Re: Proxy header for SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 02 Oct 2013 12:49:18 +0200
Aurélien Bompard <gauret@xxxxxxx> wrote:

> Hi *,
> 
> I'm having a small problem with the way we proxy connections to our
> webapps. If I understand correctly, the proxy handles SSL connections
> and forwards them as plain-text connections (which is normal).

Yeah. 

> The problem is, I can't find a header I could use to detect that the
> connection was made using HTTPS, and as a result I can't find a way to
> properly redirect plain-text connections to SSL on the login form (and
> when the user is auth'ed).
> 
> This is a common problem and Django has a way to detect that the
> connection was securely forwarded if some header is set :
> https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
> 
> A common way is to set HTTP_X_FORWARDED_PROTO to 'https'
> Which proxy are we using? With NginX the config line to add is:
> 
>   proxy_set_header X-Forwarded-Protocol $scheme;
> 
> With Apache it would be:
>   RequestHeader set X-Forwarded-Protocol "https"
> in the virtualhost listening on port 443, and:
>   RequestHeader set X-Forwarded-Protocol "http"
> in the virtualhost listening on port 80.

We do set that in a few places now... but not accross the board. 

We use haproxy behind apache to do the setup, we could possibly do
something in haproxy too?

> What do you think of all that? How do we handle HTTPS detection at the
> moment?
> If it looks OK to you, should we wait for the freeze to be over before
> making this change?

I'd like to get some more input from others.... we aren't in freeze
right now, but lets wait a bit and see if anyone else has ideas. ;) 

kevin

Attachment: signature.asc
Description: PGP signature

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux