparing the $_SERVER['REMOTE_ADDR'] instead of self::getIndpEnv('REMOTE_ADDR') with $proxyIp would be the way to go.

#5

Updated by Xavier Perseguers over 8 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#6

Updated by Sybille Peters over 8 years ago

Issue still persists in 4.5.22

Both proposed work-arounds are crude and not to be recommended in the long run (in my opinion).

#7

Updated by Xavier Perseguers over 8 years ago

  • Status changed from Resolved to Needs Feedback
  • % Done changed from 100 to 0

Don't know why I set it to resolved

#8

Updated by Sybille Peters over 8 years ago

What feedback?

#9

Updated by Alexander Opitz almost 8 years ago

Hi,

this issue is very old, does it still exist with newer versions of TYPO3 CMS (4.5 or 6.1)?

#10

Updated by kelsaka no-lastname-given almost 8 years ago

For TYPO3 4.5.27 the issue still exists.

#11

Updated by Sybille Peters almost 8 years ago

Reproduced with TYPO3 CMS 4.7.12 and 4.5.27.

For now, we found a configuration that works. For the future, I would not recommend using a reverse proxy with TYPO3.

#12

Updated by Alexander Opitz almost 8 years ago

  • Status changed from Needs Feedback to New

#13

Updated by Christian Ludwig almost 8 years ago

This bug exists in all versions of TYPO3 (4.7.12 and 6.1.1 checked).

if (self::cmpIP(self::getIndpEnv('REMOTE_ADDR'), $proxySSL)) {

should be changed to
if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {

as it is used in case 'TYPO3_REV_PROXY':

/t3lib/class.t3lib_div.php (v4.7.12 on line 3651)
/typo3/sysext/core/Classes/Utility/GeneralUtility.php (v6.1.1 on line 3311)

Issue #29693 fixes it and respects HTTP_X_FORWARDED_PROTO.
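
The behaviour debugged in comments #1, #3 and #13 can be reproduced with a small model. This is an added example, not TYPO3 source and not code from any commenter; the function names resolvedRemoteAddr and isSsl, the exact-match comparison standing in for cmpIP(), the handling of the default multi-value setting, and the client address 203.0.113.7 are assumptions.

```php
<?php
// Simplified model of the two checks discussed in this thread; not TYPO3 source.
// 203.0.113.7 is a constructed client address; 10.1.1.10 is the proxy IP from comment #4.

/** Model of getIndpEnv('REMOTE_ADDR'): the TCP peer address, replaced by an
 *  X-Forwarded-For entry when the peer is the configured reverse proxy. */
function resolvedRemoteAddr(array $server, array $sys): string
{
    $peer = $server['REMOTE_ADDR'];
    if ($peer !== $sys['reverseProxyIP'] || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    switch ($sys['reverseProxyHeaderMultiValue']) {
        case 'first': return $hops[0];
        case 'last':  return $hops[count($hops) - 1];
        // Assumption of this model: without a setting, only a single value is used.
        default:      return count($hops) === 1 ? $hops[0] : $peer;
    }
}

/** TYPO3_SSL decision. $useRawPeer = false models the line changed in 4.5.16
 *  (resolved address); true models the older line ($_SERVER['REMOTE_ADDR']). */
function isSsl(array $server, array $sys, bool $useRawPeer): bool
{
    $proxySSL = trim($sys['reverseProxySSL']);
    if ($proxySSL === '*') {
        $proxySSL = $sys['reverseProxyIP'];
    }
    $addr = $useRawPeer ? $server['REMOTE_ADDR'] : resolvedRemoteAddr($server, $sys);
    if ($addr === $proxySSL) { // stands in for cmpIP() with a single address
        return true;
    }
    return !empty($server['SSL_SESSION_ID'])
        || in_array(strtolower($server['HTTPS'] ?? ''), ['on', '1'], true);
}

$sys = ['reverseProxyIP' => '10.1.1.10', 'reverseProxySSL' => '*',
        'reverseProxyHeaderMultiValue' => 'none'];
// Setup from comment #1: the proxy terminates TLS and forwards plain HTTP.
$request = ['REMOTE_ADDR' => '10.1.1.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
            'HTTPS' => 'off'];
var_dump(isSsl($request, $sys, false)); // newer line: client address vs. proxy list
var_dump(isSsl($request, $sys, true));  // older line: TCP peer vs. proxy list

// Workaround from comment #3: the proxy appends its own IP, multi-value 'last'.
$sys['reverseProxyHeaderMultiValue'] = 'last';
$request['HTTP_X_FORWARDED_FOR'] = '203.0.113.7, 10.1.1.10';
var_dump(isSsl($request, $sys, false));       // SSL detection with the workaround
var_dump(resolvedRemoteAddr($request, $sys)); // address the application now sees
```

The raw REMOTE_ADDR is the address of the TCP peer and cannot be set through a request header, which is why the proxy check in the proposed fix compares it rather than the forwarded value.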

#14

Updated by Jan-Erik Revsbech about 7 years ago

I can confirm that this is indeed a problem. I seem to have other problems when solving this, so I will dig a little further into this problem, but otherwise I will submit a patch that fixes this.

#15

Updated by Gerrit Code Review about 7 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581

#16

Updated by Gerrit Code Review about 7 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581

#17

Updated by Gerrit Code Review about 7 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30581

#18

Updated by Gerrit Code Review about 7 years ago

Patch set 1 for branch TYPO3_6-1 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30604

#19

Updated by Jan-Erik Revsbech about 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#20

Updated by Sybille Peters over 3 years ago

  • Description updated (diff)

#21

Updated by Benni Mack over 2 years ago

  • Status changed from Resolved to Closed
