in https mod a httpd redirection to wrong url

[ghassanius]

Scenario is an ec2 instance that contains httpd as reverse proxy linked to okta openid connect. It is working as expected when the connection is through http instead of https, but when using https with aws's certificate manager it authenticates successfully against okta when connecting to https://example.io but then redirects to https://example.io:80/ which eventually fails to resolve. (should be https://example.io)

Below is the httpd configuration, not sure what is missing there.

<VirtualHost *:80>
RequestHeader set X-Forwarded-Proto "https" early
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://localhost:9000/
ProxyPassReverse / http://localhost:9000/

ErrorLog /var/log/oidc/error.log
CustomLog /var/log/oidc/access.log combined

OIDCProviderMetadataURL https://EXAMPLE.okta.com/.well-known/openid-configuration
OIDCClientID EXAMPLE_ID
OIDCClientSecret EXAMPLE_PASS
OIDCRedirectURI https://example.io/_codexch
OIDCCryptoPassphrase EXAMPLE_PASS
OIDCJWKSRefreshInterval 3600
OIDCPassClaimsAs both

<Location />
    AuthType openid-connect
    Require valid-user
</Location>
</VirtualHost>

Any idea what is missing there? Many thanks in advance!

[zandbelt]

you also need:

RequestHeader set X-Forwarded-Port "443" early

or alternatively drop ProxyPreserveHost On and use:

RequestHeader set X-Forwarded-Host "example.io:443" early

see also:
https://github.com/zmartzone/mod_auth_openidc/wiki#8-how-do-i-run-mod_auth_openidc-behind-a-reverse-proxy
and remember to set OIDCXForwardedHeaders for recent versions of the module

[ghassanius]

Magical! thanks Zandbelt that's what I was looking for