Internal Apache port leaks when using proxy

Config updates pushed here:

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/berick/lp1648234-apache-proxy-leaks-port

1. As written, these changes further bake into the configuration the assumption that the browser will be requesting standard 80/443 ports. However, these are not the only configuration bits that assume this. And it's still possible to use non-standard ports on the client side, but would require additional changes Apache config changes.

2. There are a number of JSPAC => TPAC redirects that I did not address in this patch. Are we planning to keep these in the stock configuration indefinitely?

From the commit:

Paths affected by this patch:

/
/eg/staff
/opac/extras/slimpac/start.html
/opac/extras/slimpac/advanced.html
/opac/extras/slimpac/.*?locale=.*

To test:

1. Configure Apache to use non-standard ports for port 80/443 (e.g. 7080
and 70443).
2. Confirm the issue by navigating to http://HOST/
3. This should redirect the browser to http://HOST:7080/eg/opac/home
4. Apply the Apache config changes and reload/restart Apache.
5. Clear the browser cache to reset any redirects
6. Navigate to http://HOST/
7. Confirm it redirects the browser to http://HOST/eg/opac/home

Tested the issue and fix and all seemed well.

Not sure to push this out yet though given the couple of questions berick asks about JSPAC -> TPAC redirects. I think we can cover that in another branch later on, this fixes the immediate issues.

Signed-off: user/bshum/lp1648234-signoff

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/bshum/lp1648234-signoff

Oh, and while this does affect other versions of Evergreen, I think it mainly affects systems that are using OpenSRF 2.5 series. For now, Evergreen 2.11 is pointed back at OpenSRF 2.4, so I think we don't necessarily have to backport this fix to those versions, though I guess it probably wouldn't hurt.

The Apache 2.2 configuration doesn't work, as 2.2 doesn't set REQUEST_SCHEME. I've pushed an update to the branch user/gmcharlt/lp1648234.

Given that and the fact that the JSPAC URL redirects either should be changed or dropped, I'm moving the target to 2.10.1 to allow more time for baking. We can direct people to this bug if they're in a hurry to implement that kind of proxy in 2.12.0.

I propose that we remove the JSPAC redirects from the stock Apache config. New sites won't need them and existing sites can of course keep theirs in place. A sentence or two in the release notes explaining the rationale should suffice, I think.

I also just discovered that OpenILS::WWW::Redirect uses the $cgi->server_port to construct its redirects. Need to teach it to use the request port.

Started yet another branch here:

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/berick/lp1648234-apache-proxy-leaks-port-continued

Includes sign-off for Galen's Apache 2.2 fix, plus a fix for the Redirector issue noted in the previous comment. The test plan for the Redirect issue is identical to the original test plan, with the addition that OpenILS::WWW::Redirect is configured to respond to requests on "/".

Pushed another commit to remove the JSPAC redirects from both sample Apache configuration files. Includes release notes entry explaining that existing sites likely want to keep redirects in place.

Signed off on the continued patch changes here: user/bshum/lp1648234-signoff

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/bshum/lp1648234-signoff

Given that Evergreen 2.12 series required OpenSRF 2.5, I'm inclined to backport these fixes to rel_2_12 as well, even though we're also introducing the removal of those JSPAC redirects. JSPAC has been deprecated and removed so long ago though, less worried and there is a note. Maybe an upgrade note?

Upon examination of the Apache access logs from yesterday for a number of our customers, I see a few things:

- only a tiny, tiny portion of requests hit the rdetail.xml and myopac.xml redirects, so for folks who just copy the latest eg_vhost.conf into place during upgrades, I agree that we're not at much risk of complaints about un-COOL URIs.
- relatively speaking, though, most of the hits are to myopac.xml, and that seems to be the one that people are most likely to have bookmarked.

Consequently, I suggest a couple tweaks:

- consider adding the myopac.xml redirect back
- put a copy of the old JSPAC redirection rules somewhere where admins can find them if they still need them, say in Open-ILS/examples or in documentation that can be linked to from the release notes.

Thanks for checking that, Galen. Here's another branch (based on bshum's branch) that implements theses changes.

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/berick/lp1648234-leaky-ports-jspac

* puts proxy-proofed myopac.xml back into eg_vhost.conf
* puts all original redirects into Open-ILS/examples/jspac_redirects.conf

Also beware that port-leaking (specifically RedirectMatch 301 ^/$ /eg/opac/home) causes the XUL client to be unable to add an SSL Exception for a self-signed certificate. The hostname in the login window assumes 443 (unless manually overridden), but it's getting a certificate from :7443, so it can never link the exception to the cert it's retrieving, resulting in a perpetual "there was an error testing this hostname" error.

Tested JSPAC redirect for myopac commit and that worked for me. Added my signoff in branch:

user/bshum/lp1648234-signoff2

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/bshum/lp1648234-signoff2

I've pushed to master and rel_2_12. Thanks, Bill and Ben!