impact of Google Chrome "HTTPS upgrades" on slow http login urls
50 views
Skip to first unread message
Pascal Rigaux
Nov 7, 2023, 7:18:04 AM11/7/23
to cas-...@apereo.org
Hi,
Google Chrome has started trying https when asked http URLs : https://blog.chromium.org/2023/08/towards-https-by-default.html
What is not clearly mentioned is the fallback on http: it will also happen if the https response is too slow (3 seconds).
This impacted an application here that works on both https&http :
https://cas/login?service=http://foo/
-> 302 http://foo/?ticket=XXX
# Chrome tries https
https://foo/?ticket=XXX
-> the app calls serviceValidate with ticket=XXX
-> the app also computes many slow things
-> after 3s, Chrome aborts (you will see HTTP 499 in server logs)
# Chrome retries in http
http://foo/?ticket=XXX
-> the app calls serviceValidate with ticket=XXX
-> which fails
In our cases, we did not really want the application to use http.
The pb was due to a http/https rev-proxy in front of a http application.
Correctly forcing the application to generate https service urls (*) fixes the issue.
cu
(*) with "SetEnv HTTPS on" for the Drupal
Google Chrome has started trying https when asked http URLs : https://blog.chromium.org/2023/08/towards-https-by-default.html
What is not clearly mentioned is the fallback on http: it will also happen if the https response is too slow (3 seconds).
This impacted an application here that works on both https&http :
https://cas/login?service=http://foo/
-> 302 http://foo/?ticket=XXX
# Chrome tries https
https://foo/?ticket=XXX
-> the app calls serviceValidate with ticket=XXX
-> the app also computes many slow things
-> after 3s, Chrome aborts (you will see HTTP 499 in server logs)
# Chrome retries in http
http://foo/?ticket=XXX
-> the app calls serviceValidate with ticket=XXX
-> which fails
In our cases, we did not really want the application to use http.
The pb was due to a http/https rev-proxy in front of a http application.
Correctly forcing the application to generate https service urls (*) fixes the issue.
cu
(*) with "SetEnv HTTPS on" for the Drupal
Ray Bon
Nov 7, 2023, 12:46:12 PM11/7/23
to cas-...@apereo.org
Pascal,
Are you saying that cas redirects to http://foo... and chrome changes the protocol to
https://foo... ?
And then it only waits 3s for a response???
That sounds like stupid chrome behaviour (but not unexpected).
When serviceValidate is called, it has to be called from
https://foo...
Are you sure there was no redirect to cas between the two tries (the ST would be different)?
Simplest solution would be to configure your foo web server to change any http into https.
Ray
On Tue, 2023-11-07 at 12:44 +0100, 'Pascal Rigaux' via CAS Community wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f688aa1c-0475-49be-b490-c6fdf05b2950%40univ-paris1.fr.
Reply all
Reply to author
Forward
0 new messages