On 07.01.2017 at 23:53, Yann Ylavic wrote:
On Sat, Jan 7, 2017 at 11:25 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
On 07.01.2017 at 22:53, Yann Ylavic wrote:
Wouldn't something like this work?
RewriteEngine on
RewriteCond %{ENV:remoteip-proxy-ip-list} .
RewriteCond %{HTTP:X-TLS-Offloading} ^true$
RewriteRule ^ - [E=HTTPS:on,E=REQUEST_SCHEME:https]
That wouldn't work anyway, both variables will be overridden later
when the env is constructed.
Given that remoteip-proxy-ip-list is filled by mod_remoteip if (and
only if) RemoteIPInternalProxy matches
currently not, because nothing provides "X-TLS-Offloading", which is the
reason for adding both parties to this conversation
OK, that's a prerequisite in any case..
such global rewrite rules are not very appealing, while the intention of getting
this handled by mod_remoteip is that for the admin this would be the
central place to deal with backend servers with a proxy in front
Admittedly.
it is handled perfectly for REMOTE_ADDR, where for every access (deny
rules, logging, mod_security rules and within applications) you can trust
it's the client's IP and not one from your own infrastructure
Right, but HTTPS and REQUEST_SCHEME have a meaning for the httpd
server, and they refer to its *local* configuration, so overriding
them is very misleading (and does not work as mentioned above).
Thus RemoteTLSHeader cannot be something that overrides them, and the
best it could do is to unset the header if not trusted.
end-to-end encryption (one argument which came up against it) is something one
needs to consider anyway if TLS offloading comes into the mix, and the
connection between proxy and backend needs to be 100% trusted, but it's a
great way to spread the load of generating dynamic content and encryption to
different machines, and it should be 100% transparent to the application
From the above, the app would have to rely on the (un)defined
RemoteTLSHeader instead of HTTPS/REQUEST_SCHEME, so it can't be as
transparent as you'd like...
A new mod_remoteip feature for what you could do with mod_rewrite or
mod_headers is less appealing then.
ok, so we need to continue with the code below and set the option in every
TLS-offloaded application - the intention of this thread was maybe to get this
transparent, which seems not to be possible
if(!empty($cms_tls_offload)) // set in the application's config when a TLS-offloading proxy is in front
{
$_SERVER['REQUEST_SCHEME'] = 'https';
$_SERVER['HTTPS'] = 'on';
}
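The per-application block above trusts a static config flag. An added example (not code from the thread or from httpd) of the alternative Yann describes, trusting the "X-TLS-Offloading" header only when the request came through a trusted proxy, and ignoring it otherwise. It assumes the `remoteip-proxy-ip-list` environment variable set by mod_remoteip when RemoteIPInternalProxy matches (as stated in the thread) is visible to PHP under that same key in `$_SERVER`, and it carries a fallback CIDR check of REMOTE_ADDR for backends that run without mod_remoteip; the function names, the `$trustedProxies` list and the sample addresses are constructed for the example.

```php
<?php
// Added example: derive HTTPS / REQUEST_SCHEME from the X-TLS-Offloading
// header, but only when httpd itself is behind a proxy we trust.
//
// Trust is established by either of:
//  1. $_SERVER['remoteip-proxy-ip-list'] being non-empty. The thread states
//     mod_remoteip fills this env var if (and only if) RemoteIPInternalProxy
//     matched; that it shows up under this exact $_SERVER key is an assumption.
//  2. REMOTE_ADDR lying inside one of $trustedProxies. This only makes sense
//     without mod_remoteip, because mod_remoteip rewrites REMOTE_ADDR to the
//     real client address before PHP sees it.

// True when $ip is inside $cidr ("10.0.0.0/8", "fd00::/8") or equals a bare
// address ("192.168.1.10"). Works for IPv4 and IPv6 via inet_pton().
function ipInCidr(string $ip, string $cidr): bool
{
    $ipBin = inet_pton($ip);
    if ($ipBin === false) {
        return false;
    }
    if (strpos($cidr, '/') === false) {
        return $ipBin === inet_pton($cidr);
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $netBin = inet_pton($net);
    if ($netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // address family mismatch or unparsable network
    }
    $bits      = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Returns true only if the request reached us through a trusted proxy AND
// that proxy reported "X-TLS-Offloading: true". A header from any other
// source is ignored, which is the "unset if not trusted" behaviour from
// the thread expressed on the application side.
function requestIsTlsOffloaded(array $server, array $trustedProxies): bool
{
    $viaTrustedProxy = !empty($server['remoteip-proxy-ip-list']);

    if (!$viaTrustedProxy && isset($server['REMOTE_ADDR'])) {
        foreach ($trustedProxies as $cidr) {
            if (ipInCidr($server['REMOTE_ADDR'], $cidr)) {
                $viaTrustedProxy = true;
                break;
            }
        }
    }

    if (!$viaTrustedProxy) {
        return false;
    }

    $hdr = $server['HTTP_X_TLS_OFFLOADING'] ?? '';
    return strtolower(trim($hdr)) === 'true';
}

// Drop-in replacement for the $cms_tls_offload block: the decision now
// depends on who is talking to httpd, not on a static config flag.
$trustedProxies = ['10.0.0.0/8', '192.168.1.10']; // constructed sample values
if (requestIsTlsOffloaded($_SERVER, $trustedProxies)) {
    $_SERVER['REQUEST_SCHEME'] = 'https';
    $_SERVER['HTTPS'] = 'on';
}
```

This only holds if the offloading proxy always sets or overwrites "X-TLS-Offloading" on every forwarded request; a proxy that passes client-supplied headers through unchanged lets any client on the trusted path inject the header, and then neither this check nor a mod_headers rule on the backend can tell the difference.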