Hello,

I try to use Drupal 5.2 on a reverse proxy. I report an issue already reported in node/63947 and /node/88599.

I have identified code issue but I am not sure what will be the consequence of modifying it.

Description
********
Drupal is installed at the following address :

http://server1.domain.com/dir/

Reverse Proxy configuration
********************

http://subdomain1.domain.com/dir/ => http://server2.domain.com/dir/
http://subdomain1.domain.com/www2/dir/ => http://server1.domain.com/dir/

Form API
*******
On the Drupal 5 Form API documentation, we can read:
Properties: #action (default: request_uri())...

What happened
************

Using the above configuration, Drupal will install properly but all action in forms using the 'default action path' are wrong. Example, for the node ?q=user, drupal will return <form action="/dir/?q=user... which not work, should be /dir/www2/?q=user in my example.

The problem is in the request_uri() function :

function request_uri() {

  if (isset($_SERVER['REQUEST_URI'])) {
    $uri = $_SERVER['REQUEST_URI'];
  }
  else {
    if (isset($_SERVER['argv'])) {
      $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['argv'][0];
    }
    else {
      $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['QUERY_STRING'];
    }
  }

  return $uri;
}

This function will not be able to get the reverse proxy configuration /www2/.

Can anyone discuss of this situation ?

Thanks

Bertrand

CommentFileSizeAuthor
#8 bootstrap.patch788 bytesBertrand_Lefort

Comments

Bertrand_Lefort’s picture

Bertrand_Lefort commented

I forgot:

The config is using
Apache/2.2.3, PHP Version 5.1.6, MySQL 4.1
Reverse proxy is Apache

Bertrand

Bertrand_Lefort’s picture

Bertrand_Lefort commented

Sorry again, the page has been cut when I have submitted it (first time I post an issue). I continue here

Using the above configuration, Drupal will install properly but all action in forms using the 'default action path' are wrong. Example, for the node ?q=user, drupal will return form action="/dir/?q=user" but the right action path should be form action ="/www2/?q=user".

The problem comes form request_uri() function. The php server variable $_SERVER['REQUEST_URI'] will not return the www2 "virtual" directory.

Can anyone discuss on this situation ?

Thanks

Bertrand

Bertrand_Lefort’s picture

Bertrand_Lefort commented
Title: Form API does not fully work with reverse proxy » system_elements

I finally found that system_elements() is the function that is udes to set up default value for forms. Am I right ?

function system_elements() {
  // Top level form
  $type['form'] = array('#method' => 'post', '#action' => request_uri());

...

Setting #action to an absolute path may correct the problem

I do not know what would be the best practice at this point.

Bertrand

Bertrand_Lefort’s picture

Bertrand_Lefort commented
Title: system_elements » Form API does not fully work with reverse proxy > request_uri

Additional info: list of entry for request_uri() function in drupal core
**************************************************

bootstrap.inc
**********

Line 467 : $cache = cache_get($base_root . request_uri(), 'cache_page');
Line 638 : function request_uri() {
Line 675 : $request_uri = $base_root . request_uri();

common.inc
*********

Line 1891 : cache_set($base_root . request_uri(), 'cache_page', $data, CACHE_TEMPORARY, drupal_get_headers());

locale.module
**********

Line 206 : db_query("INSERT INTO {locales_source} (location, source) VALUES ('%s', '%s')", request_uri(), $string);

system.module
***********
Line 58 : $type['form'] = array('#method' => 'post', '#action' => '/www2' . request_uri());
Line 601 : if (strpos(request_uri(), '?q=') !== FALSE) {

code-style.pl
**********
Line 73 : $msg = "the use of REQUEST_URI is prone to XSS exploits and does not work on IIS; use request_uri() instead";
Line 76 : $msg = "the use of REQUEST_URI is prone to XSS exploits and does not work on IIS; use request_uri() instead";

Bertrand_Lefort’s picture

Bertrand_Lefort commented
Version: 5.2 » 6.4

The bug still exist in 6.4.

I can provide links to demonstrate the problem (contact me using my e-mail address please).

I try to clarify the problem.

Imagine that you have a Drupal installation in the following directory:

dev/drupal

In a standard installation, you can reach the drupal login page at :

subdomain.domain.com/dev/drupal/user/login

In this case, the request_uri function will return:

/dev/drupal/user/login

which is correct to for the attributes action of the user login form

Using reverse proxy, we can configure domains to act differently

Example1:
Reverse Proxy configuration
www.yourdomain.com => subdomain.domain.com/dev/drupal/

If you try to reach the login page, everything is ok:
The reverse proxy received : www.yourdomain.com/user/login
The reverse proxy will send to the user the page : subdomain.domain.com/dev/drupal/user/login
In this case, the request_uri function will return /dev/drupal/user/login which is NOT correct to for the attributes action of the user login form (in this case /user/login is expected)

Example 2:
Reverse Proxy configuration
www.yourdomain1.com/www2/ => subdomain.domain.com/dev/drupal/
Note the www2 is not a directory, it is a reverse proxy rule

If you try to reach the login page, everything is ok:
The reverse proxy received : www.yourdomain.com/www2/user/login
The reverse proxy will send to the user the page : subdomain.domain.com/dev/drupal/user/login
In this case, the request_uri function will return /dev/drupal/user/login which is NOT correct to for the attributes action of the user login form. (in this case /www2/user/login is expected)

In this scenario, request_uri should be based on $base_uri (defined manually in this scenario) and the php variable $_SERVER["REQUEST_URI"]

Hope it clarify

Bertrand_Lefort’s picture

Bertrand_Lefort commented
Priority: Critical » Normal
Status: Postponed (maintainer needs more info) » Active

 

Bertrand_Lefort’s picture

Bertrand_Lefort commented
Title: Form API does not fully work with reverse proxy > request_uri » Reverse Proxy Bug with request_uri (form, stylesheet...)

