CFHTTP "Connection Failures" issues when using mod_rewrite

Categories: HTML/ColdFusion

Several years ago I ran into some issues with CFHTTP giving "Connection Failures" when using GZIP, but recently I ran into some new "Connection Failures" when using CFHTTP. I recently installed some mod_rewrite rules on our server to:

  • Redirect naked domains to the www subdomain (i.e. map domain.com to www.domain.com)
  • Force SSL

My rules were pretty simple and worked great when invoked from the browser, but I quickly realized they were causing issues with CFHTTP.

The first issue to watch out for is overly liberal naked domain rules (redirecting the non-www version to the www domain):

RewriteEngine on

RewriteCond %{HTTPS} (on)?
RewriteCond %{HTTP:Host} ^(?!www\.)(.+)$ [NC]
RewriteCond %{REQUEST_URI} (.+)
RewriteRule .? http(?%1s)://www.%2%3 [R=301,L]

The problem with the rule above is that it doesn't account for IP addresses. This means calls to 127.0.0.1 would end up being redirected to www.127.0.0.1, which is obviously going to break any code that calls 127.0.0.1 over CFHTTP, such as scheduled tasks.

You can fix this by tightening up your rule to look for specific domain names:

RewriteEngine on

RewriteCond %{HTTPS} (on)?
RewriteCond %{HTTP:Host} ^(?!www\.)(domain\.com)$ [NC]
RewriteCond %{REQUEST_URI} (.+)
RewriteRule .? http(?%1s)://www.%2%3 [R=301,L]

You could also consider adding a condition that makes the rule fail if the host is an IP address:

RewriteEngine on

RewriteCond %{HTTPS} (on)?
RewriteCond %{HTTP:Host} !^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$ [NC]
RewriteCond %{HTTP:Host} ^(?!www\.)(.+)$ [NC]
RewriteCond %{REQUEST_URI} (.+)
RewriteRule .? http(?%1s)://www.%2%3 [R=301,L]
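
An added check (not part of the original post) that runs Host patterns modelled on the three variants above against constructed Host header values, using Python's re module as a stand-in for the rewrite engine's regex matching (an assumption that holds for these simple patterns). It goes beyond the 127.0.0.1 case to a host with a port, localhost and an IPv6 literal; the function and variant names are made up for the example.

```python
import re

# Host conditions modelled on the three rule variants above.
LIBERAL = re.compile(r"^(?!www\.)(.+)$", re.I)
SPECIFIC = re.compile(r"^(?!www\.)(domain\.com)$", re.I)
# IP exclusion, anchored with a plain end-of-string $.
IP_ONLY = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$", re.I)


def redirect_host(host, variant):
    """Return the host the rule would redirect to, or None if it does not fire."""
    if variant == "ip-excluded" and IP_ONLY.search(host):
        return None
    pattern = SPECIFIC if variant == "specific" else LIBERAL
    m = pattern.search(host)
    return "www." + m.group(1) if m else None


# Constructed Host header values that local callers such as CFHTTP may send.
# The Host header carries the port when it is not the default one.
SAMPLE_HOSTS = ["domain.com", "www.domain.com", "127.0.0.1",
                "127.0.0.1:8500", "localhost", "[::1]"]


def report():
    """Map each sample host to the redirect target under every variant."""
    return {host: {v: redirect_host(host, v)
                   for v in ("liberal", "ip-excluded", "specific")}
            for host in SAMPLE_HOSTS}


if __name__ == "__main__":
    for host, result in report().items():
        print(f"{host:16} {result}")
```

The IP exclusion only covers a bare dotted-quad: a Host value with a port, localhost or an IPv6 literal is still redirected, while the specific-domain variant leaves all of them alone.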

However, the rule that was really the culprit in my situation was my force SSL rule. My original rule looked something like:

#Redirect non-HTTPS to HTTPS
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} (.*)
RewriteCond %{HTTP:Host} (www\.domain\.com)
RewriteRule .? https://%2%1 [R,L]

While this rule wouldn't have caused a problem if all my CFHTTP calls were invoked via SSL, there's no real reason to use SSL when calling a template locally: it adds complication and hurts performance.

This rule is a bit trickier to fix. The first step is to add a user-agent condition so the rule ignores requests sent with ColdFusion as their user agent:

#Redirect non-HTTPS to HTTPS
RewriteCond %{HTTP:User-Agent} !ColdFusion
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} (.*)
RewriteCond %{HTTP:Host} (www\.domain\.com)
RewriteRule .? https://%2%1 [R,L]

While this fix will work for most cases, I had a couple of uses of CFHTTP in which a user agent was being explicitly set to mimic a browser. The solution for us ended up being to add to our CFHTTP calls a custom header named x-Ignore-RewriteRule-Force-SSL with a value of true.

So now our CFHTTP calls look like:

<cfhttp>
  <!---// 
    a special header to mark this as a CFHTTP request, 
    can be used to cancel re-write rules
  //--->
  <cfhttpparam type="header" name="x-Ignore-RewriteRule-Force-SSL" value="true" />
</cfhttp>

Our revised mod_rewrite rule looks like this:

#Redirect non-HTTPS to HTTPS
RewriteCond %{HTTP:User-Agent} !ColdFusion
RewriteCond %{HTTP:x-Ignore-RewriteRule-Force-SSL} !^true$
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} (.*)
RewriteCond %{HTTP:Host} (www\.domain\.com)
RewriteRule .? https://%2%1 [R,L]

Our new rule allows us to programmatically skip the redirect rules by adding a custom header. While this would allow someone to add a custom header to calls to our server to skip forcing SSL, this is an extreme corner case. The main reason we're forcing SSL is for user security.
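
An added check (not part of the original post) that models the conditions of the revised force-SSL rule in Python and runs them over constructed requests, to show exactly which callers are exempt from the redirect. The trusted_addrs option is a hypothetical hardening, not part of the rule above: it honours the exemptions only for client addresses you list, and the sample addresses and names are assumptions.

```python
import re

# Conditions of the revised force-SSL rule; RewriteCond patterns are
# case-sensitive unless [NC] is given, and unanchored unless ^/$ are used.
UA_EXEMPT = re.compile(r"ColdFusion")
HEADER_EXEMPT = re.compile(r"^true$")
HOST_MATCH = re.compile(r"(www\.domain\.com)")
BYPASS_HEADER = "x-Ignore-RewriteRule-Force-SSL"


def forces_ssl(req, trusted_addrs=None):
    """Return True if the rule would redirect this request to HTTPS.

    trusted_addrs is a hypothetical hardening, not part of the article's
    rule: when given, the exemptions count only for those client addresses.
    """
    h = req["headers"]
    if req["https"] or not HOST_MATCH.search(h.get("Host", "")):
        return False
    exempt = bool(UA_EXEMPT.search(h.get("User-Agent", ""))
                  or HEADER_EXEMPT.search(h.get(BYPASS_HEADER, "")))
    if trusted_addrs is not None:
        exempt = exempt and req["remote_addr"] in trusted_addrs
    return not exempt


def make_request(remote_addr, user_agent, bypass=None, https=False):
    """Build a constructed request record for the checks below."""
    headers = {"Host": "www.domain.com", "User-Agent": user_agent}
    if bypass is not None:
        headers[BYPASS_HEADER] = bypass
    return {"https": https, "remote_addr": remote_addr, "headers": headers}


# Constructed requests: 203.0.113.10 is a documentation address standing in
# for an outside client, 127.0.0.1 for a local CFHTTP call.
SAMPLES = {
    "browser": make_request("203.0.113.10", "Mozilla/5.0"),
    "cfhttp_default_ua": make_request("127.0.0.1", "ColdFusion"),
    "cfhttp_browser_ua": make_request("127.0.0.1", "Mozilla/5.0", "true"),
    "cfhttp_wrong_case": make_request("127.0.0.1", "Mozilla/5.0", "True"),
    "outside_with_header": make_request("203.0.113.10", "Mozilla/5.0", "true"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, forces_ssl(req), forces_ssl(req, {"127.0.0.1", "::1"}))
```

Two things stand out: the header value has to be exactly lowercase true or the CFHTTP call is redirected anyway, and without an address restriction the exemption applies to any caller that sends the header or a user agent containing ColdFusion.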

Just something else to look into if you're getting "Connection Failure" errors when using CFHTTP.

Comments

Greg Stevens:
Awesome rewrites, thanks Dan! Been looking for some good solid naked -> www rewrite rules for a while now. Had something that worked but wasn't quite as elegant.

I'm curious what your opinion is...for standards, would it be better to use "x-ColdFusion-CFHTTP-Request"?

Dan G. Switzer, II:
@Greg:

Always best to stick with standards. I'll update the example.

Dan G. Switzer, II:
I also just updated the example to change the header name to "x-Ignore-RewriteRule-Force-SSL"--which is a more generic name.

Sebastiaan:
Off-topic: why would you want to do this (redirecting non-www version to www domains) when many others recently go the other way (naked)?

Dan G. Switzer, II:
@Sebastiaan:

It really doesn't matter which way you go--just as long as you're routing the traffic to a specific location. We route to www to be consistent, because we have other sub-domains that interact with the domain.

The key thing really is to make sure that search engines and people always see the same domain.

Sebastiaan:
@Dan:

For all our clients' websites we go naked, so I guess we're consistent as well!

Dan G. Switzer, II:
@Sebastiaan:

Are you using rewrite rules to force that behavior? If not, you may want to watch out for people linking to www.domain.com--which will cause the search engines to index both versions of the site, and *potentially* harming SEO.

Thomas:
Dan,
This code is exactly what I need, thank you!
However, do you know what I save the file as?
I need to put it in my file tree somewhere, right? But what do I name the file so that it works?
I'm using Yahoo as my host.

As for Sebastiaan's question, of "why would you want to do this?"
I need it so that my php scripts will all function properly with "phpMyAdmin."
without the www some of my table scripts will not communicate with the database. 
Thanks again Dan, Great scripting!

Dan G. Switzer, II:
@Thomas:

I'd ask a Yahoo! support forum to see if they even support it.

Thomas:
Thanks Dan,
I checked and you're right, they do not support it. However, they will let you activate this feature without code, but they want users to purchase a merchant account to activate this feature. Looks like I might finally be moving to Linux.
