Opened at 2013-03-11T08:33:11Z
Last modified at 2016-01-31T23:54:57Z
#1928 assigned defect
web redirects should use relative URLs — at Version 3
| Reported by: | leif | Owned by: | davidsarah |
|---|---|---|---|
| Priority: | normal | Milestone: | soon |
| Component: | code-frontend-web | Version: | 1.9.2 |
| Keywords: | http redirect webapi | Cc: | tahoe-lafs.org@… |
| Launchpad Bug: |
Description (last modified by daira)
Certain uses of the web interface result in unfollowable redirects.
This request to the web interface returns a redirect to a newly created directory, as a relative URL:
curl -v -F t=mkdir -F redirect_to_result=true http://localhost:3456/uri
< Location: uri/URI%3ADIR2%3Ajhjqp....
I think this is good. Unfortunately, this relative URL does not include a trailing slash, so when it is followed the response is another redirect, to append the slash. This second redirect is not relative. It begins with http://hostname:port/uri/URI.... where "hostname" is the host part of the value in the request's Host header and "port" is the configured web.port. Even if the request's Host header includes a port number, the web.port is used in the absolute URL constructed.
I think all redirects should use relative URLs, because according to https://en.wikipedia.org/wiki/HTTP_location "most popular web browsers tolerate the passing of a relative URL as the value for a Location header.[citation needed]".
If absolute URLs must be constructed for some reason, the port from the Host header should be used.
The motivation for this request is to make the web interface more usable on ports that are not the configured web.port, for example via SSH port forwarding or a Tor hidden service.
This also makes it easier to run tahoe as an unprivileged user while proxying port 80 to it.
If I'm not mistaken, currently, such a proxying configuration would require rewriting the absolute redirects in Tahoe's responses (perhaps with Apache's ProxyPassReverse? directive) to avoid having certain functions (like the 2nd redirect after creating a directory) fail.
By always using relative redirects, simple TCP proxies (like SSH port forwarding) can be accommodated and the web ui shouldn't need to think about port numbers in URLs at all.
Change History (3)
comment:1 Changed at 2013-03-14T20:14:39Z by davidsarah
- Component changed from unknown to code-frontend-web
- Keywords http redirect webapi added
- Milestone changed from undecided to 1.11.0
- Status changed from new to assigned
comment:2 Changed at 2013-03-15T23:48:42Z by bsd
I'm trying to reverse proxy the tahoe web frontend through nginx in order to use nginx's built-in auth_basic functionality, since there currently isn't a way to authenticate access to the web interface. I can successfully look at the welcome page, but if I want to access a tahoe URI, it'll try to use the port configured in tahoe.cfg, instead of passing through nginx. Since tahoe is running on localhost, my connection fails.
[node] web.port = tcp:4567:interface=127.0.0.1 web.static = public_html
proxy_pass http://127.0.0.1:4567/;
autoindex off;
proxy_set_header Accept-Encoding '';
proxy_ignore_headers Cache-Control Expires;
proxy_set_header Referer $http_referer;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Restricted";
auth_basic_user_file /path/to/htpasswd;
These are the relevant configuration bits for tahoe and nginx, respectively.
comment:3 Changed at 2013-09-14T22:39:08Z by daira
- Description modified (diff)
#1861 seems to be in conflict with this ticket.
+1.