Problem with port number in final redirect / UseCanonicalName ignored?

[candlerb]

Hello,

I have a problem which I'm not sure I can configure around, or if it needs a change in mod_auth_openidc. I'm using Apache 2.4.41 and mod_auth_openidc 2.4.1 from out-of-the-box Ubuntu 20.04.

Here's the scenario:

              ext.example.net
+--------+               :443 +----------+             :10443 +--------+
| client | -----------------> | sniproxy | -----------------> | Apache |
+--------+       https        +----------+   proxy_protocol   +--------+
                                                + https

• Client connects to https://ext.example.net/ (standard port 443)
• Proxy forwards this connection to Apache port 10443. It appends the proxy_protocol prefix, but otherwise the rest of the TCP stream is completely untouched.
• Apache uses mod_remoteip to remove the proxy_protocol prefix (and extract the source IP for logs, ACLs etc)

Now I add mod_auth_openidc on the Apache server, and I can almost get this to work. The client is redirected to the IDP, is redirected back with auth code, and I'm pretty sure mod_auth_openidc is exchanging the auth code for an ID token. But at the very final step, mod_auth_openidc is redirecting the client to https://ext.example.net:10443 instead of https://ext.example.net, so it fails :-(

Here are the relevant parts of my config. Firstly, a dummy vhost to enable proxy_protocol on port 10443 only:

Listen 10443
<VirtualHost *:10443>
    RemoteIPProxyProtocol on
    ServerName localhost
    ...
</VirtualHost>

Then the real vhost for ext.example.net (aside: some clients are also allowed to contact this server directly on port 443, without the proxy_protocol; that works fine, including OIDC):

<VirtualHost *:443 *:10443>
    ServerName ext.example.net:443
    UseCanonicalName On
    UseCanonicalPhysicalPort Off
    OIDCRedirectURI https://ext.example.net/oauth2callback

    <Location />
        AuthType openid-connect
        Require claim groups:blah
    </Location>
</VirtualHost>

The OIDC configuration settings are global:

ErrorDocument 401 " "

OIDCProviderMetadataURL ...
OIDCClientID ...
OIDCClientSecret ...

OIDCRedirectURI /oauth2callback
OIDCCryptoPassphrase ...
OIDCScope "openid email profile groups"
OIDCSessionInactivityTimeout 43200

OIDCRemoteUserClaim preferred_username
OIDCPassUserInfoAs claims
OIDCPassClaimsAs headers

Note that I have overridden OIDCRedirectURI in the virtualhost. Without this, the redirect_uri passed to the IDP was https://ext.example.net:10443/oauth2callback which was wrong; putting the explicit redirect_uri in the vhost fixed that.

As I say, it works right up to the very last step. The client gets redirected back to https://ext.example.net/oauth2callback with auth code, and presumably at the backend mod_auth_openidc exchanges the code for an ID token. But then mod_auth_openidc redirects the user to:

Location: https://ext.example.net:10443/

I was hoping that a combination of

    ServerName ext.example.net:443    # explicit port here
    UseCanonicalName On
    UseCanonicalPhysicalPort Off

would make the redirect go to the right place, but it doesn't, and I can't find any more settings which might affect this.

Any clues? Thanks!

P.S. mod_auth_openidc is awesome: it's the one OIDC RP implementation that I can consistently rely on :-)

[zandbelt]

the proxy needs to set X-Forwarded-Port to make mod_auth_openidc aware of the external port number, see: https://github.com/zmartzone/mod_auth_openidc/wiki#8-how-do-i-run-mod_auth_openidc-behind-a-reverse-proxy

[candlerb]

Unfortunately, that doesn't apply here.

sniproxy is not a HTTP proxy: it's a pure TCP proxy. It inspects the TLS Server Name Indication to decide where to send the connection on, and then sends it on byte-for-byte identically - apart from optionally prepending the proxy_protocol header.

This means that TLS is end-to-end, not man-in-the-middle, and it can neither inspect nor modify any HTTP headers.

However, I might be able to spoof it at the Apache side by using mod_headers in early mode, let me give that a try...

[candlerb]

Tested. This doesn't work:

RequestHeader set X-Forwarded-Port 443

But this does:

RequestHeader set X-Forwarded-Port 443 early

Many thanks for pointing me in the right direction!