diff --git a/README.md b/README.md
index 1722559..be18146 100644
--- a/README.md
+++ b/README.md
@@ -634,6 +634,20 @@ MellonDiagnosticsEnable Off
 # Default: rsa-sha256
 # MellonSignatureMethod
+ # Force all generated URLs to be using HTTPS, not HTTP, regardless of the detected
+ # inbound protocol. This is really useful if mod_auth_mellon is running on a server which
+ # has an SSL reverse proxy sitting in front of it. Because the SSL connection terminates
+ # at the proxy, Apache needs to be explicitly told "yes, this is really HTTPS, even though
+ # you can't detect it".
+ #
+ # Note: This configuration variable is NOT "force use of HTTPS to my server for inbound
+ # connections". That can be done in a variety of ways with the base Apache configuration.
+ # This directive only deals with the case where Apache can't autodetect the scheme used
+ # by the client correctly.
+ #
+ # Default: Off
+ # MellonForceHttpsUrlRewrites On
+
 ```
diff --git a/auth_mellon.h b/auth_mellon.h
index c9e2748..dc6e7cd 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -334,6 +334,9 @@ typedef struct am_dir_cfg_rec {
 /* Send Expect Header. */
 int send_expect_header;
+ /* Whether to force conversion of generated HTTP URLs to HTTPS */
+ int force_https_rewrites;
+
 } am_dir_cfg_rec;
 /* Bitmask for PAOS service options */
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index cf896ab..ee6217f 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -118,6 +118,9 @@ static const int default_enabled_invalidation_session = 0;
 */
 static const int default_send_expect_header = 1;
+/* By default, do not force HTTP URLs to be rewritten to be HTTPS. */
+static const int default_force_https_rewrites = 0;
+
 /* This function handles configuration directives which set a
 * multivalued string slot in the module configuration (the destination
 * strucure is a hash).
@@ -1805,6 +1808,15 @@ const command_rec auth_mellon_commands[] = {
 "Send the Expect Header. Default is 'on'."
 ),
+ AP_INIT_FLAG(
+ "MellonForceHttpsUrlRewrites",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, force_https_rewrites),
+ OR_AUTHCFG,
+ "Whether to force conversion of generated HTTP URLs to HTTPS [on|off]"
+ " Default value is \"off\"."
+ ),
+
 {NULL}
 };
@@ -1916,6 +1928,8 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
 dir->send_expect_header = default_send_expect_header;
+ dir->force_https_rewrites = default_force_https_rewrites;
+
 return dir;
 }
@@ -2187,6 +2201,11 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
 add_cfg->send_expect_header : base_cfg->send_expect_header);
+ new_cfg->force_https_rewrites =
+ (add_cfg->force_https_rewrites != default_force_https_rewrites ?
+ add_cfg->force_https_rewrites :
+ base_cfg->force_https_rewrites);
+
 return new_cfg;
 }
diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c
index b23b4b0..51e26fc 100644
--- a/auth_mellon_diagnostics.c
+++ b/auth_mellon_diagnostics.c
@@ -664,6 +664,10 @@ am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg,
 "%sMellonECPSendIDPList (ecp_send_idplist): %s\n", indent(level+1), CFG_VALUE(cfg, ecp_send_idplist) ? "On":"Off");
+ apr_file_printf(diag_cfg->fd,
+ "%sMellonForceHttpsUrlRewrites (force_https_rewrites): %s\n",
+ indent(level+1), CFG_VALUE(cfg, force_https_rewrites) ? "On":"Off");
+
 for (n_items = 0; cfg->redirect_domains[n_items] != NULL; n_items++);
 apr_file_printf(diag_cfg->fd, "%sMellonRedirectDomains (redirect_domains): %d items\n",
diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
index e77a472..30028fb 100644
--- a/mod_auth_mellon.c
+++ b/mod_auth_mellon.c
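Review bot: In the `auth_mellon_dir_merge` hunk, the merge `add_cfg->force_https_rewrites != default_force_https_rewrites ? add : base` treats an explicit `MellonForceHttpsUrlRewrites Off` in a child scope as "not set", because Off is also the default, so a child location cannot switch the rewrite back off once a parent scope turned it on. This mirrors the adjacent send_expect_header merge, so it is the module's existing convention rather than something this commit introduces, but for a directive that changes every URL Apache generates it is worth stating. A tri-state slot (unset/on/off) filled by a small setter instead of `ap_set_flag_slot` in the AP_INIT_FLAG hunk would let Off override, or at minimum add above the merge `/* Off is also the default, so a child scope cannot override a parent's On. */`. `auth_mellon_dir_merge` starts outside the hunk.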
@@ -205,6 +205,13 @@ static int am_create_request(request_rec *r)
 }
+static const char *am_http_scheme(const request_rec *r)
+{
+ am_dir_cfg_rec *d = am_get_dir_cfg(r);
+ return d->force_https_rewrites ? "https" : NULL;
+}
+
+
 static void register_hooks(apr_pool_t *p)
 {
 /* Our handler needs to run before mod_proxy so that it can properly
@@ -218,6 +225,7 @@ static void register_hooks(apr_pool_t *p)
 ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
 ap_hook_child_init(am_child_init, NULL, NULL, APR_HOOK_MIDDLE);
 ap_hook_create_request(am_create_request, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_http_scheme(am_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
 /* Add the hook to handle requests to the mod_auth_mellon endpoint.
 *
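Review bot: `am_http_scheme` dereferences the result of `am_get_dir_cfg(r)` unconditionally, and since `ap_hook_http_scheme` registers it for every request on the server — not only locations mellon protects — any request for which that helper could return NULL (its body is not in the hunk) would fault inside a hook that URL construction and redirect generation call; a guard `if (d == NULL) return NULL;` keeps the hook declining safely. The function also has no comment stating its contract; I would add `/* http_scheme hook: report "https" where MellonForceHttpsUrlRewrites is On so URLs Apache builds behind a TLS-terminating proxy use it; NULL lets core/mod_ssl decide. */`. Presumably the port in those URLs still comes from Apache's separate default_port hook, so a backend listening on a non-standard port may still get that port appended — worth confirming and noting in the README. In the second hunk, `register_hooks` starts and ends outside the hunk.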