[TYPO3-v4] Problems with typo3 behind reverse proxy.

Ulrich.Herbst at t-systems.com Ulrich.Herbst at t-systems.com
Tue Oct 4 22:23:58 CEST 2011


Both actions (description of reverseProxyIP and default value of reverseProxyHeaderMultiValue) would have saved me some major debugging sessions.....

I think those are good ideas.

Uli
 

-----Original Message-----
From: typo3-project-v4-bounces at lists.typo3.org [mailto:typo3-project-v4-bounces at lists.typo3.org] On Behalf Of Steffen Gebert
Sent: Tuesday, 4 October 2011 20:14
To: typo3-project-v4 at lists.typo3.org
Subject: Re: [TYPO3-v4] Problems with typo3 behind reverse proxy.

Hi Ulrich,

thanks for your feedback!

> 2. reverseProxyHeaderMultiValue has to be first or last, but NOT empty or "none"
Yes, I noticed that, too. first would be IMHO a better default value.

> 1. reverseProxyIP has to be the IP-interface in direction to the typo3 server (this is just important for multi-homed reverse proxies). Only then the first condition ( if (self::cmpIP($_SERVER['REMOTE_ADDR'], $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP']))) will be true.
Indeed.. it sounds a bit illogical, however this check is required to ensure that no cache poisoning can happen. Otherwise you could just send a "X-Forwarded-Host: evil.com" header, which is cached and also sent to other users (which then load CSS etc. from that host).

Do you agree that everything is fine, if we
(1) change the description of reverseProxyIP to clearly state that this is the IP address of the proxy seen by TYPO3 (can be done for 4.5/4.6)
(2) change the default value of reverseProxyHeaderMultiValue to "first" or better "last"? I guess, when multiple proxies are used, there is no best value, as it highly depends on the setup. Only people using one single proxy (hopefully the most? ;)) wouldn't have to change this value.

Steffen

--
Steffen Gebert
TYPO3 v4 Core Team Member
TYPO3 Server Administration Team Member

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

>
> -----Original Message-----
> From: typo3-project-v4-bounces at lists.typo3.org [mailto:typo3-project-v4-bounces at lists.typo3.org] On Behalf Of Herbst, Ulrich
> Sent: Tuesday, 4 October 2011 18:02
> To: typo3-project-v4 at lists.typo3.org
> Subject: Re: [TYPO3-v4] Problems with typo3 behind reverse proxy.
>
> Hi Steffen,
>
> ok, so I checked in typo3:
>
> 1. reverseProxyIP is set - to the "official" internet ip address of my reverse proxy
> 2. reverseProxyHeaderMultiValue is (now) set to first
>
> 3. I check with tcpdump/wireshark:
> For packets from reverse proxy ->  typo3-server, X-Forwarded-Host is set with the "official" domain-name.
> X-Forwarded-For is set with "unknown,a.b.c.d" (a.b.c.d = internal ip address of reverse proxy).
>
>
> 4. Given the code from the issue 26088:
> case 'HTTP_HOST':
>      $retVal = $_SERVER['HTTP_HOST'];
>      if (self::cmpIP($_SERVER['REMOTE_ADDR'], $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'])) {
>          $host = self::trimExplode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);
>              // choose which host in list to use
>          if (count($host)) {
>              switch ($GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue']) {
>                  case 'last':
>                      $host = array_pop($host);
>                      break;
>                  case 'first':
>                      $host = array_shift($host);
>                      break;
>                  case 'none':
>                  default:
>                      $host = '';
>                      break;
>              }
>          }
>          if ($host) {
>              $retVal = $host;
>          }
>      }
>
> =>  Is $_SERVER['HTTP_X_FORWARDED_HOST'] set from "X-Forwarded-Host"-HTTP-Header ?
> If yes - then this code isn't working or isn't called.
>
> I'm not very familiar with php - if you can give me some advice about debugging (or logging some values to a logfile or something similar), I can try this.
>
> What exactly do you mean with "clearing the cache" ?
> I did:
> - call "Delete temp_CACHED* files "
> - delete / recreate the whole typo3temp-directory
> Is there more than that in "clearing the cache" ?
>
> Uli
>
> -----Original Message-----
> From: typo3-project-v4-bounces at lists.typo3.org [mailto:typo3-project-v4-bounces at lists.typo3.org] On Behalf Of Steffen Gebert
> Sent: Tuesday, 4 October 2011 12:27
> To: typo3-project-v4 at lists.typo3.org
> Subject: Re: [TYPO3-v4] Problems with typo3 behind reverse proxy.
>
> Hi Ulrich,
>
>> we have a typo3 - installation with private IP-addresses behind a reverse proxy (with official IP addresses).
> please have a look at
> http://forge.typo3.org/issues/26088
> and provide feedback. Otherwise I will close the issue soon, as I think there's not really a bug or nobody supports resolving it.
>
>
> Kind regards
> Steffen
>
_______________________________________________
TYPO3-project-v4 mailing list
TYPO3-project-v4 at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-project-v4
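
The interaction between the two settings discussed in this thread, as an added PHP example (not TYPO3 core code and not written by either poster). The function names, addresses and host names are constructed, and an exact-match comparison stands in for the core IP check.

```php
<?php
// Added illustration, not TYPO3 core code. isTrustedProxy() and resolveHost()
// are hypothetical names; only the two setting names come from the thread.

// Simplified stand-in for the core IP comparison: exact match against a
// comma-separated list, no wildcard or CIDR handling (assumption).
function isTrustedProxy(string $remoteAddr, string $reverseProxyIP): bool
{
    $trusted = array_filter(array_map('trim', explode(',', $reverseProxyIP)), 'strlen');
    return in_array($remoteAddr, $trusted, true);
}

function resolveHost(array $server, string $reverseProxyIP, string $multiValue): string
{
    $host = $server['HTTP_HOST'] ?? '';
    $forwarded = $server['HTTP_X_FORWARDED_HOST'] ?? '';
    // Honour the header only when the TCP peer is the configured proxy;
    // any other client could have written it.
    if (!isTrustedProxy($server['REMOTE_ADDR'] ?? '', $reverseProxyIP)) {
        return $host;
    }
    $list = array_values(array_filter(array_map('trim', explode(',', $forwarded)), 'strlen'));
    if ($list === []) {
        return $host;
    }
    switch ($multiValue) {
        case 'first': return $list[0];
        case 'last':  return $list[count($list) - 1];
        default:      return $host; // '' or 'none': header is ignored
    }
}

// Constructed requests: 10.0.0.5 = proxy interface facing the web server,
// 192.0.2.10 = proxy's public address, 198.51.100.7 = arbitrary client.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'typo3.internal',
             'HTTP_X_FORWARDED_HOST' => 'www.example.org'];
$direct   = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_HOST' => 'www.example.org',
             'HTTP_X_FORWARDED_HOST' => 'evil.example'];
$chained  = ['HTTP_X_FORWARDED_HOST' => 'www.example.org, edge.example.org'] + $viaProxy;
$cases = [
    'proxy, internal IP configured, first' => [$viaProxy, '10.0.0.5', 'first'],
    'proxy, public IP configured, first'   => [$viaProxy, '192.0.2.10', 'first'],
    'proxy, internal IP configured, none'  => [$viaProxy, '10.0.0.5', 'none'],
    'direct client with forged header'     => [$direct, '10.0.0.5', 'first'],
    'two hosts in header, last'            => [$chained, '10.0.0.5', 'last'],
];
foreach ($cases as $label => [$server, $ip, $mode]) {
    printf("%-38s => %s\n", $label, resolveHost($server, $ip, $mode));
}
```

The second and third cases fall back to the internal `HTTP_HOST`, which matches the two misconfigurations named in the thread; the fourth shows the forged header being ignored because the sender is not the configured proxy.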

