Redirect loop in Apache, not sure how to fix it

Question

I'm currently dealing with a redirect loop on Apache (Ubuntu 18.04) while trying to set up Varnish for my Magento website. If I turn Varnish off and move my Virtual Hosts to port 80, the website works fine. However, it's currently giving me the infinite loop which can be seen here.

My .conf file for port 8080:

<VirtualHost *:8080>
ServerAdmin webmaster@localhost
ServerName fontele.online
ServerAlias www.fontele.online
DocumentRoot /var/www/html/
Redirect permanent / https://fontele.online/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

My conf file for port 443:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName fontele.online
ServerAlias www.fontele.online
DocumentRoot /var/www/html/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

ProxyPreserveHost On
ProxyPass / http://127.0.0.1:80/ 
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"

SSLEngine On
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/fontele.online/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/fontele.online/privkey.pem

.htaccess file in the root directory:

RewriteEngine on
RewriteCond %{REQUEST_URI} !^/pub/
RewriteCond %{REQUEST_URI} !^/setup/
RewriteCond %{REQUEST_URI} !^/update/
RewriteCond %{REQUEST_URI} !^/dev/
RewriteRule .* /pub/$0 [L]
DirectoryIndex index.php

I really don't understand where the www redirection comes from. Should I just remove ServerAlias? I am also unsure about the constant HTTPS redirections. On my live domain, I solved this problem without any problems, but I have no idea how to set it up properly with Varnish. I assume that it's up to ProxyPass or something like that?

Any help would be welcome!

Thank you!

Answer 1

The solution

The solution is very simple. Add the following line to your .htaccess file:

Header append Vary: X-Forwarded-Proto

This will append the X-Forwarded-Proto value to the Vary header. Varnish will use these values to create separate cache objects for the various values of the X-Forwarded-Proto request header.

This will either be https or an empty value for regular HTTP traffic.

It would also be a good idea to add RequestHeader set X-Forwarded-Proto "http" to the <VirtualHost *:8080>.

Why are you getting this redirect loop?

I also want to explain what's going on and why you're stuck in this loop.

Varnish doesn't make a difference between HTTP or HTTPS when it comes to identifying objects in the cache.

Varnish uses 2 request properties to create the cache object hash:

• The URL (/contact for example)
• The Host header (fontele.online for example)

If access the http:// version, you'll get the 302 redirect, which will end up in the cache.

However, if you access the https:// version, you'll hit the same object and get the same redirect, despite using a differente protocol.

Thanks the Vary: X-Forwarded-Proto response header you can tell Varnish to store 2 different versions based on the value of the X-Forwarded-Proto request header.

An alternative solution using VCL

If you don't want to tackle this problem in your web server, you can also issue the Vary: X-Forwarded-Proto response header in the vcl_backend_response subroutine of your VCL code.

This is the code you need to make this happen:

sub vcl_backend_response {
    if(beresp.http.Vary) {
        set beresp.http.Vary = beresp.http.Vary + ", X-Forwarded-Proto";
    } else {
        set beresp.http.Vary = "X-Forwarded-Proto";
    }
}