Bug 60558

Summary: %{HTTPS} and %{REQUEST_SCHEME} sometimes inconsistent
Product: Apache httpd-2 Reporter: Ulrich Schwarz <schwarz>
Component: mod_rewriteAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: minor CC: schwarz, szg0000
Priority: P2    
Version: 2.4.25   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: minimal httpd configuration to exhibit bug

Description Ulrich Schwarz 2017-01-06 12:08:22 UTC
Created attachment 34598 [details]
minimal httpd configuration to exhibit bug

With the attached example.conf, I get situations where the variable %{HTTPS} is "on", but the variable %{REQUEST_SCHEME} is "http", not "https".

To reproduce:
bin/httpd -f example.conf
(please provide dummy certificate pair; you may also need to LoadModule your MPM of choice)

wget --no-check-certificate --server-response -O- http://localhost
Location: [...]?port=80&scheme=http&https=off
as expected, while
wget --no-check-certificate --server-response -O- https://localhost
Location: [...]?port=443&scheme=http&https=on

If disabling UseCanonicalPhysicalPort, you get port=80 in the second case as well. A simple workaround is to not use %{REQUEST_SCHEME} at all but instead set  an environment variable by inspecting %{HTTPS} and use that.

(I realize that having a single VirtualHost definition for ports 80 and 443 in the way shown here probably only works by accident, not design, but it does that from at least 2.2.3 up to 2.4.25 and provides the much-desired possibility to avoid duplicating the entire content of the definition. Still, I guess "we will make that use-case fail" would "fix" it.)