[TYPO3-v4] Problems with typo3 behind reverse proxy.

Steffen Gebert steffen.gebert at typo3.org
Tue Oct 4 20:13:49 CEST 2011


Hi Ulrich,

thanks for your feedback!

> 2. reverseProxyHeaderMultiValue has to be first or last, but NOT
> empty or "none"
Yes, I noticed that, too. first would be IMHO a better default value.

> 1. reverseProxyIP has to be the IP-interface in direction to the typo3 server (this is just important for multi-homed reverse proxies). Only then the first condition ( if (self::cmpIP($_SERVER['REMOTE_ADDR'], $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP']))) will be true.
Indeed, it sounds a bit illogical; however, this check is required to 
ensure that no cache poisoning can happen. Otherwise you could just send 
an "X-Forwarded-Host: evil.com" header, which is cached and also sent to 
other users (who then load CSS etc. from that host).

Do you agree that everything is fine, if we
(1) change the description of reverseProxyIP to clearly state that this 
is the IP address of the proxy seen by TYPO3 (can be done for 4.5/4.6)
(2) change the default value of reverseProxyHeaderMultiValue to "first" 
or better "last"? I guess, when multiple proxies are used, there is no 
best value, as it highly depends on the setup. Only people using one 
single proxy (hopefully most? ;)) wouldn't have to change this value.

Steffen

-- 
Steffen Gebert
TYPO3 v4 Core Team Member
TYPO3 Server Administration Team Member

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

>
> -----Original Message-----
> From: typo3-project-v4-bounces at lists.typo3.org [mailto:typo3-project-v4-bounces at lists.typo3.org] On Behalf Of Herbst, Ulrich
> Sent: Tuesday, 4 October 2011 18:02
> To: typo3-project-v4 at lists.typo3.org
> Subject: Re: [TYPO3-v4] Problems with typo3 behind reverse proxy.
>
> Hi Steffen,
>
> ok, so I checked in typo3:
>
> 1. reverseProxyIP is set - to the "official" internet IP address of my reverse proxy
> 2. reverseProxyHeaderMultiValue is (now) set to first
>
> 3. I check with tcpdump/wireshark:
> For packets from reverse proxy ->  typo3-server, X-Forwarded-Host is set with the "official" domain-name.
> X-Forwarded-For is set with "unknown,a.b.c.d" (a.b.c.d = internal IP address of reverse proxy).
>
>
> 4. Given the code from the issue 26088:
> case 'HTTP_HOST':
>      $retVal = $_SERVER['HTTP_HOST'];
>      if (self::cmpIP($_SERVER['REMOTE_ADDR'], $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'])) {
>          $host = self::trimExplode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);
>              // choose which host in list to use
>          if (count($host)) {
>              switch ($GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue']) {
>                  case 'last':
>                      $host = array_pop($host);
>                      break;
>                  case 'first':
>                      $host = array_shift($host);
>                      break;
>                  case 'none':
>                  default:
>                      $host = '';
>                      break;
>              }
>          }
>          if ($host) {
>              $retVal = $host;
>          }
>      }
>
> =>  Is $_SERVER['HTTP_X_FORWARDED_HOST'] set from "X-Forwarded-Host"-HTTP-Header ?
> If yes - then this code isn't working or isn't called.
>
> I'm not very familiar with php - if you can give me some advice about debugging (or logging some values to a logfile or something similar), I can try this.
>
> What exactly do you mean with "clearing the cache" ?
> I did:
> - call "Delete temp_CACHED* files "
> - delete / recreate the whole typo3temp-directory
> Is there more than that in "clearing the cache" ?
>
> Uli
>
> -----Original Message-----
> From: typo3-project-v4-bounces at lists.typo3.org [mailto:typo3-project-v4-bounces at lists.typo3.org] On Behalf Of Steffen Gebert
> Sent: Tuesday, 4 October 2011 12:27
> To: typo3-project-v4 at lists.typo3.org
> Subject: Re: [TYPO3-v4] Problems with typo3 behind reverse proxy.
>
> Hi Ulrich,
>
>> we have a typo3 - installation with private IP-addresses behind a reverse proxy (with official IP addresses).
> please have a look at
> http://forge.typo3.org/issues/26088
> and provide feedback. Otherwise I will close the issue soon, as I think there's not really a bug or nobody supports resolving it.
>
>
> Kind regards
> Steffen
>
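
The trust check discussed in this thread, as an added PHP sketch (not TYPO3 core code and not written by either participant). The function name resolveHost(), the exact-match IP comparison standing in for cmpIP(), and all addresses and host names are assumptions constructed for illustration. It shows why reverseProxyIP must match the proxy address the backend actually sees, and why a forwarded host from any other peer is ignored.

```php
<?php
// Added illustration. resolveHost() is a hypothetical helper; the IP check is
// a simplified exact-match stand-in for the cmpIP() call quoted in the thread.
function resolveHost(array $server, array $conf): string
{
    $host = $server['HTTP_HOST'] ?? '';
    $trusted = array_filter(array_map('trim', explode(',', $conf['reverseProxyIP'] ?? '')));

    // Honour X-Forwarded-Host only when the TCP peer is the configured proxy.
    // REMOTE_ADDR is the proxy's backend-facing address, not its public one.
    if (!in_array($server['REMOTE_ADDR'] ?? '', $trusted, true)) {
        return $host;
    }

    $values = array_values(array_filter(
        array_map('trim', explode(',', $server['HTTP_X_FORWARDED_HOST'] ?? '')),
        'strlen'
    ));
    if ($values === []) {
        return $host;
    }

    switch ($conf['reverseProxyHeaderMultiValue'] ?? 'none') {
        case 'first':
            return $values[0];
        case 'last':
            return $values[count($values) - 1];
        default: // 'none' or empty: the header is ignored
            return $host;
    }
}

// Constructed sample requests: [label, config, $_SERVER-like array].
$good = ['reverseProxyIP' => '10.0.0.5', 'reverseProxyHeaderMultiValue' => 'first'];
$publicIp = ['reverseProxyIP' => '203.0.113.10', 'reverseProxyHeaderMultiValue' => 'first'];
$cases = [
    ['request via proxy', $good,
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'backend.internal', 'HTTP_X_FORWARDED_HOST' => 'www.example.org']],
    ['direct request, forged header', $good,
        ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_HOST' => 'www.example.org', 'HTTP_X_FORWARDED_HOST' => 'evil.example']],
    ['proxy public IP configured', $publicIp,
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'backend.internal', 'HTTP_X_FORWARDED_HOST' => 'www.example.org']],
];
foreach ($cases as [$label, $conf, $server]) {
    printf("%-32s => %s\n", $label, resolveHost($server, $conf));
}
```

Only the first case uses the forwarded host; the forged header and the configuration with the proxy's public address both fall back to HTTP_HOST.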

