Bug 56131

Summary: ProxyPassReverse / zealously replaces Location headers
Product: Apache httpd-2 Reporter: Igor Galić <i.galic>
Component: mod_proxyAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal CC: apache
Priority: P2    
Version: 2.4-HEAD   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Igor Galić 2014-02-12 18:02:29 UTC
When using the following pattern to configure a reverse proxy in 2.4:

Listen 8080
ServerName proxy.local
ProxyPass / http://backend.local:9090/
<Location />
  ProxyPassReverse /

a pattern that worked well under 2.2, and made sure the bogus Location headers would be fixed up, 2.4 will now replace *all* Location headers with http://proxy.local:8080/ -- that is not the desired effect, when the backend sent correct Location: headers such as:

Location: http://example.com/foo

to redirect to a third-party system.
Comment 1 Igor Galić 2014-02-12 18:05:02 UTC
please see also  https://gist.github.com/igalic/8960285                    https://gist.github.com/igalic/8960741 where I attempt to reproduce this for 2.2 and 2.4 respectively (+ the backend: https://gist.github.com/igalic/8960145 )
Comment 2 Igor Galić 2014-02-12 18:09:11 UTC
addendum: If we simply use   ProxyPassReverse http://backend.local:9090/ we don't get the fix-up of the Location: /redirect.html
It still produces "correcter" results, in that it doesn't override the example.com URL… Still, I'd consider this a regression.
Comment 3 Eric Covener 2014-02-12 18:39:53 UTC
2.2 won't apply / to any Location: header that doesn't start with /.

2.4 goes out of its way to strip the scheme and host from the Location: before checking that it starts-with, so it matches more often.

r893871 and r893955 and PR38864