I have endpoint termination set up on my Google Cloud Platform HTTP Load Balancer and HTTPS set as the protocol for communication with my backends.

This means that all requests, HTTP or HTTPS, are HTTPS to Apache. The problem with this is that the HTTPS environment variable is set to on even when X-Forwarded-Proto is set to http.

All of my research and testing only points to the inverse case (setting HTTPS to on when X-Forwarded-Proto is https via a SetEnvIf X-Forwarded-Proto https HTTPS=on rule).

But, I need something to unset HTTPS when X-Forwarded-Proto is http.

I've tried setting SSLOptions -StdEnvVars as well as many combinations of SetEnvIf, SetEnv, and UnsetEnv. Setting it via mod_rewrite is not an option for me (I don't know if it would work anyway). An interesting note about turning off StdEnvVars is that even when it is off, all the SSL-related variables are gone except HTTPS, and I can confirm nothing else is setting it in any of my config files.

Edit:

Some examples of directives I've tried in my server config, vhost, and htaccess:

SetEnvIf X-Forwarded-Proto http HTTPS=Off
SetEnvIf X-Forwarded-Proto http HTTPS=0
SetEnvIf X-Forwarded-Proto http !HTTPS
SetEnv HTTPS Off
SetEnv HTTPS 0
SetEnv HTTPS
UnsetEnv HTTPS

Using these directives with other variables, including tests like foo, works just fine.

serv-inc
nathanjosiah

1 Answer

Using these directives with other variables, including tests like foo works just fine.

Just an idea first (gladly retracted if someone has a better idea)

Target proxies

Target proxies terminate HTTP(S) connections from clients, and are referenced by one or more global forwarding rules and route the incoming requests to a URL map.

The proxies set HTTP request/response headers as follows:

  • Via: 1.1 google (requests and responses)
  • X-Forwarded-Proto: [http | https] (requests only)
  • X-Forwarded-For: <client IP(s)>, <global forwarding rule external IP> (requests only). Can be a comma-separated list of IP addresses depending on the X-Forwarded-For entries appended by the intermediaries the client is traveling through. The first element in the section shows the origin address.

The question is where this is set. If in the Apache config files, you could just alter the config. If it is set somewhere else, you need to find out where.

The TargetHttpsProxies resource did not list any ways to alter it either. So how about you post the config files that lead to the above behavior?

serv-inc
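
An added example, not part of the original question or answer: when HTTPS cannot be cleared in Apache, the client-facing scheme can be derived in the application instead, honouring X-Forwarded-Proto only when the peer is the load balancer. It assumes a WSGI application behind Apache; `TRUSTED_PROXIES` is a constructed placeholder range, and the function and class names are hypothetical.

```python
import ipaddress

# Constructed placeholder: replace with the source ranges your load balancer
# uses to reach the backends.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def from_trusted_proxy(environ, trusted=TRUSTED_PROXIES):
    """True when the TCP peer (REMOTE_ADDR) is inside a trusted proxy range."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in trusted)


def client_scheme(environ, trusted=TRUSTED_PROXIES):
    """Scheme the client used towards the load balancer ('http' or 'https')."""
    # Scheme of the proxy-to-backend leg, as the web server reports it.
    https_flag = environ.get("HTTPS", "").lower()
    backend = "https" if https_flag in ("on", "1") else "http"
    # On a direct connection the header is client-controlled, so ignore it.
    if not from_trusted_proxy(environ, trusted):
        return backend
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    # Accept only the two values the proxy documents; otherwise fall back.
    return proto if proto in ("http", "https") else backend


class ForwardedProtoMiddleware:
    """Rewrites HTTPS and wsgi.url_scheme to reflect the client-facing scheme."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        scheme = client_scheme(environ, self.trusted)
        environ["wsgi.url_scheme"] = scheme
        if scheme == "https":
            environ["HTTPS"] = "on"
        else:
            # The effect the question asks for: HTTPS unset for http clients.
            environ.pop("HTTPS", None)
        return self.app(environ, start_response)
```

Wrapping the WSGI callable in `ForwardedProtoMiddleware` means downstream code sees HTTPS unset for requests that reached the load balancer over plain HTTP, while direct connections cannot downgrade or upgrade the reported scheme by sending the header themselves.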