63357 – Allowing generated URLs to be relative

Bug 63357 - Allowing generated URLs to be relative

Summary: Allowing generated URLs to be relative

Status:	NEW

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	All (show other bugs)
Version:	2.4-HEAD
Hardware:	All All

Importance:	P2 normal with 3 votes (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-04-17 04:12 UTC by Mark Nottingham
Modified:	2021-06-02 15:44 UTC (History)
CC List:	2 users (show)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Nottingham 2019-04-17 04:12:30 UTC

Various parts of httpd currently generate the Location response header and other links as absolute URLs, even when the input (e.g., in a Redirect directive) is a relative URL, using a call to ap_construct_url().

This can cause operational difficulties for the site if it's deployed with a reverse proxy or CDN in front of it. 

E.g., if the outward-facing site is www.example.com and the origin has a separate name, origin.example.com, the reverse proxy/CDN will need to rewrite Location headers and other generated URLs to match the outward-facing site.

RFC7231 specified that relative URLs are allowed in the Location header, recognising that this was universally supported:

  https://httpwg.org/specs/rfc7231.html#header.location

So, it would be very helpful if Apache were to allow these URLs to be generated as relative, rather than forcing them to be absolute. This would avoid not only configuration problems when sitting behind a CDN or reverse proxy, but also avoid the need to rewrite headers, allowing the site to be served more efficiently.

If changing behaviour is a concern, this could be put behind a configuration option, although the default should be to allow relative URLs.

AFAICT the affected modules are:

- mod_dav - Location generation in dav_created()
- mod_alias - Location generation in translate_alias_redir() and fixup_redir()
- mod_dir - Location generation in fixup_dir() x2
- mod_imagemap - image map generation in imap_url() x2
- mod_speling - Location generation in check_speling()

Comment 1 Jack 2019-09-20 06:09:08 UTC

I would like to BUMP this issue. It makes Apache useless as an application reverse proxy behind say, a corporate reverse proxy.

The solution as follows is at best a hack:
RedirectMatch 301 ^/$ "/cx/"
Header edit Location "(^http[s]?://)([a-zA-Z0-9\.\-]+)(:\d+)?/" "/"

If we configure a redirect to /foo then Apache should not be changing this to a URI since it reveals an internal domain to an external client which is unreachable.

https://stackoverflow.com/questions/57993786/apache-httpd-adding-full-hostname-to-redirect-we-want-only-path

Comment 2 galt 2020-08-29 09:01:34 UTC

Bump. Being able to use have Apache return relative URLs in the http response Location header would make it much easier to test http client code.

Comment 3 galt 2020-08-29 09:04:00 UTC

nginx supports a flag for relative redirect Location URLs.

There is an nginx directive absolute_redirect available from nginx version 1.11.8, which is enabled by default. 
If disabled, redirects issued by nginx will be relative. 

 absolute_redirect off;