Hi *,
I'm having a small problem with the way we proxy connections to our webapps. If I understand correctly, the proxy handles SSL connections and forwards them as plain-text connections (which is normal). The problem is, I can't find a header I could use to detect that the connection was made using HTTPS, and as a result I can't find a way to properly redirect plain-text connections to SSL on the login form (and when the user is auth'ed).
This is a common problem and Django has a way to detect that the connection was securely forwarded if some header is set: https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
A common way is to set HTTP_X_FORWARDED_PROTO to 'https'. Which proxy are we using? With NginX the config line to add is:
    proxy_set_header X-Forwarded-Protocol $scheme;
With Apache it would be:
    RequestHeader set X-Forwarded-Protocol "https"
in the virtualhost listening on port 443, and:
    RequestHeader set X-Forwarded-Protocol "http"
in the virtualhost listening on port 80.
What do you think of all that? How do we handle HTTPS detection at the moment? If it looks OK to you, should we wait for the freeze to be over before making this change?
Thanks, Aurélien
On Wed, 02 Oct 2013 12:49:18 +0200 Aurélien Bompard <gauret@free.fr> wrote:
> Hi *,
> I'm having a small problem with the way we proxy connections to our webapps. If I understand correctly, the proxy handles SSL connections and forwards them as plain-text connections (which is normal).
Yeah.
> The problem is, I can't find a header I could use to detect that the connection was made using HTTPS, and as a result I can't find a way to properly redirect plain-text connections to SSL on the login form (and when the user is auth'ed).
> This is a common problem and Django has a way to detect that the connection was securely forwarded if some header is set: https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
> A common way is to set HTTP_X_FORWARDED_PROTO to 'https'. Which proxy are we using? With NginX the config line to add is:
>     proxy_set_header X-Forwarded-Protocol $scheme;
> With Apache it would be: RequestHeader set X-Forwarded-Protocol "https" in the virtualhost listening on port 443, and: RequestHeader set X-Forwarded-Protocol "http" in the virtualhost listening on port 80.
We do set that in a few places now... but not across the board.
We use haproxy behind apache to do the setup, we could possibly do something in haproxy too?
> What do you think of all that? How do we handle HTTPS detection at the moment? If it looks OK to you, should we wait for the freeze to be over before making this change?
I'd like to get some more input from others.... we aren't in freeze right now, but let's wait a bit and see if anyone else has ideas. ;)
kevin
> We do set that in a few places now... but not across the board. We use haproxy behind apache to do the setup, we could possibly do something in haproxy too?
I don't know HAProxy, but a search on their lists gave me this: http://comments.gmane.org/gmane.comp.web.haproxy/8935 http://www.serverphorums.com/read.php?10,378116
So it's apparently done using the "reqadd" directive.
> I'd like to get some more input from others.... we aren't in freeze right now, but let's wait a bit and see if anyone else has ideas. ;)
Sure!
Thanks, Aurélien
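An added example (editor's code, not code from this thread or from Fedora Infrastructure) covering both the proxy directives quoted in Aurélien's first message and the HAProxy "reqadd" note above. It models the trust decision Django's SECURE_PROXY_SSL_HEADER makes, and what the app ends up believing depending on how the proxy writes the header: "set" (Apache RequestHeader set, nginx proxy_set_header, which overwrite any client-supplied value on both ports), "add" (Apache RequestHeader add, HAProxy reqadd, which append and keep a client-supplied value), and "https-only" (the header is set only in the port-443 vhost and port-80 requests pass through untouched). Assumptions: the header is named X-Forwarded-Proto, as in the Django docs page linked above (the thread's proxy lines set X-Forwarded-Protocol, which the CGI mapping turns into HTTP_X_FORWARDED_PROTOCOL, so the proxy and the Django setting must agree on one name); app.example.org and the sample requests are constructed; Django itself is not imported, the is_secure() logic is reproduced inline.

```python
"""Forwarded-scheme detection behind a TLS-terminating reverse proxy.

The app only ever sees plain HTTP from the proxy, so it must trust a header
the proxy sets.  This models that trust decision (Django's
SECURE_PROXY_SSL_HEADER semantics) and the effect of how the proxy writes
the header.
"""

# Django-style setting: (WSGI environ key, value that means "was HTTPS").
# The environ key for a request header is derived as in CGI: "HTTP_" +
# upper-case name with dashes turned into underscores.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def meta_key(header_name):
    """CGI/WSGI environ key for an HTTP request header name."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def proxy_forward(client_headers, tls_terminated, policy):
    """Headers the proxy forwards to the app, given how it handles the header.

    client_headers: {name: [values]} as sent by the client (possibly hostile)
    tls_terminated: True if the proxy accepted this request on its HTTPS port
    policy:
      "set"        overwrite on both ports (Apache 'RequestHeader set',
                   nginx 'proxy_set_header')
      "add"        append the proxy's value, keeping any client-supplied one
                   (Apache 'RequestHeader add', HAProxy 'reqadd')
      "https-only" set it on the HTTPS port only; port-80 requests pass through
    """
    forwarded = {name: list(values) for name, values in client_headers.items()}
    own_value = "https" if tls_terminated else "http"
    if policy == "set":
        forwarded["X-Forwarded-Proto"] = [own_value]
    elif policy == "add":
        forwarded.setdefault("X-Forwarded-Proto", []).append(own_value)
    elif policy == "https-only":
        if tls_terminated:
            forwarded["X-Forwarded-Proto"] = ["https"]
    else:
        raise ValueError("unknown policy: %r" % (policy,))
    return forwarded


def build_environ(forwarded_headers):
    """WSGI environ as the app receives it over the proxy's plain-HTTP hop.

    Repeated headers are joined with ", " as CGI gateways do.
    """
    environ = {"wsgi.url_scheme": "http"}
    for name, values in forwarded_headers.items():
        environ[meta_key(name)] = ", ".join(values)
    return environ


def is_secure(environ, setting=SECURE_PROXY_SSL_HEADER):
    """The decision Django's HttpRequest.is_secure() makes with the setting on."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if setting is None:
        return False
    header, value = setting
    return environ.get(header) == value


def login_redirect(environ, host, path):
    """Where to send a plain-HTTP request for the login form; None if already HTTPS."""
    if is_secure(environ):
        return None
    return "https://%s%s" % (host, path)


def app_sees_secure(client_headers, tls_terminated, policy):
    """End-to-end: client -> proxy (policy) -> app; what the app concludes."""
    return is_secure(build_environ(proxy_forward(client_headers, tls_terminated, policy)))


# Constructed sample requests (not from the thread): a normal browser, and a
# client on plain HTTP that injects the forwarded-scheme header itself.
HONEST = {"Host": ["app.example.org"]}
SPOOFED = {"Host": ["app.example.org"], "X-Forwarded-Proto": ["https"]}

if __name__ == "__main__":
    for policy in ("set", "add", "https-only"):
        for label, headers in (("honest", HONEST), ("spoofed", SPOOFED)):
            for tls in (True, False):
                print("%-10s %-7s tls=%-5s -> app thinks secure: %s"
                      % (policy, label, tls, app_sees_secure(headers, tls, policy)))
```

Running the block prints the full matrix; the row to look for is "https-only / spoofed / tls=False", where the app believes a plain-HTTP request was HTTPS and would skip the login redirect. That is the case the Django docs page warns about: the setting is only safe when the terminating proxy unconditionally overwrites the header on every port, which is why the port-80 "RequestHeader set ... http" line in Aurélien's Apache example is not optional. With "add" semantics the merged value "https, http" happens to fail the exact-match test, but only by accident of string comparison, so "set" is the policy to use.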
Doesn't it have to be done by whatever terminates the initial http or https session (in our case, Apache)? Otherwise, Apache would have to somehow convey the information it knows to HAProxy in some fashion. May as well just do it in Apache as suggested.
--
Matt Domsch
Distinguished Engineer, Director
Dell | Software Group
-----Original Message-----
From: infrastructure-bounces@lists.fedoraproject.org [mailto:infrastructure-bounces@lists.fedoraproject.org] On Behalf Of Kevin Fenzi
Sent: Wednesday, October 02, 2013 10:26 PM
To: infrastructure@lists.fedoraproject.org
Subject: Re: Proxy header for SSL
On Oct 4, 2013 6:00 AM, Matt_Domsch@dell.com wrote:
> Doesn't it have to be done by whatever terminates the initial http or https session (in our case, Apache)? Otherwise, Apache would have to somehow convey the information it knows to HAProxy in some fashion. May as well just do it in Apache as suggested.
Yeah, if it's autodetected. But this setting might just be us selecting the protocol that we know it is coming in on. If so it probably makes sense to choose where to set this according to where we'll remember to look if we change something.
Fwiw, I think we have been seeing this in app configuration up to now. (The app substitutes the correct value based on its configuration file instead of on an apache header... which we have to manually set inside an apache config file.)
-Toshio