Bug 851270 - $_SERVER['SERVER_PORT'] returns 80 indirectly causing ssl_error_rx_record_too_long errors
Status: CLOSED CANTFIX
Product: OpenShift Origin
Classification: Red Hat
Component: Containers
2.x
Unspecified Unspecified
medium Severity medium
Assigned To: Rob Millner
libra bugs
: FutureFeature
Reported: 2012-08-23 11:57 EDT by clive darra
Modified: 2015-05-14 18:58 EDT
Doc Type: Enhancement
Last Closed: 2012-09-13 19:47:21 EDT
Type: Bug
Description clive darra 2012-08-23 11:57:43 EDT
Description of problem:
Secure Connection Failed
An error occurred during a connection to myapp-mydom.rhcloud.com:80.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. create a php app
2. git clone
3. cd php
3. untar wikkawiki.tgz
4. git add .
5. git push
6. browser to myapp-mydom.rhcloud.com
7. enter wikkawiki setup credentials inc db credentials
8. click ok
9. click do maintenance link
10. get "SSL received a record that exceeded the maximum permissible length error"
11. navigate to https://myapp-mydom.rhcloud.com:80/wikka.php?wakka=HomePage
12. get "SSL received a record that exceeded the maximum permissible length error"

Actual results:
Secure Connection Failed
An error occurred during a connection to myapp-mydom.rhcloud.com:80.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

Expected results:
see website/webpages

Additional info:
can't see any errors in myapp/logs/error
Comment 1 clive darra 2012-08-23 12:25:06 EDT
wikka.config.php now fixed

WORKS
https://lamp1-fsse8info.rhcloud.com/wikka.php?wakka=PageIndex
https://lamp1-fsse8info.rhcloud.com:443/wikka.php?wakka=PageIndex

RETURNS ssl_error_rx_record_too_long ERROR
https://lamp1-fsse8info.rhcloud.com:80/y.y
https://lamp1-fsse8info.rhcloud.com:80/wikka.php?wakka=PageIndex

somewhere something is appending :80 to the hostname
Comment 2 clive darra 2012-08-23 12:28:40 EDT
https://lamp1-fsse8info.rhcloud.com/pi.php

says

SERVER_PORT 	80 
OPENSHIFT_INTERNAL_PORT 	8080 

shouldn't that be

SERVER_PORT 	443
Comment 3 Adam Miller 2012-08-23 13:00:29 EDT
Verified.

Interesting thing to note though, the application setup and functionality appears to work just fine until you navigate directly to that URL. 

I was able to set up and configure a few users and navigate the site/application, create pages, etc. but as soon as I went to :80/wikka.php?wakka=HomePage it all went bad, I get the same ssl error and when I try to go anywhere else on the site I now either get the ssl error or the CSS doesn't load and it's just a very garbled web page.

I believe this to be related to the Rewrite Rules in the WikkaWiki .htaccess file because as soon as I delete the .htaccess from my git repo, commit, and push then the URL takes me back to the WikkaWiki install/setup page. 

I assume this to be a combination of assumptions from WikkaWiki and the way OpenShift sets up the php environment/cartridge.
Comment 4 Rob Millner 2012-08-23 14:37:18 EDT
SSL terminates at the front-end Apache and the request is proxied to the back-end Apache+PHP as http on port 8080.

As a hint to the application (WSGI requires this, it's set as a courtesy on other frameworks), the Apache environment variable "HTTPS" is set.  We may need to force SERVER_PORT as well.
Comment 5 Rob Millner 2012-08-23 18:21:54 EDT
I'm not able to force SERVER_PORT in the configuration.

Tried setting UseCanonicalPhysicalPort, UseCanonicalName, ServerName and X_Forwarded_Port to have it inferred properly.  Tried using SetEnv and SetEnvIF to force it.

These appear to be related:
https://bugs.php.net/bug.php?id=40579
http://forum.modrewrite.com/viewtopic.php?f=10&t=39684

Will keep doing more research; but you may just have to modify the wiki code.  In wikka.php and setup/test/test-mod-rewrite.php, comment out the portion where SERVER_PORT is used.

Ex: change line 131 in wikka.php to read:

// $t_port = ':'.$_SERVER['SERVER_PORT'];
$t_port = '';


I'll try to find a solution that sets SERVER_PORT properly.
Comment 6 clive darra 2012-08-24 04:41:44 EDT
many thanks for all your research

the problem is that openshift seems to run both http and https over port 80 
(or maybe port 8080 ?) 

anyhow $_SERVER['SERVER_PORT'] is returning 80 regardless

wikkawiki assumes that http runs over port 80 and https runs over port 443 

so if after the wikka.php url checker line

if ((('http://' == $t_scheme) && (':80' == $t_port)) || (('https://' == $t_scheme) && (':443' == $t_port)))

i add as you suggest

$t_port = '';

it should work fine
Comment 7 clive darra 2012-08-24 04:57:58 EDT
and there's a second ref to $_SERVER['SERVER_PORT'] that you need to modify too on line 176

$server_port = ':'.$_SERVER['SERVER_PORT'];
if ((('http://' == $scheme) && (':80' == $server_port)) || (('https://' == $scheme) && (':443' == $server_port)))
{
        $server_port = '';
}
$server_port = '';
Comment 8 Mike McGrath 2012-08-29 14:37:11 EDT
Instead of server port, the X-Forwarded-Proto header should be used to determine if http or https is being used.
Comment 9 Rob Millner 2012-09-13 19:47:21 EDT
I'm not able to find a way to override SERVER_PORT.  Terminating SSL on the front-end and using http to communicate to the back-end is fundamental to our current architecture.

Unfortunately, any applications that use SERVER_PORT to determine whether they are on SSL need to be modified to check for SSL or X-Forwarded-Proto.
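
Added example, not part of the original bug thread and not OpenShift or WikkaWiki code: one way for a PHP application behind a TLS-terminating front end to work out its external scheme from the HTTPS variable or X-Forwarded-Proto instead of SERVER_PORT. The function names, the trusted-proxy address and the sample request arrays are assumptions made for illustration; X-Forwarded-Proto is honoured only when the request comes from the proxy, because a client that can reach the back end directly can set that header itself.

```php
<?php
// Added example. Function names and the trusted-proxy list are hypothetical.

/** Return 'https' or 'http' for the request as the client sent it. */
function external_scheme(array $server, array $trustedProxies): string
{
    // Forwarded headers are only meaningful when the peer is the front-end
    // proxy; from any other peer they are client-supplied input.
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true);
    if ($fromProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO']));
        // Accept only the two exact values; anything else falls through.
        if ($proto === 'https' || $proto === 'http') {
            return $proto;
        }
    }
    // Fall back to the HTTPS environment variable described in comment 4.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    return ($https !== '' && $https !== 'off') ? 'https' : 'http';
}

/**
 * Build the base URL without consulting SERVER_PORT, which reports the
 * back-end listener rather than the port the browser connected to.
 * $host is the application's configured canonical host name.
 */
function external_base_url(array $server, array $trustedProxies, string $host): string
{
    return external_scheme($server, $trustedProxies) . '://' . $host;
}

// Constructed sample: an HTTPS request as the back end might see it.
$viaProxy = [
    'REMOTE_ADDR'            => '127.0.0.1', // assumed proxy address
    'SERVER_PORT'            => '80',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];
// Constructed sample: same header sent by a peer that is not the proxy.
$direct = [
    'REMOTE_ADDR'            => '203.0.113.9',
    'SERVER_PORT'            => '80',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];

$trusted = ['127.0.0.1'];
echo external_base_url($viaProxy, $trusted, 'myapp-mydom.rhcloud.com'), "\n";
echo external_base_url($direct, $trusted, 'myapp-mydom.rhcloud.com'), "\n";
```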
