Fix mod_auth_mellon failures behind SSL terminating reverse proxy server #128

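--- a/README.md
+++ b/README.md
@@ -634,6 +634,20 @@ MellonDiagnosticsEnable Off
 # Default: rsa-sha256
 # MellonSignatureMethod
 
+# Force all generated URLs to be using HTTPS, not HTTP, regardless of the detected
+# inbound protocol. This is really useful if mod_auth_mellon is running on a server which
+# has an SSL reverse proxy sitting in front of it. Because the SSL connection terminates
+# at the proxy, Apache needs to be explicitly told "yes, this is really HTTPS, even though
+# you can't detect it".
+#
+# Note: This configuration variable is NOT "force use of HTTPS to my server for inbound
+# connections". That can be done in a variety of ways with the base Apache configuration.
+# This directive only deals with the case where Apache can't autodetect the scheme used
+# by the client correctly.
+#
+# Default: Off
+# MellonForceHttpsUrlRewrites On
+
 </Location>
 ```
 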
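--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -334,6 +334,9 @@ typedef struct am_dir_cfg_rec {
 /* Send Expect Header. */
 int send_expect_header;
 
+/* Whether to force conversion of generated HTTP URLs to HTTPS */
+int force_https_rewrites;
+
 } am_dir_cfg_rec;
 
 /* Bitmask for PAOS service options */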
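--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -118,6 +118,9 @@ static const int default_enabled_invalidation_session = 0;
 */
 static const int default_send_expect_header = 1;
 
+/* By default, do not force HTTP URLs to be rewritten to be HTTPS. */
+static const int default_force_https_rewrites = 0;
+
 /* This function handles configuration directives which set a
 * multivalued string slot in the module configuration (the destination
 * strucure is a hash).
@@ -1805,6 +1808,15 @@ const command_rec auth_mellon_commands[] = {
 "Send the Expect Header. Default is 'on'."
 ),
 
+AP_INIT_FLAG(
+"MellonForceHttpsUrlRewrites",
+ap_set_flag_slot,
+(void *)APR_OFFSETOF(am_dir_cfg_rec, force_https_rewrites),
+OR_AUTHCFG,
+"Whether to force conversion of generated HTTP URLs to HTTPS [on|off]"
+" Default value is \"off\"."
+),
+
 {NULL}
 };
 
@@ -1916,6 +1928,8 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
 
 dir->send_expect_header = default_send_expect_header;
 
+dir->force_https_rewrites = default_force_https_rewrites;
+
 return dir;
 }
 
@@ -2187,6 +2201,11 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
 add_cfg->send_expect_header :
 base_cfg->send_expect_header);
 
+new_cfg->force_https_rewrites =
+(add_cfg->force_https_rewrites != default_force_https_rewrites ?
+add_cfg->force_https_rewrites :
+base_cfg->force_https_rewrites);
+
 return new_cfg;
 }
 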
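Review bot: The merge in auth_mellon_dir_merge, `new_cfg->force_https_rewrites = (add_cfg->force_https_rewrites != default_force_https_rewrites ? ... : base_cfg->force_https_rewrites)`, cannot distinguish an explicit `MellonForceHttpsUrlRewrites Off` in a nested Location/Directory from "not set", because both are 0, so a child scope can never switch the rewrite back off once a parent enables it. It mirrors the existing send_expect_header pattern, so it is consistent with the file, but for a directive that changes the scheme of every URL the module generates (and therefore the ACS/metadata URLs the IdP must match) a silently inherited On is hard to diagnose. The usual fix is a tri-state sentinel: `static const int default_force_https_rewrites = -1;` for "unset", keep the merge as written, and treat the flag as enabled only when it `== 1` at the points of use (the http_scheme hook and the diagnostics printf live in other files, so those checks would need the same change). Each merged function here starts and ends outside the hunk.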
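--- a/auth_mellon_diagnostics.c
+++ b/auth_mellon_diagnostics.c
@@ -664,6 +664,10 @@ am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg,
 "%sMellonECPSendIDPList (ecp_send_idplist): %s\n",
 indent(level+1), CFG_VALUE(cfg, ecp_send_idplist) ? "On":"Off");
 
+apr_file_printf(diag_cfg->fd,
+"%sMellonForceHttpsUrlRewrites (force_https_rewrites): %s\n",
+indent(level+1), CFG_VALUE(cfg, force_https_rewrites) ? "On":"Off");
+
 for (n_items = 0; cfg->redirect_domains[n_items] != NULL; n_items++);
 apr_file_printf(diag_cfg->fd,
 "%sMellonRedirectDomains (redirect_domains): %d items\n",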
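--- a/mod_auth_mellon.c
+++ b/mod_auth_mellon.c
@@ -205,6 +205,13 @@ static int am_create_request(request_rec *r)
 }
 
 
+static const char *am_http_scheme(const request_rec *r)
+{
+am_dir_cfg_rec *d = am_get_dir_cfg(r);
+return d->force_https_rewrites ? "https" : NULL;
+}
+
+
 static void register_hooks(apr_pool_t *p)
 {
 /* Our handler needs to run before mod_proxy so that it can properly
@@ -218,6 +225,7 @@ static void register_hooks(apr_pool_t *p)
 ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
 ap_hook_child_init(am_child_init, NULL, NULL, APR_HOOK_MIDDLE);
 ap_hook_create_request(am_create_request, NULL, NULL, APR_HOOK_MIDDLE);
+ap_hook_http_scheme(am_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
 
 /* Add the hook to handle requests to the mod_auth_mellon endpoint.
 *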
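Review bot: am_http_scheme overrides the scheme but nothing overrides the default port, so URLs built through ap_construct_url() can come out as `https://host:443/...` rather than `https://host/...` when the server port resolves to 443 (ap_is_default_port() asks the default_port hook, which still answers 80 without mod_ssl); whether that case arises depends on ServerName/UseCanonicalName, which this hunk does not show. For SAML that is not cosmetic: the AssertionConsumerService and metadata URLs Mellon generates must match what the IdP has registered exactly, and an explicit :443 breaks that comparison. I would register a companion hook next to the new one, `ap_hook_default_port(am_default_port, NULL, NULL, APR_HOOK_MIDDLE);`, returning 443 under the same flag and 0 (decline) otherwise so mod_ssl and the core default keep working; register_hooks continues outside the hunk. Worth a comment on am_http_scheme too: the override applies to every request whose per-directory config carries the flag, not only to Mellon-protected ones, since ap_http_scheme() is consulted by other modules as well.
```c
/* Companion to am_http_scheme: without it, ap_is_default_port() would still
 * treat 80 as the default and leave an explicit :443 in generated URLs.
 * Returning 0 declines, letting mod_ssl or the core default decide. */
static apr_port_t am_default_port(const request_rec *r)
{
    am_dir_cfg_rec *d = am_get_dir_cfg(r);
    return d->force_https_rewrites ? DEFAULT_HTTPS_PORT : 0;
}

/* … unchanged: register_hooks up to the create_request hook … */
    ap_hook_http_scheme(am_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_default_port(am_default_port, NULL, NULL, APR_HOOK_MIDDLE);
```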