From a147f5349d33b27b6eeac3279cba289c952ee835 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Mon, 8 Jan 2018 10:53:32 +0000
Subject: [PATCH] Don't send relative redirect URLs when behind a reverse proxy
---
 CHANGELOG | 6 ++++++
 IkiWiki/CGI.pm | 2 +-
 doc/bugs/cgi_redirecting_to_non-https_URL.mdwn | 10 +++++-----
 t/relativity.t | 3 ---
 4 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 1456810e0..0ffbd4579 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,9 @@
+ikiwiki (3.20180106) UNRELEASED; urgency=medium
+
+ * core: Don't send relative redirect URLs when behind a reverse proxy
+
+ -- Simon McVittie Mon, 08 Jan 2018 10:51:10 +0000
+
 ikiwiki (3.20180105) upstream; urgency=medium
 * emailauth: Fix cookie problem when user is on https and the cgiurl
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index 64f5c6b8c..2c5b4a84d 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -91,7 +91,7 @@ sub redirect ($$) {
 my $q=shift;
 eval q{use URI};
- my $topurl;
+ my $topurl = $config{cgiurl};
 if (defined $q && ! $config{w3mmode} && ! $config{reverse_proxy}) {
 $topurl = $q->url;
 }
diff --git a/doc/bugs/cgi_redirecting_to_non-https_URL.mdwn b/doc/bugs/cgi_redirecting_to_non-https_URL.mdwn
index 58b4a0137..02c04900f 100644
--- a/doc/bugs/cgi_redirecting_to_non-https_URL.mdwn
+++ b/doc/bugs/cgi_redirecting_to_non-https_URL.mdwn
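Review bot: In `redirect` (IkiWiki/CGI.pm), the new default `my $topurl = $config{cgiurl};` is used whenever the following `if` is skipped, so it covers `w3mmode` and an undefined `$q` as well as `reverse_proxy`; that is wider than the commit subject says and nothing at the assignment explains it. A comment there would record the intent, for example `# Fallback base when the request URL cannot be used (reverse proxy, w3mmode, no $q): the configured cgiurl.` The redirect can only become absolute if `cgiurl` is itself a full URL with a scheme, so it is worth confirming what happens when `cgiurl` is unset or scheme-relative; this is hedged because the rest of `redirect`, where `$topurl` is consumed, lies outside the hunk. The diffstat shows t/relativity.t only losing three lines, so the w3mmode and no-`$q` paths appear to pick up the new default without a test of their own.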
@@ -42,11 +42,11 @@ that so as to have the path for letsencrypt negotiation not redirected.-- [[User
 > Is the connection between nginx and lighttpd http or https?
 >
 > I think this is maybe a bug in `IkiWiki::redirect` when used in conjunction with
-> `reverse_proxy: 1`. I've added a failing test case marked as TODO to `t/relativity.t`,
-> although I haven't been able to fix the bug yet. The bug I found is that when marked
-> as behind a reverse proxy, `IkiWiki::redirect` sends `Location: /foo/bar/`, which
-> your backend web server might be misinterpreting. It should send
-> `Location: https://redacted/foo/bar/` instead.
+> `reverse_proxy: 1`: when marked as behind a reverse proxy,
+> `IkiWiki::redirect` sent `Location: /phd/foo/bar/`, which your backend web
+> server might be misinterpreting. ikiwiki git master now sends
+> `Location: https://redacted/phd/foo/bar/` instead: does that resolve this
+> for you?
 >
 > Assuming nginx has a reasonable level of configuration, you can redirect http to https
 > for the entire server except `/.well-known/acme-challenge/` as a good way to bootstrap
diff --git a/t/relativity.t b/t/relativity.t
index 3fd55375a..1dda19687 100755
--- a/t/relativity.t
+++ b/t/relativity.t
@@ -403,10 +403,7 @@ sub test_site6_behind_reverse_proxy {
 like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
 like($bits{basehref}, qr{^(?:(?:https:)?//example\.com)?/wiki/$});
 like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$});
- TODO: {
- local $TODO = "https://ikiwiki.info/bugs/cgi_redirecting_to_non-https_URL/";
 check_goto(qr{^https://example\.com/wiki/a/b/c/$}, HTTP_HOST => 'localhost');
- }
 # previewing a page
 %bits = parse_cgi_content(run_cgi(is_preview => 1, HTTP_HOST => 'localhost'));