Discussion:
[Exist-open] Insecure redirect?
Martin Holmes
2017-04-18 18:55:22 UTC
Hi all,

If I type a URL like this in my browser:

https://myexistapp.uvic.ca/exist/apps/dashboard/

with explicit https, but without specifying the index.html file, I get
redirected here:

http://myexistapp.uvic.ca/exist/apps/dashboard/index.html

In other words, the connection is redirected from secure to insecure.
This is a bit risky -- you can easily forget you're on an insecure
connection and send admin passwords in the clear. I can't figure out
where this is happening; the controller for the dashboard XAR has this:

else if ($exist:path = "/") then
    (: forward root path to index.xql :)
    <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
    {
        if (request:get-uri() eq "/exist/apps/dashboard/" and
            request:get-header("X-Forwarded-URI") eq "/apps/dashboard/")
        then
            <redirect url="/apps/dashboard/index.html"/>
        else
            <redirect url="index.html"/>
    }
    </dispatch>

but I don't see how that would be switching https to http. Can anyone
shed light on this?

Cheers,
Martin
Dannes Wessels
2017-04-18 19:18:53 UTC
Please could you check with curl what is happening? Do you have a reverse proxy in front?

curl -kiv https://myexistapp.uvic.ca/exist/apps/dashboard/
Martin Holmes
2017-04-18 20:42:22 UTC
We do have Apache in front of Jetty. This is the curl response:

curl -kiv https://myexistapp.uvic.ca/apps/dashboard/
* Trying xxx.xxx.xxx.xxx...
* Connected to xxx.xxx.xxx.xxx (c) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 698 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: *.uvic.ca (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=CA,ST=British Columbia,L=Victoria,O=University of
Victoria,CN=*.uvic.ca
* start date: Tue, 12 May 2015 16:31:05 GMT
* expire date: Sat, 23 Jun 2018 17:45:04 GMT
* issuer: C=BE,O=GlobalSign nv-sa,CN=GlobalSign Organization
Validation CA - SHA256 - G2
* compression: NULL
* ALPN, server did not agree to a protocol
GET /apps/dashboard/ HTTP/1.1
Host: myexistapp.uvic.ca
User-Agent: curl/7.47.0
Accept: */*
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Date: Tue, 18 Apr 2017 20:19:13 GMT
Date: Tue, 18 Apr 2017 20:19:13 GMT
< Server: Jetty(9.3.9.v20160517)
Server: Jetty(9.3.9.v20160517)
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: http://myexistapp.uvic.ca/apps/dashboard/index.html
Location: http://myexistapp.uvic.ca/apps/dashboard/index.html
< Content-Length: 0
Content-Length: 0
< Set-Cookie: JSESSIONID=1la5w9rb2zxxxxxxxxxxxxxzu;Path=/
Set-Cookie: JSESSIONID=1la5w9rb2zxxxxxxxxxxxxxzu;Path=/
< Content-Type: text/plain
Content-Type: text/plain
< Set-Cookie: [...]; path=/
Set-Cookie: [...]; path=/

<
* Connection #0 to host myexistapp.uvic.ca left intact

I can't tell from this whether the issue is caused by Apache or not, but
it happens identically on our main server setup and also on my local
machine when I run eXist behind Apache. Apache is always talking to
eXist on port 8080; I see nothing in the virtual host definition that
looks like it would cause a switch to http.

Cheers,
Martin
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
https://lists.sourceforge.net/lists/listinfo/exist-open
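As an added check for the trace above (not code from the thread, from eXist or from the dashboard app), the following Python pulls the Location header out of the captured response, resolves it the way a browser would, and flags the https-to-http downgrade. The `backend_absolute_location` function models one plausible mechanism that the thread does not confirm and is assumed here: a servlet container behind a proxy turning the controller's relative `index.html` redirect into an absolute URL using the scheme of its own connection from Apache (plain http on 8080) unless it is configured to honour an `X-Forwarded-Proto` header from the proxy.

```python
"""Detect an https -> http redirect downgrade in a captured HTTP response.

Added check for the thread above; not eXist or dashboard code. The header
block is a constructed copy of the curl trace (cookie headers left out).
"""
from urllib.parse import urljoin, urlsplit

CAPTURED_HEADERS = """\
HTTP/1.1 302 Found
Date: Tue, 18 Apr 2017 20:19:13 GMT
Server: Jetty(9.3.9.v20160517)
Location: http://myexistapp.uvic.ca/apps/dashboard/index.html
Content-Length: 0
"""


def location_header(raw_headers):
    """Return the Location header value, or None if the response has none."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def redirect_target(request_url, location):
    """Resolve Location against the request URL, as a browser does (it may be relative)."""
    return urljoin(request_url, location)


def is_scheme_downgrade(request_url, raw_headers):
    """True when an https request is redirected to a plain-http URL."""
    location = location_header(raw_headers)
    if location is None:
        return False
    target = redirect_target(request_url, location)
    return urlsplit(request_url).scheme == "https" and urlsplit(target).scheme == "http"


def backend_absolute_location(backend_request_url, relative_location, forwarded_proto=None):
    """Assumed model (not confirmed in the thread): a servlet container behind a
    proxy makes a relative redirect absolute using the scheme of the proxy-to-
    backend connection, unless it is told to trust X-Forwarded-Proto."""
    parts = urlsplit(urljoin(backend_request_url, relative_location))
    scheme = forwarded_proto or parts.scheme
    return parts._replace(scheme=scheme).geturl()


if __name__ == "__main__":
    backend = "http://myexistapp.uvic.ca/apps/dashboard/"  # what Jetty sees from Apache
    print("downgrade:", is_scheme_downgrade("https://myexistapp.uvic.ca/apps/dashboard/", CAPTURED_HEADERS))
    print("backend, plain:", backend_absolute_location(backend, "index.html"))
    print("backend, forwarded:", backend_absolute_location(backend, "index.html", "https"))
```

Run it against the headers of any redirecting URL behind your proxy; a `True` from `is_scheme_downgrade` is the condition Martin saw in the browser.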
Joe Wicentowski
2017-04-18 21:55:31 UTC
Hi Martin,

Which version of eXist, and Dashboard at that? On my local system
(pure eXist 3.1.1 without any reverse proxy, Dashboard 0.4.7), here's
what I see:

- requesting https://localhost:8443/exist/apps/dashboard
- returns a 302 to https://localhost:8443/exist/apps/dashboard/
- which returns another 302 to
https://localhost:8443/exist/apps/dashboard/index.html

Joe
Martin Holmes
2017-04-18 22:31:10 UTC
Thanks all.

This is eXist 3.1.1, dashboard 0.4.7. Looks like it must be something to
do with Apache, but I can't figure out what. This:

ALPN, server did not agree to a protocol

shows up in the curl output, but there doesn't seem to be anything
analogous when I look at the browser communication with the site,
monitored with Firebug; I just see 302 Found, then the request for
index.html without TLS.

If I figure it out I'll post. If anyone else has eXist proxied behind
Apache, could you try an https request to:

/exist/apps/dashboard/

and see if you see the same thing?

Cheers,
Martin
Olaf Schreck
2017-04-18 22:49:12 UTC
Post by Martin Holmes
ALPN, server did not agree to a protocol
shows up in the curl output, but there doesn't seem to be anything
analogous when I look at the browser communication with the site,
monitored with Firebug; I just see 302 Found, then the request for
index.html without TLS.
Looks like this to me:

- you seem to send HTTP/2 requests (via proxy?)
- your Apache seems to incorrectly handle HTTP/2
- TLS goes broke on that -> error, fallback to plaintext
- you end up with plain HTTP

Check your proxy logs if you have access.


Olaf
Martin Holmes
2017-04-19 00:27:26 UTC
This only happens when accessing the dashboard/ URL, though. Any other
https: url is handled perfectly, including a direct request for
dashboard/index.html.

It has to be something to do with Apache's handling of the default files
for folders.
Olaf Schreck
2017-04-18 21:46:09 UTC
Hi Martin,
Post by Martin Holmes
* ALPN, server did not agree to a protocol
Olaf