cgi https value not passing properly


Randy Johnson

Jul 29, 2024, 5:16:08 PM
to mod_cfml
Hello,

Today I installed NGINX and Lucee on Linux using the Lucee installer from lucee.org.  I followed the directions here:

https://viviotech.github.io/mod_cfml/install-nginx.html

surrounding the `$cgi_https` variable.  

I have the tomcat valve installed using https://viviotech.github.io/mod_cfml/install-valve-lin.html.

I use the lucee and lucee-proxy files specified in the docs here https://viviotech.github.io/mod_cfml/install-nginx.html

No errors, the site is working fine.

But when I dump the CGI scope https is set to off.

If I dump the headers using `<cfdump var="#GetHttpRequestData()#">`

I do see the headers.https variable set to 'on'

I added a custom log format to verify that the $scheme is definitely https

Any idea on why the cgi variables are not being set despite the headers being set properly?

Thanks,

Randy

Jordan Michaels

Jul 29, 2024, 5:44:56 PM
to mod_cfml
Hi Randy,

The CGI variables don't show an HTTPS connection because the request was proxied from NGINX to Tomcat over an unsecured HTTP connection rather than HTTPS. It is a local connection in most circumstances so it's not a security risk. So, the CGI variable is correct that the immediate connection that was used was a simple HTTP connection.

To adjust for this different environment you could either modify the application code to check the additional header in addition to the CGI value, or I believe Tomcat provides some valves that will inject additional HTTPS headers into the proxied request headers if you want to keep your code portable between environments.

Example Tomcat valve:
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/SSLValve.html

... however, I don't recall ever using those valves myself. Either way, you're not the first person to encounter this and solutions do exist.

You could install an SSL certificate on Tomcat and proxy over the HTTPS connection if you wanted to, but that'd kind of be a waste of CPU cycles IMO and you would also have the opposite issue of always getting a HTTPS connection in your CGI variables regardless of whether the original request was HTTP or HTTPS. So... personally I would just check for the extra headers if you want to verify SSL was used.

Headers are kind of an untamed beast in the HTTP world IMO. I have been working in the industry for decades now and I just recently learned that there's no official way (that I have found) for a server to communicate its maximum request size to a client. I ended up using a custom response header in an OPTIONS request. The Internet is how old again? How is this still a thing?? lol

Anyway, hope this helps. =)

-Jordan
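To make the valve option concrete, here is an added example; it is not from this thread, from the mod_cfml install docs, or from Tomcat's shipped server.xml. Of the two Tomcat valves, RemoteIpValve is the one that rewrites the request's secure flag, scheme and server port from a forwarded-protocol header (which is what Lucee's cgi.https reflects); SSLValve only copies client-certificate and cipher details out of headers into request attributes. The fragment assumes NGINX runs on the same host as Tomcat and that the location block proxying to Tomcat contains `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. Because `$scheme` is NGINX's own view of the client connection, a client-supplied X-Forwarded-Proto header is overwritten rather than relayed.

```xml
<!-- Added example, not part of the thread or the mod_cfml docs.
     Drop this Valve inside the <Engine> or <Host> element of Tomcat's
     conf/server.xml, next to the mod_cfml valve already installed there.
     Assumes NGINX is on the same machine and sets X-Forwarded-Proto from
     $scheme and X-Forwarded-For from $proxy_add_x_forwarded_for. -->

<!-- internalProxies is a regex over the immediate peer address. The
     X-Forwarded-* headers are honoured only when the TCP peer matches it;
     a request that reaches the Tomcat connector from any other address
     keeps its plain-HTTP values, so nobody can spoof cgi.https = on by
     adding the header themselves. If NGINX lives on another host, add that
     host's address here instead of widening it to a whole range. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1|::1"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443" />
```

After a Tomcat restart, a request that reached NGINX over TLS dumps cgi.https as on, and cgi.server_port changes to the httpsServerPort value rather than the proxied connector's port; cgi.remote_addr becomes the real client address instead of the proxy's. To confirm the trust boundary is doing its job, send a request carrying `X-Forwarded-Proto: https` directly to the Tomcat HTTP connector from a machine whose address is not in internalProxies: cgi.https should stay off, because the valve ignores forwarded headers from an unlisted peer. If application code checks the header itself instead, it needs the same peer-address check before believing it.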

Brad Wood

Jul 29, 2024, 6:40:36 PM
to mod_...@googlegroups.com
Lucee server's cgi.https variable is based on the result of the isSecure() method from the HttpServletRequest. If you are using CommandBox to run Lucee, you can actually enable the useProxyForwardedIP settings

server set web.useProxyForwardedIP=true

if you are behind a trusted proxy server.  Then, set the standard HTTP "X-Forwarded-Proto" HTTP header inside NGINX to the value "HTTPS" for requests that came in over SSL.  CommandBox will enable the Undertow handler (ForwardedHandler) that looks for headers such as X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto and use those values directly.  This will actually cause your CGI scope to reflect the values from the forwarded headers. 

I cover all this and show examples in my screencast here:

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 



--
You received this message because you are subscribed to the Google Groups "mod_cfml" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mod_cfml+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mod_cfml/3b6f5861-9375-40cd-9053-27c41fc847e7n%40googlegroups.com.

Randy Johnson

Jul 30, 2024, 11:08:37 AM
to mod_...@googlegroups.com
Thanks Guys.

The unsecure Tomcat connection makes sense based on the other CGI variables. Given that the information shows in the headers I can easily change out the few places we rely on that.

I will also give ModCFML a whirl with CommandBox. I seem to remember setting that up a while ago, perhaps right after it was available.

Cheers,

Randy
