Bug 60558 - %{HTTPS} and %{REQUEST_SCHEME} sometimes inconsistent
Summary: %{HTTPS} and %{REQUEST_SCHEME} sometimes inconsistent
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_rewrite (show other bugs)
Version: 2.4.25
Hardware: PC Linux
: P2 minor (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2017-01-06 12:08 UTC by Ulrich Schwarz
Modified: 2017-03-02 11:23 UTC (History)
2 users (show)

minimal httpd configuration to exhibit bug (1.28 KB, text/plain)
2017-01-06 12:08 UTC, Ulrich Schwarz

Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Schwarz 2017-01-06 12:08:22 UTC
Created attachment 34598 [details]
minimal httpd configuration to exhibit bug

With the attached example.conf, I get situations where the variable %{HTTPS} is "on", but the variable %{REQUEST_SCHEME} is "http", not "https".

To reproduce:
bin/httpd -f example.conf
(please provide dummy certificate pair; you may also need to LoadModule your MPM of choice)

wget --no-check-certificate --server-response -O- http://localhost
Location: [...]?port=80&scheme=http&https=off
as expected, while
wget --no-check-certificate --server-response -O- https://localhost
Location: [...]?port=443&scheme=http&https=on

If disabling UseCanonicalPhysicalPort, you get port=80 in the second case as well. A simple workaround is to not use %{REQUEST_SCHEME} at all but instead set  an environment variable by inspecting %{HTTPS} and use that.

(I realize that having a single VirtualHost definition for ports 80 and 443 in the way shown here probably only works by accident, not design, but it does that from at least 2.2.3 up to 2.4.25 and provides the much-desired possibility to avoid duplicating the entire content of the definition. Still, I guess "we will make that use-case fail" would "fix" it.)