Bug 56131 - ProxyPassReverse / zealously replaces Location headers
Summary: ProxyPassReverse / zealously replaces Location headers
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy (show other bugs)
Version: 2.4-HEAD
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-12 18:02 UTC by Igor Galić
Modified: 2014-02-16 08:17 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Igor Galić 2014-02-12 18:02:29 UTC
When using the following pattern to configure a reverse proxy in 2.4:

Listen 8080
ServerName proxy.local
ProxyPass / http://backend.local:9090/
<Location />
  ProxyPassReverse /
</Location>

a pattern that worked well under 2.2, and made sure the bogus Location headers would be fixed up, 2.4 will now replace *all* Location headers with http://proxy.local:8080/ -- that is not the desired effect, when the backend sent correct Location: headers such as:

Location: http://example.com/foo


to redirect to a third-party system.
Comment 1 Igor Galić 2014-02-12 18:05:02 UTC
please see also  https://gist.github.com/igalic/8960285                    https://gist.github.com/igalic/8960741 where I attempt to reproduce this for 2.2 and 2.4 respectively (+ the backend: https://gist.github.com/igalic/8960145 )
Comment 2 Igor Galić 2014-02-12 18:09:11 UTC
addendum: If we simply use   ProxyPassReverse http://backend.local:9090/ we don't get the fix-up of the Location: /redirect.html
It still produces "correcter" results, in that it doesn't override the example.com URL… Still, I'd consider this a regression.
Comment 3 Eric Covener 2014-02-12 18:39:53 UTC
2.2 won't apply / to any Location: header that doesn't start with /.

2.4 goes out of its way to strip the scheme and host from the Location: before checking that it starts-with, so it matches more often.

r893871 and r893955 and PR38864