Bug 851270

Summary: $_SERVER['SERVER_PORT'] returns 80 indirectly causing ssl_error_rx_record_too_long errors
Product: OKD
Component: Containers
Version: 2.x
Status: CLOSED CANTFIX
Severity: medium
Priority: medium
Reporter: clive darra <cdrh>
Assignee: Rob Millner <rmillner>
QA Contact: libra bugs <libra-bugs>
CC: admiller, mfisher, mmcgrath
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Type: Bug
Last Closed: 2012-09-13 23:47:21 UTC

Description clive darra 2012-08-23 15:57:43 UTC
Description of problem:
Secure Connection Failed
An error occurred during a connection to myapp-mydom.rhcloud.com:80.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. create a php app
2. git clone
3. cd php
3. untar wikkawiki.tgz
4. git add .
5. git push
6. browse to myapp-mydom.rhcloud.com
7. enter wikkawiki setup credentials inc db credentials
8. click ok
9. click do maintenance link
10. get "SSL received a record that exceeded the maximum permissible length error"
11. navigate to https://myapp-mydom.rhcloud.com:80/wikka.php?wakka=HomePage
12. get "SSL received a record that exceeded the maximum permissible length error"

Actual results:
Secure Connection Failed
An error occurred during a connection to myapp-mydom.rhcloud.com:80.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

Expected results:
see website/webpages

Additional info:
can't see any errors in myapp/logs/error

Comment 1 clive darra 2012-08-23 16:25:06 UTC
wikka.config.php now fixed

WORKS
https://lamp1-fsse8info.rhcloud.com/wikka.php?wakka=PageIndex
https://lamp1-fsse8info.rhcloud.com:443/wikka.php?wakka=PageIndex

RETURNS ssl_error_rx_record_too_long ERROR
https://lamp1-fsse8info.rhcloud.com:80/y.y
https://lamp1-fsse8info.rhcloud.com:80/wikka.php?wakka=PageIndex

somewhere something is appending :80 to the hostname

Comment 2 clive darra 2012-08-23 16:28:40 UTC
https://lamp1-fsse8info.rhcloud.com/pi.php

says

SERVER_PORT 	80 
OPENSHIFT_INTERNAL_PORT 	8080 

shouldn't that be

SERVER_PORT 	443

Comment 3 Adam Miller 2012-08-23 17:00:29 UTC
Verified.

Interesting thing to note though, the application setup and functionality appears to work just fine until you navigate directly to that URL. 

I was able to set up and configure a few users and navigate the site/application, create pages, etc. but as soon as I went to :80/wikka.php?wakka=HomePage it all went bad, I get the same ssl error and when I try to go anywhere else on the site I now either get the ssl error or the CSS doesn't load and it's just a very garbled web page.

I believe this to be related to the Rewrite Rules in the WikkaWiki .htaccess file because as soon as I delete the .htaccess from my git repo, commit, and push then the URL takes me back to the WikkaWiki install/setup page. 

I assume this to be a combination of assumptions from WikkaWiki and the way OpenShift sets up the php environment/cartridge.

Comment 4 Rob Millner 2012-08-23 18:37:18 UTC
SSL terminates at the front-end Apache and the request is proxied to the back-end Apache+PHP as http on port 8080.

As a hint to the application (WSGI requires this, it's set as a courtesy on other frameworks), the Apache environment variable "HTTPS" is set. We may need to force SERVER_PORT as well.

Comment 5 Rob Millner 2012-08-23 22:21:54 UTC
I'm not able to force SERVER_PORT in the configuration.

Tried setting UseCanonicalPhysicalPort, UseCanonicalName, ServerName and X_Forwarded_Port to have it inferred properly.  Tried using SetEnv and SetEnvIF to force it.

These appear to be related:
https://bugs.php.net/bug.php?id=40579
http://forum.modrewrite.com/viewtopic.php?f=10&t=39684

Will keep doing more research; but you may just have to modify the wiki code.  In wikka.php and setup/test/test-mod-rewrite.php, comment out the portion where SERVER_PORT is used.

Ex: change line 131 in wikka.php to read:

// $t_port = ':'.$_SERVER['SERVER_PORT'];
$t_port = '';


I'll try to find a solution that sets SERVER_PORT properly.

Comment 6 clive darra 2012-08-24 08:41:44 UTC
many thanks for all your research

the problem is that openshift seems to run both http and https over port 80 
(or maybe port 8080 ?) 

anyhow $_SERVER['SERVER_PORT'] is returning 80 regardless

wikkawiki assumes that http runs over port 80 and https runs over port 443 

so if after the wikka.php url checker line

if ((('http://' == $t_scheme) && (':80' == $t_port)) || (('https://' == $t_scheme) && (':443' == $t_port)))

i add as you suggest

$t_port = '';

it should work fine

Comment 7 clive darra 2012-08-24 08:57:58 UTC
and there's a second ref to $_SERVER['SERVER_PORT'] that you need to modify too on line 176

$server_port = ':'.$_SERVER['SERVER_PORT'];
if ((('http://' == $scheme) && (':80' == $server_port)) || (('https://' == $scheme) && (':443' == $server_port)))
{
        $server_port = '';
}
$server_port = '';

Comment 8 Mike McGrath 2012-08-29 18:37:11 UTC
Instead of server port, the X-Forwarded-Proto header should be used to determine if http or https is being used.

Comment 9 Rob Millner 2012-09-13 23:47:21 UTC
I'm not able to find a way to override SERVER_PORT.  Terminating SSL on the front-end and using http to communicate to the back-end is fundamental to our current architecture.

Unfortunately, any applications that use SERVER_PORT to determine whether they are on SSL need to be modified to check for SSL or X-Forwarded-Proto.
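
Added example, not part of the original thread and not WikkaWiki or OpenShift code: one way an application can build its base URL behind a TLS-terminating front end without reading SERVER_PORT, as comments 8 and 9 recommend. The function names, the `$trustedProxies` list and the sample request arrays are assumptions constructed for illustration (in an application, `$server` would be `$_SERVER`); X-Forwarded-Proto is honoured only when the peer address is a known proxy, because a client can otherwise set the header itself.

```php
<?php
// Added example: not WikkaWiki or OpenShift code. Names are hypothetical.

function request_scheme(array $server, array $trustedProxies): string
{
    // The platform sets HTTPS as a hint for TLS requests (comment 4).
    $https = strtolower($server['HTTPS'] ?? '');
    if ($https !== '' && $https !== 'off') {
        return 'https';
    }
    // A client can send X-Forwarded-Proto itself, so honour it only
    // when the TCP peer is one of our own front-end proxies.
    if (in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
        if ($proto === 'https' || $proto === 'http') {
            return $proto;
        }
    }
    return 'http';
}

function base_url(array $server, array $trustedProxies): string
{
    $scheme  = request_scheme($server, $trustedProxies);
    $default = ($scheme === 'https') ? 443 : 80;
    // Take host and port from a syntactically valid Host header only.
    // SERVER_PORT is never read: behind the proxy it describes the
    // back-end listener, not the port the browser connected to.
    $host = $server['SERVER_NAME'] ?? 'localhost';
    $port = null;
    if (preg_match('/^([a-z0-9.-]+)(?::(\d{1,5}))?$/i', $server['HTTP_HOST'] ?? '', $m)) {
        $host = strtolower($m[1]);
        $port = isset($m[2]) ? (int) $m[2] : null;
    }
    return ($port === null || $port === $default)
        ? "$scheme://$host"
        : "$scheme://$host:$port";
}

// Constructed sample requests; 10.0.0.1 stands in for the front-end proxy.
$proxies = ['10.0.0.1'];
$viaProxy = ['HTTP_HOST' => 'myapp-mydom.rhcloud.com', 'SERVER_PORT' => '80',
             'REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$spoofed  = ['HTTP_HOST' => 'myapp-mydom.rhcloud.com', 'SERVER_PORT' => '80',
             'REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'];
echo base_url($viaProxy, $proxies), "\n";
echo base_url($spoofed, $proxies), "\n";
```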