Apache redirect loop with Pound

I have starting using Pound to provide HTTPS connectivity for alasdairsmith.uk. Pound is handling the SSL encryption at the public IP address and relaying the unencrypted HTTP internally to Apache on 127.0.0.1:8080.

This was straightforward to set up and I had it working quite quickly. However I then noticed that visiting alasdairsmith.com would result in a redirect loop, rather than redirection to alasdairsmith.uk.

I use a separate virtual host definition to perform the redirection.

File: /etc/apache2/sites-enabled/alasdairsmith.conf
<VirtualHost *:8080>
    ServerName alasdairsmith.com
    Redirect permanent / https://alasdairsmith.uk/
</VirtualHost>

<VirtualHost *:8080>
    ServerName alasdairsmith.uk
    …
</VirtualHost>

So I was baffled to find that the redirect header was redirecting to exactly the same location.

Location: https://alasdairsmith.com/

I checked my DNS, Pound and Apache configuration but I couldn't find anything that would cause any further redirection. I then tried redirecting to the Google homepage instead and this time was redirected as intended. My conclusion was that Pound must be altering the headers for some reason.

Reading the … manual

I believe that Pound thinks there is a protocol mismatch because the connection to Apache is in HTTP but the response header is for an HTTPS location.

This behaviour is due to the default value (1) of the RewriteLocation option.

RewriteLocation 0|1|2
If 1 force Pound to change the Location: and Content-location: headers in responses. If they point to the back-end itself or to the listener (but with the wrong protocol) the response will be changed to show the virtual host in the request. Default: 1 (active). If the value is set to 2 only the back-end address is compared; this is useful for redirecting a request to an HTTPS listener on the same server as the HTTP listener

Updating Pound's configuration

I added “RewriteLocation 0” to Pound's configuration so that it won't alter the location in the header responses.

File: /etc/pound/pound.cfg
ListenHTTPS
    Address 178.79.164.39
    Port 80
    Cert "/etc/letsencrypt/live/pound.pem"
    RewriteLocation 0
    Service
        BackEnd
            Address 127.0.0.1
            Port 8080
        End
    End
End

The unaltered header is now correctly redirecting visitors to alasdairsmith.uk.

Comments

Your email address will not be published. I need it to send you a verification link. It will also be sent to Gravatar to check if you have one.