HTTPS URI recognition
"Gaël de Villeblanche" <gaeldevilleblanche(at)gmail.com>
2008-07-24 15:36:11
Hi,

I configured Pound like this:

ListenHTTPS
            Address 0.0.0.0
            Port 443
            Cert "/pound/V243/certificates/local.server.pem"
            xHTTP 2
            RewriteLocation 2

            Service
                URL ".*"
                BackEnd
                        Address xxx.xxx.xxx.xxx
                        Port 80
                End
            End
End



For each hit on my web application, an extraction in the HTTP header is made
in order to get the called URI and to check if it is known by the system or
not. If not, the user can't enter the web application; access is denied.
Don't mind the relevance of this check, I am just simplifying the
explanation...

And here is my problem: when I call "https://web-application.intranet.fr" in
my browser, the identified URL passed by Pound is
"http://web-application.intranet.fr". So my application denies access
because it knows the HTTPS URI but not the HTTP one.

What did I do wrong? Is there a parameter in the configuration to set to get
the right recognition of my URL in the HTTP headers? I tried to set a value
for RewriteDestination, but it didn't resolve my problem...

Any help would be appreciated,

Best regards,

Gaël de Villeblanche

Re: HTTPS URI recognition
"Gaël de Villeblanche" <gaeldevilleblanche(at)gmail.com>
2008-07-25 14:30:24
By doing some tests I got a list of the parameters in the header:

DOCUMENT_ROOT : /var/www/html
GATEWAY_INTERFACE : CGI/1.1
HTTP_ACCEPT : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_CHARSET : ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_ENCODING : gzip,deflate
HTTP_ACCEPT_LANGUAGE : fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
HTTP_CACHE_CONTROL : no-cache
HTTP_CONNECTION : keep-alive
HTTP_HOST : web-application.intranet.fr:445
HTTP_KEEP_ALIVE : 300
HTTP_PRAGMA : no-cache
HTTP_USER_AGENT : Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
HTTP_X_FORWARDED_FOR : xxx.xxx.xxx.xxx
HTTP_X_SSL_CERTIFICATE : -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----
HTTP_X_SSL_CIPHER : AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
HTTP_X_SSL_ISSUER : C = FR, ST = IdF, L = Paris, O = Bull, OU = Plaque IdF, CN = ca_martial, emailAddress = ca_martial(at)siv02.org
HTTP_X_SSL_NOTAFTER : Apr 22 14:30:53 2009 GMT
HTTP_X_SSL_NOTBEFORE : Apr 22 14:30:53 2008 GMT
HTTP_X_SSL_SERIAL : 2
HTTP_X_SSL_SUBJECT : C = FR, ST = IdF, O = Bull, OU = Plaque IdF, CN = xxxx, emailAddress = xxx(at)siv2
PATH : /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin
QUERY_STRING :
REMOTE_ADDR : 129.181.20.13
REMOTE_PORT : 46805
REQUEST_METHOD : GET
REQUEST_URI : /cgi/headers.cgi
SCRIPT_FILENAME : /var/www/html/cgi/headers.cgi
SCRIPT_NAME : /cgi/headers.cgi
SERVER_ADDR : xxx.xxx.xxx.xxx
SERVER_ADMIN : root(at)localhost
SERVER_NAME : web-application.intranet.fr
SERVER_PORT : 445
SERVER_PROTOCOL : HTTP/1.1
SERVER_SIGNATURE : Apache/2.0.52 (Red Hat) Server at siv-vabf-part.interieur.gouv.fr Port 445
SERVER_SOFTWARE : Apache/2.0.52 (Red Hat)



It seems that SERVER_PROTOCOL is not overwritten. That's why my Java
application rebuilds the requested URL with the wrong protocol (it should be
HTTPS).

Here is the implementation of the method used on the Java side:

    public static StringBuffer getRequestURL(HttpServletRequest req) {
        StringBuffer url = new StringBuffer();
        String scheme = req.getScheme();
        int port = req.getServerPort();
        String urlPath = req.getRequestURI();

        //String servletPath = req.getServletPath ();
        //String pathInfo = req.getPathInfo ();

        url.append(scheme); // http, https (SERVER_PROTOCOL)
        url.append("://");
        url.append(req.getServerName()); // (SERVER_NAME)
        if ((scheme.equals("http") && port != 80)
                || (scheme.equals("https") && port != 443)) {
            url.append(':');
            url.append(req.getServerPort()); // (SERVER_PORT)
        }
        //if (servletPath != null)
        //    url.append (servletPath);
        //if (pathInfo != null)
        //    url.append (pathInfo);
        url.append(urlPath); // (REQUEST_URI)
        return url;
    }


Is there a solution to get the right value for SERVER_PROTOCOL?


2008/7/24 Gaël de Villeblanche <gaeldevilleblanche(at)gmail.com>
[...]

[...]
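
Added example, not part of the original thread or of Pound: one way a back end behind a TLS-terminating proxy can rebuild the client-facing URL for the check described above, honouring a proxy-set scheme header only when the request arrives from the proxy itself. The `X-Forwarded-Proto` header name, the proxy address 192.0.2.10 and the class and method names are assumptions; it presumes the proxy is configured to strip any client-supplied copy of that header and add its own.

```java
import java.util.Map;
import java.util.Set;

public class ExternalUrl {
    // Assumption: address of the proxy host as seen by the back end (constructed value).
    static final Set<String> TRUSTED_PROXIES = Set.of("192.0.2.10");
    // Assumption: header the proxy is configured to add; keys in the map are lower-cased.
    static final String PROTO_HEADER = "x-forwarded-proto";

    /** Scheme the client used: the header is honoured only when the direct peer is the proxy. */
    static String externalScheme(String containerScheme, String remoteAddr,
                                 Map<String, String> headers) {
        String fwd = headers.get(PROTO_HEADER);
        if (fwd != null && TRUSTED_PROXIES.contains(remoteAddr)) {
            fwd = fwd.trim();
            if (fwd.equalsIgnoreCase("https")) return "https";
            if (fwd.equalsIgnoreCase("http")) return "http";
        }
        // Direct hit on the back end, or an unexpected value: ignore the header.
        return containerScheme;
    }

    /** Same reconstruction as getRequestURL above, fed with the client-facing scheme and port. */
    static String externalUrl(String scheme, String host, int port, String uri) {
        StringBuilder url = new StringBuilder(scheme).append("://").append(host);
        boolean defaultPort = (scheme.equals("http") && port == 80)
                || (scheme.equals("https") && port == 443);
        if (!defaultPort) {
            url.append(':').append(port);
        }
        return url.append(uri).toString();
    }

    public static void main(String[] args) {
        Map<String, String> headers = Map.of(PROTO_HEADER, "https"); // constructed sample
        String host = "web-application.intranet.fr";

        // Relayed by the proxy (listener port 443 on the page): header trusted.
        String viaProxy = externalScheme("http", "192.0.2.10", headers);
        System.out.println(externalUrl(viaProxy, host, 443, "/cgi/headers.cgi"));

        // Same header from a client that reached the back end directly: header ignored.
        String direct = externalScheme("http", "198.51.100.7", headers);
        System.out.println(externalUrl(direct, host, 80, "/cgi/headers.cgi"));
    }
}
```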