Support

Admin Tools

#31476 Change htaccess for Varnish cache (Too many redirects)

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Friday, 26 July 2019 17:17 CDT

Tuesday, 25 June 2019 12:17 CDT

WoodyF4u
Hi,
Today I tried to enable Varnish cache in my DirectAdmin panel.
After that my website was gone and I saw a message "Too many redirects".
It is a known issue and the support of my hosting company helped to fix it.
This is what I had to change in the gtaccess file:

Find:
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} =http

and replace it with:
RewriteCond %{HTTPS} !=on [NC]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
SetEnvIf X-Forwarded-Proto "https" HTTPS=on


So that was what I did manually,.
But when I start the htaccess maker in AdminTools and save the file, it overwrites the change I made manually in the htaccess file.
So where can I add these lines of code in the htaccess maker, so it will kept when I save the htaccess maker again?
Best regards,
Wouter (WoodyF4u)
Edited by WoodyF4u on 2019-06-25 12:21 CDT

Tuesday, 25 June 2019 13:19 CDT

nicholas
I believe you could add 
SetEnvIf X-Forwarded-Proto "https" HTTPS=on

in the "Custom .htaccess rules at the top of the file". Otherwise you have to edit your .htaccess file every time you regenerate it.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 25 June 2019 13:33 CDT

WoodyF4u
Hi, I tried your suggestion.
But I saw that it will not be totally on top of the file.
After saving the message of Too many redirects is back and in the gtaccess file I see that the Custom Rules is below the line that have to be overruled.
Can You explain that?
##### HTTP to HTTPS redirection
## Since you have enabled HSTS the first redirection rule will instruct the browser to visit the HTTPS version of your
## site. This prevents unsafe redirections through HTTP.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://vabs.nl%{REQUEST_URI} [L,R=301]

##### Custom Rules (Top of File) -- BEGIN
RewriteCond %{HTTPS} !=on [NC]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
SetEnvIf X-Forwarded-Proto "https" HTTPS=on
##### Custom Rules (Top of File) -- END

When I change the order of these blocks manually in the file, the site is back.
Best regards,
Wouter (WoodyF4u)
Edited by WoodyF4u on 2019-06-25 13:33 CDT

Wednesday, 26 June 2019 01:40 CDT

nicholas
Well, that's what I thought would happen, as I explained in the closing paragraph of my previous post. We cannot let you add stuff to the .htaccess file before the HSTS block since that would allow bypass of HTTPS in some cases which can be used for a successful cookie-stealing attack. That was a real issue that we fixed a few months ago. This is why the rules at the top of the file are added just below the rules which enforce HTTPS for all requests. We cannot reverse that decision, it creates an unsafe situation. Between making a change that addresses one broken hosts but puts hundreds of thousands of other sites at risk and keeping a change that requires you to manually edit your file but keeps hundreds of thousands of other sites safe I will choose the latter any day of the week, hands down, without any regret whatsoever.

The problem seems to be your host. They are not sending X-Forwarded-Proto at all for HTTP requests. This is wrong. Your host needs to fix it. I don't know what kind of SSL terminator they use in front of Varnish (I'd guess NginX) so I can't tell you what to tell them. If it's NginX they have two configuration blocks, one for HTTPS and one for HTTP. They need to edit the "location /" block in both places and add proxy_set_header X-Forwarded-Proto https; to the HTTPS one and proxy_set_header X-Forwarded-Proto http; to the plain HTTP one. This fixes the issue.

Meanwhile, you will have to edit the file by hand every time you generate it.

You may wonder why not change
RewriteCond %{HTTP:X-Forwarded-Proto} =http

with
RewriteCond %{HTTP:X-Forwarded-Proto} !https

It's because the latter allows spoofing of the HTTP header on hosts which do not use a cache or proxy in front of them, putting them at risk.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 26 June 2019 01:58 CDT

WoodyF4u
Hi nNicholas,
Thanks for your reply and technical ecplanation.
I can understand your choice for the ordering of the rules in the htaccess file.
I will copy your reply to my host, so they can fixed it.
If it id okay for you I will keep yhis ticket open for a couple of days.
Maybe the host has specific questions. Then I can post that here.
Best regards,
Wouter (WoodyF4u)

Wednesday, 26 June 2019 05:10 CDT

nicholas
All right! If they give you more details about their stack (SSL terminator, any Varnish configuration we should know about and which X-Forwarded-Proto header is added when) I can see if I can do something more :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 26 June 2019 13:38 CDT

WoodyF4u
Hi Nicholas,
This is a translation of the reply of my hosting company:
Why is this unsafe?

The 3 rules are nessesary for a header from Varnish (X-Forwarded-Proto) so it will be used before the HTTPS header.

So Apache will think it is loaded over HTTPS, while the internal communication between Apache and Varnish at the webserver is HTTP.

That is a restriction in Varnish.


For now I have to edit the rules in the htaccess file manually to get this block of rules:
##### Custom Rules (Top of File) -- BEGIN
RewriteCond %{HTTPS} !=on [NC]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
SetEnvIf X-Forwarded-Proto "https" HTTPS=on
##### Custom Rules (Top of File) -- END

above this block of rules:
##### HTTP to HTTPS redirection
## Since you have enabled HSTS the first redirection rule will instruct the browser to visit the HTTPS version of your
## site. This prevents unsafe redirections through HTTP.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://vabs.nl%{REQUEST_URI} [L,R=301]

otherwise I receive the error "Too many redirects" in my browser.

At the moment the hosting company doen't understand why it is unsafe as you wrote here.
Can you help me to explain it?
Best regards,
Wouter (WoodyF4u)

Wednesday, 26 June 2019 14:25 CDT

nicholas
I think something got lost in the translation.

If you are behind a proxy which sets the X-Forwarded-Proto HTTP header either rule set works fine.

However! Admin Tools is not written for your site or your host only. It's not even written only for sites which are behind a proxy. The overwhelming majority (think 95%+) of sites using Admin Tools DO NOT use a proxy AT ALL.

The way I've written my rule the site will have to be served by HTTPS. It cannot be manipulated and the site remains sage.

The rule set your host wrote allows attackers to send the HTTP header X-Forwarded-Proto set to "http" in the request. This makes Apache think that everything runs under HTTPS when it's not. As a result Joomla! thinks it's running under HTTPS and will happily serve HTTPS-only cookies to an unsecured connection. Therefore an attacker can use this for a connection downgrade attack and impersonate you as long as they can trick you to click a malicious link.

Again, this attack won't work on your particular host or any host behind a reverse proxy because the X-Forwarded-Proto header is guaranteed to be coming from a trusted source and, besides, there's an SSL terminator in front of the proxy which is in front of the web server, making a downgrade attack a moot point. It would work on the overwhelming majority of our clients, though. My job is to protect the many, not please the special one-off case to the detriment of the many. So, you have no choice but to be editing your .htaccess every time since your host doesn't understand why what they are doing is suboptimal and don't want to fix it.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 26 July 2019 17:17 CDT

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
Edited by on 2019-07-26 17:17 CDT

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!