
Opened 13 years ago

Closed 10 years ago

Last modified 10 years ago

#3208 closed defect (duplicate)

Multirepository on https redirect to http

Reported by: otik@… Owned by: Jonas Borgström
Priority: normal Milestone:
Component: general Version: 0.9.5
Severity: normal Keywords:
Cc: Branch:
Release Notes:
API Changes:

Description

I'm using Trac 0.9.5 on Debian etch, apache2, mod_python, https://SERVER/. I'm using multiple repositories. When I select a repository, the Trac link https://SERVER/project redirects me to http://SERVER/project/. Then I have to rewrite http:// to https://; from this point on it works well.

Attachments (0)

Change History (11)

comment:1 by otik@…, 13 years ago

You may try it trac@printflow

comment:2 by lindig@…, 13 years ago

This is the same issue as #3207. I'd argue that tracd should have an optional config entry to hard-code the URL scheme to use to avoid the guessing done in web/api.py.

comment:3 by otik@…, 13 years ago

  • This may be good. But it is more setup and makes it harder to use; still, if it does not work without it, it is necessary.
  • Sorry, I'm not a Pythonist.
  • Why is the link in the repository list to /project instead of /project/?

comment:4 by otik@…, 13 years ago

I was surprised why addresses https://SERVER/project are rewritten to http://SERVER/project/, so

I hacked this by adding to Apache:

  RedirectMatch ^/([^/]+)$ /$1/

I'm not sure what I did. I have just followed the Apache URL rewriting example. URL rewriting

I hope that somebody will add this to help or solve it in another (normal) way.

comment:5 by Ilia Kantor, 13 years ago

Trac learns that it's using https by checking the HTTPS env variable. Actually, it is set by mod_ssl, but AFTER Trac has already finished. So it sets the scheme to http and uses it to make URLs.

The right fix would be to use "SetEnv HTTPS 1" in your CGI config or another setting of same kind in another config, so trac will read it and be happy.

PS: the bug exists in 0.10.

comment:6 by otik@…, 13 years ago

TNX, this helps (too).

Could you add this instruction to the help on how to configure apache2 to work with Trac? New users would be informed before running into problems…

comment:7 by Christian Boos, 13 years ago

Resolution: duplicate
Status: new → closed

See #2553.

comment:8 by p.labushev@…, 10 years ago

Resolution: duplicate
Status: closed → reopened

RedirectMatch magic makes things even worse - it gives you a false sense of protection instead of real protection. How it works:

  1. You start the trusted HTTPS session.
  2. You click on some unprotected URL.
  3. Your browser connects to the host over untrusted HTTP.
  4. The host gives your browser an untrusted 302 Redirect because of RedirectMatch on the server side.
  5. Then your browser connects to the host over trusted HTTPS again and gets the final content over HTTPS.

There is a possibility of a MitM attack between 3 and 4. If an attacker intercepts your request over HTTP, he/she can reply to you with whatever content over the same untrusted HTTP session instead of the expected redirection. Then, if you didn't check the location bar to make sure there's https again and the URL is correct, you've been spoofed. Of course, the browser may give you a warning before you leave the trusted HTTPS session, but the warning gives no extra safety if you still don't check the location bar later.

Besides, redirection magic and the SetEnv stuff do not work for standalone Trac with HTTPS implemented on the frontend (like nginx).

So I think the real solution (with no unofficial scripts, patches and so on) would be to enforce https:// component for every generated URL and control that behavior per project from trac.ini.

comment:9 by p.labushev@…, 10 years ago

Oh, forgot to add. The untrusted URLs appear in Timeline's entries, for example, with no regard to the base_url settings. It's a standalone Trac 0.11.2 frontended by nginx with HTTPS.

comment:10 by p.labushev@…, 10 years ago

Resolution: duplicate
Status: reopened → closed

Found use_base_url_for_redirect directive, works for me. Sorry for bothering. :)

comment:11 by Christian Boos, 10 years ago

No problem, I was about to suggest that ;-)

FTR:

Have you checked the [trac] use_base_url_for_redirect setting? (see TracIni#trac-section). Together with base_url set to https://..., I suppose this would do what you're trying to achieve.
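The scheme-guessing described in comment:5 and the downgrade it causes in comment:8, as an added illustrative model (not Trac's own web/api.py code): the `environ` dict, the config keys and the `SERVER` host are constructed assumptions that mirror the trac.ini options named in comment:11.

```python
from urllib.parse import urlsplit

# Illustrative model, not Trac's implementation: the request environment is
# the only source of the scheme unless base_url is used for redirects.

def guessed_scheme(environ):
    """Scheme guessed from the CGI/WSGI environment, as comment:5 describes.
    If no HTTPS variable is present (mod_ssl sets it too late, or a
    TLS-terminating frontend such as nginx never sets it) the guess is http."""
    if environ.get("HTTPS", "").lower() in ("on", "1", "yes"):
        return "https"
    return "http"

def redirect_location(environ, config, path):
    """Absolute Location header value for a redirect to `path`.
    `config` models the [trac] options base_url and
    use_base_url_for_redirect (assumed keys, constructed for this example)."""
    base_url = config.get("base_url")
    if base_url and config.get("use_base_url_for_redirect"):
        return base_url.rstrip("/") + path
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME")
    return "%s://%s%s" % (guessed_scheme(environ), host, path)

def downgrades(location, request_scheme="https"):
    """True when a redirect issued inside an HTTPS session sends the browser
    to plain http, the step in comment:8 where the trusted session is left."""
    return request_scheme == "https" and urlsplit(location).scheme == "http"

# Constructed request: nginx terminates TLS and proxies to standalone Trac,
# so the environment carries no HTTPS variable at all.
ENV_BEHIND_PROXY = {"HTTP_HOST": "SERVER", "wsgi.url_scheme": "http"}
# Constructed request: Apache with "SetEnv HTTPS 1" as suggested in comment:5.
ENV_SETENV = {"HTTP_HOST": "SERVER", "HTTPS": "1"}

WEAK_CONFIG = {"base_url": "https://SERVER/", "use_base_url_for_redirect": False}
FIXED_CONFIG = {"base_url": "https://SERVER/", "use_base_url_for_redirect": True}

if __name__ == "__main__":
    for name, env, cfg in (("proxy/weak", ENV_BEHIND_PROXY, WEAK_CONFIG),
                           ("proxy/fixed", ENV_BEHIND_PROXY, FIXED_CONFIG),
                           ("setenv/weak", ENV_SETENV, WEAK_CONFIG)):
        loc = redirect_location(env, cfg, "/project/")
        print(name, loc, "DOWNGRADE" if downgrades(loc) else "ok")
```

Running it shows the proxied deployment downgrading to http:// until use_base_url_for_redirect is enabled, while the SetEnv workaround only helps where Apache itself sets the variable.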
