List:       apache-httpd-bugs
Subject:    [Bug 63357] New: Allowing generated URLs to be relative
From:       bugzilla () apache ! org
Date:       2019-04-17 4:12:30
Message-ID: bug-63357-7868 () https ! bz ! apache ! org/bugzilla/

https://bz.apache.org/bugzilla/show_bug.cgi?id=63357

            Bug ID: 63357
           Summary: Allowing generated URLs to be relative
           Product: Apache httpd-2
           Version: 2.4-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: All
          Assignee: bugs@httpd.apache.org
          Reporter: mnot@mnot.net
  Target Milestone: ---

Various parts of httpd currently generate the Location response header and
other links as absolute URLs, even when the input (e.g., in a Redirect
directive) is a relative URL, using a call to ap_construct_url().

This can cause operational difficulties for the site if it's deployed with a
reverse proxy or CDN in front of it. 

E.g., if the outward-facing site is www.example.com and the origin has a
separate name, origin.example.com, the reverse proxy/CDN will need to rewrite
Location headers and other generated URLs to match the outward-facing site.

RFC7231 specified that relative URLs are allowed in the Location header,
recognising that this was universally supported:

  https://httpwg.org/specs/rfc7231.html#header.location

So, it would be very helpful if Apache were to allow these URLs to be generated
as relative, rather than forcing them to be absolute. This would avoid not only
configuration problems when sitting behind a CDN or reverse proxy, but also
avoid the need to rewrite headers, allowing the site to be served more
efficiently.

If changing behaviour is a concern, this could be put behind a configuration
option, although the default should be to allow relative URLs.

AFAICT the affected modules are:

- mod_dav - Location generation in dav_created()
- mod_alias - Location generation in translate_alias_redir() and fixup_redir()
- mod_dir - Location generation in fixup_dir() x2
- mod_imagemap - image map generation in imap_url() x2
- mod_speling - Location generation in check_speling()

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
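
An added example, not part of the original report or of httpd: a small check that resolves a `Location` value the way a client behind the CDN would (RFC 3986 reference resolution) and flags redirects that point away from the outward-facing host. The host names come from the report; the function names and the sample responses are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

PUBLIC_BASE = "https://www.example.com"  # outward-facing site named in the report


def classify_location(request_path, location, public_base=PUBLIC_BASE):
    """Return (kind, effective_url) for a Location header as the client sees it.

    kind is 'relative', 'absolute-public' or 'absolute-foreign'.
    """
    # The client only knows the public URL it requested, never the origin name.
    request_url = urljoin(public_base, request_path)
    effective = urljoin(request_url, location)
    parts = urlsplit(location)
    if not parts.scheme and not parts.netloc:
        # Path-only reference: it inherits scheme and host from the request.
        return "relative", effective
    # Absolute URL or network-path reference ("//host/..."): compare hosts.
    if urlsplit(effective).hostname == urlsplit(public_base).hostname:
        return "absolute-public", effective
    return "absolute-foreign", effective


def audit(responses, public_base=PUBLIC_BASE):
    """Return the (path, location) pairs a proxy would have to rewrite."""
    return [
        (path, loc)
        for path, loc in responses
        if classify_location(path, loc, public_base)[0] == "absolute-foreign"
    ]


# Constructed sample redirects: (request path, Location header value).
SAMPLE = [
    ("/docs", "https://origin.example.com/docs/"),  # absolute, built from origin name
    ("/docs", "/docs/"),                            # same redirect, relative form
    ("/a/old", "new"),                              # relative to the request path
    ("/x", "//origin.example.com/x/"),              # network-path reference
]

if __name__ == "__main__":
    for path, loc in SAMPLE:
        print(path, loc, classify_location(path, loc))
    print("needs rewriting:", audit(SAMPLE))
```
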
