Bug 997105

Summary: Redirect from https to http
Product: OpenShift Online Reporter: matzew
Component: ContainersAssignee: Paul Morie <pmorie>
Status: CLOSED CURRENTRELEASE QA Contact: libra bugs <libra-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 2.xCC: bleanhar, bmeng, gmollett, kseifried, mpatel, yuzheng
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-19 16:47:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description matzew 2013-08-14 16:55:15 UTC 
Description of problem:

Getting a redirect from https to http

Version-Release number of selected component (if applicable):


How reproducible:

always

Steps to Reproduce:

Using a JBoss AS, on Openshift, and when accessing this URL:
https://secure-pushee.rhcloud.com/ag-push

So I end up http....


However, when I use a trailing slash:
https://secure-pushee.rhcloud.com/ag-push/

I stay on https, and I get no redirect (302)

Actual results:

withoyt the trailing slash, I get http

Expected results:

https was expected

Additional info:

Just a guess.... perhaps some mod_rewrite 'fu'is needed ? Or even something 'wrong' with the ROOT.war on JBoss AS
Comment 1 matzew 2013-08-15 08:57:13 UTC 
Now, I added the following for HSTS:
https://www.openshift.com/kb/kb-e1044-how-to-redirect-traffic-to-https

Now I notice two redirects (302):

Form https -> http:
https://blah/ag-push ---->  http://blah/ag-push/

And due to the HSTS, it goes back to https:
http://blah/ag-push/ ===>  https://blah/ag-push/
Comment 2 Rob Millner 2013-08-16 23:44:17 UTC 
After reviewing the discussion thread, I created a separate bug to pass X-Forwarded-Port through in order to construct self-referential URLs.


The application is making the redirect request.  Passing to one of our Jboss experts for further diagnosis.
Comment 3 matzew 2013-08-20 12:50:01 UTC 
This is not related to the 'push server' - it;s more a general thing.

Take a look at this CURL command:
curl -3 -v https://todo-aerogear.rhcloud.com/todo-server
(http and no trailing '/')

From the 302 response:
Location: http://todo-aerogear.rhcloud.com/todo-server/
Comment 4 Paul Morie 2013-08-22 17:31:40 UTC 
I was able to get the correct behavior on a new app in a devenv by following the instructions for this in the KB.  Checking on whether this was fixed by another bug.
Comment 5 matzew 2013-08-23 06:27:11 UTC 
I tested with a new application, same behavior:

curl -3 -v https://redirect-pushee.rhcloud.com/ag-push

and the 302 no longer contains the https:


HTTP/1.1 302 Moved Temporarily
Date: Fri, 23 Aug 2013 06:25:16 GMT
Server: Apache-Coyote/1.1
Location: http://redirect-pushee.rhcloud.com/ag-push/
Comment 6 Paul Morie 2013-09-08 23:05:25 UTC 
Should be fixed in online production now.
Comment 7 Meng Bo 2013-09-09 05:36:02 UTC 
The issue should be fixed.

[root@ip-10-147-219-9 ~]# curl -3 -v https://redirect-pushee.rhcloud.com/ag-push

< HTTP/1.1 302 Found
< Date: Mon, 09 Sep 2013 05:34:04 GMT
< Server: Apache/2.2.15 (Red Hat)
< Vary: Host
< X-Powered-By: PHP/5.3.3
< Location: https://redirect-pushee.rhcloud.com/ag-push
< Connection: close
< Content-Length: 0
< Content-Type: text/html
Comment 8 matzew 2013-09-11 10:08:15 UTC 
hrm,

I just tried it, but I am still getting the "old" result:

pluto:Mukke matzew$ curl -3 -v https://redirect-pushee.rhcloud.com/ag-push
* About to connect() to redirect-pushee.rhcloud.com port 443 (#0)
*   Trying 54.211.120.48...
* connected
* Connected to redirect-pushee.rhcloud.com (54.211.120.48) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* 	 subject: serialNumber=LnhzJHxcX0bIdlH2ITnDgaewey8ce5g3; C=US; ST=North Carolina; L=Raleigh; O=Red Hat Inc; OU=RHC Cloud Opoerations; CN=*.rhcloud.com
* 	 start date: 2013-02-02 19:15:37 GMT
* 	 expire date: 2015-05-08 01:49:13 GMT
* 	 subjectAltName: redirect-pushee.rhcloud.com matched
* 	 issuer: C=US; O=GeoTrust, Inc.; CN=GeoTrust SSL CA
* 	 SSL certificate verify ok.
> GET /ag-push HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
> Host: redirect-pushee.rhcloud.com
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
< Date: Wed, 11 Sep 2013 10:07:48 GMT
< Server: Apache-Coyote/1.1
< Location: http://redirect-pushee.rhcloud.com/ag-push/
< Transfer-Encoding: chunked
< Content-Type: text/plain
< 
* Connection #0 to host redirect-pushee.rhcloud.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):