Pound rewrites "Location" header after logon
Hello all
Is anyone using Pound as part of a load-balancing setup? We're experiencing a strange problem that happens during the logon sequence.
For HTTP requests, we have a load balancer running HAProxy that passes client requests to one of our Apache/PHP servers.
For HTTPS requests, we have Pound listening on port 443, which translates requests to plain HTTP, passes them to HAProxy and thence to the application servers.
We have "loginhttps" set to true, so all login requests are secured. But after users log in, they are redirected to an HTTPS address. Because Moodle has absolute URLs referencing CSS and images (using $CFG->wwwroot), the user receives a partially-encrypted page. On IE8, especially, this generates a confusing dialog:

The "correct" answer is "No". Clicking "Yes" breaks CSS and images.
It doesn't seem like Moodle is the cause. When a user requests a resource on the Moodle server that requires a login, they are redirected to /login/index.php over TLS. The address of the original request is stored in a session variable called "wantsurl".
Once a user is authenticated, their browser is redirected with a "303 See Other" header, followed by a "Location:" header containing the value of "wantsurl". I've logged this value on the application server, and it is always plain HTTP.
However, when I check the headers received by the browser, the Location field has been rewritten:
HTTP/1.1 303 See Other
Date: Fri, 11 Sep 2009 12:11:54 GMT
Server: Apache
X-Powered-By: PHP
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://moodle.lse.ac.uk/course/view.php?id=305
Content-Length: 220
Connection: close
Content-Type: text/html
Has anyone else encountered this, and has anyone discovered a solution?
Re: Pound rewrites "Location" header after logon
Replying to my own post seems a bit daft, but I needed to set RewriteLocation 0 in Pound's configuration. From the man pages:
- RewriteLocation 0|1|2
- If 1 force Pound to change the Location: and Content-location: headers in responses. If they point to the back-end itself or to the listener (but with the wrong protocol) the response will be changed to show the virtual host in the request. Default: 1 (active). If the value is set to 2 only the back-end address is compared; this is useful for redirecting a request to an HTTPS listener on the same server as the HTTP listener.
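The man-page rule quoted above, modelled in Python as an added example (not Pound's code and not part of the original post), shows why the plain-HTTP "wantsurl" redirect reaches the browser as HTTPS under the default setting and passes through unchanged with 0. Assumptions: hosts are matched as strings, and 10.0.0.10 is a placeholder back-end address.

```python
from urllib.parse import urlsplit, urlunsplit

def rewrite_location(mode, location, request_host, listener_scheme,
                     listener_hosts, backend_hosts):
    """Model of the quoted RewriteLocation text (assumption: hosts are
    compared as strings; a real proxy compares resolved addresses)."""
    if mode not in (0, 1, 2):
        raise ValueError("RewriteLocation takes 0, 1 or 2")
    parts = urlsplit(location)
    if mode == 0 or not parts.scheme or not parts.hostname:
        return location  # rewriting disabled, or relative URL: nothing to compare
    host = parts.hostname.lower()
    to_backend = host in backend_hosts
    to_listener_wrong_proto = (host in listener_hosts
                               and parts.scheme != listener_scheme)
    # Mode 2 compares the back-end address only; mode 1 also checks the listener.
    if not (to_backend or (mode == 1 and to_listener_wrong_proto)):
        return location
    # Rewritten responses show the virtual host of the request on the listener.
    return urlunsplit((listener_scheme, request_host,
                       parts.path, parts.query, parts.fragment))

# Constructed sample based on the thread: Moodle emits a plain-HTTP wantsurl
# and the request arrived on the HTTPS listener. 10.0.0.10 is a placeholder
# back-end address, not a value from the post.
APP_LOCATION = "http://moodle.lse.ac.uk/course/view.php?id=305"
SETUP = dict(request_host="moodle.lse.ac.uk", listener_scheme="https",
             listener_hosts={"moodle.lse.ac.uk"}, backend_hosts={"10.0.0.10"})

def seen_by_browser(mode, location=APP_LOCATION):
    """Location value the client receives for a given RewriteLocation mode."""
    return rewrite_location(mode, location, **SETUP)

if __name__ == "__main__":
    for mode in (0, 1, 2):
        print(mode, seen_by_browser(mode))
    print(2, seen_by_browser(2, "http://10.0.0.10/login/index.php"))
```

With mode 2 the redirect to the public host is left alone, but a redirect that leaks the back-end address is still mapped back to the virtual host.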
Re: Pound rewrites "Location" header after logon
I am having the same or similar problem.
But it has nothing to do with Pound.
I am using loginhttps, which means that only the login page begins with https, but my theme contains references to two images that start with
$CFG->wwwroot
which starts with http. Hence the students' browsers give a message that says "do you want to download the unsecure contents"; the correct answer is yes. It does not really matter if they click no. But it is going to confuse a lot of students.
The solution?
- Get rid of images from my theme? I will do this for the time being.
- The theme serves a special content for the homepage using
"if ($home)"
Is there a function "if ($loginpage)"?
It might be nice if there were one.
- Otherwise I can use (using other people's hacks)
if (stristr($_SERVER['SCRIPT_FILENAME']."X", "login/index.phpX"))
to find out if I am on the login page.
- However, even then I will have to (preg)replace the "http" in $CFG->wwwroot with
"https" and create a temporary variable $tempwwwroot
Or is there an easier way?
Tim
Re: Pound rewrites "Location" header after logon
Easy fix I believe:
<?php echo $CFG->httpswwwroot.'/theme/'.current_theme() ?>/image.jpg
instead of:
<?php echo "$CFG->wwwroot/theme/$CFG->theme/image.jpg" ?>
for more info see here.