Several years ago I ran into some issues with CFHTTP giving "Connection Failures" when using GZIP, but recently I ran into some new "Connection Failures" when using CFHTTP. I recently installed some mod_rewrite rules on our server to:
My rules were pretty simple and worked great when invoked from the browser, but I quickly realized they were causing issues with CFHTTP.
The first issue to watch out for is overly liberal naked-domain rules (redirecting the non-www version to the www domain):
    RewriteEngine on
    RewriteCond %{HTTPS} (on)?
    RewriteCond %{HTTP:Host} ^(?!www\.)(.+)$ [NC]
    RewriteCond %{REQUEST_URI} (.+)
    RewriteRule .? http(?%1s)://www.%2%3 [R=301,L]
The problem with the rule above is that it doesn't account for IP addresses; this means calls to 127.0.0.1 would end up being redirected to www.127.0.0.1. This is obviously going to break any code that might be calling 127.0.0.1 over CFHTTP, such as scheduled tasks.
You can fix this by tightening up your rule to look for specific domain names:
    RewriteEngine on
    RewriteCond %{HTTPS} (on)?
    # The dot is escaped so it matches only a literal "."
    RewriteCond %{HTTP:Host} ^(?!www\.)(domain\.com)$ [NC]
    RewriteCond %{REQUEST_URI} (.+)
    RewriteRule .? http(?%1s)://www.%2%3 [R=301,L]
You could also consider adding a condition so the rule does not fire if the host is an IP address:
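    RewriteEngine on
    RewriteCond %{HTTPS} (on)?
    # Skip the redirect when the Host header is a bare IPv4 address.
    # The trailing $ is an anchor and must not be escaped; a Host value
    # that includes a port is not matched by this pattern.
    RewriteCond %{HTTP:Host} !^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$ [NC]
    RewriteCond %{HTTP:Host} ^(?!www\.)(.+)$ [NC]
    RewriteCond %{REQUEST_URI} (.+)
    RewriteRule .? http(?%1s)://www.%2%3 [R=301,L]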
However, the rule that was really the culprit in my situation was my force SSL rule. My original rule looked something like:
    #Redirect non-HTTPS to HTTPS
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} (.*)
    RewriteCond %{HTTP:Host} (www\.domain\.com)
    RewriteRule .? https://%2%1 [R,L]
While this rule wouldn't have caused a problem if all my CFHTTP calls were invoked via SSL, there's no real reason to use SSL when calling a template locally; it adds complication and hurts performance.
This rule is a bit trickier to fix. The first step is to add a user-agent condition and ignore requests that send ColdFusion as their user agent:
    #Redirect non-HTTPS to HTTPS
    RewriteCond %{HTTP:User-Agent} !ColdFusion
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} (.*)
    RewriteCond %{HTTP:Host} (www\.domain\.com)
    RewriteRule .? https://%2%1 [R,L]
While this fix will work for most cases, I had a couple of uses of CFHTTP in which a user agent was being explicitly specified to mimic a browser. The solution for us ended up being to add a custom header named x-Ignore-RewriteRule-Force-SSL with a value of true to our CFHTTP calls.
So now our CFHTTP calls look like:
    <cfhttp>
        <!---// a special header to mark this is a CFHTTP request, can be used to cancel re-write rules //--->
        <cfhttpparam type="header" name="x-Ignore-RewriteRule-Force-SSL" value="true" />
    </cfhttp>
Our revised mod_rewrite rule looks like this:
    #Redirect non-HTTPS to HTTPS
    RewriteCond %{HTTP:User-Agent} !ColdFusion
    RewriteCond %{HTTP:x-Ignore-RewriteRule-Force-SSL} !^true$
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} (.*)
    RewriteCond %{HTTP:Host} (www\.domain\.com)
    RewriteRule .? https://%2%1 [R,L]
Our new rule allows us to programmatically skip the redirect rules by adding a custom header. While this would allow someone to add a custom header to calls to our server to skip forcing SSL, this is an extreme corner case. The main reason we're forcing SSL is for user security.
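As an added example (not the author's code), the Python below models the conditions of the final force-SSL rule and runs them over constructed requests, beside a hypothetical variant that exempts requests by a loopback REMOTE_ADDR instead of client-supplied headers. The `redirects` helper, the request values and the loopback variant are assumptions; the variant only fits setups where the CFHTTP calls reach the server from 127.0.0.1 or ::1.

```python
import re

# (variable, pattern, negated) triples; every condition must hold for the
# redirect to fire, mirroring a stack of RewriteCond lines.
PAGE_RULE = [  # the page's final force-SSL rule
    ("User-Agent", r"ColdFusion", True),
    ("x-Ignore-RewriteRule-Force-SSL", r"^true$", True),
    ("HTTPS", r"off", False),
    ("Host", r"(www\.domain\.com)", False),
]
LOOPBACK_RULE = [  # hypothetical variant, not from the page
    ("REMOTE_ADDR", r"^(127\.0\.0\.1|::1)$", True),
    ("HTTPS", r"off", False),
    ("Host", r"(www\.domain\.com)", False),
]

def redirects(rule, request):
    """Return True when every condition holds, i.e. the redirect is sent."""
    for variable, pattern, negated in rule:
        value = request.get(variable, "")  # an absent header tests as empty
        matched = re.search(pattern, value) is not None
        if matched == negated:
            return False
    return True

BASE = {"HTTPS": "off", "Host": "www.domain.com"}
# Constructed requests; 203.0.113.7 is a documentation address.
REQUESTS = {
    "browser": {**BASE, "User-Agent": "Mozilla/5.0", "REMOTE_ADDR": "203.0.113.7"},
    "local cfhttp": {**BASE, "User-Agent": "ColdFusion", "REMOTE_ADDR": "127.0.0.1"},
    "local cfhttp, browser UA": {**BASE, "User-Agent": "Mozilla/5.0",
        "x-Ignore-RewriteRule-Force-SSL": "true", "REMOTE_ADDR": "127.0.0.1"},
    "remote, header set": {**BASE, "User-Agent": "Mozilla/5.0",
        "x-Ignore-RewriteRule-Force-SSL": "true", "REMOTE_ADDR": "203.0.113.7"},
    "remote, ColdFusion UA": {**BASE, "User-Agent": "ColdFusion",
        "REMOTE_ADDR": "203.0.113.7"},
}

def decisions(rule):
    """Map each constructed request to whether the rule redirects it."""
    return {name: redirects(rule, req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    page, loopback = decisions(PAGE_RULE), decisions(LOOPBACK_RULE)
    for name in REQUESTS:
        print(f"{name:26} page={page[name]!s:5} loopback={loopback[name]}")
```

Both rules leave the local CFHTTP calls on plain HTTP; they differ only on the two remote requests, which the page's rule exempts and the loopback variant redirects.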
Just something else to look into if you're getting "Connection Failure" errors when using CFHTTP.