Bug 61430 - mod_proxy_fcgi is not RFC 3875 compliant (section 6.2.2 Local Redirect Response)
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_fcgi
Version: 2.4.27
Hardware: PC Linux
Importance: P2 normal with 3 votes
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2017-08-16 21:54 UTC by Stefan Seidel
Modified: 2018-08-05 01:58 UTC

Description Stefan Seidel 2017-08-16 21:54:02 UTC
Section 6.2.2 of the CGI Spec says (in a nutshell):

If the application sends a Location: header and a Status Code 200 header, then the webserver should serve the file specified by the Location header as if the client had requested the file.

Interestingly, it seems like mod_proxy_scgi has this implemented, at least I found some references to the Location header in the source code.

mod_fastcgi had this implemented.
Comment 1 Stefan Seidel 2017-08-17 13:23:26 UTC
Sorry, my previous comment wasn't completely correct. I'll try again:

If the script sends a "Location:" header with a local path (i.e. starting with /, not with a protocol), *then* the web server should interpret and fulfil this request as if the client had requested the file specified by the "Location:" header.

The code in mod_proxy_scgi which I suspect does the same is:
https://fossies.org/dox/httpd-2.4.27/mod__proxy__scgi_8c_source.html#l00422

And here is the respective bug report which was fixed (after some years) by lighttpd:
https://redmine.lighttpd.net/issues/2108
Comment 2 John Wellesz 2018-08-05 01:58:11 UTC
Just to add that with PHP-FPM + mod_FastCGI one could use this local internal redirection feature doing something like this:

<?php
header("Location: /triop.gif", true, 200);
?>

Then the reply would be direct, without 30x client redirection, just as if triop.gif had been directly requested... This is very useful to hide the URI of downloaded files, for example.

Here is a link to the CGI RFC section 6.2.2:

https://tools.ietf.org/html/rfc3875#section-6.2.2
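
As an added example (not part of this report and not taken from httpd's source), the C function below classifies a script's response into the four RFC 3875 section 6.2 kinds, so the local-redirect case discussed in this bug can be told apart from a client redirect. The enum names, the `strict` flag and the lenient rule (other fields tolerated, Status absent or 200) are assumptions of this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h> /* strncasecmp (POSIX) */

/* Response kinds of RFC 3875 section 6.2; the names are this example's own. */
enum cgi_kind { CGI_INVALID, CGI_DOCUMENT, CGI_LOCAL_REDIRECT,
                CGI_CLIENT_REDIRECT, CGI_CLIENT_REDIRECT_DOC };

/* RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":". */
static int has_scheme(const char *v)
{
    if (!isalpha((unsigned char)*v)) return 0;
    while (isalnum((unsigned char)*v) || *v == '+' || *v == '-' || *v == '.') v++;
    return *v == ':';
}

/* Classify a script response (header lines end in LF or CRLF, a blank line
 * ends them). strict != 0 applies 6.2.2 literally: Location alone, no body.
 * strict == 0 is a lenient assumption: other fields allowed, Status absent or 200. */
enum cgi_kind classify_cgi_response(const char *hdrs, int strict)
{
    const char *loc = NULL, *p = hdrs;
    int fields = 0, has_ctype = 0, status = 0, has_body;

    for (size_t len; (len = strcspn(p, "\r\n")) > 0; ) {
        fields++;
        if (strncasecmp(p, "Location:", 9) == 0)
            loc = p + 9 + strspn(p + 9, " \t");
        else if (strncasecmp(p, "Status:", 7) == 0)
            status = atoi(p + 7);
        else if (strncasecmp(p, "Content-Type:", 13) == 0)
            has_ctype = 1;
        p += len;
        if (*p == '\r') p++;
        if (*p == '\n') p++;
    }
    has_body = p[strspn(p, "\r\n")] != '\0';  /* anything after the blank line */
    if (!loc) return has_ctype ? CGI_DOCUMENT : CGI_INVALID;        /* 6.2.1 */
    if (loc[0] == '/')                                              /* 6.2.2 */
        return (strict ? (fields == 1 && !has_body) : (status == 0 || status == 200))
                   ? CGI_LOCAL_REDIRECT : CGI_INVALID;
    if (!has_scheme(loc)) return CGI_INVALID; /* not a path, not an absolute URI */
    if (status == 0 && !has_ctype && !has_body) return CGI_CLIENT_REDIRECT; /* 6.2.3 */
    if (status >= 300 && status < 400 && has_ctype)   /* 6.2.4: 302 or another 3xx */
        return CGI_CLIENT_REDIRECT_DOC;
    return CGI_INVALID;
}
```

A gateway that acts on `CGI_LOCAL_REDIRECT` still has to run the target path through its normal access checks, since the response is served as if the client had requested it, and it has to bound the redirect depth; httpd's `LimitInternalRecursion` directive covers the latter.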