[Bug 63357] New: Allowing generated URLs to be relative

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63357

            Bug ID: 63357
           Summary: Allowing generated URLs to be relative
           Product: Apache httpd-2
           Version: 2.4-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: All
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Various parts of httpd currently generate the Location response header and
other links as absolute URLs, even when the input (e.g., in a Redirect
directive) is a relative URL, using a call to ap_construct_url().

This can cause operational difficulties for the site if it's deployed with a
reverse proxy or CDN in front of it.

E.g., if the outward-facing site is www.example.com and the origin has a
separate name, origin.example.com, the reverse proxy/CDN will need to rewrite
Location headers and other generated URLs to match the outward-facing site.

RFC7231 specified that relative URLs are allowed in the Location header,
recognising that this was universally supported:

  https://httpwg.org/specs/rfc7231.html#header.location

So, it would be very helpful if Apache were to allow these URLs to be generated
as relative, rather than forcing them to be absolute. This would avoid not only
configuration problems when sitting behind a CDN or reverse proxy, but also
avoid the need to rewrite headers, allowing the site to be served more
efficiently.

If changing behaviour is a concern, this could be put behind a configuration
option, although the default should be to allow relative URLs.

AFAICT the affected modules are:

- mod_dav - Location generation in dav_created()
- mod_alias - Location generation in translate_alias_redir() and fixup_redir()
- mod_dir - Location generation in fixup_dir() x2
- mod_imagemap - image map generation in imap_url() x2
- mod_speling - Location generation in check_speling()

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

[Bug 63357] Allowing generated URLs to be relative

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63357

Jack <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #1 from Jack <[hidden email]> ---
I would like to BUMP this issue. It makes Apache useless as an application
reverse proxy behind say, a corporate reverse proxy.

The solution as follows is at best a hack:
RedirectMatch 301 ^/$ "/cx/"
Header edit Location "(^http[s]?://)([a-zA-Z0-9\.\-]+)(:\d+)?/" "/"

If we configure a redirect to /foo then Apache should not be changing this to a
URI since it reveals an internal domain to an external client which is
unreachable.

https://stackoverflow.com/questions/57993786/apache-httpd-adding-full-hostname-to-redirect-we-want-only-path
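
As an added example (not part of the thread or of httpd), the Python sketch below applies comment #1's catch-all pattern and a host-scoped alternative to constructed Location values, then resolves each result the way a client of www.example.com would. The host-scoped function, `INTERNAL_HOSTS` and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Catch-all pattern from comment #1 (Header edit Location ... "/").
CATCH_ALL = re.compile(r"(^http[s]?://)([a-zA-Z0-9\.\-]+)(:\d+)?/")

# Assumed origin names that must never reach a client (constructed).
INTERNAL_HOSTS = {"origin.example.com"}


def strip_any_host(location: str) -> str:
    """Comment #1's edit: drop scheme, host and port from any absolute URL."""
    return CATCH_ALL.sub("/", location, count=1)


def strip_internal_host(location: str) -> str:
    """Narrower edit: go relative only when the URL names an internal origin."""
    parts = urlsplit(location)
    if (parts.hostname or "").lower() not in INTERNAL_HOSTS:
        return location  # already relative, or a deliberate off-site redirect
    relative = parts.path or "/"
    if parts.query:
        relative += "?" + parts.query
    if parts.fragment:
        relative += "#" + parts.fragment
    return relative


def client_target(request_url: str, location: str) -> str:
    """Resolve Location against the URL the client requested (RFC 7231, 7.1.2)."""
    return urljoin(request_url, location)


# Constructed sample Location values as the origin might emit them.
SAMPLES = [
    "http://origin.example.com:8080/cx/",    # generated from Redirect ... "/cx/"
    "/cx/",                                  # already relative
    "https://login.example.net/sso?next=/",  # intended off-site redirect
]

if __name__ == "__main__":
    for loc in SAMPLES:
        for fix in (strip_any_host, strip_internal_host):
            out = fix(loc)
            print(f"{fix.__name__:20} {loc!r} -> {out!r} -> "
                  f"{client_target('https://www.example.com/', out)}")
```

The catch-all edit also turns the off-site redirect into a path on the public site, while the host-scoped version leaves it alone and still hides the origin name.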

[Bug 63357] Allowing generated URLs to be relative

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63357

--- Comment #2 from [hidden email] ---
Bump. Being able to have Apache return relative URLs in the http response
Location header would make it much easier to test http client code.

[Bug 63357] Allowing generated URLs to be relative

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63357

--- Comment #3 from [hidden email] ---
nginx supports a flag for relative redirect Location URLs.

There is an nginx directive absolute_redirect available from nginx version
1.11.8, which is enabled by default.
If disabled, redirects issued by nginx will be relative.

 absolute_redirect off;
