Fix mod_auth_mellon failures behind SSL terminating reverse proxy server #128
This PR aims to solve the same problem posed in PR #33, where the Apache server that mod_auth_mellon is running on is behind a reverse proxy that terminates the SSL connection (meaning it's plain HTTP between the reverse proxy and the server mod_auth_mellon is running on). This causes Apache to believe it is running plain HTTP, hence mod_auth_mellon (using Apache APIs) generates URLs for things like ReturnTo and RelayState set with the wrong protocol / scheme.
The main objection to PR #33 was the security considerations of relying on an HTTP header to determine whether the server should alter this or not. The patch @smartalock put forward relies on the reverse proxy injecting a header in the request, which works, but perhaps isn't the best way.
Instead, this PR adds the MellonForceHttpsUrlRewrites configuration directive. This makes the behaviour a configuration file element, set by the admin, fixing the security issue above.
This works for cases where you can't set ServerName (i.e. it has several reverse proxies in front of it). Edge case, I know. But in SimpleSAMLphp land (which I know @thijskh is familiar with) we've done this by setting the baseUrl dynamically in config.php (in PHP code) to cover up for this case, which of course you can't do here (ServerName can't be set per-request). So, this PR would be the next best thing.