Location header https rewrite is too broad #5807
Comments
Maybe the simplest solution is to revert #5574 and accept any extra http->https redirects.
Hi! I'm Træfiker 🤖 the bot in charge of communication regulation. Thanks for your interest in Traefik! Issue templates help us help you by providing all necessary information. Please edit your issue and use the available templates: And remember: each time someone ignores the template, a cute little bunny dies.
Hi @keesverruijt! We're not sure what you mean 🤔 Do you mean that when a port is specified, the HTTP->HTTPS rewrite should NOT be done? Or that it should and it isn't? Thanks in advance :)
@keesverruijt I have opened issue unrolled/secure#61 for this issue, and will submit a PR shortly. Once merged, we will update the dependency here, and will link back to this issue.
@Ullaakut yes, when a port is specified the rewrite should not be done. @dtomcej has understood my points correctly in his issue unrolled/secure#61.
Closed by #5835.
Closed by #5857.
Can we get a new release of 1.7.. I've wasted almost 2 days because of this bug.
Thanks.
Bug
Traefik change #5574 rewrites HTTP to HTTPS whenever it finds an HTTP scheme and Traefik is running in SSL mode. This is too broad; it should only apply this when the URL is under the control of the Traefik server and contains no port number.
What did you do?
Backend returned an HTTP 302 redirect to Traefik with a Location header that refers to an external website that is available only on HTTP, not HTTPS, and Traefik is running in SSL mode.
What did you expect to see?
Unchanged Location header, as the URL is outside the span of control of my Traefik server.
What did you see instead?
Traefik change #5574 makes it rewrite the Location header if Traefik is running in SSL mode and the URL in the header is not HTTPS.
What this was supposed to fix
The change was meant to reduce the number of redirects so that the HTTP client immediately receives an HTTPS location.
For example, if the Location header contains
it correctly rewrites this to
What the change broke as collateral damage
If the Location header contains a port, it should not do the rewrite (or know which port to substitute.) For example, the following should not be rewritten:
It should also not rewrite the header if the URL refers to a different server altogether:
as there may not be an https server at other.company.site.
Output of traefik version: (What version of Traefik are you using?)
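The narrower rule this issue asks for (upgrade the scheme only when the Location URL points at the host the client requested and carries no explicit port), as an added Go example that is not part of the original issue and is not Traefik's or unrolled/secure's code. The names rewriteLocation and reqHost and the host app.example.test are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// rewriteLocation is a hypothetical helper, not Traefik's implementation.
// It upgrades a Location value from http to https only when the URL targets
// the host the client asked for and has no explicit port.
// reqHost is assumed to be the Host header of the original request.
func rewriteLocation(location, reqHost string) string {
	u, err := url.Parse(location)
	if err != nil || !strings.EqualFold(u.Scheme, "http") {
		return location // unparsable, relative, or not http: leave untouched
	}
	if u.Port() != "" {
		return location // explicit port: the matching https port is unknown
	}
	// Compare host names only; the request Host may itself carry a port.
	want := reqHost
	if h, _, err := net.SplitHostPort(reqHost); err == nil {
		want = h
	}
	if !strings.EqualFold(u.Hostname(), want) {
		return location // different server: it may not serve https at all
	}
	u.Scheme = "https"
	return u.String()
}

func main() {
	// Constructed sample values; app.example.test is a placeholder host.
	for _, loc := range []string{
		"http://app.example.test/login",
		"http://app.example.test:8080/login",
		"http://other.company.site/page",
		"/relative/path",
	} {
		fmt.Printf("%-38s -> %s\n", loc, rewriteLocation(loc, "app.example.test"))
	}
}
```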