#31042 HSTS directives fail on a server with a proxy

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by guzabi on Friday, 08 March 2019 09:37 CST

guzabi
Hello,
I just encountered a strange configuration problem with the htaccess maker in Admin Tools Pro. My client's website runs on a server that is behind a proxy. Everything works fine but one htaccess maker feature triggers a bug: HSTS headers.

Attached are two versions of the .htaccess file: one (ko) is generated by Admin Tools' htaccess maker. The other one was tweaked to work ok. The only difference is on line 35:

RewriteCond %{HTTP:X-Forwarded-Proto} =http

has to be changed to

RewriteCond %{HTTP:X-Forwarded-Proto} !=https

If I don't do that, I get a 500 error. The sysop says something about the header being changed during redirection between proxy and Apache server. If you want me to ask questions to him I can, here I'm just repeating something I don't quite understand.

It's probably in part the proxy's fault, but maybe it could be addressed in Admin Tools too?

Best regards,

nicholas
Akeeba Staff
Manager
This has to do with the configuration of the proxy. I won't change that because it breaks most other servers.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

guzabi
I agree, it's the proxy's problem. I was just referencing it because if it's happening on other proxies, it might be interesting to know about it (include warning on config page or something else). I don't know how common this problem may be.

By the way, could this be related to the "IP workarounds" setting in WAF? I can't seem to find details on how these work, therefore I don't know if they should be applied to my settings here…

Thanks.

nicholas
Akeeba Staff
Manager
It is the first time that I see this issue so I guess it's not very common. Normally the proxy should set a header to tell us what is the protocol it was asked to forward.

Regarding IP workaround, it is completely irrelevant as it operates in a different layer. You have an issue with .htaccess directives which work at the web server level before PHP, Joomla and Admin Tools load. The IP workarounds is something that works inside Admin Tools which runs inside Joomla which runs inside PHP which runs inside Apache. You don't need to enable that option unless you see that all reported security exceptions come from just one IP or from a bunch of internal (non-Internet-routable) IP addresses.

Nicholas K. Dionysopoulos

Lead Developer and Director


guzabi
ok. Thanks a lot for the explanations.
Best regards !
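
Added example (not part of the ticket and not Admin Tools code): a small Python model of the two RewriteCond lines quoted in the first post, evaluated against constructed header values to show where `=http` and `!=https` diverge. It assumes the documented mod_rewrite behaviour for `=` tests (exact string comparison, a missing header expands to an empty string); the function names and sample requests are constructed for illustration.

```python
import re

# Minimal model of how Apache mod_rewrite evaluates a lexical RewriteCond
# of the form:  RewriteCond %{HTTP:Header-Name} [!]=value [NC]
COND_RE = re.compile(
    r"^RewriteCond\s+%\{HTTP:([^}]+)\}\s+(!?)=(\S*)(?:\s+\[(.*?)\])?\s*$"
)

def cond_matches(directive, headers):
    """Return True if the RewriteCond would match for the given request headers."""
    m = COND_RE.match(directive.strip())
    if not m:
        raise ValueError("unsupported RewriteCond: " + directive)
    name, negate, expected, flags = m.groups()
    # Header names are case-insensitive; a missing header expands to "".
    lookup = {k.lower(): v for k, v in headers.items()}
    actual = lookup.get(name.lower(), "")
    nocase = "NC" in [f.strip().upper() for f in (flags or "").split(",")]
    if nocase:
        actual, expected = actual.lower(), expected.lower()
    equal = actual == expected          # "=" is an exact string comparison
    return (not equal) if negate else equal

GENERATED = "RewriteCond %{HTTP:X-Forwarded-Proto} =http"    # from the ticket
TWEAKED = "RewriteCond %{HTTP:X-Forwarded-Proto} !=https"    # from the ticket

# Constructed sample requests as the backend might see them (not from the ticket).
SAMPLES = {
    "proxy sends http": {"X-Forwarded-Proto": "http"},
    "proxy sends https": {"X-Forwarded-Proto": "https"},
    "header missing": {},
    "upper-case value": {"X-Forwarded-Proto": "HTTP"},
    "multi-hop list": {"X-Forwarded-Proto": "https, http"},
}

def compare():
    """Map each sample to (generated_matches, tweaked_matches)."""
    return {label: (cond_matches(GENERATED, h), cond_matches(TWEAKED, h))
            for label, h in SAMPLES.items()}

if __name__ == "__main__":
    for label, (gen, twk) in compare().items():
        note = "" if gen == twk else "  <-- the two conditions disagree"
        print(f"{label:18} =http:{gen!s:5} !=https:{twk!s:5}{note}")
```

The two conditions agree only when the proxy sends exactly `http` or `https`. When the header is missing or carries any other value, `!=https` matches and `=http` does not, so those requests are handled as non-HTTPS by whatever RewriteRule follows the condition.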
