Bitbucket Data Center / BSERV-3120

HTTP 302 Redirect from HTTP to HTTPS is possibly invalid

    • Type: Bug
    • Resolution: Resolved Locally
    • Priority: Low

      $ wget -O - 'http://stash.acme.com/'
      --2013-02-14 15:27:32--  http://stash.acme.com/
      Resolving stash.acme.com... [skipped]
      Connecting to stash.acme.com|xx.xx.xx.xx|:80... connected.
      HTTP request sent, awaiting response... 302 Found
      Location: https://stash.acme.com/login [following]
      --2013-02-14 15:27:32--  https://stash.acme.com/login
      Connecting to stash.acme.com|xx.xx.xx.xx|:443... connected.
      HTTP request sent, awaiting response... 200 OK
      Length: 6056 (5.9K) [text/html]
      Saving to: ‘STDOUT’
      

      See what happened:
      1. The browser sends GET over HTTP (port 80); cookies are not sent, because the cookies are set up for the HTTPS domain.
      2. Stash does not find the remember_me and session cookies and sends a redirect to /login.
      3. Tomcat forwards HTTP to HTTPS.

      As a result the user has a page on the HTTPS domain, with valid session cookies, but Stash shows him the 'Login' page as if he is not logged in.

      Also see STASH-3118; it is for the same error, but from the other side.

            Stefan Saasen (Inactive) added a comment - Thanks for providing your workaround.

            Alexey Efimov added a comment - I fixed this with a permanent nginx redirect (we used nginx as the frontend) in front of Stash (java/tomcat).

            server {
                listen 80;

                # Upgrade every plain-http request to https before it reaches Stash,
                # keeping the path and query ($request_uri) so the user lands on the
                # page they asked for instead of /login. $hostname is the machine's
                # hostname; $host would echo the request's Host header instead.
                location / {
                    return 302 https://$hostname$request_uri;
                }
            }
            

            For SSL:

            server {
                listen 443 ssl;

                ssl on;   # deprecated since nginx 1.15; "listen 443 ssl" already enables TLS
                ssl_certificate /etc/nginx/ssl/stash.crt;
                ssl_certificate_key /etc/nginx/ssl/stash.key;
                ssl_prefer_server_ciphers on;
                # 2013-era settings: SSLv3 and RC4 are now considered broken and
                # should be dropped on a current deployment.
                ssl_protocols TLSv1 SSLv3;
                ssl_ciphers !aNULL:!LOW:!MD5:!EXP:RC4:CAMELLIA:AES128:3DES:SEED:AES256;

                # Long timeouts and a large upload limit (git-over-https pushes can be big)
                client_header_timeout  10m;
                client_body_timeout    10m;
                client_max_body_size   1g;
                send_timeout           10m;

                location / {
                    # Hand the request to Stash on its default port 7990, preserving
                    # the original Host so Stash builds correct absolute URLs
                    proxy_pass http://127.0.0.1:7990;
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_read_timeout  900;
                }
            }
            

            Then wget-ing:

            $ wget -nv -S -O /dev/null http://stash.acme.com/projects
              HTTP/1.1 302 Moved Temporarily
              Server: nginx/1.2.1
              Date: Thu, 14 Feb 2013 15:42:29 GMT
              Content-Type: text/html
              Content-Length: 160
              Connection: keep-alive
              Location: https://stash.acme.com/projects
              HTTP/1.1 302 Found
              Server: nginx/1.2.1
              Date: Thu, 14 Feb 2013 15:42:29 GMT
              Content-Length: 0
              Connection: keep-alive
              X-AREQUESTID: 1122x16067x1
              Set-Cookie: JSESSIONID=D86B7BC6814643529C5CAA20566F98BA; Path=/; Secure; HttpOnly
              Location: https://stash.acme.com/login
              HTTP/1.1 200 OK
              Server: nginx/1.2.1
              Date: Thu, 14 Feb 2013 15:42:29 GMT
              Content-Type: text/html;charset=UTF-8
              Content-Length: 6056
              Connection: keep-alive
              X-AREQUESTID: 1122x16068x1
              X-ASESSIONID: 1rjvv2h
              X-XSS-Protection: 1; mode=block
              X-Frame-Options: SAMEORIGIN
              X-Content-Type-Options: nosniff
              Content-Language: en-US
              Vary: Accept-Encoding
            2013-02-14 19:42:29 URL:https://stash.acme.com/login [6056/6056] -> "/dev/null" [1]
            
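The following is an added example (not code from the issue or from Atlassian): a small model of the redirect chain described in the issue's "See what happened" steps and of the nginx workaround in the comment above. Only the hostname stash.acme.com comes from the page; the session-cookie value and the function names are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

STASH = "stash.acme.com"  # hostname from the issue; all other values are constructed
class CookieJar:  # browser-side jar: a cookie flagged Secure is only sent over https
    def __init__(self):
        self._cookies = {}  # name -> (value, secure)
    def set(self, name, value, secure=False):
        self._cookies[name] = (value, secure)

    def for_url(self, url):
        https = urlsplit(url).scheme == "https"
        return {n: v for n, (v, s) in self._cookies.items() if https or not s}

def serve(url, cookies, edge_redirect):
    """One server round trip; returns (status, location)."""
    p = urlsplit(url)
    if p.scheme == "http" and edge_redirect:
        # nginx workaround: upgrade to https BEFORE Stash runs its login check,
        # keeping the original path so the browser retries it over TLS.
        return 302, urlunsplit(p._replace(scheme="https"))
    if "JSESSIONID" not in cookies:
        # Original order: Stash sees no session cookie (the browser withheld the
        # Secure one over http) and redirects to /login; Tomcat then makes the
        # Location https, exactly as in the wget traces above.
        return 302, urlunsplit(p._replace(scheme="https", path="/login", query=""))
    if p.scheme == "http":
        return 302, urlunsplit(p._replace(scheme="https"))
    return 200, None

def fetch(url, jar, edge_redirect, max_hops=5):
    """Follow redirects the way wget does; return the URLs visited in order."""
    trail = [url]
    for _ in range(max_hops):
        status, location = serve(url, jar.for_url(url), edge_redirect)
        if status == 200:
            return trail
        url = location
        trail.append(url)
    raise RuntimeError("too many redirects")

def logged_in_user_over_http(edge_redirect):
    """A user holding a valid Secure session cookie types the plain-http URL."""
    jar = CookieJar()
    jar.set("JSESSIONID", "constructed-session-id", secure=True)
    return fetch(f"http://{STASH}/projects", jar, edge_redirect)

if __name__ == "__main__":
    print("original order:", logged_in_user_over_http(edge_redirect=False))
    print("nginx first   :", logged_in_user_over_http(edge_redirect=True))
```

With the original ordering the logged-in user ends on https://stash.acme.com/login; with the edge redirect first the Secure cookie is sent on the retried request and the user lands on /projects.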


              Assignee: Unassigned
              Reporter: Alexey Efimov
              Affected customers: 0
              Watchers: 2