The same problem occurs with css. Path are not correct with the above configuration

Bertrand_Lefort’s picture

Bertrand_Lefort commented
Title: Reverse Proxy Bug with request_uri (form, stylesheet...) » Reverse Proxy Bug - request_uri - form css links
Component: forms system » base system
Status: Active » Needs review
StatusFileSize
new bootstrap.patch788 bytes

I tested this morning this code and it works fine. The use of $_SERVER["REQUEST_URI"] is not necessary.

function request_uri() {
  global $base_url;
  $parts = parse_url($base_url);
  return $parts['path'] . "/" . $_REQUEST['q'];
}

The code works fine in two installation with and without reverse proxy. Both are under linux installations.

I add a patch (first time I make one, then if not correct, just explain why)

Bertrand_Lefort’s picture

Bertrand_Lefort commented
Version: 6.4 » 7.x-dev

The same problem exists in version 7.x-dev

Bertrand_Lefort’s picture

Bertrand_Lefort commented
Title: Reverse Proxy Bug - request_uri - form css links » Bug: request_uri using Reverse Proxy affects form submit, css and js links
Anonymous’s picture

Anonymous (not verified) commented
Status: Needs review » Needs work

The last submitted patch failed testing.

Anonymous’s picture

Anonymous (not verified) commented

subscribe

Bertrand_Lefort’s picture

Bertrand_Lefort commented
Priority: Normal » Minor
Status: Needs work » Closed (won't fix)

This problems occurs if you use a reverse proxy with ProxyPreserveHost Off or commented in your config and if you do not use virtual host on the host server.

If you want to keep you config, you will have to patch Drupal else re configure the reverse proxy to have

ProxyPreserveHost On

and create a virtual host on your server:

Exemple :


ServerName domain.com
DocumentRoot /var/www/html/http/directory/


ServerName domain.com
ProxyPreserveHost On
ProxyPass / http://servername/
ProxyPassReverse / http://servername/
CustomLog logs/current/domain.com/access.log vcombined
ErrorLog logs/current/domain.com/error.log

guignonv’s picture

guignonv
Primary language French
Location Montpellier
commented
Version: 7.x-dev » 6.9
Priority: Minor » Normal
Status: Closed (won't fix) » Reviewed & tested by the community

I tested it on the server I work on and it works fine: it fixes the forms action URL issue.

My config:
I have a "www.server.org" with a virtualhost and proxypass forwarding "/" to "www.otherserver.fr/somedir/".

Before the patch: all form actions (and maybe some other elements) where pointing to "www.server.org/somedir/..." instead of "www.server.org/...".

After the patch: I got the correct URL for form actions.

I hope this fix will be applied to newer versions of Drupal (so I won't have to patch each time I update the site).

guignonv’s picture

guignonv
Primary language French
Location Montpellier
commented

...everything is fine except update.php. I can't update drupal: I can access the first form with the "continue" button, then the second form with the "update" button" but then, it redirects me to the site home without updating.

UPDATE: appears to be fixed on drupal-6.x-dev snapshot.

gábor hojtsy’s picture

gábor hojtsy
he/him
Primary language Hungarian
Location Hungary
commented
Version: 6.9 » 7.x-dev
Status: Reviewed & tested by the community » Needs work

Well, this would need to be fixed in Drupal 7 first indeed. Also, the patch removes support for query string parameters as well as other things form request_uri(), saying outright that it is not required without more explanation.

Anonymous’s picture

Anonymous (not verified) commented

See http://drupal.org/node/244593 for a similar issue where a patch has been submitted and passed.

Liberation’s picture

Liberation commented

I had a similar problem when using Apache in forward proxy mode to a clone of my production site on localhost where I do my development and testing. I use a Firefox profile to access via the proxy and it works very neatly, however the form actions were broken as above. My fix:

function request_uri() {

  if (isset($_SERVER['REQUEST_URI'])) {
    $uri = $_SERVER['REQUEST_URI'];
    $uri = preg_replace('%^(http://|https://).*?/%', '/', $uri);
  }
  else {
...

I'd prefer to fix via Apache conf or .htaccess, but it wasn't clear to me how to do this.

arhak’s picture

arhak commented
Issue tags: +Ancient

tag

damien tournoud’s picture

damien tournoud commented
Issue tags: -Ancient

Marked #244593: Document how to configure Drupal for reverse proxies as a duplicate.

arhak’s picture

arhak commented

@#20 I disapprove your attitude http://drupal.org/node/7881#comment-2983710

damien tournoud’s picture

damien tournoud commented

What about reviewing the patch here, instead of discussing about my "attitude"?

Anonymous’s picture

Anonymous (not verified) commented
Priority: Normal » Critical
Status: Needs work » Closed (duplicate)

As before - see See http://drupal.org/node/244593 for a similar issue where a patch has been submitted and passed.